Category Archives: The Information Security Profession

We must change how we do information security. Here is my suggestion

As you advance in years in this profession, an increasing share of the effort required of you goes into “not giving up”.

A significant part of this is due to the huge gap between the information security tasks that need to be accomplished and the resources given to accomplish them, with an emphasis on the lack of personnel (in quantity and in quality) and on the objections of those who are not part of information security, i.e. the internal customers of the organization (mainly development, DevOps, marketing and so on).

In recent years there has been strong public talk about the lack of manpower in the field of information security, and there are many efforts to overcome this gap; unfortunately, these efforts also bring quite a few suboptimal personnel into the field. The main goal seems to be counting more professionals added to the field, but in some cases this causes a decrease in the level of performance and quality, so the progress made by these efforts is sometimes questionable.

It is important to understand that the gap in information security between tasks and resources will always remain, to one degree or another, because:

  1. That’s life, it’s not unique to information security – you almost always don’t get what you want, and usually not what you need either (and thanks to the “Rolling Stones” band for that). You have to know how to work with what you have, constantly report the gaps, and accordingly the risks, to the relevant people, and live with it knowing that you are doing the best you can under the given circumstances.

  2. In most places where you will do information security, it will not be a top priority, to say the least, and the resources you receive will reflect that (and resources in this domain are expensive). And that’s fine, and that’s right. You will not spend 1000 to guard an object worth 600; it makes no sense.
    Information security is not a core activity of most organizations. Information security does not bring in money, on the contrary. At best, it can be marketed as a Business Enabler, meaning a positive feature of the organization and/or its products/services that can be marketed to the world.
    Information security is an envelope service provided to the organization, according to the risk prioritization that the organization does (hopefully…), and the gaps you encounter are supposed to be “priced” as part of the organizational risk management. In most cases information security chases after those it needs to protect; they are almost never a partner from the beginning, and the results and costs follow accordingly.

  3. In many cases information security is seen as a type of “insurance”. In other words, we know that we need to prepare for possible damage, but in the present we suppress thinking about this risk and accordingly devote as few resources as possible to it, on the assumption (partly a form of suppression) that the risk will probably not materialize, and therefore we want to avoid unnecessary expenses for this activity.

  4. And here I come to the main topic of this post, which links to the lack of manpower that I mentioned at the beginning – information security is considered the exclusive subject/problem of the information security department and its people, and therefore they are solely responsible for it.
    Everyone else does a favor and helps when possible and when they “feel like it” or when they are forced to, usually due to external reasons such as laws, regulations, or external criticism.

Because it is not a high priority in organizations, information security as an organizational function always has to run after its internal customers, especially development and DevOps, and try one way or another, positively or negatively, to get their “attention” and their working hours in order to promote information security with them.

In my opinion, changing this attitude is much more important to address than the lack of information security professionals. We need a fundamental shift in how we do information security.

As long as the current attitude does not change, adding more people to the information security profession, all continuing the same activities mentioned above, will not solve the problem.
That is not the direction in which efforts should be invested. Information security is a challenge too big to be handled exclusively by information security professionals.

In my opinion, the only way to significantly improve the situation is if it is defined for all relevant internal customers of information security, from the top, from the CEO on down, that information security:

  1. Is an integral and essential part of any product/service that the organization creates. It’s not a nice to have, it’s not “let’s do a favor for the poor information security folks who are begging us to do some information security”.

  2. Will be integrated into every product/service life cycle, from product planning by the product managers and architects to the cancellation of the product/service and its fade-out and closure.

  3. Will not be the sole responsibility of the information security department. Each department, each manager and each employee will be responsible for implementing information security in their field of activity. The responsibility will first be on them.

The information security department and its people will assist them, with training, direction, advice, integration, etc., as a kind of internal “consultants”, but they will not be the first line. Information security will manage this activity “from above”.

Also, of course, the information security department will continue to be exclusively responsible for the core topics of information security and will operate products and services that are distinctly information security.

In my opinion, only a change of direction as proposed above could actually improve the implementation of information security from its current dismal state; otherwise we will remain stuck in the inherent incapacity of the current situation described above and lose severely in the battles against the bad guys.

Sad declaration

“There have been zero successful cyber-attacks on critical national infrastructures in the past year”

This is what Yigal Unna, the head of the National Cyber Directorate of Israel, declared at the CyberTech conference held last week in Israel. A stunning declaration, in my opinion.

I thought there was no 100% in information security (which is true for physical security as well). How can he know this for sure? Information security, and certainly as part of risk management, involves recognizing that there is never any certainty. You can always be attacked successfully; you may know about it as it happens, or you may never know. You always have to assume that at any given moment, in any part of your systems, you lose, because you know you don’t cover everything and can’t cover everything.

This is a statement in the style that existed before the Yom Kippur War. Smugness and arrogance have no place in our profession, and I believe that sooner or later they will run into the wall of reality and shatter.

A thought about the essence of vulnerability


I would like to offer a slightly different way of thinking about the concept of vulnerability.
Vulnerability, in the context of information security, refers to one or more weaknesses and, following their exploitation, to the probability of damage to data, information systems and/or processes.

Vulnerability as a concept originates in human life: a human weakness that endangers the body and/or the soul/mind, and thus increases the risk of injury to the person in question.
Vulnerability is something passive, a kind of existing characteristic, one that a person who has it will probably wish to strengthen/fix as soon as possible, to reduce the possibility of damage.

When a “regular” software bug affects a system’s calculation or processing, its stability or its performance, the bug is usually triggered unintentionally, when certain cases occur, some originating from a standard human operation of the system and some from an automatic process.

A vulnerability, in my view, is a special case of a bug, but an important one: as in many cases in human life, it would not be a bug, nor would it materialize, without human malice (except, perhaps, for Denial-of-Service actions, which may (barely) be considered an inability to meet a high volume of legitimate operational activity).
A vulnerability is a bug that is triggered and realized only when there is a malicious human intent behind it.

Both human and computerized systems can exist for a long time without being damaged while a vulnerability exists within them, if they live in an environment that is not hostile or malicious.
Without a human-originated initiative to exploit the vulnerability, we can say that the risk the bug represents does not really exist, because no action has been taken to reveal or exploit it.

Many times, when thinking of information security, we tend to concentrate on its technological side (and therefore also look only for technological solutions), and ignore/neglect the aspects of human behavior that are essentially inherent in this profession (and also in the parallel occupations of safety and physical security), which are harder for us to deal with, both personally and as an organization: the human malicious intent.


(This post is a translation of a post from my Hebrew information security blog, from 10-May-2008)