The Best Tool in Your Kit

Josh Beckett

As security professionals, we all have to deal with real events, real incidents, and false positives. Furthermore, we all need to minimize the impact that false positives have on our workflow so that we can focus on the real stuff. I love to use real-world examples with a parable-like quality to get interesting points about security across.

A friend recently told me about someone they knew who was asked to show their driver's license, and it happened to be expired. Now, there are obviously many situations where we know this will become a problem, but there is really only one situation where that particular bit of information is actually relevant. What is a driver's license, really? It is proof of your authorization to drive a particular class of motor vehicle. If it is expired, it is possible that you are no longer so authorized. That is the only use case where the expiration is completely relevant.

Let's think about this for a moment. There are many other times when our driver's license is requested, and it has features that make it a decent form of proof of certain things about us. It typically has a picture, a physical description, our address, and, depending on where you live, some security features that make it difficult to counterfeit and thus improve our ability to trust its authenticity as a form of authentication. Now add the bit about the class of motor vehicle you are authorized to drive, your state or province (so we have some understanding of the rules you were tested against), and an expiration date. Now, if I ask you to show me your driver's license to prove who you are, is the expiration REALLY a piece of information relevant to the question? No, of course not. Just because your permission to drive a motor vehicle may have expired does not mean that all of the other information on that document has also expired. You are still you, right? Your description and picture still roughly match, right? Ok, so we all lie a bit about our height and weight, but you get the idea. Folks, that is what we call a false positive. Time to get out the best tool in your kit to truly examine the situation...your brain!

Don't be distracted by false positives

Think about it for a moment. Does the picture match? Does the physical description match? Does the age look about right? If asked for another piece of info or two, such as a credit card with a matching name, can they present such secondary pieces of information? Looks like a duck, quacks like a duck, must be a beaver. Sorry, OSU vs. UofO joke. Universally, we in the security trade are in the business of risk assessment. If I have quite a few correlated facts telling me that this person is who they say they are, does it matter that they may not have been allowed to drive to get themselves in front of me? Only if I happen to be an officer of the law and I've got you by the side of the road for a traffic issue where your right to drive may be in question.

We practice our responses so that we can rapidly recognize security events and react appropriately, almost mechanically, once we conclude that an event really is an incident. This is a very good thing. It can save your backside quite handily if your reactions are appropriate and timely. However, if you allow yourself to get distracted by false positives, you have lost focus and are now wasting valuable time and energy on something meaningless. Spend just enough time to prove that it is a false positive, and then move on.
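The driver's license parable boils down to a verification rule: a document carries several facts, and each fact is evidence for some questions and noise for others. Here is an added example (not from the original post) that scores a constructed license against one specific claim at a time, so that an expired date counts against "may this person drive?" but is merely logged as irrelevant for "is this the person in front of me?". The field names, tolerances and the three-attribute corroboration threshold are my assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample document (not a real person): the kinds of fields a
# license carries, as listed in the post.
LICENSE = {
    "name": "Pat Example",
    "photo_match": True,      # stand-in for "the picture matches the bearer"
    "height_cm": 178,
    "weight_kg": 80,
    "birth_year": 1985,
    "vehicle_class": "C",
    "expires": date(2023, 6, 30),
}

# Which fields are evidence for which claim (assumed mapping). Only the
# "drive" claim cares about the expiration date; for "identity" it is a
# true fact that answers the wrong question.
CLAIM_FIELDS = {
    "identity": {"name", "photo_match", "height_cm", "weight_kg", "birth_year"},
    "drive": {"vehicle_class", "expires"},
}


@dataclass
class Decision:
    claim: str
    accepted: bool = False
    corroborated: list = field(default_factory=list)
    conflicts: list = field(default_factory=list)
    ignored: list = field(default_factory=list)  # facts that do not bear on the claim


def _agrees(name, doc_value, observed):
    # Tolerances: people fib a bit about height and weight, so allow some slack.
    if name == "height_cm":
        return abs(doc_value - observed) <= 5
    if name == "weight_kg":
        return abs(doc_value - observed) <= 10
    return doc_value == observed


def evaluate(doc, claim, observed, today, min_corroborated=3):
    """Decide a single claim ("identity" or "drive") against the document.

    `observed` maps field names to what the verifier sees in front of them
    (or the vehicle class the bearer wants to drive). `today` is a date or
    an ISO date string. Facts that do not bear on the claim are recorded as
    ignored rather than counted against it.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    relevant = CLAIM_FIELDS[claim]
    d = Decision(claim=claim)

    expired = doc["expires"] < today
    if "expires" in relevant:
        (d.conflicts if expired else d.corroborated).append("expires")
    elif expired:
        d.ignored.append("expires")  # the false positive from the post

    for name, value in observed.items():
        if name not in doc:
            continue
        if name not in relevant:
            d.ignored.append(name)
        elif _agrees(name, doc[name], value):
            d.corroborated.append(name)
        else:
            d.conflicts.append(name)

    if claim == "drive":
        d.accepted = not d.conflicts and "vehicle_class" in d.corroborated
    else:
        d.accepted = not d.conflicts and len(d.corroborated) >= min_corroborated
    return d


if __name__ == "__main__":
    # Constructed check made after the sample license expired.
    seen = {"name": "Pat Example", "photo_match": True, "height_cm": 180,
            "weight_kg": 84, "birth_year": 1985}
    print(evaluate(LICENSE, "identity", seen, "2024-01-15"))
    print(evaluate(LICENSE, "drive", {"vehicle_class": "C"}, "2024-01-15"))
```

The point of the `ignored` list is auditability: the expired date is not thrown away, it is recorded as seen and deliberately set aside for this question, which is exactly the "spend just enough time to prove it is a false positive" step.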

It's all in how you see the world

Security is a way of thinking and a way of seeing the world. I used to work at a company where we did behavioral interviewing. For my part, I loved to ask interesting questions of potential job candidates to try to determine the depth of their security thinking. The team was fond of taking promising candidates to lunch. During lunch we would ask questions and try to judge how well the person might fit within our security team. One of our favorite places was a Mongolian BBQ place. This particular place had a cashier just inside the front door. You would select a large or small bowl size, pay the cashier, proceed into the queue behind the cashier, pick your bowl from the stack, and make your food selections to take to the folks at the grill. After we sat down and everyone was happily munching away, I would casually ask our prospective security practitioner, "What did you notice about the system that we just passed through?"

Now, as I describe it here, it may be quite obvious to some, but add some hours of interviewing on the front end, and a relaxing environment and good food at the moment the question was asked, and it would often catch the person completely off guard. Sometimes they would get it right away; sometimes they might ask a clarifying question like "What do you mean?" I would typically elaborate just enough to clue them in that it was a system, and that, as such, I would expect it had the potential to be subverted. Some would get it. Most wouldn't. For those lost by my scant description, the correct answer was that you paid the cashier, and instead of the cashier handing you the bowl size that you paid for, you stepped into the queue behind and out of view of the cashier and selected a bowl yourself. Of course, most people are honest and picked the size of bowl they paid for, but both sizes were right next to each other and there was no real check or balance to verify that you picked the right one. I thought it was a simple question, and it really was for those who think like a bad guy and are interested in improving security processes for the betterment of their team. After I left that organization, a former co-worker told me that they continued to use the 'Josh-test' for quite some time. That made me feel a little proud.
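The restaurant's flaw is a missing control between where authorization is granted (the cashier) and where it is consumed (the grill). As an added example, not part of the original post or anything the restaurant actually did, here is the same lunch line modelled in Python with the control put back: the cashier issues a single-use receipt token bound to the size paid for, and the grill, the first place that can see which bowl was actually picked, verifies the bowl against the token before cooking. The prices, the token format and the replay check (a token is only good once) are my assumptions.

```python
import secrets

# Constructed bowl sizes and prices (the post mentions only "large" and "small").
PRICES = {"small": 9, "large": 12}


class Cashier:
    """Front of house: takes the money and issues a single-use receipt token
    bound to the size paid for, instead of relying on the customer's honesty."""

    def __init__(self):
        self.issued = {}  # token -> size paid for

    def sell(self, size):
        if size not in PRICES:
            raise ValueError(f"unknown bowl size: {size}")
        token = secrets.token_hex(8)  # unguessable, so a receipt cannot be forged
        self.issued[token] = size
        return token


class Grill:
    """Point of consumption: the first place anyone can see which bowl was
    actually picked, so this is where the check belongs."""

    def __init__(self, cashier):
        self.cashier = cashier
        self.redeemed = set()  # tokens already cooked against (replay check)
        self.log = []          # (outcome, detail) entries for the shift report

    def accept(self, token, bowl_size):
        paid = self.cashier.issued.get(token)
        if paid is None:
            self.log.append(("reject", "unknown receipt"))
            return False
        if token in self.redeemed:
            self.log.append(("reject", "receipt already used"))
            return False
        if paid != bowl_size:
            # The exact gap from the post: paid for one size, picked another.
            self.log.append(("reject", f"paid {paid}, presented {bowl_size}"))
            return False
        self.redeemed.add(token)
        self.log.append(("ok", bowl_size))
        return True


def run_shift(orders):
    """orders: list of (size paid for, size picked). Returns (served, rejected, log)."""
    cashier = Cashier()
    grill = Grill(cashier)
    served = rejected = 0
    for paid, picked in orders:
        token = cashier.sell(paid)
        if grill.accept(token, picked):
            served += 1
        else:
            rejected += 1
    return served, rejected, grill.log


if __name__ == "__main__":
    # Constructed lunch rush: two honest customers and one mismatch.
    served, rejected, log = run_shift(
        [("small", "small"), ("large", "large"), ("small", "large")])
    print(f"served={served} rejected={rejected}")
    for entry in log:
        print(entry)
```

Without the `Grill.accept` check the line degrades to exactly the system in the post: whatever the customer picked is what gets cooked, and nobody ever learns how often the sizes diverged. The log is the part a security team would actually want, since it turns an invisible gap into a measurable one.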

Keep your edge

We all have procedures we practice. We have tools in our kit. We have training to know when to use each of those tools and the extent of its value. I'm winging my way to CEIC, and we have a lot of great information primed and ready for you (and maybe a new tool or two you will find useful). I hope you brought the best tool in your kit and are eager to sharpen its edge.
