Monthly Archive for June, 2009

Voltage Predicts the Future

It’s easy to critique the recent Voltage report on breaches. (For example, “2009 started out to be a good year for hackers; in the first three months alone, there were already 132 data breaches reported.” That there were 132 breaches does not mean that hackers are having a good year; most breaches are not caused by hackers, and most breaches are small.)

But there are some really interesting tidbits, including the claim that the log(10) of the size of the breach is a normal curve with a mean of 3.5 and a standard deviation of 1.2, which means the mean breach is about 3,200 people. I’ve been saying for a while that all the breaches we remember are outliers, and Voltage’s analysis would indicate that two standard deviations, or about 97%, of breaches are smaller than 10^5.9, or about 790,000 people. (It’s unclear why, having done analysis of the size of breaches, they use an order-of-magnitude system for rating breaches, rather than something based on deviations.)

What’s more interesting is that they’re making testable predictions about the future:

At that rate, we should expect roughly 528 data breaches in the next 12 months [from May 2009]. If that is the case, the probability of having one or more data breaches in the next year that exposes 1 million or more records is roughly 99.9951 percent, or a virtual certainty, and we should expect to see about 14 data breaches of that size in the next year – this represents 1 in 200 adults in the US being affected.

This model also tells us that the probability of any given breach exposing 10 million or more records is 0.001769, or about 0.18 percent. This means that we can expect about 0.18 percent, or about 1 in 565, of data breaches to be that big. If that is the case, then the probability of having one or more data breaches in the next year that exposes 10 million or more records is over 60 percent – this is the equivalent of 5% of the US adult population being affected.
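The figures quoted above follow from just two stated inputs: log10 of breach size is normal with mean 3.5 and standard deviation 1.2, and about 528 breaches are expected in the year. The Python below is an added example, not code from this post or from Voltage, that recomputes those figures and also shows the check one could run in May 2010, fitting the two parameters to a year of reported breach sizes (here a constructed three-element sample). It assumes breaches are independent and identically distributed, which is what the report’s own multiplication implies.

```python
import math
from statistics import fmean, pstdev

# Parameters as stated in the Voltage report (quoted in the post):
# log10(records exposed) ~ Normal(mean=3.5, sd=1.2), ~528 breaches/year.
MU = 3.5
SIGMA = 1.2
BREACHES_PER_YEAR = 528


def normal_tail(z: float) -> float:
    """P(Z > z) for a standard normal Z, via the complementary error function."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def prob_breach_at_least(records: float, mu: float = MU, sigma: float = SIGMA) -> float:
    """Probability that a single breach exposes at least `records` records."""
    z = (math.log10(records) - mu) / sigma
    return normal_tail(z)


def median_breach_size(mu: float = MU) -> float:
    """10**mu is the median breach size (mean of the log, not of the size)."""
    return 10.0 ** mu


def arithmetic_mean_size(mu: float = MU, sigma: float = SIGMA) -> float:
    """Mean of a lognormal in base 10: 10**mu * exp((sigma*ln10)**2 / 2).
    Much larger than the median because the tail is so long."""
    s = sigma * math.log(10.0)
    return 10.0 ** mu * math.exp(s * s / 2.0)


def breach_size_at_sd(k: float, mu: float = MU, sigma: float = SIGMA) -> float:
    """Breach size k standard deviations above the log-mean, e.g. k=2 -> 10**5.9."""
    return 10.0 ** (mu + k * sigma)


def expected_count(p: float, n: int = BREACHES_PER_YEAR) -> float:
    """Expected number of breaches with per-breach probability p among n breaches."""
    return n * p


def prob_at_least_one(p: float, n: int = BREACHES_PER_YEAR) -> float:
    """P(at least one of n independent breaches has per-breach probability p)."""
    return 1.0 - (1.0 - p) ** n


def fit_log10_normal(sizes):
    """Estimate (mu, sigma) from observed breach sizes: the test one would run
    against a year's worth of reported breaches to see if the model held."""
    logs = [math.log10(s) for s in sizes if s > 0]
    return fmean(logs), pstdev(logs)


def predictions(mu: float = MU, sigma: float = SIGMA, n: int = BREACHES_PER_YEAR) -> dict:
    """Recompute the report's headline figures from the stated parameters."""
    p_1m = prob_breach_at_least(1_000_000, mu, sigma)
    p_10m = prob_breach_at_least(10_000_000, mu, sigma)
    return {
        "median_size": median_breach_size(mu),
        "arith_mean_size": arithmetic_mean_size(mu, sigma),
        "two_sd_size": breach_size_at_sd(2, mu, sigma),
        "p_breach_ge_1m": p_1m,
        "expected_ge_1m": expected_count(p_1m, n),
        "p_any_ge_1m": prob_at_least_one(p_1m, n),
        "p_breach_ge_10m": p_10m,
        "p_any_ge_10m": prob_at_least_one(p_10m, n),
    }


if __name__ == "__main__":
    for key, value in predictions().items():
        print(f"{key:>16}: {value:,.6g}")
    # Constructed sample of "observed" sizes, standing in for a year of reports.
    sample = [10 ** x for x in (2.3, 3.5, 4.7)]
    print("fitted (mu, sigma):", fit_log10_normal(sample))
```

Run stand-alone it reproduces the 10^3.5 ≈ 3,162 median, the 10^5.9 ≈ 794,000 two-deviation point, the 0.001769 per-breach probability of 10 million or more, roughly 0.61 for at least one such breach, and roughly 0.99995 for at least one million-record breach. Two things the paragraph does not show: the arithmetic mean of the fitted distribution is about 144,000 records, so “3,200” is the median rather than the mean; and the expected count of million-record breaches computed from these parameters is about 10, not the 14 the report quotes, so that figure appears to rest on an input not given in the excerpt.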

The interesting thing about these predictions is that they can be tested in May 2010. (It would be helpful for Voltage to say exactly what period they mean by “the next 12 months.”) While Dissent says:

I am not sure that a logarithm model will be appropriate for predicting future breaches. If organizations were to actually learn lessons from known breaches … then we might expect to see fewer large breaches rather than more.

I tend to agree, but the great thing is our agreement doesn’t matter. If the prediction holds, then we know something about the model. If the prediction fails, then we know something about the model. That’s the great thing about presenting predictions which are specific and measurable. So thank you, Voltage, for putting forward predictions. I look forward to seeing how they play out.

(Mortman commented on this previously in “Voltage Security’s Breach Map.”)

Thanks, Jeffrey Bennett

In “Books that should be in a security manager’s library,” Jeffrey Bennett says nice things about The New School (the book) and suggests that it’s one of eight that “no professional library is complete without.”

Thanks!

More Friday Skepticism

Since Adam started it, I’ll add a link to a nice YouTube video about how to be a good skeptic.

h/t BoingBoing

Death-related items

I’m cleaning out my pending link list with a couple of morbidly-thematic links.

Old-but-interesting (2007 vintage) list of relative likelihoods of death compared to dying in a terrorist attack.  For example…

You are 1048 times more likely to die from a car accident than from a terrorist attack

You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack

You are nine times more likely to choke to death on your own vomit than die in a terrorist attack

You are eight times more likely to be killed by a police officer than by a terrorist

I know that Jimi Hendrix might argue that the risk of death-by-choking-on-vomit cannot be overstated enough, but everybody gets disproportionately worked up about something.

Of course, given that death is inevitable (in the long run, anyway), Cory Doctorow challenges us with the question of what will happen to our crypto keys when we die?

What do you-all do with your cryptokeys? Keep ‘em with a lawyer and hope that attorney-client privilege will protect them? Safe-deposit box? Friends? Under the mattress? Do you worry that if your friends have your keys, they can be subpoenaed or suborned?

I seriously don’t have a good answer to this question for my personal keys.  How about the rest of you?

(corrected spelling as noted in comments)

Visualization Friday & More!

OK, so this week for Visualization Friday, I’m going to point you to just one thing:

At Last, a Scientific Approach to Infographics

A blog post by the awesome visualization expert Stephen Few that praises:

Visual Language for Designers: Principles for Creating Graphics that People Understand by Connie Malamed

OK, I’ll also mention that I really enjoyed this data quality post: http://www.dataqualitypro.com/data-quality-home/introduction-to-guerilla-data-governance-an-interview-with-m.html

And also that Beautiful Security is out, I have my copy and will be posting a review here once my private and professional life settles down.  At this rate, I expect that to be Late August :)

Finally, did you know we have a delicious feed of stuff we find interesting?  Really!  It’s here:  http://delicious.com/NewSchoolSecurity

Science, Skepticism and Security

Rich Mogull has a great post on “Science, Skepticism and Security”:

In the security industry we never lack for theories or statistics, but very few of them are based on sound scientific principles, and often they cannot withstand scientific scrutiny. For example, the historic claim that 70% of security attacks were from the “insider threat” never had any rigorous backing. That claim was a munged up “fact” based on the free headline from a severely flawed survey (the CSI/FBI report), and an informal statement from one of my former coworkers made years earlier. It seems every day I see some new numbers about how many systems are infected with malware, how many dollars are lost due to the latest cybercrime (or people browsing ESPN during lunch), and so on.

Worth pondering on a Friday.

Economics of Information Security

Ross Anderson is liveblogging the 2009 Workshop on Economics of Information Security. I’m in Seattle, and thus following eagerly. It seems Bruce isn’t liveblogging this time. I know I found it challenging to be a stenographer and a participant at SHB.

Visualization Friday!

Yesterday I got to see what might have been one of the most amazing(ly bad) security dashboards I’ve ever seen.  And those who have read my posts on visualization know that I find the visualization of risk & security to be a pretty fascinating field of study.  So given the quality of the GRC apps I’ve seen, the dashboard I saw yesterday and my love for data visualization, I thought I’d take Friday to post a few things that came across my data analysis & visualization feeds that you might find interesting. If you guys like it, we’ll stick with it.

From the WSJ a visualization on GDP growth and various investment bubbles since 1994.  GDP growth is the gray line that shows steady growth with little dramatic variation.  I would have liked to see that line a little more pronounced because it is the reference that puts the rest of the plotted lines in context:

http://online.wsj.com/article/SB124526883036724391.html#articleTabs%3Dinteractive

Two visualizations on oil prices present similar information in a very interesting manner:

http://www.flickr.com/photos/27534298@N02/2963174874/in/pool-767445@N24

and

http://chartporn.org/wp-content/uploads/2009/06/image45.png

I like the idea of using interactive charts.  Here’s one from NPR that shows various information about the US electric grid, and one from the AP that shows their economic stress index over time.  I think it would be really interesting to evolve the idea of “heat maps” to reflect business processes, risk, data types, data owners, and configuration specifics and use the visual to see if we can’t quickly draw ad-hoc correlations.

http://www.npr.org/news/graphics/2009/apr/electric-grid/

http://hosted.ap.org/specials/interactives/_national/stress_index/

Here’s a recent WaPo “infographic” that just shows information on what the current Obama administration in the US wants to do to the financial markets:

http://www.washingtonpost.com/wp-dyn/content/graphic/2009/06/17/GR2009061703025.html?hpid=topnews

I thought it was an interesting format for a one-page document that could be given to non-technical IT staff to discuss current risk mitigation strategies or co-ordinated efforts designed to accomplish one goal (like a PCI effort), what have you.

Finally, I’ll leave you with the WSJ economic forecast interactive infographic:

http://online.wsj.com/public/resources/documents/info-flash08.html?project=EFORECAST07

The Trouble With Metrics

Is that they can be gamed. See “Terror law used to stop thousands ‘just to balance racial statistics’” in the Guardian:

Thousands of people are being stopped and searched by the police under their counter-terrorism powers – simply to provide a racial balance in official statistics, the government’s official anti-terror law watchdog has revealed.

Lord Carlile said in his annual report that he had “ample anecdotal evidence” of it happening, adding that such a practice was “totally wrong” and constituted an invasion of civil liberties.

“I can well understand the concerns of the police that they should be free from allegations of prejudice,” he said. “But it is not a good use of precious resources if they waste them on self-evidently unmerited searches.”

He said there was little or no evidence that the use of section 44 stop and search powers by the police could prevent an act of terrorism.

What information security metrics have you seen gamed like this?

Via BoingBoing.

Green Dam

Update 26 June 2009: The status of Green Dam’s optionality is still up in the air.  See, for example, this news story on PC makers’ efforts to comply, which points out that

Under the order, which was given to manufacturers in May and publicly released in early June, producers are required to pre-install Green Dam or supply it on disc with every PC sold in China from July 1.

Last week, it appeared the government backed away from requiring compulsory installation by users, but manufacturers are still being required to provide the software.

I suspect that there will be at least one more update to this post before all is said and done.

Update 17 June 2009: Green Dam is now to be optional, but installed-by-default.

There’s a great deal of discussion in China right now about the new government-mandated “Green Dam” Internet filtering software that must be installed on all PCs in the People’s Republic of China.

Every PC in China could be at risk of being taken over by malicious hackers because of flaws in compulsory government software.

The potential faults were brought to light by Chinese computer experts who said the flaw could lead to a “large-scale disaster”.

The Chinese government has mandated that all computers in the country must have the screening software installed.

It is intended to filter out offensive material from the net.

I was in a taxi in Beijing a couple of days ago and the driver was listening to a call-in/talk radio show whose topic was the software and its flaws/weaknesses.  My post, however, had to wait until I returned states-side, because this ‘blog was blocked on all three of the different connections I tried while I was in China.

The consensus about this software among the locals that I spoke to is that it will be widely ignored, except in places like primary schools and some government offices.

There is so much to say about this, however, that I almost don’t know where to begin.  First, there is the issue of externalities.  The beneficiaries of this software are the government censors.  The cost, however, will be borne by those whose machines are rendered less stable, less secure, and less useful (due to the censoring).  This is the opposite of the theoretical goal of regulation–the transfer of externalities back onto their creators, not the other way around.

The results here may be even more toxic than observers currently realize, however.  By demanding compliance even when it does direct harm to those who must comply, the government undermines the loyalty of the citizenry and its own credibility.  It may only be one straw on the camel of Chinese citizens’ discontent, but eventually, there will be a straw that breaks the camel’s back.  This software has re-energized the domestic debate over the role of government censorship and whether their goal is to keep the populace safe or merely in-line.

Similarly, there is a lesson here for security and risk managers.  Namely, policies must also be perceived as benefiting those they govern.  Corporations whose policies are too obviously unfair or which demonstrate a contempt for employees produce similar disloyalty.  While it may not be immediately obvious in the current job market–people generally won’t quit in protest if they can’t find another job–that makes the effect worse.  A grumbling workforce is an unproductive workforce.

Yes, we must achieve our goals, in my case protecting information, and the combination of reduced budgets and nervous employees makes it that much harder to achieve results.  But in times like these, we also need to tread more lightly than ever since the resisters of policy–those employees who are more likely to be a risk–are more likely to stay with us and undermine it from within.

So, as ever, when we are dealing with security, the mantra remains, “People, process and technology–in that order.” Any attempt to attack the problem otherwise frequently produces unintended–and often unwanted–results.

Footnote:

I don’t know what my employer’s corporate stance is going to be, but we have a significant white collar presence in China, so will probably be unable to ignore the problem.

When asked, I will argue that we already perform this filtering on our corporate proxy servers, but it does not change the fact that the government has created a huge externality for their population and for companies operating here as part of a futile attempt to prevent Chinese citizens from viewing porn or dissident political commentary–not necessarily in that order, IMHO.