A recurring theme for me lately is explaining the significance of taking things in context. When discussing vulnerabilities with people (I do this a lot working at Tenable), some folks don’t intuitively grasp that context is critical in translating a finding into usable and valuable information.
Let’s shift gears. A few weeks ago I was in Texas for BSidesAustin. While I was there I picked up a couple of bumper stickers; this one’s my favorite:
(For those who don’t know, that’s a stylized flag of my home state of Texas, and Texas is always trying to secede from something).
What does this have to do with context? Imagine this bumper sticker on the back of a Cadillac Escalade in Houston: there’s the stereotypical Texan sick of the meddling of the federal government and the liberal hatred of the Second Amendment. Now, let’s picture the same sticker on the back of a Toyota Prius in Cambridge, Massachusetts: the sentiment is more likely “get rid of those ignorant hick psycho cowboys who are screwing up America”. Context matters.
So, back to that vulnerability, opportunity, threat, bug, whatever it is you are contemplating. You have to ask yourself “Is this on the back of a Houston Escalade, or a Cambridge Prius?”. Not literally, of course, and certainly not out loud; people would give you the kind of look I’m used to getting. BUT, you do need to assess how the vulnerability is exposed and what mitigations are in place (or possible); how hard the threat may be to execute against your situation; whether there is a graceful failure mode if the opportunity turns out to be inopportune, etc.
Consequences of the action or situation are also part of the context; the world is full of unintended consequences, please limit your contribution to them.
I guess what I’m saying is don’t make decisions in a vacuum, because that would suck.