Despite how much I’d like to use “F” for something else:
- What the ____ are you doing?!
- ____ you!
- Who the ____ told you to do that?!
- Why the ____ do I bother?
I’ll fight the urge and use “F” in a more decent manner, even if it is a little less honest.
So why does “F” stand for Fundamentals? For starters, fundamentals are critical. Without understanding and implementing fundamentals, the information security program you’ve poured your heart, soul, and money into will fail. Fundamentals form the foundation, and a house with a crappy foundation looks like this…
You might think your information security program looks better than this house, but if you lack fundamentals, you’re wrong. Sadly, we’ve seen too many information security programs look exactly like this house; falling apart, unsafe, and in need of serious rebuilding (or starting over). So, why do so many information security programs look like this house?
The quick answer:
- People don’t understand the fundamentals of information security. (AND/OR)
- People don’t practice the fundamentals of information security.
Let’s start with #1
People Don’t Understand Information Security Fundamentals
It seems we’ve preached “fundamentals” so many times that I’m beginning to wonder if we’re using the word right. Let’s look at the definition, then use logic (our friend) to take us down the path of understanding.
Here’s the definition of “fundamental” from Merriam-Webster (along with my notes):
- serving as a basis supporting existence or determining essential structure or function – the “basis” or foundation of information security.
- of or relating to essential structure, function, or facts – the words “essential structure” reinforce the idea of foundation. We can’t build anything practical without a good foundation; therefore, we need to figure out what makes a good information security foundation (based upon its function).
- of central importance – what is the “central importance” of information security? We get this answer from understanding the purpose of information security.
OK, now let’s take “fundamental” and apply it to “information security”. My definition of information security is:
Managing risk of unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).
Does the definition of information security meet the objectives set by the definition of “fundamental”? Think about it. Re-read if necessary.
If the answer is “no”, then define information security for yourself. Write it down. (let’s hope ours are close to the same)
The definition of “information security” is the most fundamental aspect of information security. If we don’t have a solid fundamental understanding of information security, good luck with the rest.
OK, so what’s next?
Notice the words “managing risk” in the definition? Information security isn’t “eliminating risk” because that’s not possible. Managing risk, however, is quite possible. It seems our next fundamental is to define how to manage risk. Logic is still our friend, so let’s use it again:
- You cannot manage risk unless you define risk. = risk definition
- You cannot manage risk unless you understand it. = risk assessment
- You cannot manage risk unless you measure it. = risk measurement (management 101 – “you can’t manage what you can’t measure“)
- You cannot manage risk unless you know what to do with it. = risk decision-making
If managing risk is fundamental to information security, it’s a good idea for us to define risk. The dictionary definitions of risk are not entirely helpful or practical. For instance:
- possibility of loss or injury – this only accounts for likelihood and says nothing of impact.
- someone or something that creates or suggests a hazard – this is more “threat” than risk.
In simple terms, risk is:
the likelihood of something bad happening and the impact if it did
OK, but how do we then determine likelihoods and impacts?
These are functions of threats and vulnerabilities. More logic, this time theoretical:
- If you have no weakness (in a control), it doesn’t matter what the threat is. You have zero risk.
- If you have infinite weakness (meaning no control), but have no threats, you also have zero risk.
- If you have infinite weakness (meaning no control), and have many applicable threats, you (potentially) have infinite risk.
- Zero risk and infinite risk are not practically feasible; therefore, risk is between zero and infinity.
Makes sense. The important things to remember about risk are likelihood, impact, threat, and vulnerability. Also, it helps to remember that risk is always relative.
The next fundamental in “managing risk” is to assess risk. To some folks, assessing information security risk seems like a daunting and/or useless exercise. There are several reasons for this. One reason might be that it is new to you. Risk assessments aren’t new (we do risk assessments all the time), but doing them in the context of information security is new.
Examples of everyday risk assessments:
- You’re driving down the road and the traffic light turns yellow. The risk assessment is quick and mostly effective. What’s the likelihood of an accident or a police officer watching? What would the repercussions be (or impact)? You quickly look around, checking each direction. You assess your speed and distance. If you assess the risk to be acceptable, you go for it. If you assess the risk to be unacceptable, you hit the brakes.
NOTE: Risk decision-making for information security comes later in this post.
- You just used the restroom. Do you wash your hands or not? You assess the risk of not washing your hands. Will I get sick, or worse, get someone else sick if I don’t wash? What are the chances? What could be the outcome if you don’t wash your hands? If you deem the risk to be acceptable without washing, you might just walk out the door. If you deem the risk to be unacceptable (hopefully), you’ll take a minute or two and wash your hands.
We all do risk assessments, and we do them throughout the day. We’re used to these risk assessments, and we don’t think much about them. Most of us aren’t used to information security risk assessments. There are so many controls and threats (known and unknown). It’s easy to become overwhelmed, confused, and paralyzed; leading to inaction.
Some truth about information security (risk) assessments:
- There is no such thing as a perfect one.
- Your first one is probably going to be your worst and most painful one.
- You cannot manage information security without one.
- They’re fundamental.
Just do an information security risk assessment. Worry about comparisons, good ones versus bad ones, later (you’re probably not ready to judge anyway).
People argue about measurements. Don’t. Fight the urge.
You can use an existing risk measurement (FAIR, S2Score, etc.) or create one yourself. If you’re going to create your own risk measurement, here are some simple tips:
- Make the measurement as objective as possible. Instead of open-ended inputs or subjective inputs, use binary ones. Binary inputs are things like true/false, yes/no, etc.
- Use the measurement consistently. An inch is an inch, no matter where you apply it. A meter is a meter, no matter where you use it. For example, if a “true” answer to some criterion results in a vulnerability score of 5 today, it should be a 5 tomorrow too. Applying threats may change the resulting risk, but the algorithm is still the same.
- Make sure the criteria being measured are relevant. For instance, take the crime rate in a neighborhood. Is it relevant to information security risk? The answer is yes. Our definition of information security covers administrative, physical, and technical controls, and crime rates are relevant to physical security threats.
If you are new(er) to information security risk management, you may want to use a metric that’s already been defined by someone else. Again, a caution against trying to find the perfect measurement: it’s like arguing whether an inch is a better measurement than a centimeter. Don’t get me started…
Alright, so you did your information security risk assessment. Done?
Nope, you’re just getting going now. Before doing your risk assessment, you were risk ignorant. Now, you’re risk learned. Yay you!
What to do with all this risk?
Let’s say your organization scored a 409 on a scale of 300 (worst) – 850 (best), and you discovered several areas where the organization scored close to 300. There’s LOTS of room for improvement. Now you need to make decisions about what you’re going to do. To keep things simple, you only have four options:
- Accept the risk as-is. The risk is acceptable to the organization and no additional work is required.
- Transfer the risk. The risk is not acceptable, but it’s also not a risk your organization is going to mitigate or avoid. You can transfer the risk, often to a third-party through insurance or other means.
- Mitigate the risk. The risk is not acceptable, and your organization has decided to do something about it. Risks are mitigated by reducing vulnerability (or weakness) or by reducing threats.
- Avoid the risk. The risk is not acceptable, and your organization has decided to stop doing whatever activity led to the risk.
That’s it. No other choices. Risk ignorance was not a valid option.
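The logic in this section (no weakness or no threat means no risk; binary, consistently applied inputs; a 300 to 850 scale; areas that score too low need an explicit treatment decision) can be turned into a small scoring model. The following is an added example, not the post’s own method and not the FAIR or S2Score algorithm; the criteria, weights, threat profile and answers are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

SCALE_WORST, SCALE_BEST = 300, 850   # the post's example scale: 300 worst, 850 best


@dataclass(frozen=True)
class Criterion:
    area: str                  # control area: administrative, physical or technical
    question: str              # yes/no only; binary inputs keep the measurement objective
    weight: int                # weakness contributed by a "no"; the same every time it is applied
    threats: tuple[str, ...]   # threat categories that can exploit this weakness


# Constructed criteria for the example. A "no" answer is a weakness (a missing control).
CRITERIA = (
    Criterion("administrative", "Is there a written, approved security policy?", 5, ("insider", "intrusion")),
    Criterion("administrative", "Are changes reviewed and approved before deployment?", 6, ("intrusion", "malware")),
    Criterion("physical", "Is the server room restricted to authorized staff?", 4, ("theft",)),
    Criterion("physical", "Are visitors escorted and logged?", 2, ("theft", "insider")),
    Criterion("technical", "Is MFA required for all remote access?", 8, ("intrusion",)),
    Criterion("technical", "Is there a current hardware and software inventory?", 5, ("intrusion", "malware", "theft")),
)

# Constructed threat profile: (likelihood 0..1 that the threat is attempted, impact 1..10 if it succeeds).
# Environmental facts feed these numbers; the neighborhood crime rate, for instance, drives "theft".
THREATS = {
    "intrusion": (0.9, 9),
    "malware": (0.8, 7),
    "theft": (0.3, 6),
    "insider": (0.2, 8),
}

# Constructed answers for one organization (True means "yes", the control is in place).
SAMPLE_ANSWERS = {
    "Is there a written, approved security policy?": True,
    "Are changes reviewed and approved before deployment?": False,
    "Is the server room restricted to authorized staff?": True,
    "Are visitors escorted and logged?": False,
    "Is MFA required for all remote access?": False,
    "Is there a current hardware and software inventory?": False,
}


def criterion_risk(c: Criterion, answer: bool, threats: dict[str, tuple[float, int]]) -> float:
    """Risk from one criterion: weakness x likelihood x impact of the worst applicable threat.

    A "yes" means no weakness, so the risk is 0; with no applicable threat it is also 0.
    That is the post's logic: no weakness or no threat means no risk.
    """
    if answer:
        return 0.0
    applicable = [threats[t] for t in c.threats if t in threats]
    if not applicable:
        return 0.0
    likelihood, impact = max(applicable, key=lambda li: li[0] * li[1])
    return c.weight * likelihood * impact


def worst_case(criteria, threats) -> float:
    """Risk if every answer were "no": the anchor for the bottom of the scale."""
    return sum(criterion_risk(c, False, threats) for c in criteria)


def to_scale(risk: float, worst: float) -> int:
    """Map risk in [0, worst] onto 300 (worst) .. 850 (best)."""
    if worst <= 0:
        return SCALE_BEST          # nothing can go wrong: no threats or no criteria
    fraction = min(risk / worst, 1.0)
    return round(SCALE_BEST - fraction * (SCALE_BEST - SCALE_WORST))


def assess(answers: dict[str, bool], criteria=CRITERIA, threats=THREATS) -> dict[str, int]:
    """Score each control area and the whole organization.

    The same answers and threat profile always give the same scores; that is the
    consistency requirement (an inch is an inch wherever you apply it).
    """
    by_area: dict[str, list[Criterion]] = {}
    for c in criteria:
        by_area.setdefault(c.area, []).append(c)
    scores = {}
    for area, cs in by_area.items():
        risk = sum(criterion_risk(c, answers[c.question], threats) for c in cs)
        scores[area] = to_scale(risk, worst_case(cs, threats))
    total = sum(criterion_risk(c, answers[c.question], threats) for c in criteria)
    scores["overall"] = to_scale(total, worst_case(criteria, threats))
    return scores


def needs_decision(scores: dict[str, int], appetite: int) -> list[str]:
    """Areas scoring below the organization's risk appetite cannot just be accepted as-is;
    each needs an explicit transfer, mitigate or avoid decision. Worst first."""
    low = [(area, s) for area, s in scores.items() if area != "overall" and s < appetite]
    return [area for area, _ in sorted(low, key=lambda x: x[1])]


if __name__ == "__main__":
    scores = assess(SAMPLE_ANSWERS)
    print(scores)                                # {'administrative': 550, 'physical': 667, 'technical': 300, 'overall': 428}
    print(needs_decision(scores, appetite=600))  # ['technical', 'administrative']
```

With the constructed answers the organization lands in the low 400s overall, with the technical area at the bottom of the scale; everything below the assumed appetite of 600 is handed back as a list that still needs a decision. Answering every question “yes”, or removing every threat from the profile, scores 850 across the board, which is the zero-weakness and zero-threat cases from the logic above.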
There you go! Now you have a start to the fundamentals of information security! The foundation.
Did you notice that I didn’t mention anything about security standards, models, frameworks, identification, authentication, etc.?
These are all fundamentals too, but first things first.
People don’t practice the fundamentals of information security.
We live in an easy button, instant gratification, shortcut world today. Information security is simple, but it’s definitely NOT easy. Good information security takes work, a lot of dirty (NOT sexy) work. What happens when you cut corners in laying a foundation? Bad things. So what pulls people away from the fundamentals?
- Hacking things. That’s a lot sexier than doing a risk assessment.
- Blinky lights. These are a lot sexier than making formal risk decisions.
- Cool buzzwords. So much sexier than the basics. The basics are boring!
Hacking, blinky lights and buzzwords all have their place, but not at the expense of fundamentals.
You have no excuse for not doing the fundamentals. Zero. The truth is, if you know the fundamentals and fail to do them, you’re negligent (or should be found as such). Reminds me, there are a few more fundamentals you should know about before we finish:
- Roles & Responsibilities – Ultimately, the head of the organization (work and/or home) is the one responsible for information security; all of it. He/she may delegate certain things, but the buck always stops at the top of the food chain. Whatever’s delegated must be crystal clear, and documentation helps. We should always know who does what. (See: E is for Everyone).
- Asset Management – You can’t secure what you don’t know you have. Assets are things of value; tangible (hardware) and intangible (software, data, people, etc.). Tangible asset management is the place to start, because it’s easier to understand. Once you’ve nailed down your tangible assets, go tackle your intangible ones.
- Control (access, change, configuration, etc.) – You can’t secure what you can’t control. Controls come in three kinds: administrative controls (the things we use to govern and influence people), physical controls, and technical controls.
- Start with administrative controls: policies, standards, guidelines, and procedures. These are the rules for the game, and this is where standards like ISO 27002, COBIT, NIST SP 800-53, CIS Controls, etc. can help.
- Access control; identity management and access management. Authentication plays here.
- Configuration control; vulnerabilities love to live here (not just missing patches).
- Change control; one crappy change can lead to complete vulnerability and compromise.
The last fundamental is the cycle. Cycle through risk assessment, risk decision-making, and action, then start again. The frequency of the cycle depends on you.
I’d rather over-simplify information security than over-complicate it. Simplification is always a friend, along with logic. Quick summary of the fundamentals of information security:
- Fundamental #1 – Learn and work within the context of what information security is (risk management).
- Fundamental #2 – Roles and responsibilities.
- Fundamental #3 – Asset management.
- Fundamental #4 – Administrative control.
- Fundamental #5 – Other controls (several).
Honorable Mention for “F”
As was true in previous ABCs, I got some great suggestions. Here’s some honorable mentions for “F”:
- Facial Recognition
- Faraday Cage
- Fat Finger
- Fear Uncertainty & Doubt (FUD)
- Federal Information Processing Standards (FIPS)
- Federal Information Security Management Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Federated Identity Management (FIM)
- Feistel Network
- Fibonacci Sequence
- File Integrity Monitoring (FIM)
- Fraud over Internet Protocol
- Fuzz Testing
Hope this helps you in your journey! Now on to “G”.