“Security is dead” must DIE.
Perhaps the hardest part about security risk analysis is reconciling the widely divergent perceptions within your organization. On the one side, you have the security professional who reads up on the latest threats; on the other side, you have Joe the User who may not even be aware that the security group exists. Somewhere in the middle, you have a random IT staff member who knows his own area but never thinks about the security aspects of it because “we have a group for that.”
Frankly, security professionals can often have an extreme view of risk. When you are reading about exploits and attacks every single day, you tend to rate the probability higher than it warrants. In the same way that a guy with a hammer sees everything as a nail, a responder (be it security, law enforcement, or emergency personnel) sees a biased cross-section of life because he sees only the events in a concentrated form, not the population that makes up the statistical average. There are some sad examples of what can happen when you overestimate risk because that risk is all you work with and think about every day. I get risk fatigue on a regular basis from the streams of vulnerability announcements coming into my mailbox, and most of the conference tracks I see these days are along the lines of, “Oh noes! Another esoteric exploit is discovered! We’re all gonna die!” If you didn’t know anything about risk analysis, and simply read the titles of blog posts, books, magazine articles and conference talks, you’d swear that every system was under attack every second of every day.
[No. No. NO. No, they’re not. I don’t care what your IDS says. A probe that has no chance of succeeding is not an attack; it’s a contact event. Is the rain attacking you as you walk beneath your umbrella? Yes, water can drown you if applied correctly, but it doesn’t mean every drop is trying to kill you.]
Folks, if you so much as talk about these things too frequently to the same people, they’re going to come away with the impression that you think the risk is extremely high, even if you don’t. It’s completely at odds with their own experiences, so they’re not going to take you seriously even long enough to split the difference.
Now, it’s not entirely our fault: on the other side you have the users who never think about security at all. If they’re already intimidated by technology, they’re not going to want to try to understand it long enough to get a realistic understanding of security risk and how their actions affect it.
Perhaps the worst group of all is the one in the middle: the programmer who personally couldn’t figure out how to code a SQL injection attack, so he doesn’t believe they’re a threat. The help desk dude who doesn’t understand HTML, so he rejects any notion that even displaying a page could set something off. The PC technician who doesn’t understand malware, so he can’t conceive of it as anything other than a harmless set of error messages that need to be made to disappear by re-imaging the desktop. In other words, it’s the dangerous bias of someone with incomplete knowledge.
Put these all together, and you have a massive disconnect between the population that doesn’t think anything is possible—and the population that knows what’s possible and believes it all to be inevitable. If we’re to have any hope of achieving a realistic estimation of risk and having it accepted on all sides, we have to use a model that separates raw, irrational perceptions from knowledge-based data points. Our users lack knowledge, and we have to give it to them in the right way, not by abusing the data to take advantage of our psychological tendencies to misinterpret risk.
We have to stop defining risk by saying, “It happens all the time.” If you are chasing down tornadoes, of course they “happen all the time”—to YOU. That doesn’t mean they happen all the time to everyone, and we shouldn’t mislead people into thinking they do.
We have to stop “managing risk by headlines”—yes, I mean YOU, the ISO who emails scary Heartland stories around to all the management to try to convince them that a breach is imminent.
We have to build an understanding of the difference between attacks of opportunity and targeted attacks, and understand our particular exposure within the whole population.
In other words—and I mean this in the nicest possible way—we all need to get a grip.
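One way to make the "contact event vs. attack" distinction from the aside above, and the opportunistic vs. targeted distinction from the last point, concrete is to triage IDS events against an asset inventory rather than counting raw alerts. The following is an added example, not code from the original post; the inventory, the IDS events, the signature tags and the source-profiling heuristic are all constructed here for illustration.

```python
from collections import Counter, defaultdict

# Hypothetical asset inventory (constructed for this example):
# host -> {service: set of vulnerability tags that service is still exposed to}
INVENTORY = {
    "10.0.0.5": {"http": set(), "ssh": set()},   # fully patched web/ssh host
    "10.0.0.6": {"smb": {"smb-rce"}},            # file server missing a patch
    "10.0.0.7": {"http": {"php-rce"}},           # legacy web application
}

# Constructed IDS events. "needs" is the condition the probe requires to
# succeed; the tag names are invented for the example.
EVENTS = [
    {"src": "203.0.113.9",  "dst": "10.0.0.5", "service": "smb",  "needs": "smb-rce"},
    {"src": "203.0.113.9",  "dst": "10.0.0.6", "service": "smb",  "needs": "smb-rce"},
    {"src": "203.0.113.9",  "dst": "10.0.0.7", "service": "smb",  "needs": "smb-rce"},
    {"src": "198.51.100.4", "dst": "10.0.0.7", "service": "http", "needs": "php-rce"},
    {"src": "198.51.100.4", "dst": "10.0.0.7", "service": "http", "needs": "php-rce"},
    {"src": "198.51.100.4", "dst": "10.0.0.7", "service": "ssh",  "needs": "ssh-weak-cred"},
    {"src": "192.0.2.77",   "dst": "10.0.0.5", "service": "http", "needs": "php-rce"},
]


def classify(event, inventory=INVENTORY):
    """Label one event 'contact', 'resisted' or 'credible'.

    A probe against a service that is not listening cannot succeed, so it is
    a contact event, not an attack, regardless of how scary the signature is.
    """
    services = inventory.get(event["dst"])
    if services is None or event["service"] not in services:
        return "contact"      # nothing listening: no chance of success
    if event["needs"] in services[event["service"]]:
        return "credible"     # service present and still exposed to this
    return "resisted"         # service present, but this probe does not apply


def summarize(events=EVENTS, inventory=INVENTORY):
    """Return (label counts, hosts with credible attacks, exposure fraction).

    Exposure is the share of inventoried hosts that saw a credible attack,
    i.e. our position within the population rather than the raw alert count.
    """
    labels = [classify(e, inventory) for e in events]
    counts = dict(Counter(labels))
    credible_hosts = {e["dst"] for e, lab in zip(events, labels) if lab == "credible"}
    exposure = len(credible_hosts) / len(inventory)
    return counts, credible_hosts, exposure


def source_profile(events=EVENTS):
    """Heuristic split of sources into opportunistic vs. targeted.

    This rule is an assumption of the example, not a claim from the post:
    one signature sprayed across many hosts looks like an attack of
    opportunity; several different probes aimed at one host looks targeted.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    profile = {}
    for src, evs in by_src.items():
        hosts = {e["dst"] for e in evs}
        probes = {e["needs"] for e in evs}
        if len(hosts) > 1 and len(probes) == 1:
            profile[src] = "opportunistic"
        elif len(hosts) == 1 and len(probes) > 1:
            profile[src] = "targeted"
        else:
            profile[src] = "unclear"
    return profile


if __name__ == "__main__":
    counts, hosts, exposure = summarize()
    print("labels:", counts)                 # 3 contacts, 1 resisted, 3 credible
    print("hosts with credible attacks:", sorted(hosts), f"exposure={exposure:.2f}")
    print("source profile:", source_profile())
```

With the constructed data, seven alerts reduce to three credible attacks on two of three hosts, and the noisy SMB source is classed as opportunistic scanning while the source working through one legacy host is flagged as targeted. The counts that should reach management are the credible ones and the exposure fraction, not the raw alert volume.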
Posted by shrdlu on Saturday, May 16, 2009