Firewall Wizards mailing list archives

RE: Security policy and risk analysis questions


From: "Matt McClung" <mmcclung () ndwcorp com>
Date: Fri, 30 Apr 1999 08:02:13 -0600

Bennet,


I doubt you'll find anything useful there; the problem is, things won't hold
still long enough to collect meaningful statistics. The question you're
asking ends up reducing to "what are the odds that someone will write and
distribute an easy-to-use exploit", and the like.

Fortunately, this doesn't mean we can't do our job:-).

You are correct about the state of security; in fact, security is not a
point-in-time science, rather it is an ongoing responsibility.  However, you are
able to look at the security measures in place in a snapshot mode.  This is
how you gauge where you are and then decide where you need to get to.

Possibility is usually assumed to be on the high side.  We must assume that
there are people with more time on their hands than is productive.
Therefore, this small fact forces us to increase that number automatically.
In security, as you know, we always assume that there is someone who can
write whatever exploit needs to be written to help 'educate' the public
about security.  On the other hand, specific applications and/or environments
have less exposure to the public, and the possibility that someone could
attack something they have never seen decreases your Ps factor.

The goal of the formula is not to help create statistics, except to help
visualize the real need for certain INFOSEC steps given a particular
environment.


The easy way to tackle the problem works just about all the time: having
identified assets and threats to those assets, evaluate protective measures
available, and insofar as possible stick to a policy that mandates
conservative protections that do not hinder peoples' ability to get their
work done. Turns out that's not too hard most of the time. When people start
pressing to get their latest new toy running, explain the threat potential,
and get 'em to provide the business case for their new service.

Risk managers make business judgements all day long without hard statistical
measures of some risks; that's just part of the job. As long as you can find a
line where the costs of generous protection aren't onerous, you can get by
without risk measures.

Ah, if you ask them how they make the decision, chances are that in their
background they have learned a risk aversion formula or technique (which is
what this is really) and now they have that so well ground in their daily
operations they can apply that without having to take the actual steps.  I
do the same thing, but the idea is what is important.  When you are trying
to learn how to 'calculate' the security levels needed this is a good start.


It seems pretty safe to always assign a near-unity probability to a given
threat being attempted; the resulting decisions seem reasonable, and when you
look back over recent history, that probability seems to be justified:-). One
week a threat is a theoretical discussion of a potential weakness; the next
it's an announcement from CERT and emergency bugfix releases from vendors.

Oh so true; in fact, the sad part is that most people don't even know about
the theoretical part before CERT has sent out the email about the reality of
it.  Again, we need to somehow factor this into our daily security
evaluations.

I appreciate the comments, they help me take a different look at things to
further improve my own thinking...


Matt McClung
