Ira Winkler

You CAN Stop Stupid



are technological in nature. Technical countermeasures have a broad scope that extends beyond computers and information. For example, to stop car thefts, which are physical in nature, there is technology that can deactivate the engine remotely. Given the Internet of Things (IoT), almost any piece of equipment, no matter how basic, can now implement technical countermeasures.

Detection can involve two aspects of the UIL problem. Technology can detect that malicious parties are attempting to interact with users or that a user has done something that can initiate a loss. So, for example, you can detect that phishing messages are being sent to users. Another example is that you may detect that a user is attempting to go to a malicious website.

Obviously, the circumstances of reaction are similar. If you detect attacks targeting users, there are a variety of technologies that can react to and mitigate the attacks before they get to the users. Also, if you detect a user action that might initiate loss, you can then mitigate that action in progress. Following up with the examples described in the previous paragraph, detected phishing messages can be deleted before reaching the user. The messages can also be analyzed, and any websites or Internet systems involved can be proactively blocked and reported. If you detect a user going to a malicious website, you can lock the user's account, block the website, or investigate the user to see whether the action is malicious or perhaps is being made by a person who has compromised the user's account.
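The detect-then-react loop described in the two paragraphs above, written out as an added example (this is not code from the book or from its author). The proxy log lines, user names, domain names and the blocklist are all constructed for the illustration, and the log format is hypothetical. The escalation rule (lock the account once the same user reaches a second hit, because repeated visits look more like a compromised account than a one-off click) is also an assumption chosen here to show how a reaction can differ from the detection that triggers it.

```python
"""Added example (not from the book): a minimal detect-and-react loop for
user-initiated loss, using constructed proxy log lines and a constructed
blocklist. Domains, users and the log format are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed blocklist of known-malicious hosts (hypothetical names).
BLOCKLIST = {"login-verify-example.test", "invoice-update.test"}

# Constructed proxy log lines: timestamp, user, destination host, proxy action.
SAMPLE_LOG = """\
2019-05-01T09:00:01Z alice mail.example.com ALLOW
2019-05-01T09:02:14Z bob login-verify-example.test ALLOW
2019-05-01T09:02:15Z bob login-verify-example.test ALLOW
2019-05-01T09:05:30Z carol docs.example.com ALLOW
2019-05-01T09:07:02Z bob invoice-update.test ALLOW
2019-05-01T09:09:45Z dave invoice-update.test ALLOW
"""


@dataclass
class Reaction:
    """One detected event and the countermeasure actions chosen for it."""
    user: str
    host: str
    actions: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed log lines into (timestamp, user, host, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append((ts, user, host, action))
    return events


def detect_and_react(events, blocklist, escalate_after=2):
    """Detect requests to blocklisted hosts and choose a reaction per event.

    Every hit blocks the host and notifies the user. Once a single user
    reaches `escalate_after` hits, the account is locked and an investigation
    is opened, since repeated visits are more consistent with a compromised
    account than with one mistaken click (assumed escalation rule).
    """
    hits_per_user = defaultdict(int)
    reactions = []
    for ts, user, host, action in events:
        if host not in blocklist:
            continue                      # detection: nothing to react to
        hits_per_user[user] += 1
        r = Reaction(user=user, host=host)
        r.actions += ["block_host", "notify_user"]   # reaction to the attack
        if hits_per_user[user] >= escalate_after:
            r.actions += ["lock_account", "open_investigation"]  # reaction to the user
        reactions.append(r)
    return reactions


def summarize(reactions):
    """Return {user: set of actions taken} for a per-user report."""
    summary = defaultdict(set)
    for r in reactions:
        summary[r.user].update(r.actions)
    return dict(summary)


if __name__ == "__main__":
    for r in detect_and_react(parse_log(SAMPLE_LOG), BLOCKLIST):
        print(r.user, r.host, r.actions)
```

Run as a script it prints one line per detected event; `bob` is locked on his second hit, while `dave` only has the host blocked and a notification sent, which is the difference between reacting to the attack and reacting to the user that the text draws.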

Technical countermeasures can be the failsafe for a security and risk mitigation program. Users will fail. Procedures will fail. However, if you have the right technology in place, you can detect and react to the other failures. Obviously, technological countermeasures can also fail. However, if you implement the methodology in Part IV properly, technical countermeasures can be your first and last line of defense.

When people think of risk, there is frequently an unstated assumption that risk should be minimized. This assumption is wrong. Risk is about balancing loss with the cost to mitigate the loss. This balance should be optimized, not minimized.

Taking these measures would minimize a great deal of risk, but they would not guarantee your safety and would likely cost more than you stand to lose from an injury or robbery. In fact, for the average person they would be prohibitively expensive. On the other hand, if you were carrying a great deal of money in a high-risk area, some of these precautions might be more practical. The important point is that the cost of your countermeasures is balanced with your potential loss.

NOTE Risk optimization is clearly a complicated concept that we cannot do justice to within a reasonable length. For those people who want to look further into this topic and want to be more effective in a risk mitigation position, we recommend the work of Lawrence Gordon and Martin Loeb. Their book, Managing Cybersecurity Resources: A Cost-Benefit Analysis (McGraw-Hill Education, 2005), is a helpful work on the subject.

Graph depicts the cost of countermeasures compared to vulnerabilities.

At some point, however, the cost of your countermeasures exceeds your potential loss. This is when you know that you are spending too much on countermeasures. The users running your security program can actually drain finances disproportionately to benefits, which effectively creates another form of loss.

Keep in mind that there can also be intangible forms of loss other than monetary, such as loss of life, reputational costs, and so on, and these might justify spending more than would otherwise be justified. Even then, you want to try to place a potential monetary value on such intangible loss and not put excessive investment into countermeasures.

Generally, you want the cost of your countermeasures to be significantly less than the potential loss. If you invest in countermeasures to the point where they exceed the potential loss, you are also likely wasting a great deal of money. In Figure 4.2, the area under the vulnerabilities line represents potential loss, not actual loss. It is rare that all potential loss becomes fully realized into actual loss.
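The optimize-not-minimize argument of the preceding paragraphs, and the overspend region where countermeasures cost more than the potential loss, as a small numeric model. This is an added example, not code or figures from the book. The residual-loss curve used here is the class-I security breach function from Gordon and Loeb's 2002 paper on the economics of security investment (residual breach probability v / (alpha*z + 1)**beta), chosen because the text points to their work; the parameter values (a 60% breach probability, a $1,000,000 loss, alpha and beta) are constructed for the illustration. The example goes slightly beyond the text by also locating the optimum both in closed form and by brute force, which is how you would do it when the loss curve is only known as a table of estimates.

```python
"""Added example (not from the book): a numeric model of the risk
optimization argument. Residual loss follows the Gordon-Loeb class-I breach
function; the parameter values are constructed for illustration."""


def residual_expected_loss(z, v, loss, alpha, beta):
    """Expected loss that remains after spending z on countermeasures.

    v is the breach probability with no countermeasures, loss is the loss if
    a breach occurs, and alpha/beta describe how quickly spending buys that
    probability down (Gordon-Loeb class I: v / (alpha*z + 1)**beta).
    """
    return v * loss / (alpha * z + 1) ** beta


def total_cost(z, v, loss, alpha, beta):
    """What the organization actually pays: countermeasures plus residual loss."""
    return z + residual_expected_loss(z, v, loss, alpha, beta)


def optimal_spend_closed_form(v, loss, alpha, beta):
    """Spend that minimizes total cost: set d/dz total_cost(z) = 0 and solve."""
    z = ((v * loss * alpha * beta) ** (1 / (beta + 1)) - 1) / alpha
    return max(z, 0.0)


def optimal_spend_grid(v, loss, alpha, beta, step=1000.0):
    """Same optimum found by brute force over spend levels from 0 up to the
    potential loss v*loss, the approach to use when the curve is only data."""
    potential_loss = v * loss
    best_z, best_cost = 0.0, total_cost(0.0, v, loss, alpha, beta)
    z = 0.0
    while z <= potential_loss:
        c = total_cost(z, v, loss, alpha, beta)
        if c < best_cost:
            best_z, best_cost = z, c
        z += step
    return best_z


def classify_spend(z, v, loss, alpha, beta):
    """Label a proposed budget relative to the optimum and the potential loss."""
    potential_loss = v * loss
    z_star = optimal_spend_closed_form(v, loss, alpha, beta)
    if z > potential_loss:
        return "countermeasures cost more than the potential loss"
    if z > z_star * 1.05:
        return "past the optimum: each extra dollar saves less than a dollar"
    if z < z_star * 0.95:
        return "under the optimum: more spending would reduce total cost"
    return "near the optimum"


if __name__ == "__main__":
    # Constructed parameters: 60% breach probability, $1M loss if breached.
    v, loss, alpha, beta = 0.6, 1_000_000, 1e-5, 1.0
    z_star = optimal_spend_closed_form(v, loss, alpha, beta)
    print(f"potential loss (v*loss): {v * loss:,.0f}")
    print(f"optimal spend: {z_star:,.0f} -> total cost "
          f"{total_cost(z_star, v, loss, alpha, beta):,.0f}")
    for z in (0, 50_000, z_star, 300_000, 700_000):
        print(f"spend {z:>9,.0f}: total {total_cost(z, v, loss, alpha, beta):>10,.0f}"
              f"  ({classify_spend(z, v, loss, alpha, beta)})")
```

With these constructed numbers the potential loss is $600,000, the optimum is about $145,000 of spend (total cost about $390,000 instead of $600,000), and a $700,000 budget is flagged as exceeding the potential loss outright. Note that the minimum of the total-cost curve is what the text calls the optimization point; minimizing residual loss alone would push spend toward the right edge of the graph, which is exactly the waste the text warns about.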

Graph depicts the risk optimization point.

That might sound obvious, but that is not the way security programs are typically budgeted. Security programs generally get some percentage of the IT budget and then have to determine how to spend that money. Obviously, this number is frequently inadequate, which results in major losses.

Understanding that last sentence is essential. There is typically no relationship between the potential loss a security program is trying to prevent and the budget the organization is willing to allocate. That is a critical issue that will lead to the failure of the security program.

Consider the example of how the city of Baltimore was the victim of a ransomware attack in 2019, due to malware based on EternalBlue. EternalBlue