12/7/2015 10:30 AM
Joshua Goldfarb
Commentary
Playing It Straight: Building A Risk-Based Approach To InfoSec

What a crooked haircut can teach you about framing the discussion about organizational security goals and strategies.

I don’t remember much from my school days, but I do remember one particular statement from one of my teachers. During the course of delivering the lesson, she illustrated her point by remarking: “If you hold your head crooked, you get a crooked haircut.” You might ask yourself what exactly this means and what this has to do with information security. Allow me to elaborate.

What my teacher illustrated with that phrase was the idea of building the proper frame of reference. The haircut analogy illustrates this as follows. A barber or stylist approaches a haircut from his or her frame of reference. Generally, the person giving the haircut is standing up, and thus their frame of reference is based on that (vertical). The person receiving the haircut is generally seated. If that person holds his or her head straight, then both people share the same frame of reference. If, however, that person tilts his or her head, his or her frame of reference becomes different than that of the barber or stylist. As a result, what appears to be a straight haircut to the barber or stylist will in fact be a crooked haircut to the customer.

In other words, if we want to achieve a certain outcome, we have to work towards it from within the correct frame of reference. Otherwise, no matter how much time, money, and resources we invest into our efforts, the outcome may be different from what we expected.

We can extend this analogy to the security realm and learn some valuable lessons from it. Almost all organizations now realize that they need to build or enhance their security programs. Of course, strategies, approaches, and methodologies will vary widely in this endeavor. Results will also vary widely. When undertaking this effort, frame of reference becomes extremely important. If an organization does not properly calibrate its efforts, it can end up investing a lot of time, money, and resources into a security program that misses the mark. In other words, having the right frame of reference guides a program to success. Building or enhancing a security program in a “crooked” frame of reference can ultimately lead to a program that does not adequately address the needs of the organization and does little to improve its security posture.

I’d like to illustrate this concept by sharing a few examples of incorrect frames of reference that I sometimes see in organizations. My goal is to help organizations understand the concept and identify any potential areas for improvement internally.

The Program of “No”
Unfortunately, security professionals sometimes get a reputation for being the people in an organization who always say “no.” In recent years, security has become an integral part of most organizations. But it’s important to remember that the main purpose of an organization is to be successful in its particular line of business. Of course, a business cannot operate without accepting some risk.

A security program’s ultimate goal should be to mitigate risk while enabling the business to be successful. For example, if the business needs to move to the cloud in order to stay competitive, the security organization should focus on how to mitigate and minimize risk before, during, and after that move.

Unfortunately, the frame of reference of many security organizations is structured around a knee-jerk “no” response. The trouble with this is that many areas of the business very quickly learn to go around the security team, rather than work cooperatively and collaboratively with it. In some cases, the security team may even be seen as an adversary. The end result is that the organization’s security posture does not improve at all -- in fact, quite the opposite.

The program of “no” frame of reference most often results in exactly the opposite of what it intended. A frame of reference that seeks to build trust with the business to enable the business to operate more securely produces much better results. After all, security is a business function and should operate accordingly.

Not Focusing on Risk
I, along with many others, have previously written on risk-based approaches to security. This approach is strategic in nature: it involves prioritizing the risks and threats to the organization and then working through mitigating those risks and threats. Unfortunately, some organizations don’t build their security programs from this frame of reference.

There are a number of different types of approaches I’ve seen that are not risk-based in nature. For example, organizations may build their frame of reference around intelligence, certain categories of technology, certain skillsets, or other things. Each of the examples I’ve mentioned is important and has its place in security, but none of them should be used as the basis for a frame of reference. For example, although intelligence is important, building a security program solely around intelligence causes an organization to rely too heavily on what someone else tells them is important, rather than the real risks and threats to their organization.

Building a frame of reference around mitigating risk allows an organization to incorporate multiple techniques to reach its desired end goals. Whatever techniques it employs, the risk-based frame of reference ensures that the organization properly addresses the risks and threats it actually faces. Alternate frames of reference address some risks and threats, but they do so informally, rather than strategically. That leaves an organization vulnerable.

Chasing Ghosts
I’ve seen some organizations that run from one “strategy” to the next, following the latest fad, buzzword, shiny object, or otherwise. The fault in this frame of reference is obvious. Fads come and go, but at the end of the day, they were not defined to address the risks that an organization faces.

Of course, new technologies, novel approaches, and fresh thinking can always be used to improve and strengthen a strategic approach to security. But again, they need to be incorporated within a strategic frame of reference. The “new” cannot itself be the frame of reference. That often results in organizations investing heavily in areas that don’t actually mitigate much risk for them -- in other words, chasing ghosts.

Unfortunately, there are far too many “crooked” frames of reference within which an organization can find itself. A strategic, risk-based approach to security can help an organization build a frame of reference geared towards its needs. Having a “straight” frame of reference is critical for properly guiding the efforts of a security organization so that it adequately addresses the risks and threats facing the organization.

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...
Comments
Uri Rivner, 12/9/2015 | 10:48:17 AM
Dynamic risk-based decisions
Great as always Josh.

Beyond making risk-based choices, it's time the enterprise begin to realise that the authentication and authorization paradigms that have been with us since the dawn of corporate security history are all but dead. What does an authentication session mean anyway these days? All fraud cases in online banking come from authenticated sessions. All hacks come from authenticated nodes.

The same applies to authorization. Take RBAC - a fundamental principle in security. Josh is a CTO, so he has access to this-and-that. Unless Josh changes his role, or unless that role needs an updated access scheme, that's basically it. But in today's reality, it's totally rubbish. Yes, Josh is entitled to access this-and-that, but only if I think it's really Josh, and he really needs that access right now. If there are signs of foul play, I may change my mind. And if I have an ability to dynamically change my mind about authorization, and make sure people get access based on the risk for this specific activity, I'm far better off.

The same goes for my smart home app, the one I'm using to control my smart home. Once I've authenticated, I have full access to everything. That's history. The future is different: far more agile and adaptive. The more it looks like me, and the lower the risk of my current actions, the greater control I should have. And think of IoT appliances as well - they also have authentication and authorization controls that are totally black and white, and without giving them shades and adaptiveness - we'll be screwed a few years from now.

The enterprise security paradigms need some heavy shaking, become far more dynamic, adaptive and risk-based, so real time decisions can be made instantly for every activity.
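As an added illustration of the per-activity, risk-adaptive authorization Uri describes (this is not code from the article, the commenter, or any product; the entitlements, risk signals, weights and thresholds are all constructed assumptions), the block below contrasts a static RBAC check with a decision that re-evaluates the same entitlement against the context of each activity:

```python
from dataclasses import dataclass

# Constructed sample entitlements: classic RBAC, role -> resources it may touch.
ROLE_ENTITLEMENTS = {
    "cto": {"finance-reports", "source-code", "hr-records"},
    "engineer": {"source-code"},
}
# Constructed sensitivity ratings (1 low .. 3 high); higher means less tolerated risk.
RESOURCE_SENSITIVITY = {"finance-reports": 3, "source-code": 2, "hr-records": 3}

@dataclass
class Context:
    """Signals observed for one activity; fields and weights are hypothetical."""
    known_device: bool = True
    usual_location: bool = True
    impossible_travel: bool = False
    failed_logins_last_hour: int = 0

def static_rbac(role: str, resource: str) -> bool:
    """The 'black and white' model: once authenticated, the role alone decides."""
    return resource in ROLE_ENTITLEMENTS.get(role, set())

def risk_score(ctx: Context) -> int:
    """Add up the 'signs of foul play' present in this activity's context."""
    score = 0
    if not ctx.known_device:
        score += 2
    if not ctx.usual_location:
        score += 1
    if ctx.impossible_travel:
        score += 4
    score += min(ctx.failed_logins_last_hour, 5)
    return score

def dynamic_authz(role: str, resource: str, ctx: Context) -> str:
    """Per-activity decision: 'allow', 'step-up' (re-verify the user) or 'deny'."""
    if not static_rbac(role, resource):
        return "deny"  # entitlement remains a necessary condition
    tolerance = 4 - RESOURCE_SENSITIVITY.get(resource, 1)  # sensitive => less slack
    score = risk_score(ctx)
    if score <= tolerance:
        return "allow"
    if score <= tolerance + 3:
        return "step-up"
    return "deny"

def decide_session(role: str, activities: list) -> list:
    """Re-evaluate every activity in an authenticated session, not only the login."""
    return [dynamic_authz(role, resource, ctx) for resource, ctx in activities]
```

The same authenticated CTO session can thus yield "allow" for one activity and "step-up" or "deny" for the next as the observed signals change, which is the behaviour static RBAC cannot express.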

gszathmari, 12/7/2015 | 6:00:08 PM
Risk based approach is the king
The risk-based approach is the only way that ensures money and time are spent on the right things for protecting the organisation. Risk can be managed on multiple levels, starting from the business risks, through IT and infosec risks, all the way down to the code level.

I also wrote an article today on a risk-driven approach, but for incident management. This approach allows incident response teams to focus their efforts on the critical areas. The post is available on the Rainbow and Unicorn blog.