The Ostrich Algorithm: A Risky Alternative to Threat Modeling
Ignoring it won't make it go away
Let’s explore a concept that’s intriguingly named and widely applicable across various fields: The Ostrich Algorithm. Though it might sound technical, the term is actually metaphorical, capturing a behavior pattern where problems are deliberately ignored, in hopes they might disappear on their own. This analogy is drawn from the myth of ostriches burying their heads in the sand when faced with danger.
Origin of the Ostrich Algorithm
Although the name is derived from the proverbial myth of ostriches burying their heads in the sand to avoid danger, In a computer science context, it refers to the strategy of ignoring certain problems, based on the assumption that they are exceptionally rare and that addressing them might be more costly than the potential damage incurred. Used primarily in managing deadlocks within concurrent programming, this approach operates under the presumption that some issues can be disregarded if their occurrence is rare and the cost of prevention is unjustifiably high.
The Ostrich algorithm operates on the principle of preemptive resource allocation. Under this system, when a process demands a resource, the operating system first verifies its availability. If the resource is available, it is allocated to the requesting process. If not, the process is placed in a waiting state until the resource becomes free. Furthermore, if a process encounters a situation where the needed resource is unavailable, the operating system overlooks any potential deadlock, instead continuing to assign resources to other processes. This approach allows the system to maintain functionality even amid deadlocks.
In everyday life, we see the Ostrich Algorithm at play when people choose to ignore financial debts, health symptoms, or even basic maintenance tasks like changing the oil in a car. The idea is simple: out of sight, out of mind. However, the repercussions of such an approach can be significant, leading to bigger, more complex problems down the line. Understanding the Ostrich Algorithm helps us recognize when we might be avoiding issues rather than confronting them. This awareness is crucial because, while ignoring problems might offer temporary relief, it often leads to larger complications down the road. The real-world implications of this can be significant, ranging from wasted resources to severe operational failures.
Importance of Threat Modeling
If you have read my previous articles, you would be very much familiar with threat modeling but let’s quickly iterate over - Threat modeling serves a crucial role in security, functioning as a systematic process aimed at identifying and addressing potential threats proactively. This discipline facilitates a structured analysis of the security requirements of an application or system, allowing companies to anticipate potential vulnerabilities before they can be exploited maliciously. The purpose of threat modeling is not merely to identify security risks but to strategically allocate resources to mitigate identified vulnerabilities effectively. Therefore, threat modeling is indispensable for crafting robust security measures, tailored to protect valuable assets while accommodating an organization's specific risk tolerance and operational realities.
BUT HOW DO THE TWO RELATE?
Now that we understand the general concept of the Ostrich Algorithm, let's translate it into the realm of security, specifically within the threat modeling process. In security, the Ostrich Algorithm manifests when teams, perhaps subconsciously, choose to ignore or undervalue potential security threats. This could be due to a variety of reasons: the threat seems unlikely, solutions may be costly or time-consuming, or the threat is outside the scope of past experiences and therefore harder to recognize.
The Subtle Lure of Ignorance
In security, the Ostrich Algorithm isn’t just about blatantly ignoring threats; it’s often more insidious, manifesting subconsciously in everyday security practices. Professionals might not even realize they're following this pattern, as it can be deeply ingrained in the organization's culture or individual cognitive biases.
The Ostrich Effect
Cognitive biases play a significant role in the subconscious application of the Ostrich Algorithm. For instance, confirmation bias leads individuals to favor information that confirms their preexisting beliefs, effectively ignoring contradictory data about potential threats. Similarly, the normalcy bias causes people to underestimate the possibility of a disaster and its potential adverse effects, under the assumption that since something has not happened before, it will not happen at all.
Overlooking New Threats: Teams might focus on familiar threats and ignore emerging ones simply because they haven't yet experienced them firsthand. This isn’t necessarily a conscious decision; it’s often just easier to track and fight known issues.
Underestimating Internal Risks: There’s a common belief that threats predominantly come from outside the organization. This belief can lead to a subconscious neglect of internal security measures, such as regular audits of employee access rights and monitoring of internal network activities.
The Danger of Complacency
Complacency can set in when teams have dealt with their immediate, visible security issues. They might think their applications are secure because they've implemented standard security measures. This false sense of security is a direct result of the Ostrich Algorithm at play, where the lack of recent security breaches reinforces the belief that their environment is safe, overshadowing the need for ongoing and continuous vigilance.
The Role of Leadership
Leadership plays a crucial role in either perpetuating or dismantling the subconscious adherence to the Ostrich Algorithm. Leaders who emphasize a proactive security posture and continuous improvement can help shift the organizational mindset. On the other hand, leaders who prioritize short-term gains and display a reactive approach to security inadvertently reinforce this detrimental behavior. If all you want is SOC 2 compliance, it's easy to fall into the trap of checking off requirements without truly getting a sense of security culture in your organization. Leadership must drive the point that compliance standards are just the starting point, not the end goal.
Some Industry examples where we see this approach and hence the consequences -
Remember the Target breach in 2013 where attackers were able to steal 40 million credit and debit records and 70 million customer records even though they were PCI compliant at the time. Reports suggest that Target may have received warnings from its security alerts about the suspicious activities but did not respond with the urgency required. The security team either failed to grasp the severity of the alert or chose to prioritize other issues, underestimating the potential impact of the breach.
Another infamous example of the failure in threat modeling and addressing a vulnerability is the Equifax data breach of 2017. This breach exposed the sensitive information of approximately 147 million people. The root cause was traced back to a known vulnerability in the Apache Struts framework, which Equifax had failed to patch despite the availability of a fix. This oversight —specifically, underestimating the risk of not promptly updating their systems—led to significant financial and reputational damage for the company.
The United States Postal Service (USPS) experienced a significant security oversight that serves as a compelling case study for the Ostrich Algorithm in cybersecurity. In this instance, a critical vulnerability affecting all 60 million user accounts on the USPS website was reported by a researcher but took over a year to address. The issue centered around an authentication weakness in the site’s API. The delay in addressing this vulnerability is a textbook example of the Ostrich Algorithm. Despite being aware of the flaw, USPS did not take immediate action. The reason for the delay was the need for fundamental changes to fix the vulnerability—an indication that the problem was both recognized and understood but not promptly acted upon.
Potential ways to avoid neglect
Acknowledging cognitive biases is crucial in combating the Ostrich Algorithm in security. Organizations should do retro sessions that delve into the various biases affecting security decisions. These sessions should be led by experts (not just security), interactive exercises demonstrating bias effects, and case studies of security incidents caused by cognitive biases. By integrating bias awareness into security protocols and decision-making frameworks, companies can foster a more vigilant and self-aware security culture. Ignoring supply chain security because you haven’t experienced it yet can be one such example of bias-based decision-making.
The implementation of Devil's Advocate roles can significantly enhance an organization's ability to identify overlooked security risks. Well, we all have heard once in a while someone saying “I am playing Devil’s Advocate here”, why not make it an Informal (or maybe formal) system? This approach involves where team members rotate into a Devil's Advocate position, challenging assumptions and decisions. The role should have clear guidelines emphasizing constructive criticism and thorough risk analysis. Providing training on effective questioning techniques and risk assessment methodologies is crucial. To ensure the system's effectiveness, the Devil's Advocate should have the authority to temporarily halt projects if significant risks are identified. Regular reviews and adjustments of this system help maintain its relevance and impact.
Creating a "Vulnerability Inbox" offers a safe, anonymous channel for reporting potential security risks. This system should be user-friendly for submitting reports, ensuring anonymity protections. Security team can then review and triage reported vulnerabilities, with clear processes for investigation and resolution. Implementing a feedback mechanism keeps reporters informed about the status of their submissions. Regular analysis of reported vulnerabilities can reveal systemic issues and patterns, while organization-wide updates on significant findings promote transparency and engagement in security efforts.
Regular "Worst-Case Scenario or Chaos Engineering" exercises prepare organizations for extreme security breaches. These structured programs should include quarterly workshops covering different security domains, utilizing simulation tools to model potential impacts. Involving cross-functional teams ensures diverse perspectives are considered. Detailed response plans should be developed for each scenario, including resource allocation and communication strategies. Full-scale simulations of selected scenarios, conducted annually, provide practical experience. Regularly updating these scenarios based on emerging threats and technologies keeps the exercise relevant and effective.
Concluding Thoughts
Embracing the lessons from the Ostrich Algorithm is crucial for any organization committed to robust cybersecurity practices. This concept underscores the dangers of ignoring or underestimating potential security threats—a mistake that can lead to catastrophic data breaches and severe reputational damage
Ignoring alerts, underestimating the security capabilities of third-party vendors, or simply failing to keep security measures up-to-date can all be attributed to the Ostrich Algorithm. This approach not only jeopardizes the customers’ trust but also exposes organizations to legal and financial repercussions. Security Posture requires vigilance and proactive management; anything less is an open invitation to potential attackers.
Closing Quote
To encapsulate the importance of vigilance in security, consider this adaptation of a famous quote: "An ounce of prevention is worth a pound of cure." In the context of cybersecurity, this means that taking proactive steps to secure applications and data is far more effective and less costly than dealing with the aftermath of a security breach.
Addressing the subconscious elements of the Ostrich Algorithm requires more than just policy changes; it requires a shift in mindset at all levels of the organization. By understanding and acknowledging these psychological underpinnings, security teams can better prepare and protect against the full spectrum of threats.