Defining risk
Anyone who works in infosec or risk management for any significant amount of time, or who has studied for any of the several certifications in the infosec field is familiar with the following statement:
“RISK is the PROBABILITY that a THREAT will exploit a VULNERABILITY to cause harm to an ASSET”
This statement is sometimes represented as a mathematical equation:
While I’ve talked about Risk Calculus and how many people don’t think about risk mitigation in their personal lives, there is one area where I believe people don’t evaluate risk well and that is when doing compliance audits.
Risk management in the context of compliance
When you start dealing with compliance, risk evaluation is sometimes set aside so that an auditor can place a check in a box. However, doing a full risk evaluation could tell you in the first place which boxes even need checking. Unfortunately, many people who specialize in compliance would rather see all of their boxes checked regardless of what real risk exists, and regardless of what risks checking those boxes introduces.
I’ll give you an example from my personal experience.
There was an organisation that was going through a compliance inspection and had done well, except for one thing. This particular organisation had two networks bridged together and had a router on either end, connected to each other via a simple ethernet cable to each router’s WAN interface.
This was unacceptable to the inspection team, as there was no rogue system detection mechanism in place between the two routers to make sure that nobody tried to place a system between them for man-in-the-middle attacks. In short, there was a compliance box not checked.
There was a perceived risk that someone could plug another computer in between the two routers and could start sniffing traffic and potentially inject their own malicious traffic, that is, if we take this simple setup out of context.
But what if we looked at the configuration in the larger context of a risk evaluation? These two routers were inside a secure telecom closet that had two-factor access control (an access card plus a PIN) and access restricted to a group of <20 people. That closet was inside a secure building, which itself had two-factor access control and access restricted to a group of ≈100 people, and that building was on a corporate campus that had guarded entry control points.
So when we look at the risk to this particular connection in the correct context, the chance that a rogue system would actually end up connected between these two routers was statistically 20 in 7 Billion, give or take two billion. I tend to think that those are pretty low odds. Low enough that the extra cost of hardware and software to detect the fact that one of about 20 trusted people had placed a rogue device is not only not cost-effective, it has the potential to introduce its own set of vulnerabilities.
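The contextual calculation above, as an added example that is not code from the post: a small Python model of the post's definition, RISK = PROBABILITY × IMPACT, in which the probability is bounded by the smallest population admitted through the nested physical access controls rather than by the world at large. The campus headcount, the impact value and the control cost are constructed placeholders (the post gives only the closet and building figures), and the class and function names are my own.

```python
"""Risk-in-context model (added illustration, not code from the post).

RISK = PROBABILITY x IMPACT. The probability that a rogue device reaches the
inter-router link is bounded by the smallest population that can legitimately
pass every physical access layer around it.
"""
from dataclasses import dataclass
from typing import List

# The post frames the denominator as the world population, "7 Billion".
WORLD_POPULATION = 7_000_000_000


@dataclass(frozen=True)
class AccessLayer:
    """One physical control layer and how many people can legitimately pass it."""
    name: str
    population: int


def exposed_population(layers: List[AccessLayer]) -> int:
    """Nested layers only ever narrow who can reach the asset, so the innermost
    (smallest) population bounds the set of people who could plant a device."""
    if not layers:
        raise ValueError("at least one access layer is required")
    return min(layer.population for layer in layers)


def probability_in_context(layers: List[AccessLayer]) -> float:
    """Chance that a rogue device appears on the link, expressed the way the post
    does it: people with physical access over the world population."""
    return exposed_population(layers) / WORLD_POPULATION


def expected_loss(probability: float, impact: float) -> float:
    """The post's RISK = PROBABILITY x IMPACT (harm to the ASSET)."""
    return probability * impact


def control_is_cost_effective(probability: float, impact: float, control_cost: float) -> bool:
    """A detection control is only worth buying if it costs less than the risk it
    removes. (The post's further point, that the control itself adds attack
    surface, is not quantified here.)"""
    return control_cost < expected_loss(probability, impact)


# Constructed scenario following the post: closet (<20 people), building (~100),
# campus with guarded gates. The campus headcount is not given in the post; 5000
# is a placeholder, and because min() is used it does not change the result.
SCENARIO = [
    AccessLayer("guarded campus", 5_000),          # placeholder headcount
    AccessLayer("two-factor building", 100),
    AccessLayer("two-factor telecom closet", 20),
]

if __name__ == "__main__":
    p = probability_in_context(SCENARIO)
    impact = 1_000_000.0    # constructed: cost of harm if the link is tapped
    control_cost = 5_000.0  # constructed: cost of a rogue-device detector
    print(f"exposed population: {exposed_population(SCENARIO)}")
    print(f"probability in context: {p:.3g}")
    print(f"expected loss: ${expected_loss(p, impact):.4f}")
    print(f"detector cost-effective? {control_is_cost_effective(p, impact, control_cost)}")
```

Dropping the closet layer from `SCENARIO` (the "out of context" view that stops at the building) raises the exposed population to 100 and the probability fivefold, which is exactly the kind of difference the post says an auditor should weigh before demanding another control.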
Risk mitigation and compliance audits
A risk manager should be able to demonstrate to a compliance auditor the risk mitigation measures that are in place, e.g. “The probability of a rogue system being placed in between the two routers is minimal. Only a small handful of trusted people have access, and separation of duties and job rotation are in place to limit the possibility that a malicious insider can place a device between the routers.”
Conversely, an auditor should recognize when risk mitigations are in place to protect a system or network and be able to decide whether those mitigations are adequate. If they cannot, then they are nothing more than a box checker.
Most of my work and employment has been in food prep and food service. The problem I see your stated risk assessment should have been considering, something that I have seen in both food and data processing, is something I call “compliance drift.” I forgot to log the temps Just This Once so I’ll fill in the blanks, I didn’t check off the proof log and I can’t remember if I proofed this galley so I’ll skim it ’cause I probably did anyway and sign off the log, and so on. And yes, with management support I too have done this. 🙁 It isn’t exclusive to either small businesses or large corporations or government agencies or institutional services.
How do the risk auditors you mention here in secure data facilities account for this and take it into account? What in your experience controls for this?
Sorry it took so long to mod your comment, I’ve been incredibly lazybusy lately. I see the same problem: “Oh those bilges are probably fine so I’ll just copy the sounding log from the last watch.” I really wish there was a better answer. Until someone comes up with one, compliance is going to be the answer. As one friend of mine explained: “If security is the lines painted on the highway, compliance are the guard rails that keep you from driving off the side of the mountain.”