nCircle.com >> 360 Security


Thinking vs. Acting

The Seattle Fire Department produces a web page that lists where all of their emergency aid and fire vehicles are deployed in the city. A guy named John Eberly used Google Maps to produce a mashup that displayed all these points on a map. Nifty, huh. The SFD heard about this, or received some complaint, and they very quickly stopped publishing the text feed. They didn't remove the data, they just started publishing it as a JPEG instead of text. You can read an article about it and some of the interaction between Eberly and the SFD as well.

We can all argue about the logic of the SFD's decision or, more significantly, their justification of the decision. Ultimately they chose to keep the data available, but make it harder to process in useful ways. This is an interesting conversation, but the topic of apparently illogical security decisions is well worn in this day and age.

This incident got me thinking, however, about thinking and about acting, and about the difference between the two in information security. The SFD was put in a position where they felt they could not let the status quo stand, i.e. they had to *do* something. One can imagine that they evaluated the choices, looked at the impact of each and balanced it against the *reduction* in risk they would achieve. This compromise turned out to be the best choice. For whatever reason, the option to remove the data entirely, which would have reduced the risk to zero, was not viable. Perhaps there are other people who rely on that data being available, and so its removal would have been detrimental to their business.

This decision making process mirrors the risk mitigation choices that infosec professionals are required to make all the time. Let me outline the process:

recognition of risk --> evaluation of solutions --> action (acceptance, mitigation)

It's interesting to lay it out this way because it demonstrates that action is at the end of the line, so to speak. Often, those who are not responsible for the 'action' piece of the process can easily criticize the action taken. Often, such criticisms are perfectly valid, especially if the person isn't time-constrained by the requirement to move to the 'action' step. But sometimes those criticisms aren't valid because the individual doesn't have all the information. To bring this around to infosec again, the right actions are predicated upon having the right information. Recognition of risk requires full information about the nature of that risk. Evaluation of solutions requires full consideration of *all* the potential options. Without the right information, bad decisions are the result. If this process is fundamentally time-constrained, and it usually is, then it's key that the gathering of relevant information exists outside the time constraint of the process itself.

About

This page contains a single entry from the blog posted on October 16, 2006 6:59 AM.
