Mudge, a former hacker and one of the nation's foremost security experts, details the perceptions and fixations that hobble most security efforts Take a 10 cent piece. What is it? Most people will see it as part of the monetary system. That is, you use it to buy things. It can also be a screwdriver, a very slender shim or a decision-making tool (heads or tails?). Seeing it only as one-tenth of a dollar is an example of functional fixation: the inability to see a use for something other than its intended use.
Now take digital security, everything from firewalls to virus software and the like. The corporate world sees these solutions as a magic elixir, suitable for any environment. This is another unfortunate example of functional fixation.
This fixation is a problem because off-the-rack digital security is of limited value. Technically, an auditor could ask whether a corporation had a firewall and consider his work complete. Would that same auditor be doing his job if he had asked a bank if it had a vault and left it there? Hardly - he'd ask more questions: Is the vault locked? Who has the keys? What's stored in it? When and why is it opened? Substitute "digital security" for "bank vault" and you're starting to understand the need for security customisation.
A bank cannot claim to be diligently protecting its customers simply because it possesses a safe. Similarly, the notion that installing a commercially available firewall will instantly protect your company from the vagabonds of the Internet is ludicrous. How can a business address its unique security needs through third-party vendors that don't know its business? A library, an automotive manufacturer, a financial institution and a telecommunications business each have unique security requirements. If an automotive manufacturer adopted the same security posture as a financial institution, it may be assuming an inappropriate degree of risk, which could mean either too much or too little. For example, a list of automotive dealers would not be as sensitive as a list of savings account customers, and therefore not at the same degree of risk and not worth the security investment.
Unfortunately, many CEOs and CIOs believe they have established adequate security measures by simply deploying a firewall. When asked if they have a firewall, they joyfully respond, "Yes!" The critical follow-up question - "Is your firewall configured to map your business model in risk mitigation?" - is seldom asked.
All Risks Are Not Created Equal
It makes good business sense to accept a modicum of risk, as long as the potential rewards outweigh the overall risks. If you choose to take larger risks, they should generate a higher potential yield. So how do you go about assessing, prioritising and minimising risk?
Understanding your business is the first step. From this understanding, you can determine what information is truly valuable. For a car maker, it might be the designs and specifications for next year's line of vehicles; for a financial institution, it might be customer account and transaction data; and for a telecommunications company, it might be rate plan comparisons. Once you've correctly identified these crown jewels, you can analyse how to best access, track and protect them.
The next step is to measure the impact of various risks to your business. If you identify risk, but cannot determine and prioritise the potential impacts, it will be difficult to establish an effective and efficient plan to mitigate those risks.
There are numerous tools available to help evaluate business risk. In fact, the same mechanisms used for weighing business strategies often translate quite effectively to measuring digital security. I use a customised variant of a strategy analysis developed by New Jersey-based consultancy Kepner-Tregoe to evaluate R&D efforts at @Stake, the security services company where I work. This helps me weigh futures and functionalities of certain technologies and better determine threat analysis areas that need my team's attention. We can then proactively help define our client corporations' technology and security curves.
Protecting Frobnitz
Here's a look at how we might evaluate a technology for security risk prior to deployment. We'll look at a hypothetical infrastructure device called Frobnitz. Let's say Frobnitz is deployed across a corporation to prioritise data transmissions on local networks based on whether or not the data originated from a company executive. First, we must ask why Frobnitz is being deployed in the first place. What are the business goals? How does it fit into the corporation's business model? Security becomes more manageable when placed in the proper context.
The security solutions will be quite different if we consider two hypothetical conditions. The first situation has the device used internally by senior executives to improve network performance. In this case, the overall benefit is minimal, so neither the risk posture nor the expenditure to secure the device should be disproportionate. A minimum need for security translates into nominal investment.
In the second scenario, the executives are performing business critical tasks like board meetings and strategic planning sessions between headquarters and remote locations over the Internet and including executives from other companies. Corporate secrets would be compromised if a competitor broke into these communications. These examples show that even a small, but dispersed user base offers an entry point into the corporation's infrastructure.
Now, the analysis might continue with questions like:
How is Frobnitz managed across the network?
Where is it deployed on the network?
What information can an attacker receive by watching this device?
What information can an attacker gain by analysing network traffic?
What happens if the device is compromised or tricked?
How was the component designed?
How is it initially configured (how does it know who is an executive and who isn't)?
What is the most restrictive configuration that will still meet the business need?
The next step in analysing risk is to create attack scenarios around each of these questions. We continue brainstorming risk mitigation techniques and responses to threat questions relative to the amount of risk they present to the company, as well as the likelihood of an actual Frobnitz-related security breach. Armed with those conclusions, we can research a customised security posture.
Ring in the Risk
Another useful risk evaluation tool is a variation of a ring analysis. This starts with a particular "atomic point", or item, and works outward in rings of accessibility. Let's use CIO as an example. The core of CIO's business could be viewed as its subscriber list; the valuable, targeted group CIO presents to its advertisers. If a competitor acquired this list, it could scoop up CIO's readers, offering them various enticements. The competitor could then present itself to advertisers as the best means to reach those valued readers. The subscriber list is therefore a crown jewel worthy of securing.
During a security analysis, you would want to define the people at CIO who need access to the list in order to modify it, adding or subtracting subscribers. You would also define read-only access for certain employees, the areas from which employees can access this list, and other interdependencies. All of these factors would have degrees of risk and value attached to them.
Then we examine the core ring. How is the system running the source database secured? The next ring of accessibility might be the local network. Analysis of this ring should include determining how users are authenticated and held accountable. Will a Web developer, HR manager and salesperson all know how to treat the data in a secure and consistent fashion? This may call for degrees of data classification. At this point, it should become obvious how to configure the firewall, network and host systems. This ring analysis method of risk assessment and mitigation is most effective once you understand how the components fit into the corporate model.
The idea of using the same procedures to define business risk analysis and your company's digital security infrastructure is long overdue. Whether you use a ring, financial or actuarial analysis to determine the appropriate security posture, there will undoubtedly be an increased understanding throughout the company when the results are in. Then, you will be able to truly maximise your returns against necessary risks.
Mudge is vice president of research and development at Massachusetts-based @Stake. Reach him at mudge@atstake.com The Million-Dollar QuestionsTry this simple exercise to help lead your company toward the goal of maximising value and minimising risk.
What you'll need:
a configured computer system about to be deployed on the corporate network
a tech-savvy systems administrator
Step 1. Have the systems administrator examine the system.
Step 2. Ask the administrator if she can tell exactly what this system is set up to do and which network leg it is going to or coming from.
Step 3. Ask the administrator about the system's functionality.
What can it do? Can it read mail? Is it a desktop system? Can it surf the Web? What is it restricted from doing? Is it equipped with the default operating system or has it been modified for a particular purpose? If the administrator is unable to provide a clear answer for Step 2 or 3 - this system may be anything from a desktop system for someone checking his bank account to the corporate database server or mail relay - then you are accepting unnecessary risk. The system has to be configured to mirror the business model. Furthermore, you will not be realising all possible rewards, you'll be throwing away performance and introducing a tendency toward chaos during future growth.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.