I’ve said it many times before and I’ll say it again: trust is not an asset; it is a vulnerability. In an often-cited research paper (“Murder in Families” from the National Criminal Justice Reference Service, https://www.ncjrs.gov/App/Publications/abstract.aspx?ID=143498), 6.5 percent of murder victims were killed by spouses, 3.5 percent by parents, 1.9 percent by children, 1.5 percent by siblings, and 2.6 percent by other family members. Trust generates false assumptions and relaxed vigilance, which weaken our natural defenses.
Luck is a euphemism for risk: the probability that something which may or may not have an impact may or may not happen.
Donald Knuth wrote in his Fundamental Algorithms that any piece of code over 1000 lines of code would be impossible to debug completely.
Alan Turing’s proof of the undecidability of non-trivially sophisticated algorithms is sufficient reason for:
- the autonomously adaptive, complex information strategies of life; and,
- the intractably problematic and recursively non-terminating information transcription of cancer.
The whole cybersecurity enterprise seems to be built upon a suite of psychological and culturally-reflexive assumptions that assert that there exists even a possibility of logical or systemic closure. No such closure or completion is possible and this is rarely acknowledged.
A few fundamental security definitions are in order at this point:
- Perfect Security: doesn’t exist except possibly in Geek mythology; like a flying unixorn.
- Latest and Greatest Security: this is the latest hype that our favorite security vendors have cranked out for us; you don’t need to understand exactly what it does and what it doesn’t do because, anyway, you don’t know what assets you actually have and what they are worth, dead or alive.
- Good-enough Security: this separates the men from the boys. You really shouldn’t try this at home unless you understand security. This requires you to know what assets you have, at least the top ten of them, how much they’re worth to whom, what risks to those assets security tools and processes deal with, and how much risk is left over after implementing those tools and processes.
- WYSIWYG Security: this is “What You See Is What You Get” security; it’s the budget left over after funds and resources have been allocated to everything else your C-level executives can think of, and that is what you get for building defenses to protect your organization’s assets. It is usually considered to be enough for Perfect Security until something bad happens, in which case the CIO and CISO are fired.
The human is the weakest link in any chain of defense; however, the human is also the strongest link in any attack chain. Why is that? Maybe they’re not talking about the same human?
In chess, statistics show that he who makes the first move (“white” player) has at most a 56:44 advantage over his opponent (“black” player), all other factors between the two players being equal.
On a modern physical battlefield, where much of what happens is hidden or secret and there are no rules, I would venture to say that the side that takes the initiative has a greater advantage than the first mover on a chess board, where all moves occur in plain sight and only the intentions are hidden.
In cyberspace, where everything is invisible except for the effects of successful attacks, the attacker has an incredibly large advantage over the defender by virtue of the fact that he makes the first move. After a breach, more often than not, an attacker enjoys complete freedom of operation inside the organization for four months or more, before being discovered.
In these examples we can see how the attributes of a playing or battle field may confer advantages to an attacker or a defender. Actually it would be more accurate to say that the attributes of a playing or battle field accelerate the advantages of the attacker and exacerbate the disadvantages of the defender.
What are the advantages of an attacker?
- He only has to find one vulnerability in his opponent’s defense. He doesn’t have to find all the vulnerabilities.
- He gets to decide how (how fast and how many), when, and where to attack.
What are the disadvantages of an attacker?
- He doesn’t know what to expect inside his opponent’s defenses.
- If his attack doesn’t succeed, he may not be able to defend himself or retreat. He is outside his safety zone.
What are the advantages of a defender?
- He is inside his safety zone.
- He knows his own defenses intimately because he built them himself.
What are the disadvantages of a defender?
- He has to defend against every possible vulnerability in his defenses. It only takes one vulnerability to permit a breach.
- He cannot choose how (how fast and how many) and when to defend. He needs to commit all of his resources all of the time.
Is there something about a human that makes him a better attacker than defender? Humans are analog creatures. Their thought processes are fuzzier than precise. They have limited attention spans and have trouble attending to details. When he is building his defenses, he’s more likely to say “whatever” than to inventory all his assets so that he might provide adequate protection where it’s needed. He’s not likely to take on a project that might last longer than a year, and the people making the decisions can’t be bothered with the details. As an attacker, a human only needs a long enough attention span to find one asset that’s inadequately protected and to hell with the consequences, and everyone knows that fuzzy favors the attacker, since almost only counts in horseshoes and hand grenades.
Somebody at the end of the command chain who actually does the thing.
Some people talk about information security and others speak of physical security. Still others wonder what either of those subjects has to do with business. Rather than trying to shoehorn either of them into business, I’d prefer to introduce a new subject which I’ll call business security. Then hopefully nobody will ask what it has to do with business.
Every organization, whether military, governmental, civilian, public, or private, has a mission. The mission is the organization’s main reason for being. The mission is the core task the organization was created to accomplish. The army’s mission is to defend the country and to win the war. The government’s mission is to provide a fair and decent life for its citizens. A bank’s mission is to protect the assets entrusted to it and to provide its investors a decent rate of return on their investments in it. So on and so forth.
In order to realize and achieve the mission, the organization must translate it into one or more objectives. An objective is a task deemed necessary in order to accomplish a mission. A military objective might be to neutralize the enemy’s capacity to operate freely in the air, in the seas, or in cyberspace. A government objective might be to get re-elected or to ensure fair elections. A bank’s objective might be to allow online services to its customers or to open up new branches in emerging markets. Objectives are more specific than missions but they are still not specific enough to implement in an efficient and consistent manner.
Objectives are further translated into well-defined processes and procedures that may be manually performed or automated with the help of technology.
Assets are things of value to an organization that it purchases or develops in order to achieve its objectives or mission. Assets may be tangible, like ships, planes, tanks, buildings, and computers, or intangible, like ideas, data, or software. A military asset may also be a soldier or a spy. Non-military assets may be converted into monetary terms and back. The value of a non-military asset may range from less than a cent to more than a billion dollars. It doesn’t make good business sense to lump all assets together and treat them the same. For instance, it wouldn’t make sense to apply a $100,000,000 process to a $1 asset, unless that process applied to 100,000,000 of those assets. Assets should be treated in accordance with their value; however, value can be a tricky concept. It can depend on who’s evaluating. It might represent the cost to develop or purchase an asset at the time it was acquired. It might be the cost to replace it now. It might be what it’s currently worth after depreciation. It might be the market value after being processed and packaged, or the value to a customer. It might have a certain value when stolen, exposed, copied, modified, or destroyed. These are damage values. Damage values can involve litigation or be punitive in nature.
Nobody has discovered a sure-fire way to make money. All business activities entail a degree of risk. Nothing ventured, nothing gained. It’s quite likely that the degree of expected profits equals the degree of risk. Risks generally attach themselves to assets, especially those assets that are not adequately protected. There are many different kinds of risk: financial risk, operational risk, security risk, geopolitical risk, natural risk (earthquakes, floods, hurricanes, asteroids, etc.), social risk, and the categories go on. All risks have the same basic attributes and deserve due consideration. The attributes of risks are the probability or frequency of occurrence and the damage value of an occurrence to one or more assets. It makes sense for an organization to consider its top ten assets and then consider the top ten risks in each of the risk categories against each of those ten assets, taking into account the probability or frequency of occurrence and the potential damage value.
At this point I only want to talk about security risks because that is my specialty. If you want to know more about the other risk categories, call an actuarial accountant. There are three kinds of security risks: risks to the confidentiality of an asset, risks to the integrity of an asset, and risks to the availability of an asset.
A risk to confidentiality of an asset may come from an intruder stealing or intercepting a container or a transmission with a secret or sensitive document, or injecting spyware or malware to exfiltrate a database of credit card data or operational plans.
A risk to the integrity of an asset may come from deliberately or accidentally breaking a computer screen or keyboard, or injecting a destructive or corrupting virus or malware into a document or software.
A risk to the availability of an asset may come from blocking all entrances to a building, blowing it up, or burning it down, or organizing a distributed denial of service or spam attack on an organization’s web or email site, or injecting ransomware to encrypt files so they can’t be accessed or used unless the victim pays a ransom.
Each security risk could be expanded into many more examples, but there are only three kinds. Once again, it makes sense for an organization to consider its top ten assets and then consider the top ten security risks in each of the security sub-categories (confidentiality, integrity, and availability) against each of those ten assets, taking into account the probability or frequency of occurrence and the potential damage value.
Risks may be reduced, avoided, transferred, or accepted, but they cannot be ignored without appearing negligent in the eyes of regulators, stakeholders, and customers. That goes for security risks too.
A control is something that works alone or in concert with other controls to deal with one or more risks. There are three kinds of security controls: those that detect risks, threats, vulnerabilities, or exploits; those that prevent exploits; and those that correct damages resulting from successful exploits. Some controls can detect risks, threats, and exploits before they reach the organization, while others can only detect them after they have reached the organization or when they originate from within it. Some controls can prevent exploits before they reach your organization and others can only prevent exploits from within the boundaries of your organization. Corrective controls only work after the damage has occurred.
Detective security controls may include police detectives, security guards, security cameras, sensors, alarm systems, intrusion detection systems, tripwire systems, identity management systems, honey pots and honey nets, sandboxes, security logs, security information event management software, risk management procedures, security incident response procedures, forensic procedures, cyber intelligence, situational awareness, security policies, security managers, security procedures, and more.
Preventative security controls may include walls, doors, locks, the armed forces, security guards, firewalls, access control lists, identity and access management systems, white lists, black lists, adaptive networks, intrusion prevention systems, anti-virus and anti-malware software, encryption/decryption systems, sandboxes, 2- or 3-factor authentication systems, security policies, security managers, security procedures, security training, and more.
Corrective security controls may include backup/recovery systems, disaster recovery and business continuity plans, redundancy, clustering, replication, self-correcting networks, error correcting memory and disks, security policies, security managers, security procedures, etc.
The thing about controls is that it doesn’t make sense to spend more on them than the value of the assets being protected. That implies you had better know the value of your assets in order to apply appropriate controls. That, in turn, requires that you know what assets you have in your organization, at least the top ten or so. Many organizations don’t know what their top assets are. The consensus seems to be: instead of going to the effort of inventorying the assets, let’s just defend everything. Frederick the Great of Prussia is reputed to have said “He who defends everything defends nothing”. It invariably costs more to protect everything than it does to protect just the assets that justify the cost, and it’s often inadequate for protecting the most valuable assets.
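To make the top-ten exercise (assets, then risks per confidentiality/integrity/availability sub-category, weighted by frequency and damage value) and the control-cost rule concrete, here is a small Python risk register. It is an added example, not code from the original post. All asset values, frequencies and damage fractions are constructed, the `Asset`/`Risk`/`Control` names are mine, and the second test in `control_justified` (a control should also remove more expected loss per year than it costs) is my own assumption layered on top of the post’s rule that a control must not cost more than the assets it protects.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # damage/replacement value in dollars (constructed)


@dataclass(frozen=True)
class Risk:
    asset: str               # name of the asset the risk attaches to
    category: str            # "confidentiality", "integrity" or "availability"
    description: str
    annual_frequency: float  # expected occurrences per year (constructed estimate)
    damage_fraction: float   # share of the asset's value lost per occurrence, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # risk description -> fraction by which the control cuts that risk's frequency
    covers: Dict[str, float]


def expected_loss(risk: Risk, assets: Dict[str, Asset]) -> float:
    """Annualised expected loss: frequency x damage value of one occurrence."""
    return risk.annual_frequency * risk.damage_fraction * assets[risk.asset].value


def top_risks(risks: List[Risk], assets: Dict[str, Asset],
              n: int = 10, category: Optional[str] = None) -> List[Risk]:
    """Rank risks by expected loss, optionally within one CIA sub-category."""
    chosen = [r for r in risks if category is None or r.category == category]
    return sorted(chosen, key=lambda r: expected_loss(r, assets), reverse=True)[:n]


def asset_exposure(risks: List[Risk], assets: Dict[str, Asset]) -> Dict[str, float]:
    """Total expected loss per asset, highest first: the 'top ten assets' view."""
    totals = {name: 0.0 for name in assets}
    for r in risks:
        totals[r.asset] += expected_loss(r, assets)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def control_justified(control: Control, risks: List[Risk],
                      assets: Dict[str, Asset]) -> Tuple[bool, float]:
    """Rule from the text: never spend more on a control than the value of the
    assets it protects. Assumed extra rule: the control must also avoid more
    expected loss per year than it costs. Returns (justified, loss avoided/yr)."""
    by_desc = {r.description: r for r in risks}
    avoided, protected_value, seen = 0.0, 0.0, set()
    for desc, reduction in control.covers.items():
        r = by_desc[desc]
        avoided += expected_loss(r, assets) * reduction
        if r.asset not in seen:          # count each protected asset's value once
            seen.add(r.asset)
            protected_value += assets[r.asset].value
    justified = control.annual_cost <= protected_value and control.annual_cost < avoided
    return justified, avoided


# Constructed sample register (not real figures).
ASSETS = {a.name: a for a in [
    Asset("customer card database", 5_000_000.0),
    Asset("public website", 800_000.0),
    Asset("office keyboards", 2_000.0),      # the "$1 asset" of the text, roughly
]}

RISKS = [
    Risk("customer card database", "confidentiality", "database exfiltration via malware", 0.2, 1.0),
    Risk("customer card database", "integrity", "tampered card records", 0.05, 0.5),
    Risk("customer card database", "availability", "ransomware encryption", 0.1, 0.6),
    Risk("public website", "availability", "distributed denial of service", 2.0, 0.05),
    Risk("public website", "integrity", "website defacement", 0.5, 0.1),
    Risk("office keyboards", "integrity", "broken keyboard", 10.0, 0.02),
]

CONTROLS = [
    Control("egress monitoring and DLP for the database", 150_000.0,
            {"database exfiltration via malware": 0.6, "ransomware encryption": 0.3}),
    Control("armoured keyboard programme", 50_000.0, {"broken keyboard": 0.9}),
]

if __name__ == "__main__":
    for name, loss in asset_exposure(RISKS, ASSETS).items():
        print(f"{name:28s} expected loss/yr ${loss:,.0f}")
    for r in top_risks(RISKS, ASSETS, n=3):
        print(f"top risk: {r.category:15s} {r.description:40s} ${expected_loss(r, ASSETS):,.0f}")
    for c in CONTROLS:
        ok, avoided = control_justified(c, RISKS, ASSETS)
        print(f"{c.name}: cost ${c.annual_cost:,.0f}, avoids ${avoided:,.0f}/yr -> {'justified' if ok else 'NOT justified'}")
```

Running it shows the $50,000 keyboard programme failing the post’s rule outright (it costs more than the $2,000 of keyboards it protects), while the database control passes both checks. The ranking changes entirely if you feed it damage values measured differently (replacement cost versus litigation exposure), which is exactly the “value is a tricky concept” point made earlier.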
In summary, business security does not exist in a vacuum. It is part of the cost of doing business.