Tennis Shoe Security draws its name from an old joke I like about two hikers who, while walking through the woods, encounter a bear. Both hikers turn and run away but after a short distance one stops, opens his backpack and pulls out a pair of tennis shoes. The second hiker stops and asks the first what he is doing. The first replies “It just occurred to me that I do not need to be faster than the bear; I just need to be faster than you.” That is tennis shoe security in a nutshell. It is the understanding that you do not have to have the best security money can buy (the NSA probably does and they still lost data), you just need to ensure that your security program meets your organizational requirements and is based on a sound understanding of the environment in which you operate. It is also an understanding that security is imperfect and no matter what you do, you may suffer a breach so it’s best to plan for that before it happens.
The implementation of a security program should be a pragmatic approach which ensures that every system, process, policy, etc. is evaluated to determine whether it meets the needs of the organization. If, for example, your change management process is so complex that people avoid it whenever they can do so without fear of detection, then that is a process that does not meet the needs of the business. If you bought a nice shiny SIEM and put it in the server room but it was never tuned, it is not meeting the needs of the organization. If you implement security controls that make it nearly impossible for people to work effectively, but those controls are easily circumvented by, for example, simply mailing documents to a home computer, then you do not understand the needs of the organization. I could go on but I think you get the picture.
A good way to ensure you are meeting the basic requirements is to implement one of the various frameworks such as COBIT, SoGP, ISO 27000 or those provided free of charge by NIST. One issue I see with many frameworks, however, is that while they tell you what you should be doing, they generally provide very limited information on how to go about implementing them in a real-life organization. At a 20,000 foot level, I would suggest starting your security program by doing the following:
- Identify your information objects (data), all of the systems holding that data and the relationships between the systems and data. This should be done in conjunction with the IT Operations team which (hopefully) has a well-managed CMDB.
- Identify your critical business processes and their relationship to the information identified in step one. For example, a receiving process may require documents sent electronically from a shipping company before a truck carrying the material can be unloaded. If your internet connectivity fails you may not receive the documents and may therefore not be able to unload the truck resulting in penalties.
- Use an acceptable form of ranking to determine the protection requirements for each information object, system and process triad. I like to use five levels (very low to very high) for this step as it allows for granularity. Regardless of how many levels you use, you must ensure that you have properly identified what each means in terms of human, customer, financial, etc. loss.
- Identify the systems’ vulnerabilities and the threats which might exploit those vulnerabilities, the probability that the vulnerability might be exploited and the impact if the threat is realized. This will give you your inherent risk. Pay particular attention to the Black Swans (high impact, low probability) risks as these, if realized, could significantly damage your business.
- Identify the controls that are in place which help mitigate the identified risk and determine the level of risk that remains. This will give you your residual risk. Some controls help prevent the risk while others are used to detect or mitigate the results of a successful breach.
- Determine if the controls reduce the risk to an acceptable level and, if not, identify any additional controls that are required. If no further controls can be implemented to reduce the risk and the level is still too high, then you should consider either transferring the risk (for example, by buying insurance) or simply eliminating the activity altogether.
- Rank all of the risks in a risk register and then implement those controls that will reduce the greatest amount of risk at the lowest cost. Wherever possible, implement those controls that reduce the risk from multiple vulnerabilities.
- Continuously monitor the risk to ensure it remains at an acceptable level and monitor the controls to ensure they continue to function as planned.
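The steps above can be carried through as a small risk register: score probability and impact on the five-level scale, compute inherent risk, apply the controls that cover each risk to obtain residual risk, compare it against a risk appetite, and rank candidate controls by risk reduction per unit cost (favouring controls that cover several risks). The following is an added example and not code from the original post; the numeric mapping of the five levels, the multiplicative risk formula, the sample assets, threats, controls and costs are all constructed for illustration.

```python
"""Minimal risk register for the steps above (added example, not from the post).

Assumptions made here: the five-level scale maps to 1..5, risk = probability x
impact, and each control removes a fixed number of levels from probability
and/or impact of the risks it covers. All sample data is constructed.
"""
from dataclasses import dataclass

# Five-level scale suggested in the post; the numeric mapping is an assumption.
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Risk:
    id: str
    asset: str            # information object / system (step 1)
    threat: str           # threat agent (step 4)
    vulnerability: str    # weakness the threat could exploit (step 4)
    probability: str      # level name from LEVELS
    impact: str           # level name from LEVELS


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                   # constructed annual cost of the control
    reduces_probability: int = 0  # levels removed from probability
    reduces_impact: int = 0       # levels removed from impact
    risks: tuple = ()             # ids of the risks this control addresses


def inherent_risk(risk: Risk) -> int:
    """Step 4: probability x impact before any control is considered."""
    return LEVELS[risk.probability] * LEVELS[risk.impact]


def residual_risk(risk: Risk, controls) -> int:
    """Step 5: risk remaining after every control covering this risk is applied."""
    p, i = LEVELS[risk.probability], LEVELS[risk.impact]
    for c in controls:
        if risk.id in c.risks:
            p = max(1, p - c.reduces_probability)   # a level never drops below 1
            i = max(1, i - c.reduces_impact)
    return p * i


def is_black_swan(risk: Risk) -> bool:
    """Low probability but high impact: the risks the post says to watch closely."""
    return LEVELS[risk.probability] <= 2 and LEVELS[risk.impact] >= 4


def rank_controls(risks, controls):
    """Step 7: order controls by total risk reduction per unit cost (best first)."""
    ranked = []
    for c in controls:
        reduction = sum(inherent_risk(r) - residual_risk(r, [c])
                        for r in risks if r.id in c.risks)
        ranked.append((c.name, reduction, reduction / c.cost))
    return sorted(ranked, key=lambda t: t[2], reverse=True)


def register(risks, controls, appetite: int):
    """Steps 6-7: rows sorted by residual risk, flagging what exceeds the appetite."""
    rows = []
    for r in risks:
        res = residual_risk(r, controls)
        rows.append({"id": r.id, "asset": r.asset, "threat": r.threat,
                     "inherent": inherent_risk(r), "residual": res,
                     "black_swan": is_black_swan(r), "accept": res <= appetite})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample data; the receiving example mirrors the post's step 2.
SAMPLE_RISKS = (
    Risk("R1", "shipping EDI link", "ISP outage", "single internet uplink", "medium", "high"),
    Risk("R2", "customer database", "ransomware", "unpatched file server", "low", "very high"),
    Risk("R3", "HR documents", "data leak", "email to home accounts", "high", "medium"),
)
SAMPLE_CONTROLS = (
    Control("second uplink", cost=6000, reduces_probability=2, risks=("R1",)),
    Control("offline backups", cost=4000, reduces_impact=2, risks=("R2",)),
    Control("patch management", cost=3000, reduces_probability=1, risks=("R2", "R3")),
)
RISK_APPETITE = 6  # constructed: residual scores above this are not acceptable

if __name__ == "__main__":
    for name, reduction, per_cost in rank_controls(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{name:18s} reduction={reduction:2d} per-cost={per_cost:.5f}")
    for row in register(SAMPLE_RISKS, SAMPLE_CONTROLS, RISK_APPETITE):
        print(row)
```

With the constructed data, patch management ranks first because it covers two risks at the lowest cost, which is the post's point about preferring controls that address multiple vulnerabilities; the register still shows the HR data-leak risk above the appetite after all controls are applied, which is the signal to go back to step 6 and add, transfer or eliminate.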
If you have read any risk management literature, most of that sounds like risk management 101 and, to be fair, it is. For those who are not familiar with risk management philosophy, a risk is basically the result of a threat agent (the bear) exploiting a vulnerability (you are slower than the bear). The amount of risk is determined by factoring the probability of the vulnerability being exploited by the threat agent (in this case, how often you will encounter a bear while out hiking) and the impact (getting eaten by a bear…high impact…ouch). Preventative measures are those steps you take to reduce the probability or the impact of the risk (in this case, tennis shoes and slow hiking companions). The residual risk is the risk you are willing to accept after implementing controls (in this case, the residual risk is that your friend becomes bear snacks). A rule of thumb is that the cost of implementing a control should never exceed the cost of realizing the risk (in this case, $100 for tennis shoes vs. becoming bear snacks yourself).
To recap, you do not need NSA-level security to reduce the chances of a breach or to mitigate the results when (not if) your organization is breached. You should, however, understand the environment in which you operate to ensure you know where your organization’s crown jewels are and to ensure they are protected at an acceptable level. If you follow the relatively simple, albeit often time-consuming, steps listed above you will have a much better understanding of your environment, which should equate to at least having a pair of tennis shoes in your backpack the next time you encounter a bear in the woods.