Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.
I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.
Fortune Cookie advice for April:
Capability, intent, and focus are the defining aspects to quickly prioritize threats.
The world of information security threats is vast. We can easily be overwhelmed with different components, processes, impacts, and concerns. Quickly identifying the benign from the urgent is a competitive advantage. In order to organize and prioritize, we must have a consistent method to judge criteria.
I submit the three most compelling aspects are related to the attacker who is committing the violation. Their capability to do harm, defines the likelihood of a successful attack. The intent of the attacker has significant implications for the likelihood to detect activity and the persistence of continuing attempts. Lastly, the focus of the attack, whether it is targeting you specifically or just looking for opportunistic victims, completes the overlapping picture to understand the precision of activities.
Given these three aspects, a quick evaluation can be made to determine the severity of the threat and attacks. Of course this is just the first step necessary for triage, while a full evaluation should be conducted for the areas which rise to the top of the severity list.