Wednesday, October 29, 2008

Schneier is on to Something

I usually don't read Bruce that often, but I came across a post about Risk Management making Sense. My take away was that, we can inherently perform risk management when confronted with taking meat from a lion on the African plains in 10,000 BC. But are challenged with more complex threats and vulnerabilities.

I have been having some deep conversations with my wife and others about better ways to measure and manage risk. My recent contention is that with so many changing and evolving threats, should we just presume there will be a threat when a vulnerability is presented? Or one generic threat that could be tied to just about anything (Hacker Compromises System)? I don't know.

Getting back to the deep conversations, we try to draw parallels to cars. There are only so many things that can happen to a car, and only to varying degrees. We, as the (supposedly) responsible operator, take certain steps to reduce risks to the system (its snowing, drive slower or that tree looks like it could fall on my car, perhaps I shouldn't park there). The insurance company can infer certain things about how the car will be operated based on demographics, statistics, etc. A 16 year old football star will operate the car differently than a 42 year old soccer mom. We may also be transporting gold bars in the trunk of the car, but the car insurance people can't deal with that because they are insuring a 1986 Toyota Tercel not 37 million dollars in gold bars.

In this story, we only ever really care about impact (my car's been stoled with gold in the trunk). But we wouldn't be driving an '86 Tercel with all that gold in the trunk. My stuff would be in an armored convoy with air support (ala Italian Job). One could argue that putting your gold in a Toyota is a bad move (it is!). However, inside organizations all over the world, it is happening right now. Because of the intangibles that aren't or can't be (easily) measured.

Gold is something we can assign a value to, at the time of writing $749.11 an ounce. Data that could be turned into Information and then Knowledge, generally has only intrinsic value to the information owner (IO). They just need a place for it to live and be processed. The System Owner (SO) can't assign an discrete value to the information, because the SO doesn't know the costs associated with creating it. Further, SO doesn't know possible damage in case of leakage, corruption or inaccessibility. The SO has more to worry about in the face of inexperienced staff (the 16 yo jock), problems with the data center (tree falls) or any other metaphor you want to assemble.

My end point here is: how do we measure risk in a way that says what needs to be said and warrants the controls needed (and justify buying a newer, more secure car; like the Mercedes with the laser cut keys).

Monday, October 20, 2008

Go Vote!

I would like to add my two cents here for the few people that read this blog.

Go Vote.

I am not going to tell you who to vote for but I will say that it is important to vote. I watched Recount and Hacking Democracy recently and to say that I am upset would be an understatement.

So go vote, do not be discouraged or turned away. Our forefathers have fought and died for the right for us to vote.

Be counted.

Tuesday, October 14, 2008

Loss Prevention is not Risk Management

I have been giving a lot of thought about how to deal with Risk Management recently. I have talked to a few people and I have come to realize the title of this post. Many of my colleagues only talk about making sure the data doesn't get released, corrupted or unreachable. In my own little head, this to me is loss prevention. Retailers do it all the time, they put those annoying tags on the clothes so that you can try them on properly, to make sure that they don't experience a loss. I'm not saying that the RM and LP are not related, they are. But a loss prevention is the
implementation of controls is not a risk management. I am define risk management as (like Wikipedia):

a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources.

Most of the time, I have started the risk assessment process with a threat identification, where we list out all the threats. The question is "Do we care?" The answer of course is "No". Stick with me now. Has the person in charge ever turned to you in the beginning of the incident
response ever turned to you and said "I have the Risk Assessment here can you tell me which threat succeeded and which control failed?" Maybe a few but not many, the question that they asked me was, "What failed and (delicately) how do we get the shit back in the horse?" Results not causes. In the heat of the moment, I haven't met anyone that said "I spent three days with a
CVSS calculator determining that the threat is a 2, xxxxxxx turned into a ... ."

You know the next steps, list of threats paired to vulnerabilities, and if you are using the 800-30 then you do the arbitrary but necessary likelihood and impact. To come up with a risk. And there was much rejoicing. Yea! I have checked the proverbial box, submitted my POA&M and now I will retire to the veranda for coffee without a care in the world, right? Wrong.

My perception is that we are working this thing backwards, at least in the Federal government space (which is all I am really familiar with). With the Feds, we know the controls we are going to implement (800-53 or CNSS 1253). And then we know what we don't want to happen, you know ... bad stuff that gets us in the Washington Post or dragged up the Hill.

So let me lay this out, the threats are changing, there are always new vulnerabilities (the only constant is change ), the likelihoods and impacts are subjective so why should we expect anything from that process. Or at best, something we can take action upon.

I have watched many smart people stand up new firewalls, IDPS, NAC solutions, SOCs, AV, whatever and still in the end something gets missed or the human element gets in the way. Because simply implementing and monitoring controls without the understanding of the risks those controls are protecting against is not good. It is just doing Loss Prevention.

Wednesday, October 1, 2008

Put down the DCID 6/3 and walk slowly towards me

While this does not personally excite me since I don't live in an IC or DoD world, the ODNI has abandoned DCID 6/3 in favor of the new CNSS instructions. It is only about a year late, since the first time I heard this was happening was in 2006 with an implementation of 2007. The news release is here:

The directive is here:

And I found out about it from here:

Thanks Mark!