Don’t fret the meteorites

I’ve stood atop the world’s largest meteorite. The Hoba meteorite is a solid chunk of metal weighing 60 tons, and is about as big as the ‘60s kombi that took us to its location in the remote Namibian desert. On colliding with the hard earth at 1,000 feet per second, Hoba would have made quite a sizeable impact crater.

Common sense and compliance direct us to wear a crash helmet when riding a bicycle or motorcycle. In the dark ages, knights wore a full suit of armour for protection when under threat of sword or archery attack. Some parts of the world are so inhospitable that it is advisable to drive an armoured vehicle for protection.

However, if you put on your crash helmet and suit-up with body armour while driving your armoured vehicle, and you are then hit by a meteorite the size of Hoba, you are history. Finito. Kaput.

But this is so unlikely that you needn’t be concerned about it.

Penetration testers are becoming increasingly skilled at breaking defences these days. There are very powerful tools available to exploit the slightest vulnerabilities. And when they reach the limits of these tools, pentesters play a theoretical “what if” game. What if you are wearing bullet-proof underwear, and what if you have the best titanium crash helmet, and what if you are wearing the latest Kevlar suit of armour while driving your tank-grade Hummer, and a meteorite the size of a house flies out of the sky at a gazillion miles an hour and lands on your head? Hasta la vista.

It seems that pentesters dream up increasingly bizarre scenarios to identify security vulnerabilities. It makes them look smart. These theoretical games are unconstrained by the economic realities of black hat hackers who need to see a return on their time investment.

Theoretical “what if” games assume a variety of conditions which must exist simultaneously for a vulnerability to emerge. Each of these conditions individually has a probability of existing. The overall probability of all conditions existing simultaneously is the product of the individual probabilities (multiplied together). As soon as a vulnerability relies upon the existence of two or more theoretical conditions, it rapidly approaches the realm of deep space and time warps. Often the “what if” game produces an overall probability indicating such a low likelihood in the real world as to be of low significance.

There comes a point past which these theoretical “what if” scenarios outlive their usefulness. They then serve only to scare the less knowledgeable. We don’t need to fret the meteorites: the chance of being hit is far too low, and if you are unlucky enough to be the target of a large meteorite there is nothing you can do about it anyway.

Penetration tests need to be interpreted carefully to properly understand the nature and realistic likelihood of a vulnerability:
– If the pentester has actually performed an attack, then give this a lot of weight. It is a real and proven vulnerability.
– If the pentester did not actually perform the attack, but relies on a “what if” scenario, then carefully evaluate the probability of this condition or series of conditions existing in the real world. Also evaluate the difficulty of performing the attack – if an experienced pentest team cannot actually perform the attack within a 2 or 3-week test, then this is an indication of its threat.
– Ignore meteorites – those threats which are so unlikely that they are not worth considering.
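
The three rules above can be applied to a findings list as a first-pass triage. This is an added example, not part of the original post; the threshold, the category labels and the sample findings are assumptions. It goes slightly beyond the text by also reporting the upper bound that applies when the chained conditions are not independent, since the product rule only holds under independence.

```python
from dataclasses import dataclass
from math import prod

# Hypothetical cut-off below which a finding is treated as a "meteorite";
# the article gives no number, so this value is an assumption.
METEORITE_THRESHOLD = 1e-4

@dataclass
class Finding:
    name: str
    demonstrated: bool                  # did the pentester actually perform the attack?
    conditions: tuple[float, ...] = ()  # estimated probability of each precondition

def joint_likelihood(conditions):
    """Return (independent, upper_bound) for all conditions holding at once.

    independent: product of the probabilities, the rule the article states;
                 valid only if the conditions are statistically independent.
    upper_bound: min of the probabilities (Frechet bound), the worst case
                 when the conditions share a root cause and occur together.
    """
    if not conditions:
        raise ValueError("a theoretical finding needs at least one condition")
    if any(not 0.0 <= p <= 1.0 for p in conditions):
        raise ValueError("probabilities must lie in [0, 1]")
    return prod(conditions), min(conditions)

def triage(f: Finding) -> str:
    if f.demonstrated:
        return "proven"             # attack was performed: full weight
    independent, upper = joint_likelihood(f.conditions)
    if upper < METEORITE_THRESHOLD:
        return "meteorite"          # negligible even if conditions are correlated
    if independent < METEORITE_THRESHOLD:
        return "check-correlation"  # negligible only if conditions are independent
    return "evaluate"               # plausible: weigh likelihood and attack difficulty

# Constructed sample findings (not from any real report).
SAMPLE = [
    Finding("Attack performed during the test", demonstrated=True),
    Finding("What-if chain, three unrelated conditions", False, (0.01, 0.02, 0.05)),
    Finding("What-if chain, one condition extremely rare", False, (0.00005, 0.3)),
    Finding("Single plausible precondition", False, (0.2,)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{triage(f):18} {f.name}")
```

A "check-correlation" result means the finding is a meteorite only if the conditions really are unrelated; if they share a cause, the likelihood can be as high as that of the rarest single condition.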

Crash helmets are still appropriate even in circumstances where there is the threat of meteorites. The penetration testing industry risks becoming irrelevant if it relies too heavily on meteorites.

One thought on “Don’t fret the meteorites”

  1. wzrd1 April 30, 2014 at 6:18 pm

    Excellent points. For, in truth, some pen testers and auditing firms will go with the unicorn, the meteor strike notion. One so outlandish and improbable as to not survive a true risk analysis evaluation.
    Ignoring the fact that it is positively raining meteors upon us each and every day. Those meteors are more commonly called dust. We don’t protect our windows and cars from them, we wash them off with soap and water.

    One can plan for likely and even slightly improbable events. However, as important as those plans are, contingency plans for when things go awry are equally as important.
    As an example, one event that I personally experienced comes to mind.
    I was on a DoD installation in the Persian Gulf. It was a desert, as is much of the region. We had mitigation of various risks throughout the installation, from internal and external human threats, the environment itself with its harsh heat and occasional high humidity and all manner of technical controls in place. We had good policies in place as well.
    We did not have a plan for handling a flood. We had plans for leaky roofs in the technical areas for the rare heavy rains. We had alternate power in case of a failure due to those rains.
    We had no contingency for a real flood.
    Which is precisely what struck from a ruptured underground one inch water pipe. The water traveled along the below grade calcium carbonate bed beneath the site and filled the manholes for the communications lines, as well as the emergency generator fuel tank that was underground.
    Fortunately, we had plans for other problems in place with those lines and modified them to handle clearing the manhole of water and drying the junctions out. We added a test for water in the tanks after that incident as well, for that was one contingency we didn’t anticipate.
    Which resulted in another outage due to generator failure and resulting in the building UPS discharging and leaving no alternative power.
    Now, that wasn’t horses, it was a unicorn. But, adaptable plans can be made.
    Two alterations to existing plans were made, one to clear the water and lines, the other became part of the monthly generator test, one that was common in every other region of the world.

