An elephant, a mouse, or a ghost?
Sometimes I feel like I’m selling elephant repellent:
I identify a particular species of elephant (for example, compromise of our networks due to spearphish delivered email).
I find examples of this particular elephant showing up on the networks of similar organizations.
I try to calculate the damage which said elephant would cause (which nearly always includes hard to quantify types of damage to things like “reputation” and “trust.”)
I run some tests to show that, yes, some of our users would in fact happily open the gates of the village to this particular elephant by clicking on just about any link emailed to them.
I then look for some sort of elephant repellent – a policy, a procedure, education, some technology or a combination of the above to keep said pachyderm from rampaging through our village.
Of course, elephant repellent is not free… there is a cost in productivity, usability, share of user attention, or cold hard cash. If the risk to cost ratio seems right, I take action, spraying elephant repellent all around the village. Time passes. No elephants show up, I proudly announce the success of this particular elephant repellent and start looking for the next elephant to repel. Of course, the question remains as to whether the lack of elephantine activity in the village is due to the repellent, well, repelling or whether the elephants never would have shown up at the village gates in the first place. (or whether the elephants will get clever and will show up next week and trample the place in spite of my efforts)
Elephants come in a variety of sizes. Some of them can rampage through the village and leave a wide path of destruction. Other elephants sound scary, but end up being more mouse like in their impact. If you ring the elephant alarm every day, the villagers (in particular, the village elders) are going to pay less attention as time goes on. Elephants are also unpredictable – sometimes they show up, other times, they pass your village by and trample the village next door. You gotta pick your elephants. I guess that is part of the “art” side of infosec (anticipating howls of protest from the quantitative guys on this).
At least Infosec people don’t usually have to deal with elephants which kill people – let’s say, a devastating earthquake. The stakes are, of course, very high in these cases and the village elders can get very angry when these elephants make it through the village gates. In fact, six seismologists and a government official are currently on trial for manslaughter in Italy for failing to predict an earthquake which struck the L’Aquila region in April, 2009. Yes, you read that right… While this episode may be an outlier, it does point out the rising expectations of all sorts of village elders (both corporate and governmental) as to the risk experts’ ability to make very accurate predictions of risks – expectations which may not be possible to achieve. Call it the “CSI effect” – we are used to seeing all sorts of cool technology providing definite answers to questions and we have come to expect that all questions can be answered in this way.
We as Infosec professionals have to strike a balance between the quantitative and qualitative approaches to choosing which elephants to worry about. To add to the problem, some of us (particularly in highly regulated industries like finance) are given a set of elephants which we must repel by regulators and other stakeholders. These “default elephants” may pose less risk to the village than other, less famous, elephants, but we have to divert resources (and repellent) to deal with them in order to stay in business.
So… the takeaway? We need to share best practices for spotting, measuring and evaluating risk from both a qualitative and quantitative point of view. Organizations like the FS-ISAC (and other industry ISACS) where we can share information in confidence with our peers are a great place to do this. We need to up the level of information sharing in these fora – while it is great to get lists of bad IP addresses and URLs, I’d also like to see more (anonymous) sharing of stories about risks and repellents. The more people looking at the elephant and reporting on what it did when it visited their villages the better picture we can put together.