MTBHD Part I: Defined

I have a personal, and I think (of course) the ultimate, information security metric: Mean Time Between Horrifying Discovery (MTBHD).

While this may be self-evident, there are some subtleties in the definition of MTBHD. The basic idea is simply the duration between the previous time you found something horrifying about your environment and the next horrifying discovery. It does assume that you have already experienced MTTHD, Mean Time To Horrifying Discovery, MTTHD being the time to your first Horrifying Discovery after starting a new job.

The nuances of MTBHD come down to how one would define a Horrifying Discovery. This is directly correlated with whether or not you know you have an HD on your hands. I find HDs fall into two families.

The first is that you have not yet fully understood your environment. This is when HDs come fast and furious, and again, it is often experienced when starting a new job. The best remedy for this is, well, just experience.

You can get through this “honeymoon” phase by knowing what questions to ask and where to dig first. You know, key questions like, what is our vulnerability status? Well, do you know what patch levels we are at, then? Ok, do we have a patch management practice? What do you mean by “what do you mean by patch management”? DO WE EVEN PATCH!? That sort of thing…

Now, the second one is a bit more...devious and tricky to wade through. It is when you are asking questions and the people giving the answers are not painting a complete picture, providing you only the exact answer to your question, or feigning some sort of naivety. They often then dance around the issue, not necessarily lying to you, but definitely holding back information. It’s up to your own moral code whether that crosses the line into lying or not.

Either way, they usually don’t hide behind a vague answer once you have enough information to ask the direct questions. You know, something like, “So, you haven’t rebooted the core routers in two and a half years, which also means you haven’t patched in about two and a half years, right? You have patched? Well then tell me your patch level. Oh, right, I forgot, you don’t know what patch management is.”

The good news is that once you have defined what a Horrifying Discovery is to you, then you can start tracking the duration between them. Knowledge is power.
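If you want to actually track it rather than just feel it, here is an added example (mine, not part of the original post) of the bookkeeping: a dated log of Horrifying Discoveries, the MTTHD measured from a start date, and the MTBHD as the mean gap between consecutive entries. The start date, the dates, and the discovery descriptions are constructed for illustration; the descriptions echo the patching conversation above and are not real findings from anywhere.

```python
from datetime import date

# Constructed sample data (hypothetical): the day you started, and the
# Horrifying Discoveries you logged afterwards, each with a one-line note.
START_DATE = date(2023, 1, 9)
DISCOVERIES = [
    (date(2023, 1, 23), "nobody can state the current patch level"),
    (date(2023, 2, 6), "there is no patch management practice at all"),
    (date(2023, 3, 6), "core routers not rebooted, hence not patched, in 2.5 years"),
    (date(2023, 4, 17), "the answer to 'do we even patch?' was a shrug"),
]


def _sorted_dates(discoveries):
    """Discovery dates in chronological order; the log need not be kept sorted."""
    return sorted(d for d, _ in discoveries)


def mtthd_days(start, discoveries):
    """Mean Time To Horrifying Discovery: days from the start date to the first HD.

    Returns None if nothing horrifying has been found yet (enjoy it while it lasts).
    """
    dates = _sorted_dates(discoveries)
    if not dates:
        return None
    return (dates[0] - start).days


def hd_intervals(discoveries):
    """Days between each consecutive pair of HDs, oldest first.

    Watching this list is the real point: in the honeymoon phase the gaps are
    short, and they should lengthen as you learn the environment.
    """
    dates = _sorted_dates(discoveries)
    return [(later - earlier).days for earlier, later in zip(dates, dates[1:])]


def mtbhd_days(discoveries):
    """Mean Time Between Horrifying Discoveries, in days.

    Needs at least two HDs; with fewer there is no interval to average yet,
    so None is returned rather than a misleading zero.
    """
    gaps = hd_intervals(discoveries)
    if not gaps:
        return None
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    print("MTTHD (days):", mtthd_days(START_DATE, DISCOVERIES))
    print("HD intervals:", hd_intervals(DISCOVERIES))
    print("MTBHD (days):", mtbhd_days(DISCOVERIES))
```

The mean is the headline number, but the interval list is what tells you whether the trend is going the right way; a rising MTBHD means the honeymoon phase is ending, while a sudden short gap after a long run is worth a second look at who answered your last question.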

Next time we will look at how the MTBHD is the ultimate metric, and has so many applications; professionally and personally.