This past Tuesday I spent the afternoon at a local college helping them work through their Risk Management process. In my opinion Risk Management is one of the least understood practices in information security, and subsequently one of the most miscast, overlooked and underperformed. But it makes me happy.
Given that this is the first time that this client is going through Risk Management, we’ve spent a considerable amount of time evaluating risk in a number of areas of security. The evaluation has been thorough and complete, a testament to the client’s commitment. And caffeine load. It’s never easy the first time around.
Risk Management is misunderstood for many reasons, not the least of which is the calculation of risk itself. Evaluating risk has always been one of information security’s dark arts. Risk is the mathematical product of Likelihood and Impact, and calculating it can be difficult for a number of reasons. In most cases, asset owners and businesses are equipped to determine the impact of losses in confidentiality, integrity or availability of one or more assets. This is a reasonably simple process, even if estimated qualitatively. The difficulty arises when trying to establish likelihood.
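To make the Likelihood × Impact product concrete, here is a small risk register in Python. It is an added illustration and not part of the original post: the five-point qualitative scale, the scenario names and their ratings are all constructed. It ranks scenarios by score, lets you revise a likelihood estimate and re-rank, and separately flags the low-likelihood, high-impact scenarios that a pure product score pushes to the bottom of the list.

```python
# Toy risk register: risk = likelihood x impact on a 1-5 qualitative scale.
# Added example; the scale, scenarios and ratings below are constructed, not from the post.

LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def risk_score(likelihood, impact):
    """Risk as the product of qualitative likelihood and impact ratings."""
    return LEVELS[likelihood] * LEVELS[impact]


def rank_register(register):
    """Return (scenario, score) pairs, highest risk first; ties broken by name."""
    scored = [(name, risk_score(lik, imp)) for name, (lik, imp) in register.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def reassess(register, scenario, likelihood):
    """Return a copy of the register with one scenario's likelihood revised."""
    updated = dict(register)
    _, impact = updated[scenario]
    updated[scenario] = (likelihood, impact)
    return updated


def low_likelihood_high_impact(register, impact_floor="high", likelihood_ceiling="low"):
    """Scenarios whose small likelihood rating hides a severe impact.

    Multiplying the ratings lets a rare-but-catastrophic event score below a
    routine nuisance, so these deserve a separate review.
    """
    return sorted(
        name
        for name, (lik, imp) in register.items()
        if LEVELS[imp] >= LEVELS[impact_floor] and LEVELS[lik] <= LEVELS[likelihood_ceiling]
    )


# Constructed sample register for a campus: scenario -> (likelihood, impact)
REGISTER = {
    "shared access card used by non-member": ("high", "medium"),      # 4 x 3 = 12
    "ransomware on student records server": ("medium", "very high"),  # 3 x 5 = 15
    "earthquake damages data center": ("very low", "very high"),      # 1 x 5 = 5
    "laptop theft from unlocked office": ("high", "low"),             # 4 x 2 = 8
}

if __name__ == "__main__":
    for name, score in rank_register(REGISTER):
        print(f"{score:>3}  {name}")
    print("review separately:", low_likelihood_high_impact(REGISTER))
    # Revising the earthquake likelihood upward moves it from last to third.
    for name, score in rank_register(reassess(REGISTER, "earthquake damages data center", "low")):
        print(f"{score:>3}  {name}")
```

The point of the last two functions is the caveat in the paragraph above: impact is usually easy to agree on, likelihood is not, and because the two are multiplied a wrong likelihood guess changes the ranking far more than any other single input.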
Tuesday was a beautiful day. Sunny and warm with a slight breeze, it reminded me just how lucky we’ve been this summer, as the weather in these parts can suck year-round.
At approximately 10 minutes before 2 PM ET, I noticed a mild wobbling occurring in the room. Being engrossed in a conversation about Access Control, I dismissed it thinking that perhaps someone had had a bit too much soda for lunch. After a few seconds the wobbling intensified, and several of us silently declared that something was amiss. The conversation trailed off and we each began inspecting each other, simultaneously looking for clues and confirmation that the building was indeed shaking, now uncontrollably. At that point we all stood up, enacted a mini-crisis management plan and headed for the door.
Now we all know that the likelihood of an earthquake occurring on the East coast is near nil, and even less so in Albany. Right?
As we returned to the room after experiencing one of the Northeast’s rarest disaster scenarios (most of the campus was evacuated for a period of time), we had a newfound perspective on what is possible in the realm of information security. Luckily on this day, all we needed to combat this crisis was a little extra sunscreen.
“I have six locks on my door all in a row. When I go out, I lock every other one. I figure no matter how long somebody stands there picking the locks, they are always locking three.” – Elayne Boosler
This past Monday night I attended the monthly business meeting for a pistol range in my area. Having heard great things about the facilities and management, I decided that it was time to join another range – it’s great to have options. This particular range is used by DHS, DEA and 10 other law enforcement agencies which added to its legitimacy. The club also offers regular combat and tactical training courses, an added bonus.
But this story isn’t about that kind of security.
During the meeting the chapter Vice President rifled (oops) methodically through each committee update and then stopped to share with us some issues that the club had been having regarding unwanted visitors. Without giving away too many details, the club is protected by proximity card access control in various places, and cards are only granted to members of reputable standing. I made some assumptions about the “issues” that they could be having, recognizing that cards can be shared or stolen, card readers don’t prevent tailgating or social engineering and remembering that there were few visible supporting controls in place. Having experience on many ranges, I know how irresponsible, careless and downright malicious people can be.
The Vice President, after describing numerous incidents of non-member trespassing, facility damage and seriously dangerous shooting conditions, opened it up to the floor for suggestions on how to deal with this latest rash of problems. The club’s insurance, after all, did not cover all of these liabilities.
The monthly meeting was attended by individuals of all ages, from various walks of life. One thing they had in common, however, was a shared love for the 2nd Amendment. If there was one thing these guys knew, it was how to protect their property.
“We need cameras in here!”
“Put a gate out front!”
“Change the locks on the doors!”
As the new guy I sat quietly listening to each suggestion as the roar became deafening. Clearly, the club and its members were passionate about protecting their assets. They weren’t about to let a few malicious interlopers get away with this.
Unfortunately, they didn’t know how to stop them.
Preventing crime, cyber or otherwise, is not about technology. We continue to see firewalls, antivirus software, gates and door locks fail to protect us for one simple reason – they are created by, configured by and susceptible to people. A review of our industry’s surveys, articles, data breach reports and analysis all point toward one conclusion – people continue to be the greatest weakness in the security chain. Until our security programs, budgets and corporate priorities address this – our real risk – we are doomed to repeat history.
In short, the pistol range will be more successful if it trains its members – its security control with the greatest surface area, intelligence and liability – how to detect, prevent and correct security incidents like those that have been occurring over the past several months. A well-trained membership will be far more capable of dealing with a negligent individual or trespasser than a “No Trespassing” sign or a card-activated gate. As it turns out, training will also be a lot less expensive. While human psychology will usually default to technology (firewalls or guns) for addressing security, in most cases addressing the human element is the most effective.
While this didn’t occur to the membership on Monday night, I’m sure some well-meaning member will eventually make this suggestion.
Perhaps next month I won’t sit so quietly.