Information Security Risks, Gray Rhinos and Black Swans

Information security over the past few years has been obsessed with zero-day vulnerabilities, hacking exploits, and headline-making mega breaches.   Every security risk manager is looking for the “unknown unknowns” that could result in untimely unemployment.  But is that the right approach?  One presentation and one book made me think otherwise.

The presentation was Alex Stamos’s talk last summer at Black Hat; you can listen to it here.  In this talk, he highlights the differences between risks identified by traditional InfoSec and newer risks that he calls “abuse”.  The triangle diagram from his talk captures his point.  Note that the vertical scale is a log scale.  Mr. Stamos’s definition of abuse is “technically correct use of a technology to cause harm”.  Think user profile scraping, insider trading, spam, doxing, sexual exploitation, etc.  The log scale illustrates that the biggest risks are found in the category of abuse.  Zero-days and targeted attacks are orders of magnitude less important.  Searching for the “needle in the haystack”, the holy grail of InfoSec practice, may not be rewarding or cost-effective.


The book was Gray Rhino, by Michele Wucker.  It highlights the risks of looking primarily for needles in haystacks and confirmed Mr. Stamos’s thoughts.  The metaphor here is the Gray Rhino, which may be charging while you are looking for the unknown unknowns.  Ms. Wucker’s book is written for risk management professionals in general, but by connecting the dots we can apply it to InfoSec.  Gray Rhino is the counterweight to Black Swan, by Nassim Nicholas Taleb.  Black swans are high-impact events that we cannot predict.  A Gray Rhino is something you see coming but ignore, for one reason or another.  It is a highly probable, high-impact event.  Think of the Equifax breach in 2017.  There had been a previously reported breach in May 2016, which I would call a Gray Rhino.  Another recent breach is the ransomware attack on Atlanta.  Is this a Gray Rhino?  Such attacks have been common since 2015.  Was the City of Atlanta able to take steps to train users and back up systems?  Apparently not yet.  How about Facebook and the alleged misuse of user data by Cambridge Analytica?  Many InfoSec professionals are looking for hacker attacks.  But go back to 2005 and the ChoicePoint breach; this attack could have been a Gray Rhino for Facebook.  In that breach, business partners of ChoicePoint exposed data on 163,000 users (a piddling number by today’s standards).  This should have tightened security within business units of Facebook.

A zoological risk matrix could look like this:

                  Low Probability     High Probability
  Low Impact                          White Swans
  High Impact     Black Swans         Gray Rhinos

Dealing effectively with gray rhinos requires awareness, both individual and organizational.  The reasons we don’t do so come down to several obstacles:

  • Weak response to signals that are seen by many but not followed up on
  • Systems that accept as normal a failure to respond
  • Impulse to procrastinate (everyone)
  • Taboos against raising alarms
  • Groupthink
  • Too many rhinos attacking at once

This is a short list of causes from the book.  All of them apply to information security risk management.

How about mitigations?  Ms. Wucker offers some good general ideas that can be applied in an information security context:

  • First, acknowledge that your Gray Rhinos are out there.
  • Prioritize which rhino you will manage first.
  • Accept incremental mitigations and continue to improve on them.
  • If you do have a security incident, capitalize on it.
  • Work hard to convince management to take action against distant rhinos before they show up on your doorstep.

Going back to information-security-specific vulnerabilities, the Stamos triangle is a good starting point for finding specific Gray Rhinos.  Focus on getting out of the way of these four animals before looking for targeted attacks or zero-day attacks.

Common Information Security Gray Rhinos

  1. Phishing: User training, repeated regularly, is essential.
  2. Unpatched systems: Do you know the percentage of systems, operating systems, middleware and applications that are not patched, and the corresponding risk levels?
  3. Password reuse and mass compromise: Have you implemented and required MFA on all critical systems?
  4. Abuse: How could your partners, customers and employees misuse your systems?

One of the functions of an outside consultant is to help a client identify its Gray Rhinos, whether those above or others.  If you are considering this type of perspective, please drop me a line.

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.
