Quote of the Weak (Attacker’s Perspective)

I don’t like to pick bones with my fellow ISACAeans, but when I saw this in the Journal recently, I had to react. Can you pick out the problem?

IT enterprise security risk assessments are performed to allow organizations to assess, identify and modify their overall security posture and to enable security, operations, organizational management and other personnel to collaborate and view the entire organization from an attacker’s perspective. This process is required to obtain organizational management’s commitment to allocate resources and implement the appropriate security solutions.

Did you see it? You might want to check out my other quotes to see what has tripped my trigger in the past. Search for “quote of the weak” in the Search box in the upper right of the blog.

If you think you see the problem, leave me a comment. If no one sees it in a couple of days, I’ll give a hint.

P.S. No, it doesn’t have anything to do with nanny cameras, so don’t go there (U know who U R).

Update 1 – Hint

Think about this phrase:

“view the entire organization from an attacker’s perspective”

Update 2 – Conclusion

The issue that I noticed is that the entire risk assessment is from “the attacker’s perspective.” Since when are attackers the only factors that affect risk?

What about administrators who unknowingly misconfigure a shared drive or implement encryption in an insecure manner? What about a security administrator who disables antivirus software to load some hacking software, and then forgets to turn it back on?

What about a regular user who accidentally enters the wrong sales figure (two extra zeros) and no one notices?

What about acts of God? Can’t forget him.

Risk assessments must also include mistakes and disasters, not just attackers. Otherwise, organizations won’t be able to “assess, identify and modify their overall security posture.”

Update 3 – Accidental ignorant

I just read that ISACA calls a person who causes security and fraud violations or problems by mistake an “accidental ignorant,” a term I’ve never heard before, one that makes me chuckle. I guess that’s better than being a purposeful ignorant.

You’ll find the phrase in the CISA manual (last bullet on page 354).

4 Comments

Filed under Audit, Quote of the Weak

4 responses to “Quote of the Weak (Attacker’s Perspective)”

  1. Audit Monkey

    Stab in the dark. An attacker’s assessment of a firm’s security will differ from that of those responsible for defending against attacks. IT specialists will have to cover all bases, rather than one specific attack at a weaker area.


  2. ITaudit

    AuditMonkey,
    That’s true, but not what I’m focusing on.

    Think about what’s NOT in that statement…


  3. Audit Monkey

    There are two non sequiturs in there.

    “IT enterprise security risk assessments are performed….view the entire organization from an attacker’s perspective”.

    I would disagree, as the perspective when performing the risk assessment is from the firm’s point of view.

    “This process is required to obtain organizational management’s commitment to allocate resources…”etc.

    Again, it doesn’t follow that this process will be followed, and second, that it will result in the immediate allocation of resources.

    Probably not the answer you are looking for but it’s Sunday and my day off!
