
Assumptions & Outdated Mental Models

Unchecked assumptions are a major risk in any field...but in cybersecurity they take on a whole new level


Watch this episode on YouTube.

Reasonably Accurate Transcript

Good morning, everybody. How are you doing today? Um, a little bit of a personal Mornings with Mark, not that we don't get personal. Um, but this one hit me hard last night and while I was recovering, I said, you know what, this is gonna make a great topic.

Um, for tomorrow's show. What I want to talk to you about today is updating assumptions and mental models. And the reason why this one has a personal tie is because last night I was playing in my Monday night, um, semi-competitive basketball league. I am the oldest person in the league, I think by far, and last night was one of those games when it really hit me.

I've been playing basketball for a very, very long time. It's a passion of mine. Um, but I haven't been keeping my, um, personal fitness up. I've been taking care of myself, as we talked about a couple of episodes ago around self care and balance. Um, so I'm lagging a bit on the court.

Well, a bit is generous. I'm lagging quite a bit on the court and I'm playing with people half my age. Um, and it hit me last night: I still understand the game. I know the dynamics. I can see things that are about to happen, you know, like any "good" player can, you know, good in quotes.

But I can see, as the game is unfolding, I understand the dynamics. I understand the tendencies, the trends. The problem is I can't do a damn thing about it because my fitness is not there, because of my age, you know, I've lost a few steps and I just don't have the level of practice I used to.

But mentally, my model is still of younger Mark. My reality is old man Mark, um, out-of-shape old man Mark, slow, out-of-shape old man Mark. Um, but that doesn't line up with my mental model. So I'm out on the court in the middle of a dynamic game.

There's nine other players on the court. Things are moving back and forth and I'm playing with an outdated mental model of my capability. I have a great model of the game, but an outdated one of my capability. And the reason why, as I was icing my knees down last night, I thought this would make a great topic for the show is because I think this happens all the time in cyber security. We make proclamations, we make policies, we set up security controls and we just leave them, or we monitor them and assume that they continue to be appropriate, yet things change all the time in the environments we're defending.

We know that, especially with the push for more of a DevOps culture, for deploying more often into production, the environments that we're working in are dynamic, changing constantly, several times a day, dozens of times a day in the more advanced areas. And even stodgy old larger enterprises are still deploying more than just the weekend maintenance window that we used to have in the nineties.

So things are changing all the time. But our mental models are not updating. One of the biggest things, or the easiest example I can call out to you, is passwords. It took until last summer, so the summer of 2017, for NIST to finally update the password recommendations. Yet math, logic and any Psych 101 study could have told you that we've been dealing with really bad passwords for a long time, and we blamed that on users.

Users weren't picking strong enough passwords. Users were being lazy about the way that they were updating their passwords. They were just incrementing the number at the back or adding a symbol or whatever the case may be. But none of that was actually true. What the problem was, was that we had an old mental model for what a password could do and how to manage it, and it wasn't lining up with the new reality, right?

So it took years and years of work from NIST to finally update that, and we're still years and years away from having that implemented everywhere, right? So that's an example of not updating your mental model. Another one is security policy within the organization not updating.

So there's been a debate in public frameworks around the requirements for anti-malware on systems, or being able to prove that anti-malware is running on systems. So if you have strong application control and can only execute a known whitelist of executables, do you actually need anti-malware controls in place?

I say that yes, obviously, working for a vendor that sells anti-malware as well as a host of other security controls. But it's about using the right control at the right time, where frameworks and policies don't necessarily permit that type of activity. It's an outdated mental model.

Um, one of the easiest ways to tackle this is to make sure that you have an expiration date on any actions you take so that you automatically review them, right? Um, if you want to see this played out in sort of the extreme, ridiculous example, look at most Western countries' legal systems. Every time they update a law, they add; there is very, very rarely an event where they remove a law from the books.

Yet some of those laws were written when there were no cars and horses were still going down the streets. Um, when there were no streets, a completely different mental model, like different constructs set up, yet they continue to add instead of take away because of the way that system has been constructed.

We are replicating that in cybersecurity and it is a massive, massive, massive mistake. We need to constantly update things. Put reasonable deadlines on your policies. If you create a policy, it should be reviewed at least every year, if not every quarter, to make sure that it's still valid, that the mental model that policy was constructed on, those assumptions it was based on, still hold true.

And the thing is, reviewing it is not a huge amount of work. Once you've done the work to get a policy or a control in place, reviewing that it's still effective and appropriate should be relatively quick. Hey, is this still doing the job?

We think? Yes. Well, yes, it is, but not nearly as effectively. No, it's not. OK, if it's not, then you need to start another review process to make sure that there's something appropriate that you can actually start to roll out. But most of the time you're going to say, what, we have an internet policy that says our users shouldn't be downloading new executables without at least putting them in a sandbox first.

Does that still make sense? Yes. Is it effective? Well, let's ask that question next. Is this requirement there? I think the problem is that a lot of our systems don't allow for that to be easy. There's no simple system that says, hey, this document should be reviewed every three months, every four months, every six months, whatever the case may be. Those are easy enough to write.

I think you should be looking down that route. You should be having regular reviews of your policies, regular reviews of your security controls, to make sure you're not in the situation I was in last night on the court, where I'm playing with an outdated mental model.

I think I can still contribute there, but I need to update my mental model to account for the fact that, you know, I'm older. I'm twice as old as a lot of the folks, I'm slower, and I'm not at all anywhere near a decent level of fitness, let alone the fitness of somebody half my age.

But if I update my mental model, I should be OK and still continue to have fun. Make sure you're doing that within your cybersecurity practice. What do you think? Let me know, hit me up online, marknca, in the comments down below, or as always by email, me@markn.ca.

How do you keep your security controls, your security policy? Your approach to cybersecurity fresh? How do you make sure that you're not the old guy slogging it up and down the court? Have a great day. We'll talk to you online and we'll see you on the show tomorrow.
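The episode's practical suggestion is to put an expiration date on every policy and control so that a review is triggered automatically, and it notes that the tooling for this is easy enough to write. Below is an added example of that idea, not code from the episode or from the speaker: a small Python review-expiry checker over a constructed control register. Each record carries the assumption the control rests on, when it was last reviewed, and its review cadence; the checker flags controls that are past their review date or about to be. The register entries, the dates and the `TODAY` value are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ControlRecord:
    """One policy or security control with the mental model it depends on."""
    name: str
    assumption: str          # the assumption that must still hold for the control to make sense
    last_reviewed: date
    review_every_days: int   # review cadence; the control "expires" after this many days


# Constructed sample register (hypothetical controls and dates, not a real organisation).
TODAY = date(2018, 4, 10)
REGISTER = [
    ControlRecord(
        name="Anti-malware agent required on all servers",
        assumption="Servers can run arbitrary executables (no application control)",
        last_reviewed=date(2015, 6, 1),
        review_every_days=365,
    ),
    ControlRecord(
        name="New executables must be detonated in a sandbox before use",
        assumption="Users can introduce unknown binaries onto endpoints",
        last_reviewed=date(2018, 1, 15),
        review_every_days=90,
    ),
    ControlRecord(
        name="Passwords must be rotated every 90 days",
        assumption="Forced rotation produces stronger passwords than it costs",
        last_reviewed=date(2017, 2, 1),
        review_every_days=365,
    ),
]


def days_until_due(rec: ControlRecord, today: date) -> int:
    """Days until the next review is due; negative when the review is overdue."""
    due = rec.last_reviewed + timedelta(days=rec.review_every_days)
    return (due - today).days


def review_status(rec: ControlRecord, today: date, warn_days: int = 30) -> str:
    """Classify a control as 'overdue', 'due-soon' (within warn_days) or 'current'."""
    remaining = days_until_due(rec, today)
    if remaining < 0:
        return "overdue"
    if remaining <= warn_days:
        return "due-soon"
    return "current"


def stale_controls(records, today: date, warn_days: int = 30):
    """Return (name, status, days_until_due) for every control that needs attention,
    most overdue first, so the review queue is ordered by how stale the assumption is."""
    flagged = [
        (r.name, review_status(r, today, warn_days), days_until_due(r, today))
        for r in records
        if review_status(r, today, warn_days) != "current"
    ]
    return sorted(flagged, key=lambda item: item[2])


if __name__ == "__main__":
    for name, status, remaining in stale_controls(REGISTER, TODAY):
        rec = next(r for r in REGISTER if r.name == name)
        print(f"[{status:8}] {name} ({remaining:+d} days)")
        print(f"           assumption to re-check: {rec.assumption}")
```

Running this against the constructed register prints the anti-malware control as overdue by well over a year and the password-rotation control as overdue by about two months, with the sandbox control due within the warning window. The point of carrying the `assumption` field is that the review question is not "is the control still configured?" but "does the assumption it was built on still hold?", which is the check the episode is arguing for.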
