(A continuation of last week’s post)
Take a look at the following list and ask yourself which of the following would be labeled “vulnerable”:
• An eight-character password made up of alpha and numeric characters
• A six-character password made up solely of alphabetic characters
• A four-character PIN made up solely of numbers
• A fourteen-character password made up of alpha, numeric, and special characters
Actually, there are a couple of rational answers — 1) “it depends”, and 2) “all of them, to some degree”. As I think about it, maybe these are both the same answer stated from slightly different perspectives.
It Depends
The “it depends” answer comes from the fact that we haven’t identified the threat agent we’re up against. If we’re talking about a threat agent who isn’t particularly skilled, isn’t leveraging a toolset that makes up for their lack of skill, and/or doesn’t have much time in which to carry out their attack, then even the four-character numeric PIN might be more than they’re capable of defeating. On the other hand, if the threat agent is highly skilled, has powerful tools, and has lots of time, then even the fourteen-character password can be defeated. This, it seems, also supports the “all of them” answer. The point is, everything is potentially vulnerable under the right (or wrong) circumstances.
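To make the “it depends” concrete, here is an added worked example (my own illustration, not code from the original post) that puts rough numbers on the four passwords against three hypothetical threat-agent profiles. The character-set sizes, guess rates and time budgets are all assumptions chosen for illustration; real figures depend on the hash algorithm, lockout/throttling controls and the attacker’s hardware. The “coverage” figure is the fraction of the keyspace the agent can search within its time budget, which is one way to express vulnerability as a degree rather than a yes/no.

```python
"""Brute-force exposure of a password as a function of threat capability.

Added illustration. All profiles and character-set sizes below are
assumptions, not measurements.
"""

# Assumed character-set sizes
DIGITS = 10        # "solely of numbers"
ALPHA = 52         # "solely of alphabetic characters": assume upper + lower case
ALNUM = 62         # letters + digits
PRINTABLE = 95     # letters + digits + printable ASCII specials

# The four controls from the post: (charset size, length)
CONTROLS = {
    "8-char alphanumeric":        (ALNUM, 8),
    "6-char alphabetic":          (ALPHA, 6),
    "4-digit PIN":                (DIGITS, 4),
    "14-char alpha/num/special":  (PRINTABLE, 14),
}

# Hypothetical threat-agent profiles: (guesses per second, time budget in seconds)
THREATS = {
    "unskilled, online, throttled":   (10.0, 8 * 3600),        # one evening
    "skilled, offline GPU, fast hash": (1e10, 30 * 86400),     # one month
    "well-resourced cluster":         (1e13, 365 * 86400),     # one year
}


def keyspace(charset_size, length):
    """Number of distinct passwords the policy allows."""
    return charset_size ** length


def expected_guesses(charset_size, length):
    """Average-case guesses to hit the right password (half the keyspace)."""
    return keyspace(charset_size, length) / 2


def expected_seconds(charset_size, length, rate):
    """Average time to crack at a given guess rate."""
    return expected_guesses(charset_size, length) / rate


def coverage(charset_size, length, rate, budget):
    """Fraction of the keyspace the agent can exhaust within its budget.

    1.0 means the agent is certain to succeed; smaller values express the
    'degree' of vulnerability the post talks about.
    """
    return min(1.0, rate * budget / keyspace(charset_size, length))


def human_time(seconds):
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def assess(control, threat):
    """Compare one control against one threat profile."""
    charset_size, length = CONTROLS[control]
    rate, budget = THREATS[threat]
    return {
        "control": control,
        "threat": threat,
        "expected_time": expected_seconds(charset_size, length, rate),
        "coverage": coverage(charset_size, length, rate, budget),
    }


if __name__ == "__main__":
    for control in CONTROLS:
        print(control)
        for threat in THREATS:
            r = assess(control, threat)
            print(f"  vs {threat:32s} avg crack {human_time(r['expected_time']):>18s}"
                  f"  coverage in budget {r['coverage']:.2e}")
```

Running it shows the post’s point numerically: the PIN falls to every profile, the eight-character alphanumeric password is fully covered by the offline GPU profile but not by the throttled online one, and even the fourteen-character password has a non-zero (if tiny) coverage against the cluster. Changing the assumed guess rate, which is what a lockout policy or a slow hash like bcrypt does, moves the same password between “vulnerable” and “not vulnerable”.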
Unfortunately, we tend to use the term vulnerability as if it’s a binary condition: something is vulnerable or it’s not. But whether we realize it or not, when we say that something is or isn’t vulnerable we are making unstated assumptions and generalizations about threat capability relative to the control in question.
Of course, some folks insist that we have to rate controls against the “most capable” threat agent. A couple of problems with that include:
• Who’s to say what the most capable threat agent is capable of?
• If we’re judging against the most capable threat agent, then everything is theoretically vulnerable (given enough skill, resources, and motivation)
The fact is, when someone calls something vulnerable (or not vulnerable) they’re consciously or subconsciously quantifying the threat capability as well as the control condition, comparing the two, and then making a judgment about the degree of vulnerability. Or, I suppose, they may just be blindly following someone else’s proclamation that “this is vulnerable” and “that isn’t”.
So, if we’re performing subconscious quantification and comparison when we rate the vulnerability of something, is there any reason we can’t/shouldn’t be more conscious about it? What’s the downside? And is there any reason to believe conscious analysis would be less accurate than the subconscious one? Think about it. Subconscious assessment is at least as exposed (and arguably much more exposed) to errors of omission, errors in estimation, and personal bias/gaming, which means conscious analysis can be no worse and has the opportunity to be much better.
Next week — “Measuring Vulnerability”