COUNTERPOINT by Marcus Ranum
Bruce, you're taking a very naturalistic--even evolutionary--view of risk management, and it's hard to disagree with something that has obviously worked for hundreds of thousands of years. The problem with any evolutionary viewpoint, however, is that we tend to sweep under the table the grim slaughter of the failures. The reason we got to where we are today (other than just plain dumb luck) is a pretty strong flight/fight reaction--in that order. As you say, our reflexes don't work in today's networks because there's no place to run--and the bad guys cheat.
It's fine to say we need to balance the costs and benefits of our decisions, but life has gotten a lot more abstract and our decisions are less visceral. If you let the guys in marketing have their way and open that port in the firewall, you might lose your job, but it's not as if the barbarians are going to force their way in and put everyone in the cubicle farm to the sword. Whenever someone says something like "a firewall is like a castle wall," I remind them that the stakes used to be different, and that's why the number of openings in a castle wall tended to be autocratically and rigidly controlled.
But that's the problem, isn't it? The stakes are moving and attitudes are not. It was one thing when a company's poor decision about a firewall rule affected its stock price; it's something completely different when you contemplate sovereignty-ending events like losing a war because too many secrets were leaked or a command/control network was compromised. I think a lot of decisions are being made based on wishful thinking rather than a clear-eyed assessment of costs and benefits.
I don't think we do a very good job of estimating costs, benefits or risk. Simple example: a company hooks SCADA systems to a wide-area network to save money, then spends many times the savings when it has to go back years later and secure it. The fact is, we're good at estimating risks right in front of us, but tend to leave long-range problems for later, when someone else who cares can deal with them. I've sat in on "risk assessment" exercises, and they generally seem to be a process whereby security practitioners try to manipulate senior management's perception by cooking up a bunch of wild guesses that multiply out to just the pretty number they think it should. You say we shouldn't "trust our gut," but that's exactly what's going on.
Once, as part of a group building command-and-control networks for war fighters, I made myself amazingly unpopular by pointing out, as a potential consequence of a network breach, that the U.S. might no longer be a world power. Everyone remembers Imperial Rome for having been eventually toppled by the outsourcers it had relied on to secure its northern borders--not for its advances in engineering or indoor plumbing.
Risk assessment numbers are cooked to make them complete-looking, cost-probable and organizationally acceptable to upper management. It's as if a bunch of medieval castellans based their wall design on the worst-case scenario of being attacked by ducks rather than barbarians.
You're right: We lack the data to do risk management well. Unlike Las Vegas, which is built on straightforward statistics, computer security is infinitely squishy because the attack vectors change every day, the target surface changes every week, and the value of what's at stake changes every second. The insurance industry tracks a lot of discrete parameters to formulate its point spreads, but in technology we're adding new parameters every day, and they're fiendishly interdependent. We'll never have the data to do risk management well unless the rate of innovation (also known as "the rate at which security gets worse") slows down. That brings its risks too.
In short, I don't think "risk management" is the correct term. We should call it something more accurate. The cargo cultists and voodoo practitioners would probably be insulted if we tried to insinuate we used their methods, so maybe we should just settle on "hand waving."