This blog post is moved to my new blog platform:
This blog post is moved to my new blog platform:
Why do IT people and security specialists need to know and study the art of Risk, Risk Assessment and Risk Analysis?
Why each security exam like CISSP dedicates a whole section to talk about “Risk”? Who cares really?! Why don’t you just do your homework and implement some security best practices and hope nothing bad will happen?
Have you ever asked business people to spend couple of thousand dollars to purchase security products? When they asked why, you answered “Well, to prevent hackers and secure systems!!”.
I can imagine the look on business people who write the checks as the last thing they care about is spending money for something they do not feel or digest. If you asked them to write checks for laptops, then they might agree, because they can imagine a person using that laptop to do his work as laptops are physical assets after all. When you start talking about securing the systems, then do not expect business people to ever understand this. Usually business people cannot care less about security until they get attacked heavily.
Think about this, if you are in a small organization with couple of sales people and 2000 dollars profit daily, and you have couple of servers located in the kitchen because you do not have server room, then you cannot go to your boss asking for an IDS system that costs 50,000 dollars in order to implement detection counter measures. If you understand your business and profit, and study the risks, IDS could be the last thing to consider at this point.
Now, if you go to your boss, telling him that you need to build a server room to put all the servers there as it is more secure that way, he may or may not agree with you. Instead, if you tell him “We need to spend 5000 dollars building a server room, not doing that may allow anyone to steal servers from the kitchen and cause the business to stop for couple of days”. Since the business gets 2000 dollars profit per day, it makes sense to invest in 5000 dollars server room because the business impact for not doing this is bigger.
“Security people need to understand business and how to speak to business people and to justify their security countermeasures by speaking about the likelihood of business losses (Risk) if they do not purchase or implement security systems”.
Security specialist cannot just go and implement random security solutions (think about IDS in the previous example). Instead, they need to understand the business and what can cause the business to lose (Risk) and use that as the drive to implement security measures (Risk Mitigation). So let us talk more about “Risk” from that perspective.
First of all, remember that “Risk” is simply a business concept. It is invented for businesses to talk about their potential loss weather it is financial loss or other type of loss. Risk is not an IT concept at all. Keep this in mind always.
Business can be at risk when merging with another company (financial loss), or it can be at risk if it loses its secret (legal loss). Business can also be at risk if the servers went down (financial loss, think about Facebook site going offline for couple of hours).
Risk is defined as the likelihood of business losing. For example, you can say that the business is at big risk of losing all its assets if an earthquake hits the building or business is at big risk if its medical information get published.
Since Risk is a business concept, why should i learn about it? Well, IT and Risk intersect when IT security people start talking about security solutions that should be in place to protect business from loss. So you can say “what will happen if a server went down because of a virus for example, and how much money this will cost the business”.This will simply justify your need for Antivirus solution.
For you as an IT guy, risk relates to you when it comes to business losing something when your systems went down or attacked. Loss can come from different sources:
People have different ways to understand how risk is measured and evaluated. I am so comfortable with a particular way that I will try to explain here:
So the likelihood of loss equals what how high the threat is times how vulnerable my business is against that threat.
Do not think of this in a numerical way, by saying for example that threat is 40 and vulnerability is 10 so I will have Risk = 400 or so. It does not work this way.
Instead, think about it in a High, Low and Medium way. So if both threat and vulnerability are high, then I will have high risk. If both are low, then I will have low risk.
If I am worried about online attacks and If my business has an online presence, then there is a threat, and because hackers always target online websites, then the possibility of being attacked by hacker is high, and thus the threat of hackers is high. Now if I do not have firewalls and antivirus, then I will be vulnerable against that threat, so my vulnerability is high, and thus risk is high. If I happen to have good firewall and antivirus solution, then my vulnerability is low, so it could be that the risk of hackers is medium because the threat is still high.
What you can notice easily from this equation is that anything times zero equals to zero. So if any of the threat or vulnerability is zero, then the risk is simply zero. Let me explain more, if we are to evaluate the risk of earthquakes on business located in place that do not have earthquakes, then it is not logical to implement any counter measurements against earthquakes because the threat (the danger) is zero, and also the risk equals to zero because anything times zero is zero. No matter how vulnerable your business is against earthquakes, it does not matter.
Also, if you have many counter measurements and security controls in place against online hacking, then your vulnerability against online hackers is zero, and the risk is zero no matter how high the threat is.
Finally, IT security specialist should study the concept of Business Risk and how to mitigate those risks by implementing security solutions. Knowing what causes the business to lose money or reputation, should be your drive to focus your efforts on what to protect or what to protect most.
Studying types of threat that the business can have is very important. Each business has different type of threats. A certain threat can be big issue for a business, but can be ignored by different business. A company without online presence will care nothing about online attacks for example. Knowing the business will give you clear image of the type of threats and thus the risk the business can encounter. Keep this in mind.
Also, it is no practical to just implement security solutions because you think so. Why to implement a complex IDS systems on workstations while the business may not be affected of those workstations are down. Maybe the business is using web servers with static content, and bringing all those servers will not affect the core business, so the impact of the risk can be ignored and thus, you should not focus on securing those servers.
Risk Assessment controls the IT security budget also, by making sure the money is spent on protecting the business most valuable assets and on things that cause big damage to the business.
Risk Assessment from my point of view is like a compass, it calculates danger times protection, asks the business if it cares , and finally direct security efforts accordingly.
Why do IT Security specialist need to know and understand business, finance and return of investment to a certain extend? Why don’t security people do their homework by just installing a security solution and firewalls? After all who cares?!
Have you ever seen a security consultant entering an organization, going directly to the IT room, starting to ask questions from his predefined check list “Do you have FIPS Compliant encryption?” , ” Do you have a compliant firewall in place” , “Let us purchase this and this”.
Even worse, when you decide to do your homework and purchase a security solution and ask for money to secure your network, the people who write the checks may refuse to spend money on something they do not understand. They do not understand technology and why should they spend money on something they cannot digest or feel. “Wow, do you want me to spend money to be what?? Secure?!! Who cares” says the CEO.
I will start by talking about a strange fact for most of IT security specialist, and that is: “In order to be a successful security specialist and do Risk Assessment, you need to know about both technology and also business. A lot of technology and little of business”
A lot of people will simply forget or chose to ignore the need to know the business of the organization. They just install couple of firewalls and build a security solution, without knowing much about the business they are trying to secure. Believe me when I say, this is one of the biggest and most common mistakes happening all the time.
Firs of all, do not forget that IT exist to serve business and get money. In fact, we are here to serve the business and not the other way around. People who will pay money to purchase and implement security solutions are business people, and they need business justifications in order to spend money. It is not going to mean anything if you say “I need money to make the systems more secure”. For a business person, okay who cares! Do you want me to spend money for something that I cannot see or touch or even feel?
Instead, you can simply say “we are going to purchase a firewall to prevent hackers from stealing business trade secrets. Not doing that will cause us many financial and legal issues”. Now you got their attention when you start talking about business loss and impact. That is, you should provide business justifications and return of investment for spending money on security and what is the cost of not doing that. In other words, you shall start learning the concept of business “Risk” and “Risk Assessment”.
Not only that, if you do not know what the most valuable assets for the business are, then how could you know what to protect or what to protect most? If all what matters to a business is their contact information that exists in a file share, and losing those contacts can cause big damage, then it is not practical for you to put all your security measures on the company’s web servers that are holding the company static web site, and losing those web servers will not actually affect the business that much.
I cannot emphasis how important to study the business from an IT security angle in order to understand what cause the business financial loss, reputation issues or even legal loss. Knowing those business risks, will be your drive as a security specialist to start mitigating those risks from IT perspective and directing IT cost in the right direction.
To summarize this, IT security specialist should study the concept of Business Risk and how to mitigate those risks by implementing security solutions. Knowing what causes the business to lose money or reputation, should be your drive to focus your efforts on what to protect or what to protect most.
It is funny how the job of IT Administrators is to help users getting to everything they need, while Security Administrators will try to restrict the user’s access. Someone i know told me once “You got access denied ?! Good, the security is working” ! At a basic level, that means that Security Administrations at its core is fundamentally opposed to Network Administration – they have in fact conflicting goals. This creates the trade-off that we need to consider.
I think that technology should be transparent to users. At the end, users should be able to do their job, and bring some money to the corporation they are hired in.
Since end users are not IT people, then the technology should also be easy to use and useful. This is sometimes called Usability. In other words, the trade-off is between Security and Usability. Makes sense right?! Keep reading please.
You can make any technology more secure, but by doing so we will make it less usable. So how do we make it more secure and more usable?This is were the third axis of the trade-off comes into play. Any good engineer is familiar with the principle of “good, fast, and cheap”.You get to pick only two.
You can make something more secure and more usable, but you it will cost more in terms of money, time and human resources. This is why nowadays security cost a lot of money.
Returning to the argument (security will break stuff), many organizations, especially the small ones, will not invest or care a lot about security. Maybe they think that they are small enough to care about attacks or security. Those are the first to get attacked!
Medium and some big organizations that are not dealing with money saving (like banks) and secure government projects, will not consider high security measures most of the time until they get hit by an attacker.They took security for granted. Sadly speaking, most of those organizations will invest money on how to serve customers and preparing the infrastructure for that, ignoring the security side of their network. One day, they get attacked somewhere, and they will wake up and start considering security. This already costs them a lot (may be this may cost them their reputation also)
I guess that any organization nowadays should start with security in consideration, by applying the (Secure Enough) principle[http://wp.me/p1eUZH-8F]. They should invest in the minimum amount of security as a starting point and build up from there. After that, they should invest on hiring a security administration team to keep an eye on their network and make sure to gradually implement a security baseline, and following up with security audits. Finally, a complete threat modeling for their network can help them move to the correct place. It is not a bad idea to take an advise from external body to evaluate where they stand on terms of security and network protection.
Does security break stuff?! I guess that depends on the business. If you are a bank, then lowering usability to increase security is something you should do. On the other hand, investing more in terms of money and resources, will give you both security and usability. Always ask your self this question ” what i will lose if i get attacked? will i lose my reputation on the market? and what will happen if all my published services get shutdown because of DoS attack?” . if you do not like the answers, then start working on Security more seriously.
I started working as an infrastructure guy and playing around Active Directory and networking .I worked in many different platforms and products before I decided to specialize in network security and I have been working and researching in this ﬁeld for 5 plus years now, and my researches at ﬁrst was not about security products themselves, but about the theory of security and all related things like risk assessments and threat modeling, before I focused on Cryptography science and Public Key Infrastructure then jumping to Microsoft security products and solutions including Smart Cards and Identity life-cycle and management
I sometimes get asked this question “Do we have a secured network?” and also people think that my role is to make things 100% secured and that if we brought dozen of security products and the latest intrusion detection and prevention devices in addition to deploying smart cards ,that we have reached the state of secured network. The answer for all those questions is NO.
“Security” is deﬁned as “freedom from risk or danger; safety”. It is obvious that security in computers can never gain this goal. “Computer Security” on the other hand is more “management of risk” as “Secure” means we can stop working because the network is now secure.
So, network security is a process, a task description, not an end state. It is a journey, not a destination. I would like to think of network protection as the goal and network security as a task description.
Let us get back to the question “Is your network secured? “. Well, we cannot answer this question, but instead we are aiming to have “Secure Enough” network though. What does that mean? One way to look at it is by comparing it to a car alarm. Does a car alarm make it harder to steal a car? No, not really. Does it prevent the? Well, that depends. If you have an alarm but the car next to you does not, it is likely that a thief may just steal the car next to yours (unless he really wants yours).
It is kind of like the old story about a camping trip. Two guys are sing by the ﬁre and one of them asks what they will do if a bear comes. The other guy says, “That’s why I am wearing sneakers. “The ﬁrst guy asks, “Do you really think you can outrun a bear though?” The second responds, “No, but I don’t need to. I just need to outrun you!” In some cases, it is simply enough to be a more diﬃcult target than someone else.
I hope you got my idea clear now. As long as bad guys are not out to get to our network speciﬁcally, if we protect our network suﬃciently, it is likely that they will attack a network that is less secure, unless they really want something from our network. So we face two challenges: protecting our network from casual attacker or virus that does not care which network it destroys, and protecting our network from the determined attacker who wants information from us.
However, if we take some fundamental steps, we will have accomplished the former as well as make the job of the determined attacker much harder. This frees us to focus on the part of staying far enough ahead of the determined attacker. In a sense, protection is like a temporal security. It makes sure that we are secured until the bad guys learn enough to break our defenses. At that me, we had beer have additional defenses in place.
That’s only me.. Tell me what you think?