The Bar Fight Risk Taxonomy
Update: Ricki has put t-shirts based on this tweet - literally - up in an Etsy store. They are 25 AUD and all proceeds go towards helping students and others get into cybersecurity as a career field. Yeet!
After hearing the words "vulnerability" and "threat" used interchangeably for the >9,000th time, I decided to take action, and the Bar Fight Risk Taxonomy was born.
Nothing occurs without communication, and risk, particularly in the cyber domain, is already a fairly vague and abstract concept, so I rely heavily on metaphors to explain cybersecurity and risk concepts. I've observed that situations or experiences that the majority of an audience has experienced, thought about, or seen on television serve as a firm foundation for shared comprehension. I also often employ visceral hyperbole to draw attention to the subject, immerse the reader in the scenario, and maintain the focus on the object of the illustration. This tweet utilized both techniques. Even if the reader has never been in or contemplated avoiding a fight in a pub, this scenario - despite being quite unpleasant - is relatively simple to imagine and very effective for getting the point across.
Hat tip to the legendary Jack Daniel who has been using a similar fighting analogy to communicate risk concepts for years...
Patch Tuesday = your weekly gym visit
— ARJ (@AndrewRJamieson) April 20, 2021
Security stack = your mates at the pub with you
APT = a mate who also wants to punch you in the face
Air gap = avoiding the pub by staying at home
Side channel = your wallet being nicked whilst you are being punched in the face
In any case... It went viral quickly, to the point where my friend Ricki Burke started making t-shirts out of it. Of all the tweets I've sent that made their way onto a t-shirt, I'm quite glad this is the one that did:
3000+ Posts
I'm clearly not the only one who frequently needs to explain these terms and gets mildly irritated when they're switched around, especially by those in the space who really ought to know better. The original tweet was viewed, liked, and reposted 250,000 times, and it spawned a thread with extensions of what I now refer to as "The Bar Fight Risk Taxonomy," which ranged from the concisely accurate to the deeply snarky and hilarious.
Here's the original tweet:
threat actor = someone who wants to punch you in the face
— cje ๐๐ (@caseyjohnellis) April 19, 2021
threat = the punch being thrown
vulnerability = your inability to defend against the punch
risk = the likelihood of getting punched in the face
My apologies to the tenured risk and GRC professionals who have already identified what appears to be a mistake here... Risk is mathematically defined as: Likelihood x Impact. Partially because Twitter has a character limit of 240, and partly because I was thinking about a breach through a "right of boom" lens (i.e. something bad has happened, let's understand why), I descoped Impact as a modifier by considering a successful punch as a notifiable breach... i.e. a pass or fail thing that no-one wants. Daniel Miessler did an excellent job expanding on the alternative treatment of risk in this analogy in his blog but since Twitter is written in pen, not pencil, my somewhat crude Impact = 1 math used in the definition remains unchanged.
Here are some subsequent additions to the thread...
acceptable risk = your willingness to be punched in the face
— cje ๐๐ (@caseyjohnellis) April 20, 2021
exploit = the fist
— cje ๐๐ (@caseyjohnellis) April 20, 2021
attack surface = the size and shape of your face
— cje ๐๐ (@caseyjohnellis) April 20, 2021
...and on, and on it went...
Patch Tuesday = your weekly gym visit
— ARJ (@AndrewRJamieson) April 20, 2021
Security stack = your mates at the pub with you
APT = a mate who also wants to punch you in the face
Air gap = avoiding the pub by staying at home
Side channel = your wallet being nicked whilst you are being punched in the face
bounty hunter = someone who promises to wear gloves when they punch you if you promise to pay them based on where they punch you
— ec0 || james ๐ดโโ ๏ธ (@devec0) April 20, 2021
bugcrowd = cage fight organiser
asymmetric threat = studying this entire thread then getting kicked in the crotch
— cje ๐๐ (@caseyjohnellis) April 21, 2021
cyberrisk insurance = your mates at the pub betting on if you can "talk that kinda shit" and not get punched in the face
— cje ๐๐ (@caseyjohnellis) April 20, 2021
Threat intelligence = โBobโs going to come at you with a right crossโ
— Bill Kyrouz (@Kyrouz) April 20, 2021
canary = a loud obnoxious friend who is daring everyone to punch them, wearing identical clothes
— Picaro Byte (@__picaro8) April 20, 2021
pentest = sparring partner, former welterweight boxer, will hit you until you say stop, no below the belt
compliance = how you think this all works until you've been punched in the face
— cje ๐๐ (@caseyjohnellis) April 20, 2021
Parameterized query: understanding the proper defensive ninja moves while someone is talking to you all friendly like and then suddenly tries to punch you in the face
— Jim Manico (@manicode) May 3, 2021
Risk acceptance = ok getting punched
— SecFightClub (@SecFightClub) May 3, 2021
Risk mitigation = practice taking a pinch
Risk mitigation = consider guards
Risk proactive controls = snipers pic.twitter.com/mHQTyMdw3R
bad threat intelligence = people are generally mad at you about stuff, and might try to punch you at some point in the future
— cje ๐๐ (@caseyjohnellis) April 20, 2021
CVE = list of known standard punches
— David Heath (@david_heath) April 21, 2021
Port scan = looking around the bar to see what everyone is drinking
Bouncer = Firewall
Band-aids = Initial post-event remediation
Blood = data-loss
No memory of the event = Ransomware, must rebuild from backups stored in the memory of pals
CVE=A Chuck Norris movie
— Mathias (@matthegap) April 21, 2021