twitter facebook rss

Information Security and the Zero-Sum Game

Posted by on April 1, 2018.

A zero-sum game is a mathematical representation of a situation in which each participant’s gain or loss is exactly balanced by the losses or gains of the other participant. In Information Security a zero-sum game usually references the trade-off between being secure and having privacy. However, there is another zero-sum game often played with Information Security.

City of Atlanta has been battling a ransomware attack causing major disruptions in five of the city’s 13 local government departments. The source appears to be a strain of ransomware called SamSam. While SamSam may be the technical source, it is really just a symptom of a much larger problem across all technological landscapes.

I wrote about the actual problem before in my multipart article titled “What does Information Security have in common with Eastern Air Lines Flight 401?”. The sheer density and scope of Information Security coverage are not well appreciated at the C-Level. Add to the mix an onslaught of IoT devices, as I noted in “Injunction of Technology.” Cap it all off with the political hurdles of doing the right thing for a secure cyber posture, and you have a complicated and complex cocktail difficult to drink for any sober practitioner.

A small example is Office 365. A typical business leader would think little about the security impact of embracing this cloud offering. All the liability will now pass to Microsoft… right? Well of course, a business can never pass all the liability off. However, as I point out in “Uh Oh 365” there is a direct impact to your own infrastructure. Can’t see that connection, then give that post a read.

The basic construct of Information Security is broken, because it is usually injected at the wrong business level and never realistically approached from a resource to coverage standpoint. A City the size of Atlanta must have an IP count in the tens of thousands. The amount of telemetry that produces and the ability to review such traffic I am willing to bet is well beyond their staffing levels. However, Infosec is not just about monitoring. You have to protect those tens of thousands of IP’s, patch them (if they can be) and run vulnerability assessments while working with system owners to remediate said devices. Oh, and you also have to put together policy and procedures, get the business to embrace same, then audit and enforce. Lastly you are doing all of this to a very dynamic environment, for the technical landscape and associated threat vectors are never static.

So it was not a surprise (and in one way it was) when I read the following section of an ISO/IEC 27001 ISMS Precertification Audit report for the City of Atlanta:

“While stakeholders perceive that the city is deploying security controls to protect information assets, many processes are ad hoc or undocumented, at least in part due to lack of resources. Dedicating resources to formalize and document information security management processes would prepare the city for certification, and, more importantly, provide assurance that the city is adequately managing and protecting its information assets.”

There are two very big positives in the above reference. One, the City is actually going for ISO 27001 certification. ISO27001/2 is a great framework that covers much more than just the typical technical aspects of Information Security. Even so, the real surprise is something I often reference when asked to speak to audit groups. The auditors of this report actually considered the resource coverage needed to handle the findings. Furthermore, they recommend dedicating resources. That is a reality check, not a compliancy checkbox.

I have spoken at numerous auditor forums, because I believe they have power to integrate Information Security into a business more than 90% of CISOs. I usually ask how many have performed a Cyber Security type audit, almost every hand goes up. I then ask how many have performed an APO07 type audit? I always enjoy looking at all the puzzled faces. No hands ever go up. I then explain that APO07 is part of Cobit’s Manage Human Resources. It deals with the following:

  1. Reviewing staff performance
  2. Hiring and training IT personnel to support IT tactical plans
  3. Mitigating the risk of overdependence on key resources

Once I give that explanation a few hands go up. I then ask, “how many raised your hand based on item number 2 or 3 and not item number 1.” That always gets me back to zero.







Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, Martin Zinaich | Tags: , , ,