Why I don’t see the need for elaborate Risk Analysis


Convicted hacker Robert Moore, who is set to go to federal prison this
week, says breaking into 15 telecommunications companies and hundreds of
businesses worldwide was incredibly easy because simple IT mistakes left
gaping technical holes.

“It’s so easy. It’s so easy a caveman can do it,” Moore told
InformationWeek, laughing. “When you’ve got that many computers at your
fingertips, you’d be surprised how many are insecure.”

Even before I took up auditing as a profession, every client I dealt with had glaring errors and omissions in their security arrangements, be they physical, logical or documentary.

Yes, this includes divisions of banks (brokerage firms were the worst).

Most of the horror stories would be familiar to people who read and contribute to security forums and blogs. That, when it comes down to it, is what is really astounding: the omissions are from the ‘baseline’ of good practice, obvious things such as

- documentation, so that knowledge spans the employment of different sysadmins and is communicated within the IT group;
- restricting access to the root password (especially for developers);
- not doing development on the production machine or database;
- backups that reflect the business, not just the convenience of the hardware or the sysadmin;
- documenting (and hopefully approving!) changes;
- actually installing and configuring the firewall, which of course assumes there is a policy, reflecting the business needs rather than the sysadmin’s ‘best guess’, to determine how it is going to be configured.

And so on and so on.

So it gets to be, if you’ll pardon the analogy, like worrying over the diseases of civilization (Alzheimer’s, osteoarthritis and osteoporosis, ALS, macular degeneration, diseases due to over-rich diets, senescence in general) when you don’t have an adequate diet or clean water to drink.

“Standards” like ISO 17799/27001 and ITIL aren’t trying to do anything more than lead people through a process that makes them deal with the basic good practices. When they talk of things like Risk Analysis they are trying to get people to think about risk and their risk posture, and that is, all too often, sadly, something most firms don’t seem to have got around to.

Judging by what I see people asking, as well as asserting, on other forums about security and risk, most of the IT industry is in a bad way and doesn’t even know it. Of course the dominance in IT departments of the techie-geek-and-proud-of-it, who has a dislike for ‘suits’, means that there is an unhealthy obsession with equipment (rather than business processes) as assets, and with identifying and enumerating individual threats and vulnerabilities rather than their effect, as classes, on the business processes and how to mitigate or recover from those effects. (In other words FMEA. You knew I was going to get around to saying that, didn’t you 🙂 )

Let’s worry about the baseline before we try to address the esoteric.

About the author

Security Evangelist


  1. Something I will always remember was a quote by Bill Murray, in response to some kid talking about how his site only used DES to protect transactions, and was trying to get them to upgrade to 3DES. His statement: “If the use of DES is your weakest control, then your site is very secure indeed.”

    There is something to be said for focusing on macular degeneration for an individual who is otherwise generally healthy but whose eyesight is going. But I think that is your point. One could say the same thing about this American obsession with the death of 5000 on 9/11, when “Modifiable behavioral risk factors are leading causes of mortality in the United States.” and leads to the death of a million each year. (JAMA, March 10, 2004, Vol. 291, No. 10, p. 1238)

    I think I’ve become cynical. I do what I do, because it is a requirement. I do try to improve security postures, but it is not in the way that clients expect nor is it what they requested. Such is the way of business.
