Photo Credit: Thomas Hawk via Compfight cc
[Thanks to @thegrugq for letting me use this analogy he came up with. I’ve expanded it a bit for storytelling purposes.]
Imagine someone famous; let’s call him Norm Alstranger, giving an interview about the biggest threats facing Americans today. Let’s imagine him sitting in an expensive tailored business suit with expensive glasses. Let’s imagine he owns a company that gets new business whenever new initiatives are mandated “for security reasons” in the US “War on Terror”. To take the edge off, he had two cocktails before the interview, probably Manhattans, right? During the interview he has another and expounds at length on how the war on terror is not yet won and how terrorism remains the single largest threat to human life and public safety for US citizens.
When the interview is done he gulps down another two cocktails and says his goodbyes, heads out to find his car, stops briefly outside to take a swig from the flask in his coat pocket, then has a thought: hey, it would be great to grab a few cheeseburgers to go; he can eat them while driving, stuck in traffic here and there. His car has a fridge in it, which is well stocked. When he gets back to the car he puts a Bud Light in the cup holder and places the three cheeseburgers on the passenger seat. Then he drives home.
If you’re reasonably sane you will have noticed that, while entirely plausible and realistic, the above story contains some actions that are probably not a good idea, and something in it should scream loudly at you: “SOMETHING IS WRONG HERE”. With the recent tragic Germanwings crash, it turns out that measures meant to protect against terrorism have actually killed more people in the EU than terrorists have. Similarly, it should be pretty obvious that this cocktail-devouring one-percenter is probably a bigger threat to public safety and human life than terrorism.
Let’s turn this analogy into #Infosec. In the information security space you see a lot of vendors, their marketing material and even users focusing on zero-day threats. Zero-days are vulnerabilities for which no patch yet exists and for which the vendor is (hopefully) in the process of preparing one. Statistically speaking, zero-days are rare and rarely used, and they simply don’t and shouldn’t factor much into the defensive strategies of most companies, because those companies would then be spending money on areas that don’t carry a corresponding risk. Breaches happen often, but with few exceptions they happen:
- When old vulnerabilities are exploited on unpatched systems
- When human error occurs
So when an infosec vendor publishes supposedly real survey results of attendees at the Ignite conference, showing that the threat assessed by the largest percentage of respondents as “the gravest” is zero-days, then either “Ignite attendees” are very similar to Norm Alstranger or the results have been doctored. I don’t know which is true, but the fact remains that publishing research like this ignores reality and replaces it with an agenda that neither actually focuses on preserving human life nor makes your company.