Monday, July 4, 2022

InfoSec map is not the Info-Threat territory


We have many recent reminders of the growing, irrational gap between real information security threats and the solutions, regulations, practices, mitigations, and technologies we can and should bring to bear against those threats. The recent success and growth of ransomware is one indicator that malware threat mitigation is clearly failing. Personally, I would like to enlist everyone to protect themselves and "crowdsource" aspects of the problem.

Within the Information Security attack / defend landscape, attackers hold every possible advantage, including "asymmetric warfare," where a single attacker can easily harm billions of people. Attackers have enormous wealth and resources to create attacks, because they are funded and resourced by nation states, wealthy organized criminals, and professionals. For decades, governing entities, regulators, and consortia have written standards, regulations, and policies that chase after emerging "cyber" threats, and the trillion-dollar tech giants have tried to protect their own customers by developing anti-malware prevention and defenses, as well as mitigation hardware and software.

A wise mentor once told me "Policy is hard. Technology is easy." This wisdom applies broadly across software development and IT: naming policy, data governance policies, algorithm selection, object factoring, and even design policy.

One recurring problem I have encountered is the ubiquitous confusion in Information Technology between an abstract requirement, problem, threat, or need and one or more technological solutions (software products) that try to meet the requirement or solve the problem. IT professionals get caught up in the solution and see their own problems through the lens of some product or product family. It is nearly impossible for me to convince them to separate clearly the probability of a successful attack, the true severity of such an attack, and the resulting risk for our organization. Instead they see our problem through the lens of some specific IT technology that was designed for some other customer in some other situation to mitigate that other organization's risk. This issue is much worse in an organization where estimates of probability multiplied by severity (that is, risk) vary enormously among the organization's stakeholders and decision makers. After my repeated attempts to help InfoSec folks write artifacts that separate threats from technologies, they always inject some product and some mitigation for risks we do not have, and I never manage to prevent it.

So, I plan to "democratize" and crowdsource threat mitigation wherever I can.

I shall enlist and empower everyone to help mitigate cyber threats. One method is illustrated by the entire lifecycle of the Russian military's attack on Space-X's Starlink consumer internet service in Ukraine. The approach Space-X took in reacting to the problem is instructive and generalizable. They created and shipped a mitigation very quickly. But most importantly, the shift in attitude from the US Department of Defense on attack / defend methods will eventually broaden how nation states and large companies help defend us. When Starlink was jammed in Ukraine, Space-X reacted by calling the issue a "free QA department" that found a bug for Starlink to fix. All of us can take this idea to heart. We should all treat the email spam, phishing, ransomware, click bait, and cyber attacks we encounter as training that makes us "antifragile" and resistant to the more dangerous and better-crafted attacks we shall encounter in the future. The US DoD said that our current checklist-driven approaches are flawed and that we must be much more proactive in formulating defense. Education, training, and constant vigilance among everyone is a step in that direction.

1 comment:

Anonymous said...

Today it is just like viruses/bacteria vs. immunity.
A never-ending battle.
Well, the best protection Nature devised is still "security in numbers, and diversity."