Oct 29, 2012

Security Through Absurdity


Alternate title: the only safe computer is...

In the last blog entry we talked about risk tolerance and the importance of learning your management's tolerances. In this entry I will focus on helping you ensure that your recommendations are not exceeding what your management will likely accept.  I can't save you from putting your foot in your mouth, but hopefully you won't know what the heel tastes like when I'm through.

The first thing you have to realize before making sound recommendations is that you can't protect against everything. Many junior security professionals will identify solutions for every vulnerability. After all, they know how easy it is to exploit that vulnerability. If they can do it, then someone else probably already has. While this may help demonstrate why a vulnerability has a particular quality, it does not approach the problem with an eye for efficiency for all parties. No company or government can afford to fix every vulnerability, so we have to be practical and reasonable in what we choose to fix first.

A good place to start when identifying solutions is to focus on probability of exploitation. I previously mentioned that no company or government will spend the money to address every vulnerability. What I was really trying to say is that management recognizes that every vulnerability isn't equal in the eyes of attackers. And every vulnerability does not lead to the crown jewels. By focusing on probability of exploitation we will identify the holes that will let in the most water and sink our boat if they don't get plugged while leaving the others for when they become more threatening to our dryness.

So how do we recognize when we're being too absurd and trying to fix issues with a low probability of exploitation? When identifying "reasonable and practical" fixes you want to look for four qualities in your solution.

  • The potential attacker has to have frequent (enough) opportunity to actually come in contact with the asset we care about.
  • The potential attacker has to be capable of exploiting the vulnerability.
  • The attacker has to be motivated to exploit the vulnerability.
  • There has to be cost savings generated by reducing the impact caused by a successful exploit. If the cost of the fix is greater than the pain we're feeling by not fixing it, you're not going to have an easy conversation defending your case.

For a case study, consider a ping pong ball as our asset. During play, the ping pong ball is frequently going to be hit by my opponent's paddle. It is frequently going to hit other things (e.g. the table, my eye). It is NOT frequently going to be hit by a dump truck. So installing a steel safe around a ping pong ball to protect it from a dump truck is a possible solution, but is it "practical and reasonable"?

With our tests, we can see why the safe is an absurd solution, one which is probably going to get some laughs and glares if we propose it and may result in a sin on our record.

  • Is the dump truck going to have frequent opportunity to damage the ball? Not unless we play at a construction site.
  • Is the dump truck capable of exploiting the ping pong ball's fragility? With far in excess of 100% probability.
  • Was the dump truck motivated to exploit the ping pong ball's fragility? Not unless I threw it in front of the truck when the truck had too much momentum to stop before crushing the ball.
  • Was the cost of the fix less than the cost of replacing the ball? Safe = $50 to $1000s; ping pong ball = 20 cents. NOOOOO!!!

When we look at the situation with those 4 litmus test questions, it's clear that there is no reasonableness to the solution, even before we consider how impractical the fix would be to implement while still keeping the asset useful for its intended purpose.
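To make the four litmus tests concrete, here is an added example (not from the original post) that scores each finding by the attacker's opportunity, capability and motivation, turns that into an expected annual loss, and then asks whether the fix costs more than the pain it removes. The class name, the field names, the scoring formula and the two sample findings (the ping pong ball from the post and a constructed internet-facing login flaw) are all assumptions made for this illustration; plug in your own management's numbers rather than these.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability scored against the four litmus tests (assumed structure)."""
    name: str
    opportunity: float      # 0..1: how often an attacker can actually reach the asset
    capability: float       # 0..1: how able the attacker is to exploit it
    motivation: float       # 0..1: how much the attacker wants to exploit it
    contacts_per_year: float  # how many times a year the asset is exposed at all
    impact_cost: float      # cost of one successful exploit, in dollars
    fix_cost: float         # one-time cost of the proposed fix, in dollars


def likelihood(f: Finding) -> float:
    """Probability that a single exposure turns into a successful exploit.

    Capability is clamped to 1.0: a dump truck's 'far in excess of 100%'
    is a joke, not a probability.
    """
    capability = min(max(f.capability, 0.0), 1.0)
    return f.opportunity * capability * f.motivation


def annual_loss_expectancy(f: Finding) -> float:
    """Expected dollars lost per year if we leave the finding alone."""
    return likelihood(f) * f.contacts_per_year * f.impact_cost


def fix_is_reasonable(f: Finding) -> bool:
    """Fourth litmus test: does the fix save more than it costs?"""
    return annual_loss_expectancy(f) > f.fix_cost


def triage(findings: list[Finding]) -> list[Finding]:
    """Order findings by the water they let in, most dangerous first."""
    return sorted(findings, key=annual_loss_expectancy, reverse=True)


# Constructed sample findings (values are illustrative assumptions).
PING_PONG_BALL = Finding(
    name="ping pong ball vs dump truck",
    opportunity=0.001,        # we rarely play at a construction site
    capability=1.0,           # the truck can certainly crush the ball
    motivation=0.01,          # the truck has no interest in the ball
    contacts_per_year=200,    # games played per year
    impact_cost=0.20,         # replacement ball
    fix_cost=50.0,            # cheapest steel safe
)

WEB_LOGIN = Finding(
    name="unauthenticated bypass on internet-facing login (constructed)",
    opportunity=1.0,          # reachable by anyone, all the time
    capability=0.8,           # well-known technique, public tooling
    motivation=0.7,           # customer data behind it
    contacts_per_year=12,     # roughly monthly scanning waves observed
    impact_cost=50_000.0,     # breach response and notification costs
    fix_cost=4_000.0,         # a few days of developer time
)


if __name__ == "__main__":
    for f in triage([PING_PONG_BALL, WEB_LOGIN]):
        verdict = "fix" if fix_is_reasonable(f) else "absurd to fix now"
        print(f"{f.name}: ALE=${annual_loss_expectancy(f):,.2f} "
              f"fix=${f.fix_cost:,.2f} -> {verdict}")
```

The point of the scoring is not the exact numbers but the shape of the conversation: if the first three tests drive the likelihood toward zero, no amount of impact makes the safe worth buying, and the fix lands at the bottom of the triage list where management expects to see it.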

I hope this arms you with some gut sense that you may not have stumbled on yet, so your future recommendations can be viewed as sane, practical and intelligent. If you use these tests and still get strange looks, dig back into management's perception of the value of the asset: you may have missed something in how they view the negative impact, and you can further tune your thoughts for a more accurate understanding of their tolerance.
