Do you have a 500barrel RiskGun or a 1000barrel RiskGun?

Ok, as I read the latest 2600 magazine on my tablet (article “Parse Database Injection”).  I was going to write about the article as it is pretty interesting to me.  April 4, 2016 edition so it is not online yet.

But as I read more I realized only a few people will understand what I am talking about.

The article puts together various coding methods and comes up with a way to hack websites in a unique manner. If a website developer has not thought of this way of  hacking a website then they are now susceptible to this new method of attack.

We recommend defenses in cybersecurity which is why I have created Security News Analyzed¹ page so I can keep up with new methods of attacks. As well as learning what is going on in the industry.

2600 is a unique magazine as it was created as a hackers How-To  explanation of what we do sort of.  Image from the 2600.com website.

2600mag

 

My problem is in how to explain the general lack of understanding in IT causes our vulnerability to hackers.

The biggest problem(I believe) is that a person is generally not interested in security since it takes effort to be more secure and we all know the seesaw balance of security and functionality. I have tried to convey this before:

patchingvsattackers

In the patching versus attackers image above from 12/15/2015. One aspect I believe is important enough to discuss again.

The constant Risk/Security juggle is happening in all households and businesses whether consciously or not.

perfectsecuritynotpossible

So I want to make clear right now that Perfect security is also not possible. There are only difficult choices to make.

Risk includes the following:

  • Higher payoff reward with failure is allowed.
  • Security is low priority
  • Most Cyber Risks unknown
    • may be playing 1000 barrel Russian Roulette

 

Security includes:

  • Security is priority (x% of time spent – likely at least 5-10%)
  • Some Risks avoided
  • Perceived lower growth, but can be mitigated

 

My point is unless one does a best effort risk analysis the risks may be so high that you wondered why you did not do anything.  In fact I am trying to illustrate this by showing you a 100 barrel picture and then a 500 and 1000 barrel picture.

100gunbarrels1000gunbarrels

Imagine playing Russian Roulette every day as you walk in the office once per day or so (depends on various factors) Except the “Gun” is a number of barrels much higher than a standard gun. So This “risk gun” fires either a blank or the hackers have finally succeeded in advancing their agenda. So with a 500 barrel gun in a couple of years you still may not get “hacked” but now the risk has increased higher than what you think your risk actually is.  Sort of like going to the casino with minimal money and expecting to come out of the casino with an extra $100, it is not very likely. It happens but not often since the odds are against you.

 

The hacker has a similar likelihood problem, it is not very likely to find an easy mark, but he keeps searching and eventually they find the easy hack.   Once exhausting the easy hacks, they move on to slightly more challenging hacks and so on and on.

 

Of course in real life the situation is very fluid and likely hard to pin down, the 500 barrel ‘Gun’ is difficult to see even when photoshopped together. The real problem is our innate inability to see many problems until they actually happen.

 

I have discussed this before, but as in SVAPE&C²  the ultimate result attempted is control over your computers and resources.

It is tricky to know _all_ risks in your computer environment. So since we all want to use the Internet and reap the benefits of being connected, we have to accept some risks.

The key is to do it as secure as practical without a 100 barrel roulette gun, try and make it a 1000barrel gun instead or a 10k barrel gun.

Contact me to discuss this process of reducing your risk profile within as reasonable a manner as possible.

 

Quickly – a risk profile is set up by analyzing the current environment , evaluating and testing the devices, making easy changes or accepting risks and setting up monitoring of the high risk areas.

 

 

 

 

  1. http://oversitesentry.com/security-news-reviewed/
  2. https://fixvirus.com/svapec/

 

 

Advertisements