Information security over the past few years has been obsessed with zero-day vulnerabilities, hacking exploits and headline-making mega breaches. Every security risk manager is looking for the “unknown unknowns” that could result in untimely unemployment. But is that the right approach? One presentation and one book made me think otherwise.
The presentation was Alex Stamos’s talk last summer at Black Hat; you can listen to it here. In this talk he highlights the differences between risks identified by traditional InfoSec and newer risks that he calls “abuse”. The triangle diagram below, from his talk, captures his point. Note that the vertical scale is a log scale. Mr. Stamos’s definition of abuse is “technically correct use of a technology to cause harm”. Think user profile scraping, insider trading, spam, doxing, sexual exploitation, etc. The log scale illustrates that the biggest risks are found in the category of abuse; zero days and targeted attacks are orders of magnitude less important. Searching for the “needle in the haystack”, the holy grail of InfoSec practice, may not be rewarding or cost effective.
The book was Gray Rhino, by Michele Wucker. It highlights the risks of looking primarily for needles in haystacks and confirmed Mr. Stamos’s thoughts. The metaphor here is the Gray Rhino, which may be attacking while you are looking for the unknown unknowns. Ms. Wucker’s book is written for risk management professionals in general, but by connecting the dots we can apply it to InfoSec. Gray Rhino is the counterweight to The Black Swan, by Nicholas Taleb. Black swans are high-impact events that we cannot predict. A Gray Rhino is something you see coming, but ignore, for one reason or another. It is a highly probable, high-impact event.

Think of the Equifax breach in 2017. There had been a previously reported breach in May 2016, which I would call a Gray Rhino. Another recent breach is the ransomware attack on Atlanta. Is this a Gray Rhino? Such attacks have been common since 2015. Was the City of Atlanta able to take steps to train users and back up systems? Apparently not yet. How about Facebook and the alleged misuse of user data by Cambridge Analytica? Many InfoSec professionals are looking for hacker attacks. But go back to 2005 and the ChoicePoint breach; this attack could have been a Gray Rhino for Facebook. In that breach, business partners of ChoicePoint exposed data on 163,000 users (a piddling number by today’s standards). This should have tightened security within the business units of Facebook.
A zoological risk matrix could look like this:
Dealing effectively with gray rhinos requires awareness, both individual and organizational. The reasons we don’t do so come down to several obstacles:
- Weak response to signals that are seen by many but not followed up on
- Systems that accept as normal a failure to respond
- Impulse to procrastinate (everyone)
- Taboos against raising alarms
- Too many rhinos attacking at once
This is a short list of causes from the book. All of them apply to information security risk management.
How about mitigations? Ms. Wucker offers some general good ideas that can be applied in an information security context:
- First, acknowledge that your Gray Rhinos are out there.
- Prioritize which rhino you will manage first.
- Accept incremental mitigations and continue to improve on them.
- If you do have a security incident, capitalize on it.
- Work hard to convince management to take action against distant rhinos before they show up on your doorstep.
Going back to information-security-specific vulnerabilities, the Stamos triangle is a good starting point for finding specific Gray Rhinos. Focus on getting out of the way of these four animals before looking for targeted attacks or zero-day attacks.
Common Information Security Gray Rhinos
- Phishing: user training, repeated regularly, is essential
- Unpatched systems: Do you know the percentage of systems, OSes, middleware and applications that are not patched, and the corresponding risk levels?
- Password reuse and mass compromise: Have you implemented and required MFA on all critical systems?
- Abuse: How could your partners, customers and employees misuse your systems?
One of the functions of an outside consultant is to help a client identify the Gray Rhinos, whether those above or others. If you are considering this type of perspective, please drop me a line.