1. Abstract: Sensible defence
Security is not only a matter of products; improving your products and managing your risk is mandatory to keep up with the latest threats. Some basic tools do increase your security, but it is debatable whether all these tools enhance your security in the way you expect; perhaps they just give you a false sense of security. A false sense of security is the best cure for your conscience, yet less effective against a real attack.
Security is about risks and how you manage them. If you want to build good security you need to perform risk management and periodically measure risk against your security template. Attacks shift, and so does your budget assignment. Simple questions can reveal more needs and address security in those areas of importance.
Quote from Bruce Schneier:
• What are we trying to protect?
• What risks to these assets?
• How well is the solution in mitigating those risks?
• What other risks does the solution cause?
• What costs and trade-off does the solution impose?
Risk management is an excellent mediator to gain an objective view on your security strategy. However, it consumes a lot of valuable time and resources. But wasn't it important to implement security at the beginning of a project? Exactly: once your project is defined and you know more or less your destination, risk management can be your guide to find the way.
By integrating your security requirements as early as possible in a project life cycle you increase security as such and you reduce costs in the long term.
Remember, you have to sell your security; in the end it is politics. It comes down to the weight you have in the decision and the motivation you used in the selling process.
To integrate your risk management results successfully you should define where and what to invest. Managing risks is more than just integrating technology controls. In security we protect the CIA triangle (confidentiality, integrity, availability), but to protect it you use three, sometimes four, different mechanisms. The four basic elements are prevention, detection, response and sometimes prediction; the latter is probably the hardest one to achieve.
Balancing out these four will give you a sensible security mechanism which aligns with budget restraints and complies with your regulatory obligations.
2. Introduction
The security field undergoes a lot of changes at a rapid pace, making technology old-fashioned in a glimpse of time. Replacements and upgrades are deemed necessary, if we may believe consultants and product vendors. But on what are these statements based?
This paper shows how risk management is used today and what the pitfalls are. A lot of CISOs expressed their thoughts about it at CISO 2003: today's approach has gaps and is based on too many intangible facts.
This document outlines the problems security people encounter today. Over recent years we can see an increased awareness about security issues; however, being aware there is a problem is not of much value if countermeasures are not appropriate to the risk.
In this paper you can find the basic concept of risk management used today; it will not explain it in detail or how you should integrate it in your environment. It is included as a reference to compare with how I and many others think it could be done instead. It is my personal belief that today's concept is failing and more reasonable strategies should be applied to get the necessary support from your management.
The risk management process in its entirety has its limits; more specifically, it is the analysis that is insufficient to provide the required proof.
3. How risk mitigation works
Security is not about technology but about risks and how you manage them. Covering a risk in its entirety is not an easy thing, and accepting the risk could in the end be the only solution.
Managing risk is based on different pillars; each pillar has an important function, but they are rendered useless if they are not woven together.
3.1. Detection
Detection is a passive security measure which is an outstanding solution for fraud detection, for example, but less effective in the protection of corporate networks. Detection is common and used in our everyday life; the new radar system deployed in the UK to bill people driving to work by car is a perfect example. It does not prevent you from driving in the city, it does not prevent you from not paying the bill (especially for foreigners), but it does detect you. No matter where you're from and what type of vehicle you drive, you will be noticed and receive a bill. The same goes for credit card companies; a lot of their security is based on detection.
Detection might not be your Swiss army knife to solve security; however, it is less expensive and in some cases the most acceptable measure to enhance security in your environment. Logging (un)authorized connections on a preventive measure can be considered a form of detection; these logged events can be used afterwards to detect anomalies.
3.2. Prevention
Prevention is an active security measure able to deny or allow access; decisions are made based on an integrated policy. Prevention stops certain attacks immediately, one of the biggest advantages compared with detection or response, which react once the event has passed. Technologies providing prevention techniques are not watertight either; prevention does what it says as long as the device, software or even the human being acts in a proper way. A flaw in the procedure or software can render it useless. Prevention technology is definitely the most expensive way to secure your environment. One should weigh the benefits against the costs and explore other measures before putting all the eggs in one basket. Firewalls were thought to be the answer to network security; however, there are so many badly configured firewalls that it is sometimes better not to have any. A false sense of security can be worse than no security at all.
3.3. Response
Incident response is important in many aspects. Response shows how the attack took place, how it was detected and how it can be prevented in the future. Often response is put aside due to time and cost restrictions, but many companies doing incident response realise that it saves a lot of valuable time whenever a similar attack occurs. Incident response helps to recover quickly and efficiently and provides visibility on the events happening during a defined period of time.
4. Risk management concept today
Security relies on the management and reduction of risk by assessing, reporting and controlling the risk. It encompasses a number of activities which constitute a systematic process that aims to optimize decision making and improve the results.
The identification of risk to an organization entails defining the following four basic elements:
• The actual threat
• The possible consequences of the realized threat (impact)
• The probable frequency of the occurrence of a threat (frequency)
• The extent to which we are confident that the threat will happen (probability)
4.1. The process
Some crucial steps are mandatory to enhance your risk management process. These simple identifiers enable you to control the complete cycle of the risk you want to measure.
4.1.1. Governance
Good governance establishes a repeatable and auditable methodology for integrating the risk management process across the enterprise. The governance process outlines what, how and by whom the risk management activities are performed.
Clearly, a risk management team must aim to develop and establish the commitment, support and participation of top management to succeed in its mission.
4.1.2. Context
The context determines the company's relationship with its environment. It consists of two important influencers which shape the design of your risk management strategy. External factors could be anything like cultural, commercial or regulatory influences. Internal factors would be governance, reporting, business structure, etc.
4.1.3. Identification
Determining and identifying the risks your company is exposed to is perhaps the most important step in being successful at risk management. Focusing on tangible results only is a common mistake; intangible values are clearly harder to measure but just as important.
Risk identification in your enterprise entails four basic principles:
• The actual threat
• The possible consequences when a threat materializes
• The probable frequency of occurrence of a threat
• The probability that a threat will occur
4.2. Risk analysis
Risk analysis is a process to ensure that security measures for an environment are adequate to reduce the risks. By applying risk analysis you determine the risks and develop a plan on how to deal with them. Analysing the identified risks gives you a better understanding of the likelihood and potential outcome of an event impacting your company.
The main purpose of risk analysis is to quantify the impact of a potential risk. The goal is to put a price or value on the loss.
The main results of risk analysis are:
• Identification of the current risks
• The cost/benefit justification of the countermeasures
• Influence on the decision-making process on hardware, etc.
• Focus of security resources where they are needed most
This chapter provides you with a brief outline of how risk analysis works. These concepts are not invented by the author and are only here as reference.
4.2.1. Key terms
Scientifically, a risk is defined as the product of the threat and the vulnerability. But in risk management we identify the risk as the probability that a threat will materialize. Risk can be considered potential harm or loss to a system.
The risk management triple:
• Asset: A resource, process, product, system, etc. The value equals the cost of creation, development, licensing, support and replacement, credibility, what is lost if IP is disclosed, and ownership values. The asset is the precious item you are trying to protect.
• Threat: Any event that causes an undesirable impact on your organization.
• Vulnerability: The absence of a safeguard constitutes a vulnerability. A vulnerability is the weakness in your safeguard that a threat circumvents or makes use of.
The terms:
Safeguard: A control or countermeasure to reduce the risk associated with a threat.
Exposure Factor (EF): EF represents the percentage of loss a realized threat event would have on a specific asset. EF ranges from a high to a low percentage, from a catastrophic loss down to the loss of a single PC.
Single Loss Expectancy (SLE): An SLE is the dollar figure that is assigned to a single event.
Asset Value ($) x Exposure Factor (EF) = SLE
Annualized Rate of Occurrence (ARO): Represents the number of times an event could happen on a per-year basis.
Annualized Loss Expectancy (ALE): The expected loss on a per-year basis. The ALE can be derived from the following:
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = ALE
4.2.2. Quantitative risk analysis
Quantitative risk analysis aims to assign concrete probability percentages and, for example, real money values to the loss of an asset. It might look fairly simple; however, the complete process should be considered a major project within your organization.
Be aware that you cannot apply quantitative analysis alone, because it relies on qualitative analysis data.
Process of quantitative risk analysis:
• Estimate potential losses to the assets by defining the loss per asset
• Analyze potential threats to the assets
• Define the ALE
4.2.3. Qualitative risk analysis
Qualitative risk analysis is a scenario-oriented approach; in contrast to quantitative analysis, a purely qualitative analysis is always possible. Instead of assigning pure dollar figures, you rank threats on a scale to evaluate their risks, costs and outcome.
The seriousness of threats and the sensitivity of the assets are ranked or graded using a scenario approach. For each scenario you need to create an exposure rating scale and match the various threats to the identified assets. The type of threat, the potential loss to the assets and the selection of safeguards to reduce the risk should be included in the description of your scenario.
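As an added worked example (written for this edit, not code from the paper), the key terms of section 4.2.1, the quantitative process of 4.2.2 and the scenario ranking of 4.2.3 are applied in Python to a small constructed asset/threat list. All asset values, exposure factors, rates and the safeguard cost are constructed sample numbers. The safeguard cost/benefit test (ALE before minus ALE after minus the annual cost of the safeguard) is a standard extension of the ALE formula used to produce the "cost/benefit justification of the countermeasures" result the paper lists; the paper itself does not state that formula, and the 1 to 4 ordinal scales used for the qualitative ranking are an assumption.

```python
"""Quantitative (SLE/ALE) and qualitative (scenario ranking) risk analysis.

Added illustration, not from the paper. Formulas from section 4.2.1:
    SLE = asset value (AV) x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)
Safeguard test (standard extension, assumed here, not stated in the paper):
    net annual value = ALE_before - ALE_after - annual safeguard cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset with its quantitative inputs."""
    asset: str
    threat: str
    asset_value: float      # AV in currency units (constructed)
    exposure_factor: float  # EF, fraction of AV lost per event, 0..1
    aro: float              # ARO, expected events per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a percentage of the asset value, so it must be 0..1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard; negative means it costs more than it saves."""
    return ale_before - ale_after - annual_cost


# Qualitative analysis: rank instead of pricing. The 1..4 scales are an
# assumption; they are kept small so the ranking stays explainable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "severe": 4}


def qualitative_rank(likelihood: str, impact: str) -> int:
    """Exposure rating on a 1..16 grid; a higher score ranks first."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rank_scenarios(scenarios):
    """Return [(score, name)] with the most serious scenario first."""
    scored = [(qualitative_rank(lk, im), name) for name, lk, im in scenarios]
    return sorted(scored, key=lambda t: (-t[0], t[1]))


# Constructed sample data (not real figures).
WEB_DEFACEMENT = Scenario("public web server", "defacement", 50_000.0, 0.20, 2.0)
LAPTOP_THEFT = Scenario("sales laptop fleet", "laptop theft", 120_000.0, 0.05, 3.0)
QUALITATIVE = [
    ("web defacement", "likely", "minor"),
    ("laptop theft", "possible", "moderate"),
    ("data centre fire", "rare", "severe"),
]


def report():
    """Run both analyses on the sample data and return the numbers."""
    ale_web = scenario_ale(WEB_DEFACEMENT)          # 50000 * 0.20 * 2.0 = 20000
    # Hypothetical safeguard (constructed): hardening that cuts ARO from 2.0
    # to 0.5 and costs 8000 per year.
    hardened = Scenario(WEB_DEFACEMENT.asset, WEB_DEFACEMENT.threat,
                        WEB_DEFACEMENT.asset_value, WEB_DEFACEMENT.exposure_factor, 0.5)
    ale_web_after = scenario_ale(hardened)          # 50000 * 0.20 * 0.5 = 5000
    net = safeguard_value(ale_web, ale_web_after, 8_000.0)  # 20000 - 5000 - 8000 = 7000
    return {
        "ale_web": ale_web,
        "ale_web_after": ale_web_after,
        "safeguard_net": net,
        "ale_laptops": scenario_ale(LAPTOP_THEFT),  # 120000 * 0.05 * 3.0 = 18000
        "ranking": rank_scenarios(QUALITATIVE),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Note how the two styles answer different questions: the quantitative part tells management whether the hardening pays for itself (a positive net value), while the qualitative ranking says which scenario deserves attention first even where no dollar figures exist. The ranking puts laptop theft above the defacement although defacement is more likely, which is exactly the kind of trade-off the paper says the scenario description should make visible.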
4.3. Pitfalls
This model of risk management has its pros and cons; the reliance on probability and impact factors is a major downfall of this concept. The foundation of your security is based on guesswork; it can be very effective to use only worst-case scenarios to cover all risks, but that will give you a budget outlook that looks grim. The contrary leaves your budget in the green zone but can make your security poor. Other approaches described in the next chapter could provide more realistic views on which security we need and to what level we need to bring it. Anticipating the unknown, providing an answer to vectors of attack we do not yet know about, is impossible.
5. Sensible defence
Information security is hard to understand and even harder to integrate successfully. Insecurity is not caused only by today's risk management concept. Economic gain or loss, legislation, regulation and so on are also important vectors.
1) Security is a trade-off. We need to make trade-offs; cost is one, but there are more trade-offs to make: convenience, liberty, functionality, time, etc.
I think the previous chapter has strong and weak points: using the risk management triple is extremely valuable, but trying to transform risk into numbers by using hefty formulas and relying on too many intangible values is for sure not a reliable way to integrate sensible and well-thought-out security.
This chapter will outline some of the problems and how they could be improved. There is no clear-cut solution to all the issues, but improving the existing approach by relying more on measurable values does provide better end results.
5.1. Economic incentives and security failure
Economic incentives, profitability, market gain, etc. are important vectors in the decision process. Security risks and business risks are quite different; forecasting how the economic landscape evolves based on the investment of new resources to increase profit is completely different from forecasting the probabilities of IT risks. Evaluating risks and how much they are reduced by integrating new technology is as easy as playing Russian roulette. Even if you have all those statistics and numbers, if there is no legislation and no direct economic consequence you will not succeed in your job. This is plain business logic; managers deal with risk every day and are used to accepting certain levels of risk.
Example:
In a distributed denial of service attack it is very expensive to protect your web servers. You can spend thousands of euros to increase protection and it would still fail in certain circumstances. However, home users whose machines are being used as zombies do in general spend a few euros to buy an anti-virus to protect themselves from threats. But they would rarely spend the same amount to prevent their machines from being used against others.
In the economic world this would be a 'tragedy of the commons'; such situations should rather be solved by legislation, putting pressure on those who can fix the issue, instead of investing too much money in a solution that does not provide the necessary protection. Over the years we have witnessed that bad security often wins over good security; it can be explained rationally, as the popularity of a system or service is related to factors other than security. If people use the less secure system more, your good system is doomed to failure. If you do not have a good economic reason why security should be a priority, you do not have a good chance of succeeding. Unfortunately, today business looks at security as a cost enabler instead of looking at it as a cost reduction.
But an economic drive or market reaction sometimes forces a company to tackle security issues. When this happens, management does not have the burden of dealing with any type of risk assessment. Today companies are often confronted with such reactions from customers, auditors and other regulatory bodies.
5.2. Liability, regulation and compliance
This is an ongoing debate and a very hard one.
Imposing laws to make better products, provide secure services, conduct audits, carry responsibility, etc. will definitely improve security in some way. All of this sounds easy and achievable, but the pitfalls are numerous and plenty of people are against it.
Security has technological components, but business regards security, in terms of risk management, as it does any other risk. Business aims to reduce costs and improve production. Why bother with improving network security if the business survives defacement, denial of service, reputation damage and network downtime?
The point is that if you force companies to make their products secure, their economic gain could decline. And what about the brakes you put on creative minds and the development of new ideas? A company making a new product has its focus on making money and answering an unanswered need in the market, which does not necessarily require advanced security in the initial stage.
If your government provides services on the internet you had better be sure they are secure; if there are no regulatory incentives, why shouldn't they opt for the cheaper, less secure option? By enforcing rules via laws, regulation or company policies we impose liability and make sure people are responsible for their deeds. I agree, regulation is not the all-in-one solution helping you out in difficult times, but it can push industry to improve security. Some types of industry start with security and build their services inside the security boundaries.
We have different compliance bodies that are well developed and are pushing managers, companies and even governmental organizations towards a better and more secure environment. SOX, HIPAA, Basel II, etc. do push to create a better and safer environment by motivating managers to pay attention to issues that were ignored before. As time goes by and maturity develops, legislation will improve and regulatory bodies can impose penalties to keep the motivation alive.
Example:
Power plants, for example, live up to high security standards regarding their personnel. We can be delighted that they did not use the same approach as is often used in the computer industry. Such an approach makes managers aware that risks cannot be accepted because of the high costs involved.
5.3. Due care and due diligence
2) Due care means that a company did all that it could reasonably have done to try to prevent security breaches, and also took the necessary steps to ensure that if a security breach did take place, the damage was reduced because of the controls or countermeasures that existed. Due care means that a company practised common sense and prudent management practices with responsible actions.
Due diligence means that a company properly investigated all of its possible weaknesses and vulnerabilities before carrying out due care practices.
Due care and due diligence both need to be present to successfully integrate a certain level of security in your environment. To convince management we should distance ourselves from examples and results (from threat and vulnerability assessments) that are based on hypothetical values. It is almost impossible to convince people on a subject that has not yet materialised. Replacing those intangible values can be achieved by using real-life examples of the existence of a vulnerability, what solutions are available and who has integrated them already. Remember the approach: we are protecting against known threats and not trying to increase budgets based on the unknown.
If management still decides to accept the risk, which is completely normal in certain cases, we document it and motivate it with the business reasons; this is done to limit liability. The ultimate goal is to achieve good due diligence practice; this reduces ignorance and negligence. Due diligence results do not need to be proven valid; the result itself shows the good or bad experience. Solutions never come directly from an assessment but are chosen in light of the assessment results by means of due diligence. One can argue whether fortune telling is a better strategy than awaiting results from what is actually achieved.
5.4. Technology
The problem we have today with technology is that at a certain point it does provide protection but can create numerous other problems. Integrating additional tools, software or hardware does not imply that you improve security. An entire process of interacting mechanisms is needed to provide robust security. As shown in chapter 3, you need to rely on different techniques to create a secure environment. None of those concepts survives an attack without the support of the others. Over the years we have been overwhelmed by manufacturers providing us with the market-leading product, and still our networks are at stake.
Does it mean that the products are bad?
Honestly, I don't think products are bad; the way they interact is perhaps not ideal. For years we have been focusing on prevention and less on detection and response. A good prevention tool is worthless without detection, and detection has no value if there is no response process involved; most of the time these functions are included in a good prevention product. During my career I have often had discussions on what to log and what not; logging everything does not increase your detection. It increases the data you gather but decreases the accuracy.
To make a safeguard valuable it requires interaction with other processes, systems or people. A good interaction occurs on different layers: logging the issue is the first, but being informed that there is an issue is mandatory to make the logging useful. After the alert a manual intervention might be required; again, this should be logged in a sensible way to have good change management.
All these features are available on the market; unfortunately, interaction between them is still at a low level.
Example:
Wiretapping the mass public hasn't proved to be useful yet; data mining or correlation on the data is even harder. It does work once there is a lead or a clue; unless you have some predefined known information, your correlation will not have much value and could miss those parts of the data crucial to identifying the attack. Using detection only to prevent issues is just not the right way to solve a security issue.
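The log, alert and recorded-response chain described in this section, as an added example written for this edit (it is not code from the paper): a handful of constructed syslog-style lines, one rule that fires only on a burst of failed logins from a single source within a short window (the "predefined known information" the correlation needs to be worth anything), a notification, and a record of the manual action that followed, so that the response itself is logged as the text asks. Hostnames, addresses, user names, the threshold and window, and the action text are all constructed assumptions.

```python
"""Minimal log -> alert -> recorded response chain (added illustration).

Instead of "logging everything", only sshd authentication events are kept
and a single targeted rule is applied: N or more failed logins from the
same source inside one sliding window. The alert then informs someone and
the manual follow-up is recorded, so the response is logged too.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like; hosts and addresses are made up).
SAMPLE_LOG = """\
2003-11-04T09:00:01 gw1 sshd: Accepted password for alice from 10.0.0.5
2003-11-04T09:00:07 gw1 sshd: Failed password for root from 192.0.2.10
2003-11-04T09:00:09 gw1 sshd: Failed password for root from 192.0.2.10
2003-11-04T09:00:12 gw1 sshd: Failed password for admin from 192.0.2.10
2003-11-04T09:00:15 gw1 sshd: Failed password for root from 192.0.2.10
2003-11-04T09:00:20 gw1 sshd: Failed password for bob from 10.0.0.7
2003-11-04T09:30:00 gw1 sshd: Failed password for bob from 10.0.0.7
2003-11-04T09:31:00 gw1 sshd: Accepted password for bob from 10.0.0.7
2003-11-04T09:45:00 gw1 cron: job backup finished
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$")


def parse(log_text):
    """Keep only sshd authentication events; other lines are noise for this rule."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "host": m["host"], "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def failed_login_bursts(events, threshold=4, window=timedelta(minutes=1)):
    """Rule: at least `threshold` failures from one source within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per source is enough to inform someone
    return alerts


class ResponseLog:
    """Records who was informed and what manual action followed, so the
    response itself is logged (the change-management point in the text)."""

    def __init__(self):
        self.entries = []

    def notify(self, alert, channel="oncall"):
        self.entries.append(("notified", channel, alert["src"], alert["count"]))

    def record_action(self, alert, action, operator):
        self.entries.append(("action", operator, alert["src"], action))


def run_pipeline(log_text=SAMPLE_LOG):
    """Parse, apply the rule, notify, and record the follow-up for each alert."""
    events = parse(log_text)
    alerts = failed_login_bursts(events)
    log = ResponseLog()
    for a in alerts:
        log.notify(a)
        # In practice the operator decides what to do; a constructed action is recorded here.
        log.record_action(a, "source blocked at firewall, ticket opened", "operator-1")
    return {"events": len(events), "alerts": alerts, "response": log.entries}


if __name__ == "__main__":
    out = run_pipeline()
    print(f"{out['events']} auth events, {len(out['alerts'])} alert(s)")
    for entry in out["response"]:
        print(entry)
```

The two failures from 10.0.0.7 half an hour apart never reach the threshold, so they stay as data without becoming an alert; the four failures from 192.0.2.10 inside eight seconds do. Raising or lowering the threshold and window is the tuning the section talks about: more data is not more detection, only a rule that encodes something known turns the data into an alert somebody acts on.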
Security budgets for government issues do increase; however, people tend to feel less safe. In Belgium the police force has been increased significantly, but reducing crime is harder than ever before. Prevention and detection capabilities are sufficient, but response (the courts) is not keeping the same pace.
Another big debate is functionality vs. security. Frankly, I think this is a bad trade-off. Testing functionality is fairly easy. Functionality is whether or not something works when it is being used as planned. But if you test security you are trying to find out how a system behaves when placed under unanticipated circumstances with an adversary trying to subvert the system. It will be very hard, if not impossible, to test security like you do with functionality.
5.5. Awareness campaign and training
Awareness and training are mandatory to enhance your security. A good distinction between training and awareness should be made.
Awareness campaign: A campaign for awareness explains the 'what is it'; it shows you the dangers or benefits of a certain tool, system or environment.
Training: A training informs you about the 'how does it work': how do I use it, how do I integrate it, how do I get the most out of it.
Awareness increases security on a human level; human intelligence is irreplaceable by technology. But just as with technology, we need to make our staff aware of the risks involved in their job. Today many companies have understood they need awareness, some because of regulation, some because of campaigns launched by governmental organisations. As risks and technology evolve at a rapid pace, we need to conduct awareness on a regular basis to make it effective. Any means are good to make people aware of the risks. In our daily life we are confronted with several awareness campaigns which are time- or event-specific.
Example:
The 9/11 attacks provoked awareness in the UK; people were aware of risks and knew how to respond in case of emergency. The results of the campaign were clear: panic was reduced to a minimum and casualties could be rescued within a respectable time frame.
Training is equally important; knowing that there is a risk is just one part of the solution. How you protect and how you use the provided tools is an important step and might be more difficult to achieve. It is clear that in certain cases and on certain subjects those two aspects are woven together. Explaining why one needs a password is one thing, but it might be useless without explaining how to make a strong password.
6. Conclusion
Regardless of which model of risk management one uses, you are still using hypothetical data. Today there are no valid frequency and impact data available to provide you with valid and sensible results. It might be possible to guess the impact or frequency of an unusual incident. An unknown event or enemy can have an important effect on the risk, which makes the current security solution obsolete. I doubt that this will change positively in the future due to today's rapidly changing technology.
Managing risk by tangible values, as outlined in the previous chapter, is maybe an answer to this complex subject. Continuing with intangible risk assessment results is expensive and does not necessarily improve your current security; this does not mean you do not have to integrate it. Regulation and legislation can be met by doing a high-level risk assessment outlining the dangers and the caveats of the unknown.
This is not a plea to abandon the current way of handling risk; I just share my and other security professionals' view on the topic. As a consultant I have been confronted with many aspects of security and saw that some try to protect against things that have not yet materialized. FUD (fear, uncertainty and doubt) and hypes are still provoking the integration of security measures; often these are not the solution to the problem.
Without Donn B. Parker's help I would not have been able to make this document. I got the authorisation to quote his article, but I tried to write some of his ideas in my own words.
7. References
1. Bruce Schneier: Beyond Fear
2. Shon Harris: CISSP Certification All-in-One Exam Guide
Books & articles:
Bruce Schneier: Beyond Fear
Economics and information security
Regulation, liability and computer security
Donn Parker: Making the case for replacing risk-based security
Ross Anderson: Why information security is hard - an economic perspective
Shon Harris: CISSP Certification All-in-One Exam Guide