Security Economics: The Key to Resilience


There are times when looking at something narrowly can be more effective than taking a wider and more comprehensive view. If you don’t believe me, consider the experience of looking at organisms in a microscope or watching a bird through binoculars. Distractions are minimized, allowing optimal evaluation and analysis of what’s under investigation.

In security, the normative way that we understand and examine the security of our organizations has a focus similar to the examples above: We examine the effectiveness of the security countermeasures (i.e., controls) put in place to achieve security objectives.

If you’ve ever had a program-level security assessment performed, for example, chances are good the assessor evaluated your controls — what wasn’t working and why — and recommended improvements to make them more effective.

Like using a microscope or binoculars, it’s useful to look at security from an executive vantage point. That type of analysis helps us understand whether we’re getting what we expect from the countermeasures put in place. When one or more of those methods or mechanisms fail to serve the function they were intended to perform, or when they don’t have sufficient scope to protect the organization fully, it’s helpful to know that.

Just like focusing on a bird through binoculars occludes your ability to see the broader landscape, looking at security effectiveness alone does not provide the full picture of what you as a security manager or executive might care about.

There are dimensions to examine beyond effectiveness that are both germane and relevant to security operations. Surprisingly, many organizations do not examine them at all, which can mean they are not using their resources optimally.

Other Dimensions?

For the purpose of illustration, consider multiple ways to implement the same countermeasure. One company might implement a countermeasure in a very mature way — for example, following processes that are documented, and implementing measures to learn and improve its operation. Another might just sort of wing it.

Say Company A implements a patch management process that is well documented and highly automated, while Company B leaves it to a junior intern. In this respect, maturity is another dimension beyond effectiveness. Effectiveness asks, “does the countermeasure work or not?” Maturity asks if it is resilient to personnel changes, changes in business processes, or other changes.

In addition to maturity, another dimension is total cost of ownership — that is, the amount of risk reduced (or attacks thwarted) per dollar spent. For example, what if Company A implements an automated tool to scan emails looking for malware, while Company B hires hundreds of analysts to read and review every inbound email manually?

I chose a ludicrous scenario to illustrate, but in the above example, clearly one approach (the automated tool) is orders of magnitude cheaper to operate than the other (the manual approach). Even assuming that both countermeasures perform equivalently — and have the same scope of coverage — clearly one is more cost-effective.

The additional expense required to maintain the inefficient/expensive countermeasure actually is making the overall security worse than it otherwise could be. Why? Because there’s an opportunity cost associated with what you could be doing with poor performing investments. There are things you otherwise could do if you were not using resources inefficiently.

“The key missing ingredient to most cybersecurity programs is economics,” said IDC Vice President Pete Lindstrom. “An understanding of costs and benefits is important, because we need to optimize scarce resources. Even if we have resources, we should prioritize the activities that reduce the most risk at the least cost.”

Getting Started

The point is, analyzing these other dimensions about your security program tells you things that just looking at effectiveness alone does not. Don’t get me wrong — effectiveness is a good starting point. If you don’t understand whether your countermeasures are appropriate and working well, you’ve got some fairly sizable fish to fry.

However, if you want to take the next step and ensure that you’re a responsible steward of your organization’s resources, then stopping there just doesn’t cut it. Why? Because governance, at its core, is about making the best use of resources to advance the organization’s mission optimally. How can you do that if you don’t understand the efficiency, resilience or maturity of the security measures you have in place?

The question for security executives therefore becomes how you can understand other dimensions of security systematically and holistically. There are a few ways to get started. One approach starts with an objective stock-taking of countermeasures according to an economic or maturity point of view.

Maturity is straightforward — systematically work through and evaluate critically how each security mechanism you have in place stacks up along the maturity spectrum. The important part is to be as objective as possible; if you are challenged in being objective, maybe bring in an unbiased third party, such as an audit firm or security consultant, to help with this evaluation.

An economic viewpoint is a bit more involved, but still not rocket science. Start by understanding what it costs on an annual basis to operate the countermeasures you have in place, both in soft costs (such as staff time and human-power) and in hard dollars (costs like licensing costs for software, or maintenance costs paid to vendors or service providers).

It’s important that you not try to boil the ocean at first. Even if your financial calculation model isn’t perfect, scale is more important than pinpoint accuracy out of the gate. Why? Because each mechanism you can understand in this way allows you to evaluate security mechanisms relative to each other.

The more you can evaluate, the more inefficiencies you can find, which will result in better decisions about future investments. Keep in mind that you can improve the accuracy of your models down the road as you start to see the benefits of taking this type of approach.

New iOS Security Feature Ripe for Defeat

A new feature in iOS 11.4.1, which Apple released earlier this week, is designed to protect against unwanted intrusions through the iPhone’s Lightning Port. However, the protection may be weak at best.

The feature, called “USB Restricted Mode,” disables data transfer through the Lightning Port after an hour of inactivity.

A password-protected iOS device that has not been unlocked and connected to a USB accessory within the past hour will not communicate with an accessory or computer, and in some cases might not charge, according to Apple. Users might see a message directing them to unlock the device to use accessories.

One possible use for USB Restricted Mode could be to foil passcode-cracking solutions made by companies like Cellebrite and Grayshift, which reportedly have been used by law enforcement authorities to crack iPhones.

Users can turn off the USB Restricted Mode capability if they desire to do so.

Thwarting Data Port Intruders

Although the Lightning port may be a sweet spot for law enforcement, USB Restricted Mode has a broader purpose than protecting users from police probes, maintained Will Strafach, president of Sudo Security Group, an iOS security company in Greenwich, Connecticut.

“Exploits and vulnerabilities can be seized on by anyone,” he told TechNewsWorld. “Criminals may want to steal data from the device or wipe it, so this mode is for mitigation of any kind of USB-based vulnerability.”

USB Restricted Mode is “first and foremost” designed to protect its users’ phones and data, maintained Andrew Blaich, head of device intelligence at Lookout, a maker of mobile security products in San Francisco.

“Law enforcement has recently been using new tools, such as GrayKey, to guess the passcode of a device to access it,” he told TechNewsWorld.

However, the vulnerabilities and technical bypasses used by GrayKey — and by solutions from Cellebrite and others — are still unknown, he pointed out.

Smart Approach

The code GrayKey uses to break the passcode on an iPhone is a closely held secret, but it appears to load through the Lightning Port.

“So Apple’s idea is to make a user enter a passcode after an hour. Otherwise the Lightning Port can only be used for power,” said Sudo’s Strafach.

“Without a data connection, there’s no way to communicate with the data services running on the phone, so there’s no way to access any vulnerabilities on the phone,” he explained.

“Instead of trying to address individual vulnerabilities, Apple is addressing a whole class of vulnerabilities that need the data link to be exploited,” Strafach pointed out.

“That’s smart,” he said. “It’s taking a long-term outlook on vulnerabilities. Rather than squashing vulnerabilities as they come up, they’re taking a proactive approach and mitigating the method by which these vulnerabilities are exploited.”

Breaking Restricted Mode

Once USB Restricted Mode is engaged, it appears to be impossible to break, so the key to foiling the security measure is to prevent it from engaging.

Oleg Afonin, a security researcher at ElcomSoft, has described exactly how to do that in an online post.

“What we discovered is that iOS will reset the USB Restrictive Mode countdown timer even if one connects the iPhone to an untrusted USB accessory, one that has never been [connected] to the iPhone before,” he wrote.

If USB Restricted Mode hasn’t been engaged, a police officer can seize an iPhone and immediately connect a compatible USB accessory to prevent the USB Restricted Mode lock from engaging after one hour, he explained. Then the device can be taken to a location where a passcode cracker can be used.

What’s the likelihood that a phone hasn’t been unlocked within an hour of it being seized by a law enforcement agent? Quite high, according to Afonin, who noted the average user unlocks a phone around 80 times a day.

Apple did not respond to our request to comment for this story.

“Nothing is a silver bullet,” warned Lookout’s Blaich.

“There is no perfect solution, but it’s best to assume that if someone has physical access to your phone, they will eventually be able to find a way to get in,” he said. “So users need to remember to use a strong passcode to minimize unintended access when they lose possession of their device.”

Related posts