Friday, 12 April 2013

Risk and security

In the past, we've selected security personnel based on military experience and other highly selective aspects of risk. Having spent time in both environments it took many years to move from that of the military focus to where I am now. At the same time I believe I managed to understand both. Security implications in a military context are incredibly far removed from risk in business. This is one of the reasons we sit behind confidentiality and forget all the other aspects of security.

Example of this is form of misapplied thought is Marcus Ranum's ultimately secure firewall.

The reality is that this is the ultimately insecure business firewall. This device does nothing for integrity and it completely destroys availability. There is some tongue-in-cheek in this post but the fact of the matter is that this also reflects the general attitude of many security practitioners. They are not business enablers, but feel need to determine the risk strategies of an organization rather than meeting the risk profile and budget they have been assigned.

This severe misalignment is one of the sources of increasing tension between different groups and departments within many organizations. For those of you who are upcoming security practitioners and professionals I would recommend actually spending some time learning about risk. It is a skill that is lacking within the information security community.

DoS vs DDoS

Along these lines of you to personal anecdotes. The first is from here in Australia. It's around a decade ago. The company I started was providing intelligence to various government departments concerning cyber security. In one of these instances we were alerted to a planned DDoS attack against Department of Treasury.

The aim was to mount an attack between Christmas and the new year when the majority of information technology personnel were away on vacation. Treasury saw this as a major concern and took steps to respond. Over the Christmas period they shut down major Internet connections on a number of systems and hence stopped any possible DDoS scenario. With the system disconnected there was no way to actually attack it. That at least was the argument.

The next scenario was similar, another DDoS. In this instance a major network player in the US had a client experiencing a DDoS. The senior architect at that organization did not decide to forgo his lunch acted on the attack in a manner that allowed him to enjoy his lunch before returning more still de-escalating the attack. His response was to black hole route the entire network of the client. So instead of having nearly no connectivity due to the DDoS, the client was taken off the Internet completely.

His explanation for this act was the same that was offered by treasury.

It was explained to that a DDoS was significantly worse than a DoS attack.

This is the flawed logic used by many in the security industry. In place of understanding and outcomes-based solution we look at the cause and effect. Clients do not care whether they are attacked using distributed means all from a single server being taken out. They do not care if it's a botnet of 10,000 hosts or a router that has been compromised. What they care about is availability. In each case the "security professional", and I do use that term lightly, changed degraded service to no service. In fact, they significantly reduced availability.

This is the problem with security today. We have this flawed idea that nothing is better than an attack. What we need a risk professionals and not risk adverse business impeding personnel. A good security professional is a business enabler. It is our job to ensure the ongoing activities of the organization that we work for. This means accepting risk. It doesn't mean taking a blind acceptance of everything but understanding the risk and limiting loss to a level set by management. I will say that again, to a level set by management. It is not the place of the security professional to decide what the risk position of the organization will be.

Personally, I think risk professionals need some training in finance. This includes information security personnel. We need to understand the value of the systems and processes we're working with. We need to start to understand that those systems that we value most may not be the ones that are most valuable to the organization


Mostly, security people need to start to understand risk.

No comments: