Ever wondered why the security could be breached even if you have a ton of security mechanisms? Most of the time the problem is not technical but a result of poor risk analysis. One reason why the risk analysis is poor is that it doesn´t take the attackers determination into account. To be able to do this I have come to rely on a method named You3 that is part of SRM (Security Review Model). You3 is a rather simple concept that classifies risk in three categories:

  • You Have
  • You Belong
  • You Are

Looking fairly simple at first glance the model is extremely strong in helping me to decide the correct security mechanism for an identified risk.

You Have simply means that you have something that everyone else also have like a web server, a laptop, an office. You are not in any way different from anyone else and the only reason you are attacked is that you managed to be in the way or have really lax security. Most standard security mechanisms work in this group.

You Belong is a bit more complex. This means that you belong to a group of some kind, you are a bank, you are part of the government, you are within a group of CEO, you are in a specific sector. Those risk are specific for the group and are often more serious if the succeeded. An example is that you could be robbed because you are a bank. Many compliance schemes like PCI DSS, HIPAA, SOX and so on are connected to this group. The attacks are not as many but they are more serious and more often succeed.

You Are is the most serious attacks. They are conducted towards you because you are the one you are. It could be a customer hating your company, political extremist having a grudge for something your company did in a third country or you have some specific knowledge that an industry spy want to sell. The attacks are very serious and are often conducted by professionals.

This all sounds well and nice but does it really matter? Yes, I will provide you with a simple but very describing example: a Trojan. A Trojan is a piece of malware that affects some computer and make it do stuff it is not supposed to. Applying a Trojan to this model and we get rather interesting results.

A Trojan attacking from a You Have perspective means that you are in the risk of getting a Trojan into your network and on a desktop. It is the kind of Trojan that is blocked 99.98% of all times according to the vendors of antivirus systems. The obvious security mechanism to apply here is an antivirus of course.

However, lets assume the Trojan could be classified as an attack in the category of You Belong. Will that differ? Yes, it sure does. Let’s take a Trojan named SilentBanker. A nasty little bugger I encountered a few years ago. It is specifically geared towards the finance industry and to be yet more specific to install itself at the customers computer and place it as a filter between the customer and the bank changing the values and send fraudulent transactions other ways, masking it for the customer. It comes in new flavours that is not recognised by the existing antivirus solutions and therefor other kinds of protection is needed. In this case content signing of the transactions is needed to protect yourself.

And the worst case scenario? A Trojan classified as You Are. Since last year we have a perfect example in Stuxnet, a Trojan attacking a very specific small numbers of servers at Iran´s nuclear facilities making them go haywire and break down. This little bugger was specifically designed for a very small set of servers with a specific configuration. Of course it was not detected by any antivirus and apparently not by any other protection either as the attack at least partly succeeded. Being able to select the correct security mechanisms here means that I need to know a lot more of the facility, that I don´t do today so I cannot give any recommendation here more than that those attacks are very specific and takes some hard work to identify and mitigate.

So, a Trojan is a Trojan is a Trojan but still the attack and the counter measures are different in the different scenarios. Adding to this there is also a cost issue. Most of the time the You Have mechanisms are rather cheap while the price increases when the attack is more determined. So selecting mechanism that exists on You Belong when most attacks are in the region of You Have means that you spend too much money on security without getting any better protection.