The Distorted Risk Landscape
I guess that many of you are asked for advice by decision makers in IT security matters. First of all, it is a good thing. It shows that they feel uncertain and need the confirmation of professionals with insight into the respective field.
Having said that, it worries me to receive more and more requests for comments on matters that I consider less relevant in light of the issues that represent the real threats.
What disturbs me is the CSO asking me about measures to mitigate ‘video jacking’ while at the same time tolerating outdated versions of Java 6 for legacy reasons on Internet browsing workstations.
That’s what I mean by “distorted risk landscape”. It’s the overvaluation of less relevant risks that are perceived as relevant in contrast to actual issues that pose a real threat. If I had more time and a valid data basis I would have created a graph like the following for IT security related risks.
Let me give you some examples of topics that I’ve been asked to comment on in the last three months:
- Attacks on VGA/DVI/HDMI cables (video jacking)
- Email Tracking (tracking pixels in emails)
- Darknet Monitoring
- JavaScript Crypto Miners
- Antivirus on Smartphones
- Wifi Hacking Drones
Some evergreens:
- DRM (Digital Rights Management)
- DLP (Data Loss Prevention)
Don’t get me wrong. I answered all the requests, explained attack vectors, technical difficulties and damage potential. There is definitely a risk and value in solutions that mitigate the corresponding risks.
But I was asked by the same CIOs, ISOs and CSOs that had and still have issues with …
- Ransomware in production networks, because their Windows 7 embedded machines lack the patch for the EternalBlue vulnerability
- Office droppers on workstations because the Windows client department strongly resisted the attempts to deactivate Macros
- Exploits targeting outdated versions of JAVA and Adobe Flash (yes!)
- Malware downloads via HTTPS because the worker’s council and data protection officer have strong reservations regarding SSL interception (strict privacy laws here in Germany; probably rather a regional issue)
- Single factor remote access gateways in recently compromised environments
- Lack of network and rights separation: Shared DMZs, domain joined servers in untrusted networks, admin workstations with Internet access in office networks, service providers working as admin from shared Citrix server farms
- Default passwords on many embedded systems, VoIP phones and ILO boards
I could write a long list of issues that I consider far more relevant than ‘video jacking’. I typically start my answer with “I consider all attack vectors that involve physical access or the use of liquid nitrogen as less relevant”.
Maybe someone comes up with an idea to create a data basis on which we can build a “perceived and actual risk” graph for ITSec topics.
Further reading:
A while ago I wrote a blog post titled “How to Fall Victim to Advanced Persistent Threats” that lists many ways to fail.
https://www.bsk-consulting.de/2016/05/04/how-to-fall-victim-to-apt/