Security Basics mailing list archives
FUD, risk and videotape...
From: "Craig Wright" <cwright () bdosyd com au>
Date: Sat, 3 Mar 2007 21:03:23 +1100
Hello,

Risk is an area surrounded by uncertainty. It is a probabilistic function of threat, exposure, vulnerability and the impact associated with the exploit of the aforementioned factors. Risk can be modelled quantitatively using inferential means and methods such as point processes, Monte Carlo Markov chain simulations, asymptotically optimal tests and other statistical methods. Security modelling correlates extremely well to Poisson-based survival and hazard functions. This said, the accuracy of models is reliant on the accuracy of the factors determining the model. As such, it is necessary to carefully assess both threats and vulnerability with an eye on the probabilistic likelihood associated with the impact of a particular effect.

By overstating threat we create bias. By overstating impact we create bias. By not assessing the true nature of a vulnerability we skew perception of risk. Without a true quantitative measure of risk we make errors. These mistakes come back to haunt us. People, including managers and others in our organisations, remember our mistakes more than our successes. When we skew the impact of a vulnerability, such that we state a higher risk than it really contains, we cry wolf. People remember each time we cry wolf. People react negatively. The next time a real vulnerability with a serious impact and threat is discovered we are not believed. We have cried wolf too often. Our calls are silent, drowned in the din of past false assertions.

So I reiterate, yet again, not for the last time, FUD is bad. With the innumerable number of valid attack vectors, why make up another one? We need to prove our assertions, or find where another has already done so, before we start making these assertions.

One response to the fax question talked about determining the port and IP address associated with the fax service. Fax is not an Internet protocol. As such it has no port.
This is exactly the type of comment that brings disrepute to the information security community. Each and every one of us binds the reputation of us all in his or her comments. To an extent, we are all judged for good or ill not only on our own achievements, but also on those of our cohort. We are judged by the actions of our peers.

F - When we spread fear we sow the seeds of mistrust. This is doubt in the truth of our arguments.
U - When we propagate uncertainty, we leave those who listen to us unable to believe us.
D - When we espouse doubt we create confusion.

It is common for those new to the information security profession to complain that people do not listen to them. It is common for them to state that management do not take them seriously. It is likely that they feel that their assertions are not believed. We are sowing the seeds of fear, uncertainty and doubt. Yet, we complain when we start to reap what we have sown. When we cry wolf we are astonished to find no one listens any longer.

So again I say FUD is bad.

Regards,
Craig S Wright

Dr Craig S Wright DTh MNSA MMIT CISA CISM CISSP ISSMP ISSAP G7799 GCFA AFAIM
Nam et ipsa scientia potestas est - Knowledge is power. (Sir Francis Bacon)
Manager - Computer Assurance Services
BDO Chartered Accountants & Advisers
Level 19, 2 Market Street, Sydney, NSW 2001
Telephone: +61 2 9286 5555 Fax: +61 2 9993 9705 Direct: +61 2 9286 5497
<Mailto:CWright () bdosyd com au>
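The message above argues that risk should be estimated quantitatively, with Poisson event models and Monte Carlo simulation, and that inflating threat or impact figures biases the result. The following is an added worked example, not code from the post or from its author: it simulates annual loss from a Poisson incident process with lognormal per-incident losses and then quantifies how much an overstated rate or impact inflates the estimate. Every rate, loss figure and multiplier below is a constructed assumption for illustration, not data from any real assessment; the function names are likewise the example's own.

```python
"""Monte Carlo estimate of annual loss from a Poisson incident process.

Added illustration (not from the original message).  Incidents arrive as a
Poisson process with a constructed rate, each incident costs a lognormal
amount with a constructed median, and the honest estimate is compared with
one built from overstated inputs.
"""
import math
import random
import statistics


def poisson_sample(rate, rng):
    """Draw one Poisson(rate) count using Knuth's multiplication method.

    Adequate for the small per-year rates used here; for large rates a
    different sampler would be needed.
    """
    limit = math.exp(-rate)
    count = 0
    product = rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(rate_per_year, median_loss, sigma, years=20000, seed=7):
    """Monte Carlo annual loss distribution.

    For each simulated year draw a Poisson incident count, then a lognormal
    loss (median `median_loss`, log-space sigma `sigma`) per incident.
    Returns (mean annual loss, 95th-percentile annual loss).
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)
    totals = []
    for _ in range(years):
        incidents = poisson_sample(rate_per_year, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    totals.sort()
    mean = statistics.fmean(totals)
    p95 = totals[int(0.95 * (years - 1))]
    return mean, p95


def expected_annual_loss(rate_per_year, median_loss, sigma):
    """Closed form to sanity-check the simulation.

    E[loss per year] = rate * E[lognormal] = rate * median * exp(sigma^2 / 2).
    """
    return rate_per_year * median_loss * math.exp(sigma * sigma / 2)


def bias_from_overstatement(rate, median_loss, sigma, rate_factor, impact_factor):
    """Ratio of an estimate built on inflated inputs to the honest estimate.

    Overstating the threat (rate) and the impact (median loss) compounds
    multiplicatively, which is the 'crying wolf' effect the message warns about.
    """
    honest = expected_annual_loss(rate, median_loss, sigma)
    inflated = expected_annual_loss(rate * rate_factor, median_loss * impact_factor, sigma)
    return inflated / honest


if __name__ == "__main__":
    # Constructed inputs: 0.5 incidents per year, median loss 20,000, sigma 1.0.
    mean, p95 = simulate_annual_loss(0.5, 20_000, 1.0)
    print(f"simulated mean annual loss {mean:,.0f}, p95 {p95:,.0f}, "
          f"analytic mean {expected_annual_loss(0.5, 20_000, 1.0):,.0f}")
    print("overstating rate x2 and impact x3 inflates the estimate by a factor of",
          round(bias_from_overstatement(0.5, 20_000, 1.0, 2, 3), 2))
```

The simulated mean should land close to the closed-form value; if it does not, the sampler or the parameters are wrong, which is exactly the kind of check the message asks for before a risk figure is presented to management. The final ratio makes the bias concrete: doubling the assumed rate and tripling the assumed impact produces an estimate six times the honest one.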
Current thread:
- Re: FAX a virus, (continued)
- Re: FAX a virus Shreyas Zare (Mar 07)
- Message not available
- FAX a virus - Rhetorical and logical Fallacies Craig Wright (Mar 07)
- RE: FAX a virus - Rhetorical and logical Fallacies Steven Hess (Mar 07)
- RE: FAX a virus Craig Wright (Mar 06)
- RE: FAX a virus Nick Duda (Mar 06)
- RE: FAX a virus- a PS Craig Wright (Mar 06)
- RE: FAX a virus Craig Wright (Mar 06)
- FUD, risk and videotape... Craig Wright (Mar 06)
- Message not available
- RE: FAX a virus Craig Wright (Mar 07)
- RE: FAX a virus Scott Ramsdell (Mar 07)
- RE: FAX a virus Craig Wright (Mar 07)
- Re: FAX a virus - THREAD IS NOW CLOSED Kelly Martin (Mar 07)
- RE: FAX a virus Craig Wright (Mar 07)