Tuesday, 9 September 2014

Information and the three-legged stool

I was trying to explain to a colleague how infosec people think about information, and came up with this:

I see information as being like a glass vase you have put on a three-legged stool. The stool is standing on uneven ground, in a river of melted chocolate (yes, I'm peckish). If any leg is the wrong length, the vase will fall and be swept away. If the seat is too low, the vase will also be swept away. If the seat is too high, you won't be able to see the vase, and you may break it trying to get at it. Now, you may not be bothered about losing the vase, but then again you may. Depends on the vase.

The three legs of the stool represent the three main attributes of information: Confidentiality, Availability, and Integrity. The uneven ground represents your different tolerances of threats to those three attributes. The chocolate river represents the threats to your information. The length of each leg is the amount/severity of controls which have been applied to protect the information's availability, confidentiality and integrity. The space you decide to put between the bottom of the seat of the stool and the chocolate is your risk tolerance. If the vase is swept away or broken, that's an information security incident. This can be because the seat is uneven, or the seat is too low, or too high: not being able to see it is analogous to having so many security controls that you cannot do your work effectively, and breaking it while trying to get to it is analogous to creating an incident as a consequence of requiring overly strong controls (e.g. complex passwords which people then write down on Post-Its).

The role of infosec is to work out how uneven the ground is, and to help you get the legs to the right length, also bearing in mind the likely strength of the chocolate river now and in the future. Which means that you're always at risk of an unexpected chocolate tsunami, but hey, that's life...

OK, this isn't a perfect analogy, but hopefully it helps. Or makes you crave chocolate. It does imply that there isn't a "perfectly secure" situation, just one which is suitable to your organisation's needs, attitudes and risks.

Monday, 8 September 2014

Chickens!

Why is it so hard to explain the business justification for managing information risk? I have an idea about how to explain this.

I've heard it said that information security isn't about the shark attack, but instead about being pecked to death by chickens. Let's look at that from a financial standpoint. The risk of a major incident is low enough, in people's minds, that it can be discounted (like a shark attack); the potential financial loss is huge, but it won't happen, so who cares?

The risk of minor information security incidents? Hah, they're happening all the time! Everyone and their dog is getting dodgy emails from "their bank", or "the IT department", and a non-zero proportion of the recipients will click on the wrong link out of bad luck, curiosity or fear. Of these, some will type in their login details, or have their computers taken over, and there you go. Not a huge impact on the organisation as a whole, by and large, but some hours of someone's day used to sort this out (once they notice...). The user loses time; the IT department loses time; and the organisation loses a little money. Not much. Like a single peck from a chicken: uncomfortable, but you can handle it.

How many chicken pecks before you start to really hurt? If the organisation doesn't have a "central nervous system" to allow the cumulative effect of these incidents to be understood, then they won't react like a human who's being pecked many times - they'll react like a huge number of humans who are each being pecked once. Which is to say, they will be mildly uncomfortable, but not inclined to make major changes.

The irony here is that a good information security management system acts as a central nervous system; but without it, you don't realise that you need one.

So what is the solution?

It's easy and hard - you need to either take advantage of a shark attack (have your wish list ready to go BEFORE the shark appears) or start really small and work on it. You can work on both of these approaches simultaneously.

Thursday, 22 May 2014

Hack-a-day events

I have just attended a meeting in which a presentation was given expounding upon the great value of having a "hack-a-day" event, where lots of keen programmers with fresh ideas get together and try to create code in three days (or less) in an intensive and collaborative environment. Great. It has the major advantage of getting new ideas into a workable state in a short period of time.

The thing it doesn't provide is a finished product. This is sometimes not clearly understood by the people sponsoring the event. What you get may operate, but it is "hacked" together, exactly as you might expect of code written hastily by a group. It is best to think of a hacked-together application, or app, as an example of what might be created for genuine use: a proof of concept. Like building a house in a week without plans or building regulations approval: it might look great, but how will it look in a year, and will it electrocute you?

A hacked-together solution will not work reliably: it will not be documented, and it will not be supportable. It will also not be secure. But if you take it as what it is intended to be, an example of what you could produce, it saves you a lot of time and money by telling you that the goal may well be attainable in the production world, as long as you start from scratch and develop a supportable, documented, suitably secure version of your "hack". Using my analogy above, you need to get planning permission, electrical testing and qualified builders to build a house you would be happy to live in.

Friday, 9 May 2014

Say no to "cyber"

I am strongly opposed to the term "cyber" as I find it makes people think information security is just about IT, undoing all the hard work professionals in my field have been doing to try to bring the topic to board level.

I work in information risk (or security), not IT security.

Friday, 21 February 2014

Irregular verbs

Did you ever watch "Yes Minister" or "Yes, Prime Minister"?

If so, you may remember a particularly nice concept of the "irregular verb". The only example I can remember is:

I give confidential briefings; 
You leak;
S/he's been charged under Section 3 of the Official Secrets Act. 

It's all about perspective.

I have an infosec version, not based upon a particular incident, just my musings upon academic culture and the probable changes to data protection laws in the EU:

I have academic freedom;
You are irresponsible;
The University has been fined 5% of its annual turnover for breaching the General Data Protection Regulation.

Wednesday, 19 February 2014

Pomegranates in the Wild West: Internet and network security

I suffered from something of a collision of metaphors at the conference I attended today (#TEISS), but I believe it ended well. So here goes...

The Internet, as it currently stands, is a bit like the Wild West (or at least my concept of the Wild West). Pockets of law and order, like little towns, separated by great swathes of lawlessness and anarchy. Not judging here, just observing. Now add to this the idea of even the towns containing some "black hat" cowboys. You can't always trust your internal users.

So in this situation, which we all share, what do we do to protect our networks and information?

We take our inspiration from the humble (yet delicious) pomegranate, that's what.

Nature has endowed the pomegranate with a tough, leathery outer shell; that is like the perimeter controls we put around the outside of our network to prevent the Internet madness getting in. But Nature doesn't stop there. Each pip is in its own little juicy compartment, designed to protect and nourish it (ignoring the idea that fruits aim to be eaten).

So, in addition to the perimeter controls, we can create internal zones which protect things we care most about. And, in the process, apply the really resource-intensive protections, like IPS, to the bits which matter most. This saves time and money, and is a good way of avoiding overkill. It also follows the principle of managing risk to a suitable level, not trying to stomp out all risk.
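To make the pomegranate concrete, here is an added example (mine, not from the original post) that models the shell, the compartments and the "expensive controls only where they matter" rule as an nftables forward chain. Interface names, ports and the nfqueue number are constructed assumptions, and an IPS such as Suricata is assumed to be reading from that queue.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    iface: str              # interface fronting the zone (constructed names)
    critical: bool = False  # a 'pip' we care most about: gets IPS inspection
    external: bool = False  # the Wild West outside the shell

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int

def perimeter_violations(zones, allowed):
    """Flows that would let the outside reach a critical compartment directly,
    i.e. a hole straight through the leathery shell. Should be empty."""
    return [f for f in allowed if zones[f.src].external and zones[f.dst].critical]

def build_ruleset(zones, allowed, queue_num=0):
    """nftables forward chain: default drop, explicit allows, and flows into a
    critical zone handed to the IPS on nfqueue `queue_num` (assumed listener)."""
    if perimeter_violations(zones, allowed):
        raise ValueError("external zone must not reach a critical zone directly")
    lines = [
        "table inet zones {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for f in allowed:
        src, dst = zones[f.src], zones[f.dst]
        match = f'iifname "{src.iface}" oifname "{dst.iface}" {f.proto} dport {f.port}'
        # Only the compartments that matter most pay for deep inspection;
        # 'bypass' keeps them reachable if the IPS process is not listening.
        verdict = f"queue num {queue_num} bypass" if dst.critical else "accept"
        lines.append(f"    {match} {verdict}")
    lines += ['    log prefix "zones-drop: " drop', "  }", "}"]
    return "\n".join(lines)

# Constructed sample: shell on wan0, a web DMZ, an office LAN, a critical DB zone.
ZONES = {z.name: z for z in [Zone("wan", "wan0", external=True), Zone("dmz", "dmz0"),
                             Zone("office", "lan0"), Zone("db", "crit0", critical=True)]}
ALLOWED = [Flow("wan", "dmz", "tcp", 443),     # the only hole in the shell
           Flow("dmz", "db", "tcp", 5432),     # web tier to database: inspected
           Flow("office", "db", "tcp", 5432)]  # internal users are not trusted blindly

if __name__ == "__main__":
    print(build_ruleset(ZONES, ALLOWED))
```

Note that office-to-database traffic goes through the IPS just like DMZ traffic does, which is the "black hat cowboys inside the town" point from above.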

Thus: pomegranates in the Wild West. I rest my case, and possibly need a good night's sleep.