Asset Focus
Several people emailed me about my talk on Finding and Fixing Vulnerabilities in Distributed Systems, basically commenting - "why do you assume you can fix all the vulns, don't you know threats are really bad, it's all about threats," and so on. My answer is that, no question, what I describe with respect to finding and fixing vulnerabilities is not a complete solution. However, in my experience the best use of time and money is to concentrate them on the places where you have an unfair advantage. To get an unfair advantage over the attacker we need to play games that we can win.
If we look at risk management as consisting of threats that exploit some vulnerability against some asset, there is really only one area where the defender has an information advantage - assets. The attacker knows far more about threats than defenders do, and attackers know far more about most vulnerabilities as well. The one area where the enterprise security person may have the advantage of more and better information is on the asset side. Hopefully you know your assets better than the attacker does. So how do you beat Garry Kasparov and Michael Jordan? You play basketball against Kasparov and chess against Michael Jordan. I have no idea how good they are at these sports, but I bet you have a better chance of beating them if you pick the game instead of them.
No. You have the advantage when it comes to vulnerabilities. You have source code. You don't have to know the insane details of SQL injection holes to know that parameterized queries eliminate them. You're in a far better position to verify your security controls than an attacker. But if you resort to using only the approaches used by attackers, then you give up that advantage.
Posted by: Jeff Williams | December 10, 2008 at 07:01 PM
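The point in the comment above, that a defender with source code can see and verify the control without knowing attack details, is easy to show with the two query styles side by side. The following is an added example (not code from the original post or from either commenter); it uses Python's built-in sqlite3 module against a constructed in-memory table, and the user names are made up. The concatenated form mixes input into the SQL text, so an ordinary name containing an apostrophe changes the statement itself; the parameterized form sends the value separately, so the same input is handled as data only.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example; not taken from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user"), ("bob", "user")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable form: the input is spliced into the SQL text, so any quote
    # character in it is interpreted as part of the statement, not as data.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened form: the driver binds the value to the placeholder, so the
    # statement's structure is fixed before the input is ever seen.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and return (concat_result, param_result).

    A database error from the concatenated form is returned as a string so the
    caller can see that the input altered the statement instead of matching a row.
    """
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + str(exc)
    param = lookup_param(conn, name)
    conn.close()
    return concat, param


if __name__ == "__main__":
    for n in ("bob", "o'brien"):
        print(n, "->", compare(n))
```

Reviewing this in source is exactly the verification the comment describes: a grep for string-built SQL finds `lookup_concat`, and running `compare("o'brien")` confirms that only the parameterized query returns the expected row.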
Jeff - I agree that we can be much more proactive with vulns than with threats. Then the question is - how do you find the vulns and which ones do you choose to fix? I argue that you answer this question with assets.
http://1raindrop.typepad.com/1_raindrop/2008/11/the-economics-of-finding-and-fixing-vulnerabilities-in-distributed-systems-.html
Posted by: Gunnar | December 10, 2008 at 07:09 PM