cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Champion

Testing, testing ...

Recently, a certain national leader has directed that testing for the SARS-CoV-2 virus be "slowed" so that the numbers of new cases of the disease will be reduced.  This is, of course, flatly ridiculous.  Testing does not cause problems, it just reveals existing problems.  And the lack of testing doesn't prevent problems, it only blinds you to the scope of the problem.  I have told my "testing" story before ...

 

Oh, well, what the hey:

 

I am reminded of a situation where sales and marketing was supposed to carry out virus scans before they installed our product. They had previously been using an inferior product and I mandated that they using a more accurate product. At one point a machine was brought in as a problem. First step in my process was to scan the machine, and, sure enough, it was infected.

 

"Did you scan it?"

"Yes."

"Did you use the right scanner?"

"Well, no, we used the old one."

"Why did you use the old scanner, when I've specified that you have to use the new one?"

"Well, when we use the one you told us to, it finds viruses ..."


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
5 Replies
Highlighted
Community Champion

Re: Testing, testing ...


@rslade wrote:

Recently, a certain national leader has directed that testing for the SARS-CoV-2 virus be "slowed" so that the numbers of new cases of the disease will be reduced.  This is, of course, flatly ridiculous.  Testing does not cause problems, it just reveals existing problems.  And the lack of testing doesn't prevent problems, it only blinds you to the scope of the problem.

Quoting directly from a recent speech:

 

"Certain National Leader" said:

Here’s the bad part. When you do testing to that extent, you’re going to find more people, you’re going to find more cases. So I said to my people slow the testing down, please. 

Responding in the form of a test question (and with apologies to a certain game show😞

 

Q:  What is the best way to not find something?

 

A) Don't go looking for it.

B) 50/50.

C) Phone a Friend.

D) Ask the Audience.

 

Answer: A

 

The national leader's clearly stated goal was to "not find more cases".  Just as we teach CISSP padawans to select the answer that best answer to the question being asked, we need to recognize that the national leader correctly identified that "not looking" is the best way to not find something.

 

I leave it as an exercise to the reader to decide if our code of ethics is best met by the national leader's goal, by "testing to reveal the scope of the problem", or by "slowing the pandemic and defeating the virus".

Highlighted
Community Champion

Re: Testing, testing ...

Some people can hear a joke and not get the joke. I do not think that leader was really saying "slow down testing" in all seriousness. I think he was pointing out how the media is manipulating the data to prove whatever point they want gullible people to believe. There have even been studies that show that COVID-19 has been in our country longer than we knew it and more people have had it without serious health issues, than previously thought. 

 

I know several former bosses (and they are former bosses for a reason) that feared audits and wanted to make sure we were "100% ready" for it. However, being the experienced person that I am with audits, having been through a bunch of them, I also know how the audit "game" works. If an auditor finds something they usually stop digging there and don't look for the harder stuff. If they fail to find any easy findings, they usually keep digging until they find something. I inherited a very poorly run IT organization from a security point of view. I had been working with the CIO and making progress, then that CIO retired and they hired an new one a few months before a "big" audit. So as the CISO I had a choice, fix the easy things which don't actually stop the hackers from getting in (like out of date policies) or leave that for the auditors to find while working on the things that were actually getting us breached, like successful phishing attacks, poor patching processes (for fear of blue screens), poor administration privileges practices, etc. I knew we had this big audit coming up so I worked on the more critical stuff while leaving the easy stuff to find (and to fix) for the auditors to discover. Yes the policies were out of date, but they were also poorly written, had huge gaps in them, were not being followed by staff, etc. What did the auditors find? Policies were out of date. That's where they stopped. Nothing about how inadequate they were, or how they weren't being followed, etc.. I also knew that the organization had a reputation for ignoring the previous CISO's advice but allocating all kinds of resources to close audit findings, so I leveraged the audit to my advantage. I "let" the auditors discover some things I wanted the agency to fix so that they would be exposed (and yes I had already informed the agency of the vulnerabilities and they just shrugged them off and took no action on them). I fixed some things while the auditors were onsite so that they would know that we were capable of fixing them, but would write them up anyways as a finding. I knew this would give me budget leverage with the new director of the agency as well. The new CIO didn't understand this and took it as an affront to his "image" that the auditors found things. He didn't understand how these government auditors worked. I knew they would stop if they found easy things and keep digging until they found something if they didn't find anything easy. The auditors even admitted to and proved my theory in the out briefing as there was one area, out of about 100 areas looked at, that scored 100% on the questions (about 6 levels deep) when the auditor stated that they had never had anyone get 100% on any item in any of their previous audits. The only reason they couldn't find anything is because it was a firewall and the person auditing it only knew to ask the 6 questions they had. If the auditor was actually a firewall person, they could have easily found some more items on it.

 

So which would you rather have after an audit: 300 findings, of which 200 are easy and 100 are medium to hard, or 150 medium to hard things. Oh yeah, you also have a short timeline to remediate a portion of these findings and show progress or else you lose access to the data this government agency is providing your agency. The medium and hard things will all take either budget (which you have to go ask government for), personnel (which you again have to go ask for), procurement actions (which can take between 3-9 months) or dedicated SME's which you currently do not have in your organization to reorganize your IT infrastructure. I chose the first one. We could knock out the 200 easy things in the 6 month timeframe and get the ball rolling on the 100 medium/hard things. Then at the 6 month checkup we have remediated 66% of our findings and have work in progress on the other 34% versus only to be able to report that we have gotten the ball rolling on 100% of the findings but have made no completions as they all would take 6-12 months to get started before actually being able to complete them.

 

So I view testing/auditing as exposing what needs to be exposed so that things can be understood and fixed. My problem with this whole covid-19 problem is that in my country, people can profit off of claiming a covid case, whether or not it actually was a covid case, just to make money off of it. It skews the true statistics which then can be manipulated by people who want to present a certain narrative to people gullible enough to fall for it without doing their own research into the situation. Or to people without an understanding of how statistics can be manipulated to say whatever you want, you just have to ask the right questions in a certain way.

Highlighted
Community Champion

Re: Testing, testing ...


@CISOScott wrote:

Some people can hear a joke and not get the joke. I do not think that leader was really saying "slow down testing" in all seriousness. I think he was pointing out how the media is manipulating the data to prove whatever point they want gullible people to believe. T


 

https://www.youtube.com/watch?v=8JtnEUPvpus

 

https://www.youtube.com/watch?v=-CxX8nvLalE

 

 

\(*0*)/

Craig 

 

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
My Community Profile
My LinkedIn Profile
href="Not Passing a Cert Exam is Not the Same as Failing" target="new";;https://cragins.blogspot.com/2018/08/pass-rates-for-professional-exams.html
Highlighted
Community Champion

Re: Testing, testing ...


@denbesten wrote:

I leave it as an exercise to the reader to decide if our code of ethics is best met by the national leader's goal, by "testing to reveal the scope of the problem", or by "slowing the pandemic and defeating the virus".

Q. Does Usenet help stamp out ignorance?
A. That depends on whether by `stamp out' you mean `eliminate' or `reproduce rapidly in great quantity.'

 

- Dr. Roger M. Firestone


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Highlighted
Newcomer II

Re: Testing, testing ...


@CraginS wrote:

@CISOScott wrote:

Some people can hear a joke and not get the joke. I do not think that leader was really saying "slow down testing" in all seriousness. I think he was pointing out how the media is manipulating the data to prove whatever point they want gullible people to believe. T


 

https://www.youtube.com/watch?v=8JtnEUPvpus

 

https://www.youtube.com/watch?v=-CxX8nvLalE


After reading this, I have no idea whether President Trump is joking, and I don't think he does, either!

 

Mike