Beat To The Punch

Yesterday, Sammy Migues talked about the risk of too much risk management. The only problem is that he completely misused the term Risk Management. I was all set to post a rant about that here, and in fact spent far too much time last night writing up a response. In the meantime, the Hoff and Alex responded with far better explanations and analysis then I had. So just go there and read what they had to say instead.

Breach reporting rates

Adam’s comment to my previous post prompted me to think about breach reporting rates again. Above, there’s a slide (click for a larger image) from the presentation I delivered at FIRST 2007. It shows the breach reporting rate for different time periods, from different sources.
I think the results are pretty interesting when combined with this info from the OMB.

Disaster Preparedness by Conair

Mini-me guest posting on The Guerilla CISO tells us all some hard learned lessons in Data Centers and Hair Driers. In it we learn (yet again!) that Disaster Recovery/Emergency Response/Business Continuity rely heavily on documentation, process being followed and above all regular testing. Regular testing is more than just practicing via drills or table top exercises, but also verifying that your documentation is accurate for the entire infrastructure down to capacity, wiring for alarms (at one employer we found out the hard way that one of the fire sensors wasn’t hard wired to the Emergency Power Off rather than to the cutout board and as a result, took down the data center while doing some emergency welding) and servers are facing the right way in the racks. In the end, it’s far better to find out in non-emergency situations that something is wrong. Also never forget that a hair dryer can help you test your fire alarms system…
[Image is Dog Fluffer by Phitar]

15-30 dataloss incidents daily, sez top Fed cyber-beancounter

The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the incident. By June 2007, 40 agencies reported almost 4,000 incidents, an average of about 14 per day. As of this week, the average had increased to 30 a day, said Karen Evans, administrator of the Office of Electronic Government and Information Technology at OMB.

Emergent Breach Analysis

When I started blogging about breaches and breach notices way back in early 2005, a number of friends wrote to say I was sounding like a broken record. They were right, and at the same time, I felt there was something really big going on, and I wanted to push it and shape it. Over the last couple of years, we’ve gone from fearing breach data to analyzing it, and even the lobbyists are a little less frantic in trying to roll things back. (Only a little, as their arguments dissolve one after another.)

So I was really happy to get mail from David Litchfield, pointing me to his new blog, and his opening entry, “SQL Injection and Data Security Breaches.”

Dan Geer has also been at the data, and has posted “some statistical analysis” of Attrition’s data.

It’s great to see more breach analysis, and I fully expect that we’re going to start seeing such data being used in presentations from Gartner, Burton, and other analyst firms. Why not take some time to look at the data and figure out how your organization could make use of it?

Beer For a Laptop

A New Zealand company is offering a lifetime supply of beer if someone gives them their lost laptop. See the BBC, “NZ brewery offers beer for laptop.” Thanks to Phillip Hallam-Baker for the pointer. We are indeed happy, and would analyze the clever marketing, ROI on investment, and emergent chaos of the barter system, but I have a nice cold beer calling me.

Photo: “Glorious George,” by AnotherPintPlease

Have data breaches affected your information security plans? Here is your chance to have a say

Alan Shimel writes:

My friend Ilena Armstrong, Editor-in-Chief over at SC Magazine is conducting a survey on on how news of breaches, thefts and exposures are affecting organizations info sec plans. Below is a note from Ilena inviting you to participate. If you have a moment please take the time fill out the survey. Everyone who does gets a copy of the results as well as a chance to win a full boat pass to RSA. Sounds like a good deal to me!

Dear IT Security Professional,

I am writing to ask if you will take a few minutes to help with some vital industry research.

A legion of data exposures have occurred over the past year, with many affected companies not
only being forced to address customer and investor concerns, but also pay fines and adhere to prolonged sets of requirements administered by the Federal Trade Commission. So just how is news of such breaches, exposures and possible thefts affecting the way organizations — large and small — focus on information security plans?

This survey, Guarding against a data breach, aims to find out and should take less than 15 minutes to complete. Click here to take the survey.

What Would One Actually Do With A Persona?

I asked Bob Blakley and Mike Neuenschwander some questions about Limited Liability Personae. Rather than focusing on the implementation, I wanted to talk about the high level purposes, as well as concerns that most people have with the idea of a persona. Whenever I discuss personae, there are issues that frequently come up, for example:

Mordaxus: What do you have to hide? That’s the obnoxious way to ask why one needs a persona. What problem does a persona solve? Is there another way to do this?

Bob Blakley: It has nothing fundamentally with “hiding”. It has to do with compartmentalizing risk.

There’s no good reason getting my social security number stolen should result in my bank account getting cleaned out and my credit record being polluted. This only happens because I have to “invest” my bank account in a transaction (and hence put it at risk) every time someone asks for my SSN. If I have a persona which has its own ID number and a separate bank account with a limited amount of my money in it, when I engage in a transaction I only have to put “as much of my resources and information as necessary” into the transaction. This means that my other resources (the ones I “hide”) do not have to be exposed to thieves and other bad actors.

One can of course use a persona to adopt a personality other than the one used at work or socially. This can be destructive (as when it’s used to perpetrate fraud or otherwise deceive) or constructive (as when one builds an interesting character in an online game, or constructs a persona as an artist, and so on).

Mordaxus: Won’t this just let people run amok? Many people think that “anonymity” (which I put in quotes because it includes pseudonymity
to these people) is the root of many evils. I disagree and think it
is a lack of accountability. It doesn’t really matter, though. How
will personae make the situation better for anything from identity
theft, to paying one’s bills, to politically-motivated Wikipedia edits?

Bob Blakley: An LLP isn’t anonymous, and it is accountable. The government agency which creates it requires a registration process. If something socially harmful is done using the LLP, the normal legal process can be used to associate the LLP with its owners (in fact ownership is usually public information). But as long as the law is followed, the liability incurred by the LLP does not transfer to the owners, and the owners can shield their “real” identities from transaction partners as long as the follow the law and the rules of LLC operation.

Regarding Wikipedia edits, assuming for the moment that there is actually a problem with them, an LLP is not designed to prevent politically-motivated activity of any kind including edits, and, as noted above, it’s not designed to be a vehicle for unbreakable anonymity.

Mordaxus: How will it actually protect me? This comes back to asking what a persona is actually good for.

Bob Blakley:Liability limitation is what LLCs are all about. The fundamental notion of the corporation is that it allows individuals to invest some of their resources in an enterprise which might sustain significant losses, without putting at risk resources which are not invested in the corporation.

Today the liability-limitation (and taxation) benefits of incorporation are enjoyed by business enterprises and the wealthy, but mostly not by private citizens who are not wealty. The LLP proposal is essentially intended to provide the risk-management benefits today enjoyed by the rich to everyone.

Mike Neuenschwander Good questions. I know Bob already took the bait on this one, but I’ll add a little more in the way of theoretical background.
First, persona building is an important human activity. In everyday experience, it’s easy to perceive the self as unified, fixed, separable identity, but that’s not the case at all. (The philosophical / scientific discussion of the topic can be found here.)
When you probe the idea of self bit deeper, you realize that people construct personas for nearly every relationship they engage in. They do this to fill a role that the relationship requires. Personas help set expectations among participants in a relation, provide protections for participants, and set parameters for behavior. Personas also “instruct” participants on how to behave. Role playing an archetypal character is an efficient method for humans to disseminate wisdom throughout society and across generations.

In the natural world (vs the online world), mechanisms exist to place costs on the creation of personas, so people can’t create an indefinite number of them. The natural world also makes it costly to shed personas or to defect from relations and society. In other words, there are natural processes in the natural world from keeping the system in check. In the digital world, they’re woefully sparse. We have “emoticons” (which emote individuals’ feelings) but we need “social emoticons,” which promote empathy, reciprocity, and trust among individuals.

Should Email Address Breaches Be Notification-Worthy?

Brian Krebs raises the issue in his column in the Washington Post, “Should E-Mail Addresses Be Considered Private Data?” The question raises some fascinating economics questions and a possibly unique opportunity for interesting information security signals:

A database of e-mail addresses and other contact information stolen from business software provider is being used in an ongoing series of targeted e-mail attacks against customers of several business clients, including SunTrust and Automatic Data Processing Inc. (ADP), one of the nation’s largest payroll and tax services providers.

I have a few responses:

  • First, I’m generally in favor of breach notice, as regular readers are tired of hearing about will know, and I’m always glad to see the debate extended chaotically.
  • Second, this would dramatically push up the overall cost of notifications, by requiring a rise in the quantity of notices.
  • Third, I might be willing to entertain the “too many notices” idea a bit more around email addresses. Why that’s risky isn’t obvious to most people, who use addresses like bkrebs@, rather than adam+securityfix@whatever or Is the disclosure of an address like bkrebs worthy of notice?
  • Fourth, it’s not obvious what the security expectation really is here. I think of + addresses and vanity addresses as ways for me to dump junk mail, and track who’s selling it. If I tell my bank that my address is ddfc1a093efd108181d86f0bd90bcc6f@emergentchaos, I might well have an expectation that only they have it, along with their mail processor, my domain service provider who sends all emergentchaos email to me, my buddies who operate a mail server, and everyone sniffing a network if any of those players aren’t using “StartTLS for Opportunistic Email Encryption.” That’s a lot of people. I’m not sure it’s a reasonable assumption.
  • [Updated to add] Email addresses such as that random string are a very useful part of an anti-phishing email strategy. If I sort email to ensure that only email to that address goes into a “bank” email folder, then phishing emails are far, far less effective because they’re in the wrong place.

I think that a bank could win points for customer service, and actively distinguish themselves for security purposes by offering to do this as part of their terms of service.

It’s actually a very interesting signal in that it’s somewhat hard to forge if the bank can be relied on to follow through. Each time you notify you’re reinforcing a message that you care about security, and that you’re willing to own up to mistakes.

Unfortunately, it’s easy to promise and not follow through at all, claiming that you’ve not been breached. (I’ve written more on signaling in “Security Signaling” and “Signaling by Counting Low Hanging Fruit?“)

Visa says TJX Impacted 94 million accounts, $68MM+ in fraud

“Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, Visa has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on Visa accounts alone.”

Evan Schuman, quoting Visa’s Joseph Majka, in “TJX Breach More Than Twice As Bad As Had Been Reported .”

Would someone please page Willy Sutton?

Ceremony Design and Analysis

Carl Ellison has been doing some really interesting work on what he calls Ceremonies:

The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols. Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios. A secure ceremony is secure against both normal attacks and social engineering. However, some secure protocols imply ceremonies that cannot be made secure.

He’s talked about it in public a little before, and now has a paper available from the IACR eprint service, “Ceremony Design and Analysis.”

If you design network protocols, or think about the intersection of security and usability, this is very much worth reading.

With p=.7, Breach Costs Will Fall by 2009

There’s an article over on Tekrati, “Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner.”

Near as I can tell, this is the sort of half-thought through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other people report on the news, not the original Gartner slide deck.)

Gartner analysts estimate that the cost of sensitive data break will increase 20 percent per year through 2009. While mass attacks such as worms and viruses have continued, the investments that enterprises have made in intrusion prevention, vulnerability management and network access control have paid off, as those simple mass attacks have succeeded much less often. However, the attackers are now more financially motivated and have launched new waves of attacks that, when successful, cause enormous damage to the bottom line, but that often go unreported.

There’s some fascinating juxtapositioning in that last sentence. It “cleverly” mixes new motives for attacks with attacks succeeding, and then implies that there are these secret attacks happening, causing “enormous damage to the bottom line,” but that somehow these material events aren’t being reported. What might the SEC think about that? What might Milberg Weiss say about such allegations? How about Sarbanes and Oxley?

I simply don’t believe that there are real events happening at public companies with real bottom line impacts being covered up. I believe that there are events whose costs are exaggerated. I believe there are events that are reported and not widely publicized. A company which is knowingly not reporting something which has caused “enormous damage to the bottom line” is committing a felony for which their executives can be jailed.

If you’re an information security professional, making claims like this damages your credibility and your career. Similarly, claiming that breaches often drive companies out of business simply isn’t supported by the facts.

However, I made a different assertion, which is that breach costs will fall, and I need to support that or risk damaging my own credibility. Breach cost will fall as the market responds and a growing number of credible organizations offer breach response services. Competition will drive costs down as everyone tries to get in on this new space.

I’d rate the chances as .9 five years out. If I’m wrong, I’ll refund 90% of the money I made on this post.