3 ways security risk assessment goes wrong

Computer security defenders are notoriously unsuccessful at defending, for a variety of reasons — not the least of which is that they have all the accountability and very little authority.

It doesn’t help that users seem to go out of their way to ignore the good advice they’ve been given or even actively work to circumvent controls. But it’s too easy to blame the behavior of others for the mess known as the current state of computer security.

To take a chapter out of a rehab program, the first step in repairing this broken system is to accept your own responsibility. In my opinion, one of the biggest problems with computer security is the inability of defenders to correctly assess risk. They rank too many lesser risks as high risk and too many high risks as not worth focusing on.

Here are the three most common reasons why computer security defenders make poor risk decisions. Together, these points explain why most companies spend a big part of their IT budgets on projects that won’t protect them from being compromised.

Mistake No. 1: Confusing media hype with risk

When we’re inundated with media coverage of the latest vulnerability, who can blame us for paying attention? That’s the whole idea. Today’s threats come with a media blitz and even their own logos. It’s hard to ignore them — but that’s what we should do most of the time.

Here’s a great example: Any attack that requires the hacker perform multiple, separate, successful hacks in advance. Complexity isn’t only the enemy of the defender. Often, media coverage fails to note these necessary prerequisites at all — or mentions them in passing as if they were fairly easy to accomplish.

For instance, you may hear about an onslaught that says the attacker first must conduct a man-in-the-middle barrage to begin the second wave. Years ago, many hacker tools made man-in-the-middle attacks fairly easy to accomplish. Simply connect to a network, click on a button, and whoosh — you owned the network, often through ARP poisoning.

But today, man-in-the-middle attacks are notoriously hard to pull off on corporate systems, which typically use network devices that defeat ARP poisoning attacks. Even if attackers succeed, they often cause so much unintended disruption that the network team ends up rebooting the network to solve the problem, killing the man-in-the-middle reroute.

Mistake No. 2: Not focusing on root cause

In the wake of an attack, defenders focus too much on what was done after the attacker got in instead of how they breached defenses in the first place. Yes, we need to assess the damage and ensure the attackers have been flushed out. But we should spend as much energy, if not more, determining how the hackers gained access — and ensure the vulnerability can’t be exploited again.

Pass-the-hash attacks provide the best example. Here, the attacker must first have obtained system access in the elevated security context of root, local administrator, or domain administrator. Once they have this they can do absolutely anything. The world is their oyster. We could stop pass-the-hash attacks completely and it wouldn’t stop the attackers one bit. They have the access to do whatever they want. Stop one attack and they’ll simply change their methods.

Worrying about pass-the-hash attacks after the bad guy has your admin accounts is like worrying whether the thieves that stole your car will treat the brakes gently.

Mistake No. 3: Not informing management about the real risks

I frequently hear complaints that senior management doesn’t really back IT security or give it the tools and resources necessary to do the job. This is a cop-out in most cases. Typically, it’s a symptom of IT security not sharing the right information with management.

I’ve have yet to meet a senior manager who, when given a clear understanding of various risks and how they compare to each other, fails to give the security department the go-ahead to do what it needs to do. Unfortunately, most IT security departments hit management with dozens of “No. 1” threats and ask for funding for dozens of different “high priority” projects. Then IT security sits around wondering why their true No.1 threat isn’t being effectively addressed.

For example, if unpatched software is your top problem (in most companies, the highest risks can be tied to a few unpatched programs), if you explain that to senior management in no uncertain terms, management will probably give you the authority and tools to focus on patching.

I don’t want anyone to think that computer security defense is easy. It isn’t. We are faced with rogue’s gallery of different problems and risks. But it doesn’t help when we rank threats incorrectly and fail to give senior management the information necessary to help us do our jobs better.