(UPDATED) CISOs and their teams are not just producers of risk analyses and assessments. We are also consumers of them. They come from many sources. The main four are:
- Responses from third parties whose goods and services we are evaluating as part of our due diligence
- Assessments provided by entities that are targets of mergers, acquisitions, partnerships and affiliations (more due diligence)
- Those unfortunate statements made by those individuals in the unenviable position of having to make statements about breaches and hacks that have impacted their organizations
- People trying to sell us stuff
These assessments, white papers, press releases and analyses are full of statements that purport to describe controls and how effective they are. With a nod towards Politifact, I’d like to propose a scale that we can use to rate these statements about control effectiveness. Are they “spot on” or so far from the truth that you’re thinking they must be typos?
Since proximity to the truth is the point, I’m taking the scale from the kids’ game where you tell someone how close they are getting by indicating temperature: “you’re getting warmer” when they are getting close and “you’re getting colder” when they are moving away from it.
Below is an explanation of the scale followed by the first installment of statements debunked (all from actual sources). Others will follow (send yours for consideration).
1. Absolute Zero: just plain lying about something. This includes lying to yourself.
2. Freezing: a statement that something lowers risk when it just doesn’t
3. Getting colder: saying a control has an effect on risk it mostly doesn’t
4. Getting warmer: saying a control has an effect on risk it mostly does
5. Burning up: saying a control has the effect it says it does
But I don’t want to stop there. I’d like to add the “Sticks and Stones” label for statements which present a written policy or procedure as somehow being as effective as an existing strong physical or technical control. This is a variation on the children’s rhyme as follows:
Sticks and Stones
Protect my bones
But words won’t always
Save me
Below are some examples. You may not agree with the rating. You may have your own examples of controls you want to rate like this. Send your examples and feedback, and when we have enough for another installment of this column, we’ll publish it. And don’t worry if you are not sure how to rate it. Just send us a control and we’ll give it a rating. One caveat: this column will not be used for rating individual products by named vendors.
Age before beauty
The equipment is old and way past end of life, but the manufacturer has a reputation for making high quality equipment and it has never gone down. So the information security risk of using the equipment is low.
Absolute Zero: the reliability of the equipment is irrelevant at this point to its overall fitness to protect data. As an end-of-life product, it no longer receives security patches, so it is exposed to newly discovered vulnerabilities; and since no equipment lasts forever, it will eventually either break down or be incompatible with the newer components installed around it. This one is just for show.
We can count on you, right?
We don’t enforce password construction or use rules in our software, but the sensitive data it stores are not at risk because you are running the software inside your firewalls.
Getting colder: Ok. Yes, the software will run in a protected intranet, so some threats will be blocked. But not all threats come directly from the outside, the internet. Sometimes malware infects a computer inside the firewall and then starts to explore for weaknesses. And a piece of software whose weak passwords can be guessed with a brute-force attack is an easy target for it.
If people would only do as they’re told
By choice, we do not encrypt all our laptops, but we have a policy against anyone putting sensitive data on an unencrypted laptop and leaving the building with it, so the risk of a breach is low.
Freezing: This is the equivalent of saying that you do not lock your front door because stealing is against the law. The only reason it does not get the Absolute Zero rating is that policies do matter and we don’t want to discount them.
But not only does this statement miss completely, it earns the Sticks & Stones label because it insists that a written policy can take the place of an available, extremely strong preventive control.
You can trust us, we use an acronym
Yes, installing the software in your environment is low risk. We have security as part of our Software Development Lifecycle (SDLC): we compile the software on servers that run anti-virus software.
Freezing: You don’t know whether to laugh or cry with this one. You could write incredibly destructive software on machines running anti-virus software. You could write software that is vulnerable to all of the OWASP Top 10 on a machine running anti-virus software, since the anti-virus software doesn’t do security code review; it prevents malware from running.
In the real-life scenario this is taken from, after a little pushback and three levels of management, we finally got to someone who understood what security code review was and assured us that the code was, in fact, reviewed for vulnerabilities. The moral to this one is that when doing a risk assessment by interviewing people involved in a project, make sure you talk to the right people.
The death of a thousand cuts
The database is in our data center behind lots of security. You might be able to hack individual POS terminals/workstations, but you would not be able to steal the data wholesale, so the risk of a large breach is low.
Absolute Zero: Recent large breaches at major retailers have exposed this logic as flawed. This assessment is also an instance where the risk assessors were perhaps lying to themselves as much as to anyone.
You gotta know the secret handshake
The tapes are not encrypted. But it takes special equipment to read those tapes, so the risk that the data will be breached is low.
Getting colder: Ok. This one has some validity. As the number of people who even know what EBCDIC is gets smaller and the hardware for reading certain kinds of backup tapes gets scarcer, obsolescence can be a mild control.
It is not strong enough to stand up to regulatory scrutiny (e.g., HIPAA). And if the data on the tapes were worth millions of dollars more than buying the tape reader, then it’s game over. But MacGyver never read an old-style backup tape with duct tape, a pencil and a paper clip. So in preventing a breach of data in the event that the tapes are lost or misplaced, we cannot say it misses the mark entirely.
Yes, but…
Passwords are obsolete. They do not lower the risk of a breach at all. It seems like sophisticated hackers have no problem obtaining any password to anything, any time they want.
Getting warmer: Maybe we are just nostalgic, but we are not buying this as 100% accurate. It’s like saying: airbags can’t help you if your car is hit by a train so why use airbags? Not every car that crashes is hit by a train. In other words, data classification matters; scenarios matter.
If you are a (very attractive) celebrity and you store nude pictures of yourself in the cloud, that is like driving on train tracks. Bank regulators have required more than just passwords for large on-line transactions for years now. There are requirements to use two factor authentication for on-line prescribing of controlled substances.
Do we need to distinguish between our, pardon the expression, private parts and our less sensitive data when using computers and designing authentication schemes? Yes. Does that mean a good strong password can never contribute to security? No.
You can’t see it but you know it’s there
We fully encrypt the thumb drives before we give them to users.
Burning up: You can argue that full disk encryption has its vulnerabilities, but as a way of preventing an unauthenticated user from reading what’s on the disk, I think you have to classify it as a control that does precisely what it sets out to do.