We do a lot of risk assessments… a lot…. As a result, we spend a lot of time talking about risk, how it is measured and most importantly what it delivers for an organisation. We also do a lot of reading.
Most security professionals do; it is important to understand changes in the threat landscape (which occur almost daily) so that we can be well informed on behalf of our clients. In both our risk work and our reading, the most important question we ask our clients and ourselves is ‘So What…?’
Risk management is, by definition, managing the amount of risk you are exposed to. It therefore implies that decisions will be made about which levels of risk are tolerable and which risks must be treated (or modified). To make those decisions we need two things: an understanding of what will happen if the risk eventuates (the impact) and some understanding of how probable it is to eventuate (the likelihood). The ‘So What…?’ test is a simple way of getting at both factors and deciding whether a specific threat is worth worrying about.
The reason the ‘So What…?’ test is so useful is that we are bombarded on a daily basis with threat information. Some of it is timely and useful. Much of it, however, is FUD (fear, uncertainty and doubt), which sells a lot of products, services and newspapers (or adverts, depending on your medium).
A recent example is the Deloitte Technology, Media & Telecommunications report 2013, published in January. The report covers six key trends, the third of which is titled ‘P@$$1234: the end of the strong password’. The press picked this up as ‘90% of passwords are vulnerable’, which is a pretty strong headline, but it was no accident or misinterpretation: the Deloitte press release read ‘Deloitte predicts that in 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking’. Well, ‘so what…?’ we asked ourselves, and had a read of the report. Ultimately it is a prediction that increased computing power will be able to brute force, in a reasonable time period, longer and more complex passwords, even the eight-character complex passwords most IT departments now enforce. Again, ‘so what…?’ Brute forcing at those speeds is an offline attack: you still need a copy of the password file (the stored hashes) before you can try guesses at that rate, because guessing against a live login is limited to whatever the service will accept. Stealing a password file is not a frequent occurrence, and it is far less likely for organisations that do not expose large user databases (if anyone is considering throwing back the LinkedIn breach from last year, try the ‘So What…?’ test first).
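To put numbers on that ‘so what…?’, the following Python is an added worked example; it is not code from the original post or from the Deloitte report. It sizes the keyspace of an eight-character complex password and estimates how long an exhaustive search takes at three assumed guess rates. The character-class sizes and the rates (a GPU rig against fast unsalted hashes, the same rig against a slow adaptive hash, and guessing against a rate-limited live login) are illustrative assumptions, not measurements; the point is the gap between them, which shows that the prediction only holds for an offline attack on a stolen store of fast, unsalted hashes.

```python
# Constructed example: character-class sizes an "eight character complex" password
# policy usually draws from (printable ASCII). Assumption for illustration only.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 32,   # the printable ASCII punctuation characters
}

# Assumed guess rates: order-of-magnitude assumptions for illustration, not measured figures.
ASSUMED_RATES = {
    "offline, fast unsalted hash": 1e10,   # GPU rig against e.g. raw MD5/NTLM hashes
    "offline, slow adaptive hash": 1e4,    # same rig against e.g. bcrypt at a sensible cost
    "online, rate-limited login": 10.0,    # guessing against the live service itself
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, classes=("lower", "upper", "digit", "symbol")):
    """Number of candidate strings of exactly `length` characters drawn from `classes`.

    This is an upper bound on the policy's keyspace: a real "complex" policy also
    requires at least one character from several classes, which excludes a small
    fraction of these strings, and most users pick from a far smaller effective set.
    """
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def expected_seconds(space, guesses_per_second):
    """Expected time to hit one uniformly chosen password: half the keyspace on average."""
    return space / 2 / guesses_per_second


def describe(seconds):
    """Render a duration at the granularity a risk discussion needs."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def so_what(length, rates=ASSUMED_RATES):
    """Expected exhaustive-search time, in seconds, for each assumed attack setting."""
    space = keyspace(length)
    return {name: expected_seconds(space, rate) for name, rate in rates.items()}


if __name__ == "__main__":
    for length in (8, 12):
        print(f"{length}-character password, {keyspace(length):.3e} candidates:")
        for name, secs in so_what(length).items():
            print(f"  {name:32s} {describe(secs)}")
```

Under these assumptions an eight-character complex password falls in a few days to an offline attack on fast hashes, but takes thousands of years against a slow adaptive hash and millions of years against a rate-limited login. The ‘so what…?’ answer is therefore about how the hashes are stored and whether the file can be stolen, not about the password length alone.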
Ultimately, neither the press coverage nor that section of the report informs or guides. It spreads a bit of fear based on some pretty shonky analysis and then states that two-factor authentication should be considered, which brings us back to risk. We have known for years that passwords are a vulnerable component of any authentication system. If you truly have something worth protecting that is exposed to the Internet or to a large hostile user base, a password alone will not reduce your residual risk by much, especially where there is significant motivation to steal what you have (i.e. the likelihood is increased). Two-factor authentication is likely to reduce your residual risk to a much lower level, but here is my point: the level of risk that is acceptable will be different for every organisation, based on the information it holds and what it considers important. So, when you are doing your risk assessments or reading the latest security press release, make sure you are asking yourself ‘so what…?’ It might just save you a lot of time, money and worry.