The Ostrich Syndrome

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

In April 2005, I was asked to contribute an article to a new professional newsletter, called Risk Mitigation Executive.  After understanding that the target audience would be business people, I wrote this article of which I am very proud.  Hope you like it:

The Ostrich Syndrome

It is easy to understand why Physical Security is important.  Just last week, in my hometown of Atlanta, Georgia, a suspect killed several people, evaded police for almost a day, and nearly escaped unscathed – all due to physical security policies that will now doubtlessly be reviewed all across the country.

We find it a lot harder to understand the value of Cyber Security.  Why?

Let’s think for a moment.  What is the value of a corporation – be it a medium-size business, a large enterprise, or a Fortune 50 company?  Is the value comprised of the buildings it owns?  The machinery?  A price tag on its employees’ heads?  No.  The value of any business today is the Intellectual Property it has: the know-how on how to make the widgets, how to advance the processes, how to get a leg up, and all in an increasingly global environment.

Where do you store data?  Do you write it on a piece of paper?  Do you jot it in your PDA?  Do you type it in a computer?  At the end, all worthwhile data is (or ought to be) stored in a computer system and backed up.

How real is the danger?

From my observation, and from data found in Symantec’s DeepSight quarterly report, several clear trends emerge:

  1. Threats to our information integrity are getting more and more sophisticated.
  2. More and more often, threats can no longer be attributed mostly to any one specific category (such as “Virus” or “Phishing”).
  3. Threats that take advantage of a newly discovered vulnerability are coming faster and faster on the heels of that vulnerability.  If it used to take two weeks, now we see “same-day” exploits.

What does it mean?

In my view, it means that hackers are no longer primarily the “script kiddies” that we have seen in the past.

  1. They are better.
  2. They are better organized.
  3. They are better funded.
  4. And they have a much longer attention span (aka patience).

It also means that many more attacks today are not just “sweep” attacks.  They are targeted – not just at government sites but, more every day, at individual company sites.  The attackers may be our competitors, foreign enemies, or even organized crime.

Why can’t we get the dollars?

Who says we can’t?  We simply have to prove our case.  Whereas physical security incidents carry a clear and concise measure in terms of lives or dollars and cents, we (as in the entire security industry, as well as major businesses) have been lax in sharing real information about the VALUE of incidents.  Whereas we have to inform the authorities in many cases of physical security breach, we shy away from and fear disclosing data about REAL information security breaches.  Even within the ISACs (Information Sharing and Analysis Centers) established for many industries, real data about real incidents is very rare and precious.  It is time for us to play nicely together and share information.

Further, it is time for us to stop treating information security within the context of “best practices” and knee-jerk reaction.  Best practices are just that – ideas that are the best in the specific area they address.  If you own a parts supply store, your router security should NOT be the same as the NSA’s.  Right?

We need to grow up.  We need to look at information security as an integral, critical part of business.  We need to understand our own environment.  We need to analyze our true risk.  We need to determine our own exposure, and we need to mathematically calculate our true needs.  We cannot continue shouting from the rooftops that we need more money.  No one else is getting away with it – why should we?

Here is an example I like to use.  No one likes spam (not even spammers like receiving it!).  So, here is a multiple-choice question:

  1. Should we invest 100,000 dollars in a spam solution?
  2. Should we ignore spam and learn to live with it?
  3. Should we conduct a survey, in our own true environment, of the real effect of spam – how much disk space it uses, how much network bandwidth it occupies, what it might mean to our employees in terms of lost productivity, et cetera? Or
  4. Shall we use a “best practice” and follow it to the letter?

Surprisingly, many would suggest #4.

That would be akin to instructing everyone in Georgia to wear bulletproof vests and stay in their homes.  Would you put up with that?
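Option 3 worked through in code, as an added illustration that is not part of the original article: the survey figures (disk, bandwidth, lost productivity) are turned into an annual cost and weighed against the annualized price of the 100,000-dollar solution. Every input number, the 95% catch rate and the three-year write-off period are constructed assumptions, and the same per-message figures are run for two company sizes to show that the answer depends on the environment.

```python
# Added example, not part of the original article: option 3 worked through.
# Estimate what spam actually costs one environment from surveyed figures,
# then compare the avoided loss against the annualized cost of a filtering
# solution. Every number below is a constructed assumption, not a measurement.
from dataclasses import dataclass

GB = 1_000_000_000  # decimal gigabyte, keeps the arithmetic easy to follow


@dataclass
class SpamSurvey:
    employees: int
    spam_per_employee_per_day: float
    avg_spam_bytes: int
    seconds_to_triage_each: float   # time an employee spends spotting/deleting one
    loaded_hourly_rate: float       # fully loaded cost of an employee hour, dollars
    storage_cost_per_gb_year: float
    bandwidth_cost_per_gb: float
    retention_days: int             # how long spam sits in mailboxes before purge
    work_days: int = 250


def annual_cost_breakdown(s: SpamSurvey) -> dict:
    """Annual cost of spam split into the three effects the article lists."""
    msgs = s.employees * s.spam_per_employee_per_day * s.work_days
    bandwidth = msgs * s.avg_spam_bytes / GB * s.bandwidth_cost_per_gb
    # Only messages still inside the retention window occupy disk at any moment.
    resident_gb = (s.employees * s.spam_per_employee_per_day * s.retention_days
                   * s.avg_spam_bytes / GB)
    storage = resident_gb * s.storage_cost_per_gb_year
    productivity = msgs * s.seconds_to_triage_each / 3600 * s.loaded_hourly_rate
    return {"messages": msgs, "bandwidth": bandwidth, "storage": storage,
            "productivity": productivity,
            "total": bandwidth + storage + productivity}


def evaluate_investment(s: SpamSurvey, solution_cost: float,
                        catch_rate: float, years: int = 3) -> dict:
    """Annualized-loss comparison: loss avoided by the control vs its yearly cost."""
    loss = annual_cost_breakdown(s)["total"]
    avoided = loss * catch_rate
    annualized_control = solution_cost / years
    return {"annual_loss": loss, "annual_loss_avoided": avoided,
            "annualized_control_cost": annualized_control,
            "net_annual_benefit": avoided - annualized_control,
            "worthwhile": avoided > annualized_control}


if __name__ == "__main__":
    # Same per-message figures, two company sizes: the right answer differs.
    for n in (500, 50):
        survey = SpamSurvey(n, 20, 10_000, 5, 50.0, 1.0, 0.10, 30)
        print(n, "employees:", evaluate_investment(survey, 100_000, 0.95))
```

With these constructed figures the 500-person company comes out well ahead by buying the solution, while the 50-person parts supply store loses money on it; the disk and bandwidth terms turn out negligible next to lost productivity, which is exactly the kind of thing a survey of your own environment reveals.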