Putting security in perspective: beware of 'vending machines,' not sharks
Did you know more people are killed by vending machines every year than are killed by sharks? Neither did I. But the media goes into a feeding frenzy when there's a shark bite in the news.
HP security strategist Rafal Los makes that point, illustrating how organizations tend to worry too much about high-profile security attacks, when the real threat comes from more mundane, everyday vulnerabilities.
Los cites a Freakonomics post that posits that the yearly risk (in the United States) of dying from a shark attack is roughly 1 in 250 million, compared to dying from a vending machine accident is 1 in 112 million -- or twice the death rate. (I haven't heard about vending machines attacking any surfers. Maybe it's from the machine falling on top of them?)
Everyone quakes in fear of hacktivists, 'chaotic actors', and even state-sponsored advanced persistent threats, Los says. Yet, many do not even blink at the everyday, real threats:
"How many of you reading this right now have ever been targeted by a nation state, versus the odd malicious drive-by download that happened to infect your CEO's laptop because his kid plays World of Warcraft on it and was looking for cheats so they installed a random executable. Or how about intellectual or corporate property theft cases where the main cause was a configuration error or oversight which would have let anyone with even a remedial grasp of computers copy and 'steal' terabytes of corporate secrets?"
If you work for a government organization, or large corporation handling sensitive data, then you should keep an eye out for sharks, Los states. Otherwise, the greatest threats are likely to come from the less-glamorous forms of data breaches.
Heath Nieddu, senior information security analyst at Providence Health & Services, expanded upon Los' post, discussing how management can be properly educated in prioritizing security threats. First, determine whether there is a risk of a high-profile attack: "What tools do we have in our field to help us determine if we are a surfer, a vending machine repairman, or just a guy looking for peanut M&Ms? Then, how should we practically use the information that is available? How do we bring these things to life in real-time analysis?" Here is his response when management asks these questions:
"When I get a question from senior management on the latest external threat, the first thing I do is determine what analysis is already available to tell the story. I pull the [Verizon Data Breach Investigations Report] to remind myself of where my organization and the external threat meet in the breach universe. This helps me determine if I should expect to be in a special sub-population. I then look at the Data Loss Database , Ponemon’s Cost of a Data Breach report, and the HITRUST Healthcare Data Breach Trends report. Internally, I scan our security incident database and our analytic repository. I give a phone call to security engineers and security incident managers to make sure I have all the current data available. I explicitly ask myself, 'what’s new about this current event, and should any new evidence change my prior judgments?'"
Nieddu observes that the incidents reported in these sources typically represent small percentages of organizations overall. But he doesn't downplay the threats, he uses the dialogue with management as an opportunity to provide education -- and get budgetary support -- for the actual, pressing security threats that may come from more mundane sources, such as better password security, reducing user errors with data, or guarding against insider abuse:
"We do NOT tell the board about the vending machine versus the shark parable. We don’t scoff at any supposed sheep-like behavior. What we do is milk that puppy. We milk their interest, but we milk responsibly. These are some of the few situations where they are coming to us! We use their interest and respond as quickly as possible in a way that addresses their concern while directing their energy in the most productive direction."
Nieddu and his time actually apply a form of judo to the challenge -- the fact that management is interested in security creates an opportunity. When managers expressed concern about a recent public breach of LinkedIn passwords, this was their response:
“Although it is unlikely that our sensitive data will be directly impacted from the compromised passwords at LinkedIn, it is sound advice to encourage managers to reset their LinkedIn password. Also, information on LinkedIn could be used to develop better phishing attacks with refined social networking data. We highlighted the growing trend of targeted phishing in regards to a high-profile attack at RSA last year. We have a tool that simulates a phishing attack, and would like to launch a focused phishing exercise to raise our resiliency. Would you endorse our campaign?”
The bottom line is that the "shark attack" reports may be sensational, but typically only represent a small percentage of the real security threats that can make a mess of data. But they do represent an opportunity to channel the fear and concern into productive security efforts.
(Photo: Joe McKendrick.)