Applying the Irari Rules to a risk-based security program

A few respected critics took issue with what we call the Irari Rules. Here's why their concerns are off base.

The feedback from our last article, in which we laid out what we call the Irari Rules for classifying a cyberattack as "sophisticated," was overwhelmingly positive. Nonetheless, a few people we respect disagreed with us. Ironically, examining why they disagreed demonstrates why the Irari Rules are relevant.

To summarize, the Irari Rules say that an attack is not sophisticated if any of the following conditions apply:

  • The attack used malware that should have been detected.
  • The attack targeted a known vulnerability.
  • Multifactor authentication was not in use on the targeted systems.
  • The attack exploited static passwords on critical servers.
  • If phishing was involved, a strong, comprehensive awareness program was not in place.
  • Detection mechanisms were not in place or were ignored.
  • Proper network segmentation was not in place.
  • User and administrator accounts that were exploited had excessive privileges.

All well and good, say the critics, but these rules don't take risk into consideration. For example, a company might not use multifactor authentication for systems that ended up being targeted in an attack, because it made a conscious decision that the information in those systems is not valuable enough to warrant that level of protection.

That would be a legitimate and defensible decision to make (assuming that the value of the information was properly assessed). But in the end, it is irrelevant to what the Irari Rules are meant to do. The rules are supposed to help us judge whether an attack can truly be deemed "sophisticated." If a company has made a risk assessment and decided not to use multifactor authentication, and subsequently is hit by an attack that could have been prevented with multifactor authentication, there is nothing in the attack that raises it to the level of "sophisticated." The risk assessment basically came to the conclusion that certain available countermeasures would not be deployed to prevent what is really a preventable attack. The attack itself need not be sophisticated.

Our feeling in formulating the Irari Rules was that we need to be able to assess the validity of claims, made repeatedly in the media, by companies that have been attacked, and even by law enforcement agencies, that an attack was sophisticated and, by implication, unstoppable. Those claims distort reality and can make us feel more resigned to the inevitability of successful cyberattacks than we should.

The Irari Rules are intended to give someone with minimal technical competence -- as is the case with most people in the media -- the ability to ask, "Does this attack really meet the criteria of a 'sophisticated' attack? Was this an unpreventable attack, or the sign of an unsophisticated security program?"

And though the Irari Rules don't specifically take risk into account, a security professional looking at them should evaluate which of the countermeasures implied by the rules are really too difficult or too expensive to implement. Keeping anti-malware signatures up to date? Having a good password policy? Having proper network segmentation? When looked at that way, we would argue, most of the implied countermeasures should be mandatory.

But some countermeasures might be subject to risk considerations. So yes, some security programs may decide that the cost of multifactor authentication is not worth the benefit. That can be a legitimate and defensible decision, as long as it arises from a truly objective risk assessment, which includes asking, "What is the impact if there were a compromise?"

Unfortunately, a lot of decisions about the level of security deployed are not conscious weighings of the risks involved. The reality is that such risk-based decisions are relatively rare in industry. Many decisions regarding implementing specific countermeasures are made by default due to either budget concerns or a lack of knowledge about the potential need for the countermeasures on the part of the people implementing the systems.

We would actually be happy if every security program looked at the Irari Rules and made a conscious evaluation of the applicability of each countermeasure. Conscious decisions, hopefully involving approval by some risk committee, would be a vast improvement.

We also endorse organizations doing more to prevent successful cyberattacks. As we said in concluding our previous article, more-than-trivial attacks are the new normal, but security programs have not kept pace. Although the Irari Rules imply fundamental countermeasures, those countermeasures are not necessarily comprehensive for all organizations. They are a starting point for organizations that are targeted by more than random attacks.

Ira Winkler is president of Secure Mentem and author of the book Spies Among Us. Ira and Araceli Treu Gomes can be contacted through Ira's Web site. They will be doing a full presentation on these rules at the RSA Conference this Friday, April 24.
