
Yay! We Have Value, Part 2

June 11, 2011

There are very few things more valuable to me than someone constructively challenging my thoughts.  I have no illusions thinking I’m right, and I’m fully aware that there is always room for improvement in everything.  That’s why I’m excited that lonervamp wrote up “embrace the value, any value, you can find”, providing some interesting challenges to my previous post, “Yay! we have value now!”

Overall, I’d like to think we’re more in agreement than not, but I was struck by this quote:

Truly, we will actually never get anywhere if we don’t get business leaders to say, "We were wrong," or "We need guidance." These are the same results as, "I told ya so," but a little more positive, if you ask me. But if leaders aren’t going to ever admit this, then we’re not going to get a chance to be better, so I’d say let ’em fall over.

Crazy thought here… What if they aren’t wrong?  What if security folks are wrong?  I’m not going to back that up with anything yet.  But just stop and think for a moment: what if the decision makers have a better grasp on expected loss from security breaches than security people?  What would that situation look like?  What data would we expect to find to make them right and security people wrong?  Why do some security people find some pleasure when large breaches occur?  Stop and picture those for a while.

I don’t think anyone would say it’s that black and white, and I don’t think there is a clear right or wrong here, but I thought I’d attempt to shift perspectives there, see if we could try on someone else’s shoes.  I tend to think that, hands down, security people can describe the failings of security way better than any business person.  However, and this is important, that’s not what matters to the business.  I know that may be a bit counter-intuitive: our computer systems are compromised by the bits and bytes.  The people with the best understanding of those are the security people, so how can they not be completely right in defining what’s important?  I’m not sure I can explain it, but that mentality is represented in the post that started this discussion.  This sounds odd, but perhaps security practitioners know too much.  Ask any security professional to identify all the ways the company could be shut down by attackers and it’d probably be hard to get them to stop.  Now figure out how many companies have experienced losses anything close to those and we’ve got a very, very short list.  That is probably the disconnect.

Let me try and rephrase that: while security people are shouting that our windows are susceptible to bricks being thrown by anyone with an arm (which is true), leaders are looking at how often bricks are thrown and the expected loss from it (which isn’t equal to the shouting, and is also true).  That disconnect makes security people lose credibility (“it’s partly cloudy, why are they saying there’s a tornado?”) and vice versa (“But Sony!”).  I go back to neither side is entirely wrong, but we can’t be asking leadership to admit they’re wrong without some serious introspection first.

[Image caption] I didn't read anything at all at http://seattlest.com/2005/06/24/rant_rave_bitch_moan.php - I just used this image from there.

I’d like to clarify my point #3 too.  Ask the question: how many hack-worthy targets are there?  Whether explicit or not, everyone has answered this in their head, and most everyone is probably off (including me).  When we see poster children like RSA, Sony, HBGary and so on, we have to ask ourselves how likely is it that we are next?  There are a bazillion variables in that question, but let’s just consider it as a random event (which is false, but the exercise offers some perspective).  First, we have to picture “out of how many?”  Definitely not more than 200 Million (registered domain names), and given there are 5 Million U.S. companies (1.1 Million making over 1M, 7,500 making over 250M), can we take a stab at how many hack-worthy targets there are in the world?  10 thousand?  Half a million?  Whatever that figure is, compare it to the number of seriously impactful breaches in a year. 1? 5? 20? 30?  Whatever you estimate here, it’s a small, tiny number.  Let’s take the worst case of 30/7,500 (max breaches over min hack-worthy); that comes out to a 1 in 250 chance.  That’s about the same chance a white person in the US will die of myeloma, or that a U.S. female will die of brain cancer.  It might even be safe to say that in any company, female employees will die of brain cancer more often than a major/impactful security breach will occur.  Weird thought, but that’s the fun of reference data points and quick calculations.

This is totally back-of-the-napkin stuff, but people do these calculations without reference data and in their head.  Generally people are way off on these estimations.  It’s partly why we think Sony is more applicable than it probably is (and why people buy lottery tickets).  The analogy LonerVamp made about the break-ins in the neighborhood doesn’t really work; it puts the denominator too small in our heads.  Neighborhoods are pictured, I’d guess, as a few dozen, maybe 100 homes max, and that makes us think we’re much more likely to be the next target.  Perhaps we could say, “imagine you live in a neighborhood of 10,000 houses and one of them was broken into…” (or whatever the estimate of hack-worthy targets is).

I bet there’s an interesting statistic in there, that 63 percent of companies think they are in the top quarter of prime hack-worthy targets.  (Yeah, I made that up; perhaps there’s some variation of the Dunning-Kruger effect for illusory hack-worthiness.)  Anyway, I’m cutting the rest of my points for the sake of readability.  I’d love to continue this discussion, and I hope I didn’t insult lonervamp (or anyone else) in this discussion; that isn’t my intent.  I’m trying to state my view of the world and hope that others can point me in whatever direction makes more sense.

Categories: General Security, Risk
  1. June 12, 2011 at 10:08 am

    First let me start by saying that it’s just plain wrong for anyone to be happy about a major hacking incident. Sure, we all say “I told you so” when Lockheed Martin gets hacked, but in exchange for that childish delight, a major defense contractor has been breached by a sophisticated attacker. It also illustrates just how bad our profession is at the very reason we even exist as a profession. I think someone could make a decent argument that if Google, Sony, Infragard, Lockheed Martin, or the International Monetary Fund can’t keep hackers out with their army of security people, then I can’t keep hackers out either and I should stop wasting money on security people.

    As for the risk calculations, I think we have real problems on both the numerator and denominator. You’ve already talked about the problems we have with frequency. But I was just looking at a risk analysis recently that put the probable loss magnitude of an unattended, unlocked laptop computer at 3 grand. Considering that this happens about a bagillion times a day where I work, we should be expecting complete bankruptcy by lunch time.


  2. June 13, 2011 at 8:47 am

    Jay, I’d certainly say we’re more in agreement than not. 🙂 I think we’re both poking at the gray places in our arguments where there really is no right and wrong. I do like that you carved out my quote like that. Reading it that way, I’m surprised at what I implied! I need to watch for that!

    Perhaps this discussion could be served just a tiny bit by looking at any possible increase in hacking attempts that are disruptive. For instance, we certainly get rocks thrown at our windows daily, hourly, and certainly we don’t need to stop every single one. Sometimes they lead to dead-end incidents that don’t matter or are easier responded to than prevented. I guess I expect hacking to continue to get worse, and even small incidents become more commonplace. Sort of like a bunch of mosquito bites finally causing a homeowner to take more measures for their backyard relaxation. (Then again, I doubt we’ll even know how many targets repelled these dedicated hacking groups.)

    It also should illustrate that once you have an Aaron Barr in your company who pisses some hornet’s nest off and they target you, you’re probably going to be in trouble. An outlying incident, perhaps, but something that dramatically changes [security needs] risk.

    It would certainly help if we knew even half the situation in these large hacking incidents. Were they really poor in their security, as in laughable? Was there any risk analysis done? I don’t think I’ve shaken my finger at Sony; it’s hard to do so without knowing details. I basically only have the lack of a CSO to go on, that and a series of attacks; but Sony is so large that even a culture of insecurity shouldn’t necessarily be reflected in sites and networks put up by different groups and units.

    I’ll admit, trying to have a guy interested and involved in security to justify security is a bit self-serving. I’d certainly listen to business leader opinions, and I think they would echo much of what you’re saying. And probably much of what we’re seeing in the business landscape. Baseline security?

    I guess this line of thinking could then dive into: Does that mean every security professional will be frustrated on a permanent basis, unable to get done what they feel they need to?

    I’ve rambled enough outside the lines of the original discussion. 🙂

    Lastly, I just want to say I’m not insulted in the least, and love a good discussion where I also can learn more!

    @Kevin I would disagree about not being happy about a major hacking incident. First, for the reasons above about improving security. It’s hard to get better without opposition (both practical but also budgetary). Second, because of the knowledge gained by such an action. I would hope that attackers blow an 0day or two, get themselves caught, teach the rest of us a little bit more about their methods and motivations, etc. That’s not to say I’m cheering some hacking group on or even begin to agree with their motives, of course.

    The media has an awful position in all of this. The media loves sensational things. And we in security (and even business leaders) accept that there is no “secure state” and that we *will* be popped in a security incident some day by some one. This makes for an infinite level of news fodder to point out that someone made a mistake or dropped a ball or let loose some data. Then we get that media frenzy, plus all the armchair quarterback commenters, and it really just turns into a mess where nothing and everything makes sense.

  3. June 13, 2011 at 9:24 am

    I was catching up on a mailing list (FD) and came across that attitude of “must fix every single thing or you’re insecure!” I think that’s part of the problem in the industry, but still a necessary and hopefully small component.
