DeepSec 2014 Talk: Build Yourself a Risk Assessment Tool
“The only advice I might give to everyone who is responsible for information security is that it is never about a tool or a methodology”, says Vlado Luknar. The never-ending quest for the “best” tool or methodology is a futile exercise. In the end it is you, the security specialist, who adds the most value to a risk assessment (RA) / threat modelling process for your company, claims Vlado Luknar (Orange Slovensko a.s. / France Telecom Orange Group). In his talk at DeepSec, Mr. Luknar will demonstrate that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool. But first, let’s ask Mr. Luknar a couple of questions:
1) Mr. Luknar, please tell us the top 5 facts about your talk!
- There is no problem with understanding existing RA methodologies, yet it is really not that easy to start with any of them.
- There is no single best approach to RA for everyone.
- For an RA to be practical we need to simplify things as much as we can.
- The presentation is for those practitioners who are subject to hefty compliance requirements, all of which demand a formal risk assessment.
- Exaggerating a little, we could say the best thing about RA is not the result but the journey itself.
2) How did you come up with it? Was there something like an initial spark that set your mind on the topic of your talk?
One of the key disappointments for me, as a (naive) practitioner, was the fact that no methodology would discover for me something I didn’t have a chance to know about before we started the RA journey. And I don’t mean a forgotten piece of sensitive data, or a server which we discovered when trying to solve the R(asset) = T x V x I formula.
I mean the real discovery: after you went through all the exercises, responded to all questions, calculated everything that could be calculated, and after you finally pushed that red button labelled START on your mysterious RA machine… The machine then makes a few cranky sounds, coughs a couple of times and then finally spits out the ominous verdict:
YOU’VE GOT A BIG RISK OF CLASSIFIED DATA BEING STOLEN, ABUSED OR DISCLOSED!
This is it? Well, yes. Nothing more, nothing less.
Then I realized that performing a risk assessment is about the best collective judgment you can make from the facts you are able to collect. Only much later did I discover a very similar statement in NIST SP 800-39, Managing Information Security Risk.
3) Why do you think this is an important topic?
Despite all that scholars know about risk, it remains a vague and somewhat confusing concept. Everybody talks about it, asks for it, but only a few know how to go about it, in particular those who really depend on it every day. And then there are those who don’t know that they should depend on it and that it should be an organic part of any security management and not a lifeless requirement from a standard. Done properly, it can save you a lot of trouble; done formally, you just cheat yourself.
4) Is there something you want everybody to know – some good advice for our readers maybe? Except for “come to my talk” 😉
The only advice I might give to everyone who is responsible for information security is that it is never about a tool or a methodology.
It is you, the well-informed internal expert and the team around you, who add the real value to the process, method or tool. The tool or the methodology is just a facilitator, although an important one.
5) A prediction for the future – what’s next? What do you think will be the next innovations or future downfalls – for IT-Security in general and / or particularly in your field of expertise?
Some industries have already experienced it, not always handling it properly – that is, the growing pressure of regulation, and the open, public comparison of products based on security. One of the major “conflicts of interest” is that of technological advances versus privacy issues. To me, security is only another attribute of quality (in cases where the product does not directly depend on it) and, due to many, mostly economic, reasons, it does not yet make it there. The conflict of privacy vs. technology should inevitably make security a native part of any functional and design specifications during a standard SDLC. It is not happening yet, especially with traditional business moving to the web: just look at companies who provide GPS monitoring or smart home management – how many of them use even SSL and something more than a password on a web page. But it will change very soon.