Yesterday, Sammy Migues talked about the risk of too much risk management. The only problem is that he completely misused the term Risk Management. I was all set to post a rant about that here, and in fact spent far too much time last night writing up a response. In the meantime, the Hoff and Alex responded with far better explanations and analysis than I had. So just go there and read what they had to say instead.
Adam's comment to my previous post prompted me to think about breach reporting rates again. Above, there's a slide from the presentation I delivered at FIRST 2007. It shows the breach reporting rate for different time periods, from different sources.
I think the results are pretty interesting when combined with this info from the OMB.

Mini-me guest posting on The Guerilla CISO tells us all some hard-learned lessons in Data Centers and Hair Driers. In it we learn (yet again!) that Disaster Recovery/Emergency Response/Business Continuity rely heavily on documentation, process being followed and above all regular testing. Regular testing is more than just practicing via drills or tabletop exercises, but also verifying that your documentation is accurate for the entire infrastructure down to capacity, wiring for alarms (at one employer we found out the hard way that one of the fire sensors wasn't hard-wired to the Emergency Power Off rather than to the cutout board and as a result, took down the data center while doing some emergency welding) and servers facing the right way in the racks. In the end, it's far better to find out in non-emergency situations that something is wrong. Also never forget that a hair dryer can help you test your fire alarm system...
[Image is Dog Fluffer by Phitar]

Govexec.com
The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the incident. By June 2007, 40 agencies reported almost 4,000 incidents, an average of about 14 per day. As of this week, the average had increased to 30 a day, said Karen Evans, administrator of the Office of Electronic Government and Information Technology at OMB.
Sigh.
So I was really happy to get mail from David Litchfield, pointing me to his new blog, and his opening entry, "SQL Injection and Data Security Breaches."
Dan Geer has also been at the data, and has posted "some statistical analysis" of Attrition's data.
It's great to see more breach analysis, and I fully expect that we're going to start seeing such data being used in presentations from Gartner, Burton, and other analyst firms. Why not take some time to look at the data and figure out how your organization could make use of it?
A New Zealand company is offering a lifetime supply of beer if someone gives them their lost laptop. See the BBC, "NZ brewery offers beer for laptop." Thanks to Phillip Hallam-Baker for the pointer. We are indeed happy, and would analyze the clever marketing, ROI on investment, and emergent chaos of the barter system, but I have a nice cold beer calling me.
Photo: "Glorious George," by AnotherPintPlease

Photo: FEMA news conference, AP.
[Update: We originally attributed the photo to the AP. It was actually taken by pirhoebabe. We apologize for the confusion.]
My friend Ilena Armstrong, Editor-in-Chief over at SC Magazine, is conducting a survey on how news of breaches, thefts and exposures is affecting organizations' info sec plans. Below is a note from Ilena inviting you to participate. If you have a moment please take the time to fill out the survey. Everyone who does gets a copy of the results as well as a chance to win a full boat pass to RSA. Sounds like a good deal to me!

Dear IT Security Professional,

I am writing to ask if you will take a few minutes to help with some vital industry research.
A legion of data exposures have occurred over the past year, with many affected companies not only being forced to address customer and investor concerns, but also pay fines and adhere to prolonged sets of requirements administered by the Federal Trade Commission. So just how is news of such breaches, exposures and possible thefts affecting the way organizations -- large and small -- focus on information security plans?
This survey, Guarding against a data breach, aims to find out and should take less than 15 minutes to complete. Click here to take the survey.
I asked Bob Blakley and Mike Neuenschwander some questions about Limited Liability Personae. Rather than focusing on the implementation, I wanted to talk about the high level purposes, as well as concerns that most people have with the idea of a persona. Whenever I discuss personae, there are issues that frequently come up, for example:
Mordaxus: What do you have to hide? That's the obnoxious way to ask why one needs a persona. What problem does a persona solve? Is there another way to do this?
Bob Blakley: It has nothing fundamentally to do with "hiding". It has to do with compartmentalizing risk.
There's no good reason getting my social security number stolen should result in my bank account getting cleaned out and my credit record being polluted. This only happens because I have to "invest" my bank account in a transaction (and hence put it at risk) every time someone asks for my SSN. If I have a persona which has its own ID number and a separate bank account with a limited amount of my money in it, when I engage in a transaction I only have to put "as much of my resources and information as necessary" into the transaction. This means that my other resources (the ones I "hide") do not have to be exposed to thieves and other bad actors.
One can of course use a persona to adopt a personality other than the one used at work or socially. This can be destructive (as when it's used to perpetrate fraud or otherwise deceive) or constructive (as when one builds an interesting character in an online game, or constructs a persona as an artist, and so on).
Mordaxus: Won't this just let people run amok? Many people think that "anonymity" (which I put in quotes because it includes pseudonymity to these people) is the root of many evils. I disagree and think it is a lack of accountability. It doesn't really matter, though. How will personae make the situation better for anything from identity theft, to paying one's bills, to politically-motivated Wikipedia edits?
Bob Blakley: An LLP isn't anonymous, and it is accountable. The government agency which creates it requires a registration process. If something socially harmful is done using the LLP, the normal legal process can be used to associate the LLP with its owners (in fact ownership is usually public information). But as long as the law is followed, the liability incurred by the LLP does not transfer to the owners, and the owners can shield their "real" identities from transaction partners as long as they follow the law and the rules of LLC operation.
Regarding Wikipedia edits, assuming for the moment that there is actually a problem with them, an LLP is not designed to prevent politically-motivated activity of any kind including edits, and, as noted above, it's not designed to be a vehicle for unbreakable anonymity.
Mordaxus: How will it actually protect me? This comes back to asking what a persona is actually good for.
Bob Blakley: Liability limitation is what LLCs are all about. The fundamental notion of the corporation is that it allows individuals to invest some of their resources in an enterprise which might sustain significant losses, without putting at risk resources which are not invested in the corporation.
Today the liability-limitation (and taxation) benefits of incorporation are enjoyed by business enterprises and the wealthy, but mostly not by private citizens who are not wealthy. The LLP proposal is essentially intended to provide the risk-management benefits today enjoyed by the rich to everyone.
Mike Neuenschwander: Good questions. I know Bob already took the bait on this one, but I'll add a little more in the way of theoretical background. First, persona building is an important human activity. In everyday experience, it's easy to perceive the self as a unified, fixed, separable identity, but that's not the case at all. (The philosophical / scientific discussion of the topic can be found here.) When you probe the idea of self a bit deeper, you realize that people construct personas for nearly every relationship they engage in. They do this to fill a role that the relationship requires. Personas help set expectations among participants in a relation, provide protections for participants, and set parameters for behavior. Personas also "instruct" participants on how to behave. Role playing an archetypal character is an efficient method for humans to disseminate wisdom throughout society and across generations.
In the natural world (vs the online world), mechanisms exist to place costs on the creation of personas, so people can't create an indefinite number of them. The natural world also makes it costly to shed personas or to defect from relations and society. In other words, there are natural processes in the natural world for keeping the system in check. In the digital world, they're woefully sparse. We have "emoticons" (which emote individuals' feelings) but we need "social emoticons," which promote empathy, reciprocity, and trust among individuals.
A database of e-mail addresses and other contact information stolen from business software provider Salesforce.com is being used in an ongoing series of targeted e-mail attacks against customers of several Salesforce.com business clients, including SunTrust and Automatic Data Processing Inc. (ADP), one of the nation's largest payroll and tax services providers.

I have a few responses:
It's actually a very interesting signal in that it's somewhat hard to forge if the bank can be relied on to follow through. Each time you notify you're reinforcing a message that you care about security, and that you're willing to own up to mistakes.
Unfortunately, it's easy to promise and not follow through at all, claiming that you've not been breached. (I've written more on signaling in "Security Signaling" and "Signaling by Counting Low Hanging Fruit?")
"Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, Visa has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on Visa accounts alone."

Evan Schuman, quoting Visa's Joseph Majka, in "TJX Breach More Than Twice As Bad As Had Been Reported."
Would someone please page Willy Sutton?
Carl Ellison has been doing some really interesting work on what he calls Ceremonies:
The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols. Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios. A secure ceremony is secure against both normal attacks and social engineering. However, some secure protocols imply ceremonies that cannot be made secure.

He's talked about it in public a little before, and now has a paper available from the IACR eprint service, "Ceremony Design and Analysis."
If you design network protocols, or think about the intersection of security and usability, this is very much worth reading.

Thanks, Nicko!
Near as I can tell, this is the sort of half-thought through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other people report on the news, not the original Gartner slide deck.)
Gartner analysts estimate that the cost of sensitive data breaches will increase 20 percent per year through 2009. While mass attacks such as worms and viruses have continued, the investments that enterprises have made in intrusion prevention, vulnerability management and network access control have paid off, as those simple mass attacks have succeeded much less often. However, the attackers are now more financially motivated and have launched new waves of attacks that, when successful, cause enormous damage to the bottom line, but that often go unreported.

There's some fascinating juxtaposition in that last sentence. It "cleverly" mixes new motives for attacks with attacks succeeding, and then implies that there are these secret attacks happening, causing "enormous damage to the bottom line," but that somehow these material events aren't being reported. What might the SEC think about that? What might Milberg Weiss say about such allegations? How about Sarbanes and Oxley?
I simply don't believe that there are real events happening at public companies with real bottom line impacts being covered up. I believe that there are events whose costs are exaggerated. I believe there are events that are reported and not widely publicized. A company which is knowingly not reporting something which has caused "enormous damage to the bottom line" is committing a felony for which their executives can be jailed.
If you're an information security professional, making claims like this damages your credibility and your career. Similarly, claiming that breaches often drive companies out of business simply isn't supported by the facts.
However, I made a different assertion, which is that breach costs will fall, and I need to support that or risk damaging my own credibility. Breach cost will fall as the market responds and a growing number of credible organizations offer breach response services. Competition will drive costs down as everyone tries to get in on this new space.
I'd rate the chances as .9 five years out. If I'm wrong, I'll refund 90% of the money I made on this post.


What an amazing show. Shane MacGowan slurred a lot, but I just couldn't care when he sang 'Brown Eyes' or 'The Greenland' or 'The Sick Bed Of Cuchulainn.'
They're touring the western states.
Photo: "The Pogues in Seattle on October 17, 2007 - first show of US tour" by Dan10Things.
There's a story in USA Today, "Most fake bombs missed by screeners." It describes how screeners at LAX find only 25% of bombs, at ORD, they find 40%, and at SFO, 80%:
At Chicago O'Hare International Airport, screeners missed about 60% of hidden bomb materials that were packed in everyday carry-ons — including toiletry kits, briefcases and CD players. San Francisco International Airport screeners, who work for a private company instead of the TSA, missed about 20% of the bombs, the report shows. The TSA ran about 70 tests at Los Angeles, 75 at Chicago and 145 at San Francisco.

I could go on at length about how bad air travel has gotten, and how security theatre is crushing the travel and tourism industries in the US. Rather I'd like to focus on the emergent chaos aspects of this story: the reality that even TSA bureaucracy can't impose standards on airports, and why that would be a good thing, if they could accept it.
Before I do, I want to comment that missing 75% of the bombs is probably ok. There are very few airliners bombed in the US. I think it's less than 10 in history. So the issue is not really false negatives, where the screener misses a real fake bomb, but false positives, where the screener shuts down either someone's day or the airport. Given that every single bomb smuggled past security last year at US airports was fake, they are far more likely than real bombs.
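The base-rate argument above, carried through as an added example that is not part of the original post. The three detection rates are the ones the story reports; the per-bag prior for a real bomb and the screener false-alarm rate are constructed assumptions so the arithmetic can be run end to end.

```python
# Added example (not from the post): base-rate arithmetic behind the claim
# that false positives, not missed fake bombs, dominate screening outcomes.
# DETECTION_RATE holds the three figures USA Today reported. The per-bag
# prior for a real bomb and the screener false-alarm rate are constructed
# assumptions, chosen only so the numbers can be carried through.

DETECTION_RATE = {"LAX": 0.25, "ORD": 0.40, "SFO": 0.80}


def posterior_real_bomb(prior, sensitivity, false_alarm_rate):
    """P(real bomb | bag flagged), by Bayes' rule.

    prior:            P(a given bag carries a real bomb)
    sensitivity:      P(flag | real bomb), i.e. the reported detection rate
    false_alarm_rate: P(flag | no bomb)
    """
    p_flag = sensitivity * prior + false_alarm_rate * (1.0 - prior)
    return sensitivity * prior / p_flag


def daily_outcomes(bags_per_day, prior, sensitivity, false_alarm_rate):
    """Expected counts per day: real bombs caught, real bombs missed, and
    innocent bags flagged (each one a delayed traveller or a shut checkpoint)."""
    real = bags_per_day * prior
    caught = real * sensitivity
    return {
        "caught": caught,
        "missed": real - caught,
        "false_alarms": (bags_per_day - real) * false_alarm_rate,
    }


def compare_airports(prior=1e-9, false_alarm_rate=0.01, bags_per_day=100_000):
    """Run one constructed prior and false-alarm rate through each airport's
    reported detection rate. Returns {airport: outcomes}."""
    return {
        name: daily_outcomes(bags_per_day, prior, rate, false_alarm_rate)
        for name, rate in DETECTION_RATE.items()
    }


if __name__ == "__main__":
    for name, out in compare_airports().items():
        print(f"{name}: caught {out['caught']:.2e}/day, "
              f"missed {out['missed']:.2e}/day, "
              f"false alarms {out['false_alarms']:.0f}/day")
    # Even the 80% screener is swamped: with a one-in-a-billion prior,
    # a flagged bag is almost certainly not a bomb.
    print(f"P(real bomb | flagged) at SFO: "
          f"{posterior_real_bomb(1e-9, 0.80, 0.01):.2e}")
```

Tripling the detection rate changes the expected number of real bombs caught by a tiny fraction of one per day, while the false-alarm count, which is what actually closes checkpoints, is identical at all three airports.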
Now, there's an opportunity for dramatic improvement in the way we run airport security. "Just run them all like they run SFO!" Orin Kerr makes this point, "I would think the real story is the dramatic gap between the performance of TSA employees and private sector employees."
More importantly, what comes out of this study for me is the emergent chaos of running a large mission like airport security, and the value of that variation for learning.
If all airports were run exactly the same, we'd have missed this opportunity for learning.
So ask yourself, what do I standardize on too much? Where is there too much structure, inhibiting learning? How can we harness chaos, and what emerges? (I talk in more detail about a very similar point in the latest post in my threat modeling series on the SDL blog, "Making Threat Modeling Work Better.")
Photo: Frisk, by Tim Whyers. (Machine by Tim Hunkin, we've mentioned it previously.)
MacEwan College was cited in the auditor general's report this week after a tipster told the AG's office about the security breach in 2006. It mirrored access problems in 2002-2003, the AG's report confirmed.

You'll note that I'm writing about it anyway.

The college chose not to tell those whose personal information was included in the accessible journal entries based on an assessment of risk by its Freedom of Information and Protection of Privacy office, said MacEwan spokesman Gordon Turtle.
Secondly, people are upset:
Public institutions engender trust, and that's just one of several reasons why students should have been told, even if the college was confident the breach was minor, said MacEwan Student Union president Justin Benko.

Benko's opinion is interesting. There's no Canadian law explicitly requiring breach disclosure, but there's an expectation of disclosure. (There are also interpretations by Privacy Commissioners that read disclosure into existing laws.)

"Based on what the auditor report says, if bank account information and credit card numbers and signatures were readily available and obvious, there should've been something said," he said.
It also seems that the risk assessment was wrong. If you're covering up a breach because of a risk assessment, you might want to have another, and include crisis communication in the assessment.