When mentioned, information security often stirs up a little rush of emotions among most people. One might feel fear, annoyance, frustration, or guilt. And that’s OK; emotions are a part of our cognitive behaviour. But when coping with risks related to information security, we need to be able to get beyond the first primitive emotions and try to think and behave rationally.
It is not trivial to identify and evaluate risks. Information is often fragmented and asymmetric: not everybody has access to all information. Also, media, vendors, government security agencies and even information security professionals sometimes skew or exaggerate some risks for their own gain. With a dramatic horror story, you can sell your news or your security products, get more funding, or lobby for a legal framework that makes your agency more important.
Also, some information security professionals might try to mystify security risks in a way that only the cyber illuminati could possibly identify and cope with. Of course IT and technical security can be extremely complex and require advanced training, skills and experience, but it is still based on technology and human behaviour. Adequate risk management needs, well, management, but of course also solid technical expertise, good communication, commitment and good leadership.
A typical skewed perception about information security risks is that the most important threat agent is a sinister intruder with superhuman skills. We who have been working with information security at Computing Centres and NRENs (National Research and Education Networks) have seen more or less smart intrusion attempts on a daily basis for almost a quarter century so far. Sometimes your system can get compromised, but mostly you can find the main culprit in the mirror. If you run your system with insecure configurations, no patching, no monitoring, no system administration, and internal critical infrastructure open to the internet, then you can primarily blame yourself, and not the script kiddie who got root. There are, of course, also quite advanced attacks done by government agencies, which can be very difficult to mitigate. Good security practices will help, or will at least diminish the damage.
A good example is the latest Wikileaks release of some hacking tools of the US government: https://www.theregister.co.uk/2017/03/31/wikileaks_cia/. As a combination of pleasure and pain (knowledge gives pain), I recommend the latest Snowden movie; it really gives you an impression and a feeling about what kind of cyber threats there are. Time to fold your own tin hat?
One of my favourite security authors, Bruce Schneier wrote already in 1996: “The lesson here is that it is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics”.
But back to our daily reality. We who try to see that everybody in our own organisations does their part of the risk management – we really need all staff to act responsibly – also meet daily frivolous downplaying of all kinds of security risks. ‘Let’s share this confidential information in social media, everybody else does it too’, ‘I do not need to test anything, I’m agile’, ‘we can read people’s email, nobody will notice’, ‘let’s install by just using default settings’. Do these sound familiar to you?
Security is not only about confidentiality. Actually, ensuring trust, the business, and service availability is the best risk management. Computer and network security are crucial, but you also need to think about physical damage and about business, legal, and strategic risks. Do not do technical risk analysis without a context. It really makes a difference whether you lose a test server or a part of your – and your customers’ – critical infrastructure.
To make risk management work at home, i.e., your own organisation, you need to think about a couple of issues.
- Write a risk management policy (or include it in your security policy) and ask your management to approve it
- Define the important assets you are protecting: what are your crown jewels?
- Identify and evaluate a finite number of risks, using all information, skills and knowledge at hand (involve administrators and managers, use metrics and external information sources)
- Define risk ownership and make supervising management responsible
- Define in writing the controls (technical, administrative) for mitigating the risks
- Monitor how you are proceeding (check regularly and after each incident)
- React to changed risks and to controls that are not properly in place
There are a lot of guidelines, frameworks and literature available for risk management. NIST has some very thorough guidelines on the subject, and ENISA has also been working on the topic. OWASP has a nice framework for handling risks related to web based services. The problem with all of these is that, for a starter, they are either too exhaustive or too generic. You need to start from scratch anyway.
Here at WISE we have a special working group for sharing best practices on risk management, the RAW-WG. We are currently working on a sustainable tool with examples by which you can start risk management in your own NREN, Research Infrastructure, or Data Center. If you are an e-infrastructure and want to share best practices on risk management, please join RAW-WG by contacting me.
Urpo Kaila is the Head of Security for CSC – the Finnish IT Center for Science, which provides a wide range of IT Services for academia and government, including Funet, the Finnish University and Research Network and Finland’s most powerful supercomputing environment.
Urpo has long experience in developing and managing information security as well as in handling a vast range of security incidents. He also holds the usual industry standard information security certificates (CISSP, GCIH, GCED, etc.). Urpo has previously worked at F-Secure.
Urpo and CSC have successfully implemented ISO/IEC 27001 information security certification.
All views and opinions expressed in this blog are Urpo’s own and do not necessarily reflect the views of his employer, friends, family, or WISE.