In an effort to keep El Jefe off guard, here’s the return of what was supposed to be a feature… back when I did the first one.
It’s a Monday morning in my part of the universe, and I’d like it to be the kind of Monday morning where good things happen for you all too.
In this week’s episode of “Do your REAL job…” we’re again going to pull ourselves out of the weeds and have a look at what today’s IT Security Professional should be doing with some of that rare spare time.
It’s time to re-evaluate your Threat Profile…
The Threat Profile is one of the key components of your Risk Management arsenal. It’s probably also the one that you haven’t revisited since you put it together 17 months ago (ahem… like me).
Just as a refresher, the Threat Profile is the worst kind of bad guy you’re willing to defend against: the most capable adversary your controls are actually designed to stop. Anything beyond that line is risk you are accepting, whether you’ve written it down or not.
The Threat Profile that I use is pretty simple. I will defend against:
– external attacker
– moderate skill level (professional)
– 6 months / $150,000 time or funding available
– primary goal is defacement / theft of identity information
– unwilling to work from the inside
As you can see, I’m specifically leaving the “insider” threat on the table. In large part, this is due to the fact that despite my best efforts, I haven’t yet made significant inroads with the nice folks over in Human Resources. I can’t prevent them hiring someone like me as a clerk, and I can do very little to decrease pressure on individual employees in such a way as to decrease the chance they might become disgruntled.
For now, this is workable. Were I truly honest with myself, I wouldn’t be ok with this as the status quo. I need to change it, but I need to create those bridges to the other parts of the organization that can help me first.
In the meantime, I just call out the risk — we’re subject to a number of risks related to information management based on the behaviours of internal people that we don’t entirely control. We’re stuck with the Layer 8 problem again.
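As an added example (my own, not code from the original post), here is the profile above written down as data with an in-scope check, so that a scenario left off the profile, like the insider, is recorded as an accepted risk with a reason rather than simply omitted. The field names, the skill ranking and the sample scenarios are assumptions of mine; the ceiling values are the ones listed in the post.

```python
"""Threat profile as data, with an in-scope check for attack scenarios.

Added example, not part of the original post. Profile ceilings come from
the post; the skill ranking, field names and scenarios are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed ranking, least to most capable. The post equates "moderate"
# with "professional", so that is one level here.
SKILL_LEVELS = ["low", "moderate", "high"]


@dataclass(frozen=True)
class Scenario:
    name: str
    origin: str        # "external" or "insider"
    skill: str         # one of SKILL_LEVELS
    months: float      # time the attacker is willing to spend
    budget_usd: float  # funding available to the attacker
    goal: str          # e.g. "defacement", "identity theft"


@dataclass
class ThreatProfile:
    max_skill: str
    max_months: float
    max_budget_usd: float
    goals: frozenset[str]
    accepts_insiders: bool
    # Risks deliberately left out of scope, written down so they are
    # called out (and revisited) rather than forgotten.
    accepted_risks: list[str] = field(default_factory=list)

    def in_scope(self, s: Scenario) -> tuple[bool, str]:
        """Return (True, reason) if the profile commits to defending
        against this scenario, else (False, why it falls outside)."""
        if s.origin == "insider" and not self.accepts_insiders:
            return False, "insider: explicitly out of scope (accepted risk)"
        if SKILL_LEVELS.index(s.skill) > SKILL_LEVELS.index(self.max_skill):
            return False, f"skill {s.skill!r} exceeds ceiling {self.max_skill!r}"
        if s.months > self.max_months or s.budget_usd > self.max_budget_usd:
            return False, "time/funding exceeds profile ceiling"
        if s.goal not in self.goals:
            return False, f"goal {s.goal!r} not in profile"
        return True, "in scope: controls must hold against this"


def triage(profile: ThreatProfile, scenarios: list[Scenario]) -> dict[str, list[tuple[str, str]]]:
    """Split scenarios into those we defend against and those we accept."""
    result: dict[str, list[tuple[str, str]]] = {"defend": [], "accepted": []}
    for s in scenarios:
        ok, why = profile.in_scope(s)
        result["defend" if ok else "accepted"].append((s.name, why))
    return result


# The profile from the post, as data.
POST_PROFILE = ThreatProfile(
    max_skill="moderate",
    max_months=6,
    max_budget_usd=150_000,
    goals=frozenset({"defacement", "identity theft"}),
    accepts_insiders=False,
    accepted_risks=["insider threat: no HR engagement yet; revisit once bridges are built"],
)

# Constructed sample scenarios (assumed, for illustration only).
SAMPLE_SCENARIOS = [
    Scenario("opportunistic defacer", "external", "low", 1, 5_000, "defacement"),
    Scenario("professional PII thief", "external", "moderate", 4, 100_000, "identity theft"),
    Scenario("well-funded crew", "external", "moderate", 12, 500_000, "identity theft"),
    Scenario("disgruntled clerk", "insider", "low", 1, 0, "identity theft"),
    Scenario("process saboteur", "external", "moderate", 2, 20_000, "process disruption"),
]

if __name__ == "__main__":
    for bucket, items in triage(POST_PROFILE, SAMPLE_SCENARIOS).items():
        print(bucket)
        for name, why in items:
            print(f"  {name}: {why}")
    print("accepted risks on record:", POST_PROFILE.accepted_risks)
```

The point of the `accepted_risks` field and the `accepted` bucket is the budget conversation: every scenario that lands there is a line item you have chosen not to fund, and it should say why. Re-running the triage when you revisit the profile shows exactly which decisions you are re-making.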
How’s your Threat Profile looking? Have you taken the time to articulate your bad guy? Have you used a thumbnail sketch of your bad guy in your budget planning process? You might want to.
I have no idea what next week will bring, but while you’ve got a few moments without interruption, review what I said last time about MITs and figure out what you’re going to get done this week. Take a deep breath and dive in.
Comment! Let’s get the conversation started.
Tags: MITs, Infosec, Information Security Management
I generally don’t use hard numbers for my bad guy because I am in a position where I have to assume worst-case scenario – regardless of traditional risk-based probability factors (vulnerability, threat, frequency, etc.) – and focus on impact of a successful incursion. My bad guy looks a lot like our workers as we are large enough for me to operate under the assumption that a breach exists at any point in time.
I’m not terribly interested in the person who is looking to pilfer PII (no SOX, no HIPAA, etc.), though due diligence is done to mitigate external risks to a level that the business accepts. At the end of the day, the business decided it’s merely a flesh wound – albeit an embarrassing and potentially costly one.
The goal of my bad guy is to disrupt the process through intimate knowledge, accident, or a take no prisoners approach. Accidents are fairly easy to minimize with traditional procedural or technical controls, and the defensive effort threshold is the intersection of reliable process operation and worker rebellion. Those who will take no prisoners cannot be defended against – just slowed to a point where responders can act with physical mitigations, and that is the threshold for defense. Those with intimate knowledge of the process have already won and we focus on forensics.
This is still a work in progress, so feedback is valued.
CJ,
That’s a very interesting take — with a different target, different tactics are required. I can’t see any holes to walk through and I’m going to add this little bit of logic to my bag of tricks.
Thanks for the comment!