21st Century Risk Management Part 1: Managing risk means taking risks
By Drew Williams August 20, 2013
- The stark reality is that our tools and technology have not made an impact on risk management and security
- Some of the exploits being used today are almost old enough to have a driver’s licence in most countries
SUMMER in the northern hemisphere means blockbuster movie season for Hollywood producers, with the Fall line-ups following soon after for the television crowd.
This year’s crop has focused on space wars, galaxy-trekking legends and superheroes. While all eyes look toward the stars, we keep pouring our development effort into extending our imagination, and reality keeps handing us re-runs of the same risk management problems we have faced since John Woo was directing Tom Cruise on how to save the world from a virus-ridden catastrophe in Mission Impossible II.
(Come to mention it, stories about “viruses” are as good for blockbusters as they are bad for business.)
The result of our distraction: billions of dollars in lost assets, plus priceless losses in consumer and user confidence.
It seems that boldly going where no one has gone before is out-pacing the more mundane work of exploring where no one wants to go at all: the stark reality that tools and technology have not effectively made an impact on risk management and computing infrastructure security, and have not staved off EOTWAWKI (the end of the world as we know it) in financial losses and market reputation.
Why? Because almost every exploit we read about is founded on a compromise of process, masked as a hack of the technology infrastructure.
In recent months we have read or heard dozens of ongoing news reports of companies, large organisations, government agencies and the like being hacked, with assets compromised and losses exceeding even the blockbuster profits of a single movie.
Billions of dollars have been lost in revenues, company profits and consumer confidence as a result of system exploits, targeted attacks and simple missteps by administrators.
Sometimes, consumer account records are the target; sometimes it’s more critical – like military secrets or government intelligence.
The damage caused by most of these attacks could be greatly reduced, and in some cases removed altogether.
The solutions to the most common, and often the most critical, security risks, however, continue to evade the less-informed, or are ignored altogether by those who remain faithful to the hordes of vendors who are (sometimes) more interested in profit-taking than in prophesying risk.
So here’s the good news: Most organisations have enough technologies and tools to fill the cargo bay of a space shuttle.
The bad news, however, is that those tools are often also the targeted controls used by the Sith Lords of system security to break in and cause the greatest damage – lightsabre not included.
Why then do these Galaxy-class infrastructures (some owned by the very conglomerates that produce said blockbusters) continue to succumb to system failures caused by the dark side?
Ironically, the devices we have all come to depend on for secure IT operations (firewalls, servers, routers, IDS tools, antivirus software, etc.) are at risk themselves, right out of the box: default accounts, open management interfaces and unpatched firmware leave them exposed before they have protected anything.
Does that mean that these tools – which comprise the backbone of any network infrastructure – are bad and unreliable? No, my young Padawans. That said, however (with apologies to Yoda), dependency on the deployment of tools and tech does not a secure infrastructure make.
When we further examine the compromises exploited in recent target enterprises, such as Sony, Amazon and governments around the world, we see a common trend that continues to be overlooked: some of the exploits being used are almost old enough to have a driver’s licence in most countries.
These same exploits, which have compromised computing infrastructures the world over, involve the most commonly addressable issues in security risk management.
Let’s explore the not-so-strange new worlds of system exploits, and how organisations might fare better if they followed a practical course of action to reduce, and even prevent, such exploits:
In the ongoing saga of the Sony empire, where the most common problems keep showing up (system passwords stored in clear-text files, account transaction records not secured to Payment Card Industry standards, and computing infrastructures susceptible to rogue command injection), it doesn’t take an R2-D2 to bring down this Death Star – just some very patient rebels with a little creativity and enough exploit skills to take advantage of common flaws in Sony’s infrastructure (“These are not the APTs you’re looking for!”).
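Two of the three flaws named above (clear-text password storage and injection, of which SQL injection is the textbook form) are cheap to fix, and the fix is the same today as it was a decade earlier. The following is an added illustration, not code from the article or from any Sony system: a constructed in-memory SQLite user table with a login routine written the vulnerable way (string-built query against a clear-text password) beside the hardened way (parameterised query, salted PBKDF2 hash, constant-time comparison). The user name, password and the hypothetical `admin' --` payload are all made up for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credential for the demo; not taken from any real system.
DEMO_USER = "admin"
DEMO_PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """In-memory database holding the 'before' table and the 'after' table."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    # 'Before': the password sits in the table in clear text.
    cur.execute("CREATE TABLE users_clear (username TEXT PRIMARY KEY, password TEXT)")
    cur.execute("INSERT INTO users_clear VALUES (?, ?)", (DEMO_USER, DEMO_PASSWORD))
    # 'After': only a random per-user salt and the derived hash are stored.
    cur.execute("CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    cur.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                (DEMO_USER, salt, hash_password(DEMO_PASSWORD, salt)))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the SQL by string formatting, so attacker text becomes SQL syntax."""
    query = (f"SELECT username FROM users_clear "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time check of the salted hash."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# Hypothetical payload: closes the quoted username and comments out the
# password clause. Only the string-built query can be fooled by it.
INJECTED_USERNAME = "admin' --"


def demo() -> dict:
    """Run both login paths against the same constructed inputs."""
    conn = setup_db()
    return {
        "vuln_correct": vulnerable_login(conn, DEMO_USER, DEMO_PASSWORD),
        "vuln_injected": vulnerable_login(conn, INJECTED_USERNAME, "anything"),
        "hard_correct": hardened_login(conn, DEMO_USER, DEMO_PASSWORD),
        "hard_injected": hardened_login(conn, INJECTED_USERNAME, "anything"),
        "hard_wrong": hardened_login(conn, DEMO_USER, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable path lets the payload log in without any password, and because the table holds the clear-text password, a single leaked dump hands every credential to the attacker. The hardened path rejects the same payload (the quote is data, not syntax) and a dump of `users_hashed` yields only salts and hashes that still have to be brute-forced one slow derivation at a time.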
In another case, let’s turn to the online-buy-anything king of the jungle, Amazon. This virtual galaxy of e-commerce has joined other red-white-and-blue giants of cyberspace, such as Apple and Microsoft, in depending on cloud-based, shared consumer identification procedures, and the resulting compromises of user accounts (as in the recent case reported by Wired writer, and victim, Mat Honan, whose accounts were taken over by chaining the customer-support identity checks of Amazon and Apple rather than by any software exploit) have shaken consumers around the world who rely on these systems.
In our next instalment we will evaluate this idea of IT risk management, how it continues to move like a comet through the cyber universe, and how – once the core tenets of IT risk are categorised into three groups (Policy, Controls and Exposure) – IT risk management becomes more manageable and attainable, without spending blockbuster money to strike a balance between risk and productivity.
Drew Williams is the founder and CEO of international risk management consulting services firm Condition Zebra. He has also worked with the Internet Engineering Task Force and served on the 1999-2000 President’s Partnership for Critical Infrastructure Security (precursor to the Department of Homeland Security). He is a former member of the US Navy.
21st Century Risk Management Part 2: ARMing your Infrastructure
21st Century Risk Management Part 3: From the server room to the boardroom