security – Jay R. Wren – lazy dawg evarlast http://jrwren.wrenfam.com/blog babblings of a computer loving fool Wed, 15 Feb 2017 02:57:57 +0000 en-US hourly 1 https://wordpress.org/?v=4.7.2 Comparative Risk Analysis in IT Systems http://jrwren.wrenfam.com/blog/2015/11/04/comparative-risk-analysis-in-it-systems/ Wed, 04 Nov 2015 22:50:03 +0000 http://jrwren.wrenfam.com/blog/?p=1199 Continue reading "Comparative Risk Analysis in IT Systems"]]> You can quote me on this: “comparative risk analysis is among the most cost effective security measure your org can make. Why lock back door when front is wide open?” https://twitter.com/JayRWren/status/662015840636784640

What do I mean by this?

I mean, there is little point in applying inconsistent security system analysis in your system. The weakest link in a chain fails. When two links in the chain are identified to both be equally weak, nothing can be gained by spending resources (time and money) to improve the strength of only one link.

Let me get specific.

Lets say you have some services in production which interact. Lets call them Service A and B. You are introducing a new service, Service C. At the time of introduction concerns are raised about some security aspects of C.

Let me be clear, these concerns are 100% valid. Let us say for example that Service C is consuming Services of Service A using an overly privileged account rather than a least privilege account. The correct solution is to introduce a lesser privilege account capable of doing only the operations required by Service C.

From a “is it optimally secure” point of view for deploying Service C. That is all.

Rather than this point of view, lets take an overall systems point of view. Service B is using the exact same overly privileged account to perform operations on Service A. Further, the sources of data which Service B is using (publicly exposed https server accepting GET, POST, PUT, etc) are the same or more than Service C.

What is gained by going back, retooling Service A and C to use that lesser privilege account? Well, security of course. C is less vulnerable.

That is true. You’ve locked the back door while the front door is wide open.

Locked

How much did it cost? 80 people hours and the (often difficult to tie to a dollar amount) delay of introducing that much needed Service C.

Was the risk of privilege escalation reduced?

I honestly don’t know.

—————–

  • DuckDuckGo search for comparative risk analysis yields some fun reads.
  • In health, it is like counting calories and eating very well while continuing to abuse elicit drugs. http://www.ncbi.nlm.nih.gov/pmc/articles/PMC390121/
    “I totally would not eat that mcdonalds. It is so gross. Where is my lighter, I need another ciggy.”
]]>