Tuesday, January 13, 2009

Pareto is killing security

It has become a rule in security programs to implement security solutions and processes following the 80/20 "Pareto principle". That's pretty acceptable, except that people immediately forget the remaining 20% and keep in their heads that the risk is completely mitigated. You start to see those cases piling up, absurd "no risk" situations being used as premises for business decisions, and then, suddenly, everything collapses in Wall Street black swan style.

A very good tool for detecting "Pareto stacks" is the famous penetration test. Not the kind where a junior guy runs a nice vulnerability scanner, but the kind where a very smart guy looks into your network as someone who wants to steal the golden eggs and starts moving things around in order to find and get them. I'm not saying that vulnerability scanning is crap, but a penetration test is not vulnerability scanning, much less "vulnerability scanning with confirmation of exploitation possibility" (yeah, I've heard that one before). That worthless kind of pentest is dying, for sure, but long live the real pentest!

If you want to understand what a good penetration test is, try reading "Stealing the Network: How to Own the Box". It's a very fun read and also shows what a pentest should look like.

It's easy to find servers with unpatched vulnerabilities. Let the automated services do that. Real hacks, however, don't always happen through someone exploiting those vulnerabilities. You need to find things related to the way your organization works, things that were done outside the regular process, that 20% that everybody wishes never existed. See some weird things that you can find by this approach here and here.

Again, if going 80/20 is that bad, what should we do instead? Look for solutions that are pervasive: those that will work whether or not people follow the rules, that are platform independent, "business proof". Those security solutions are the ones you should put at the top of your priorities. There are not many things that can be done that way, but they will certainly bring you more results than all those 80/20 solutions.


