2014-04-14

Personalizing Data Security Part 2

Previously, we created a story that aligns data security with buying the best car for your only teenaged daughter. Now, let's explore the choice between vulnerability assessment and penetration testing - the consequences of your decision as a parent and car buyer.
Since you're tight on budget, you decide it's best to go with the thorough once-over. After all, if you opt for the test drive, you aren't going to find everything that's wrong, anyway. Your goal is to figure out how you should best spend your money now that you know your car has some flaws. Your objective is to figure out which flaws are the most serious, and address them with your wallet.

So, the mechanic confirms that the car has been in an accident before, and, when he measures it, the frame is bent a little. He also tries the door handles, and finds that the doors don’t lock. He confirms there are a couple of nails in the tires, but he doesn’t pull them out because he knows they would deflate your tires. He looks under the dirt and points out there’s a huge crack in the windshield, but also confirms that it doesn’t let water leak into the car and that you can still see the road through it. One headlight is indeed busted. But, the engine seems to be mechanically sound despite its age. You learn that you have to fix the headlight in order to pass inspection. 
This is your vulnerability assessment, or validated vulnerability scan. 

You could stop with the headlight, by the letter of the law. But, it’s your only daughter. Do you fix the tires and the frame? A blowout could be catastrophic and the frame could make the car harder to drive. You ultimately decide that you should fix the headlight so you can pass inspection, and you decide tires are pretty important and the cost of the repair is reasonable. So, the mechanic also pulls the nails and patches the tires. You think long and hard about it, and decide you aren’t comfortable with the risk of your daughter driving a car with frame damage, so you ask him to fix that, too, and it really hits you in the wallet. You start to wonder if you shouldn’t have spent more money up front on a better car. But, he drops it on a frame puller and he straightens the axle, and you decide to leave the rest alone.

Now the car is all ready to give to your only daughter! Or, is it?

Let’s consider a universe that has two possible outcomes. One where the concerned parent stops here and does not proceed with the test drive, and one where the concerned parent decides the test drive is worth consideration. 

In the universe where you do splurge for the test drive, the mechanic takes it around the track and drives the heck out of the car. He finds out that, although the frame was straightened and the axle adjusted, the steering column is now out of whack. It works fine by itself: it turns left and right with the right tension as designed. So, the thorough inspection didn’t find any issues. But, it’s now misaligned with the other components, and the car responds dangerously to road conditions that require quick and sharp turns - conditions your daughter will encounter on the highway, where higher speeds make safety more important. The mechanic tells you that he sprained his wrist and got whiplash as a result of this while driving the car on the track. But, additionally, the mechanic learned that the doors themselves don’t remain closed without functioning door locks. When the car turns too far, the door falls open. And when the door fell open, he discovered a design flaw in the seatbelt: the seatbelt is attached to the door rather than the car seat. As a result, the mechanic tells you, he was dumped out of the car, broke his collarbone, got a concussion, has a mad case of road rash, and shattered his left arm.

This is your penetration test. It considers vulnerabilities in the context of one another, probes deeper when flaws are found (not just verifying that the flaw exists), and considers systemic and strategic flaws, not just tactical ones.

It turns out that the frame was serious, and would have resulted in injury to your daughter. But, the door locks (a much more minor component!) would have resulted in far greater damage to her because of the chain of events.

But, what about the thorough once-over? Shouldn’t this have fixed all these problems? Well, the seatbelt was operating as intended. It even passed head-on crash tests with the doors closed. No part of testing the effectiveness of a door lock involves checking to see if the doors stay closed. The doors opened and closed as expected, and even stayed closed just fine while the car was parked in the garage. Independently, the frame, the axle, and the steering were all within normal parameters. 

So, what is the outcome for the only teenaged daughter in the other universe where we skip the test drive? Will you feel comfortable with whatever the consequences may be?

Think about it, and next time, we'll talk about mechanics.