Monthly Archive for October, 2009

Just say ‘no’ to FUD

New School is about making rational security decisions and investments based on the best available data, experiments, and even formal reasoning. It’s the opposite of “fear, uncertainty, and doubt” (FUD). FUD is the intentional amplification and exaggeration of fears and uncertainties for the sole purpose of manipulating the decision-maker into approving your proposal or budget — the “safe choice”.

Dr. Anton Chuvakin, in his guest blog post at FUDsec.com, argues in favor of FUD as a tactic:

…many people view using FUD for driving security spending and security technology deployments as the very opposite of sensible risk management. However, FUD is risk management at its best: FUD approach is simply risk management where risks are unknown and unproven but seem large at first glance, information is scarce, decisions uncertain and stakes are high. In other words, just like with any other risk management approach today!

In light of this, we have to accept that there are benefits of FUD – as well as risks. … First, in the world we live in, FUD works! …Second, keep in mind that many of the Big Hairy Ass Risks (BHARs) are both genuinely scary and, in fact, likely…Finally, …fear might not be a very positive emotion to experience, but acting out of fear has led to things that are an overall positive…The key issue with FUD is its “blunt weapon” nature. It is a sledgehammer, not a sword! If you use FUD to “power through” issues, you might end up purchasing or deploying things that you need and things that you don’t.

As “greed-based” ROI scams fail to move security ahead, the role of fear has nowhere to go but up. In other words, all of us get to pick our favorite 3 letter abbreviation – and I’d take honest FUD over insidious ROI any day…

…Even if objective metrics will ever replace FUD as the key driver for security, we have a bit of time to prepare now. After all, in that remote future age interstellar travel, human cloning, teleportation and artificial intelligence will make the life of a security practitioner that much more complicated…  [emphasis in original]

Anton’s position on FUD reminds me of the quote by Gordon Gekko from the 1987 movie “Wall Street”:  “…greed, for lack of a better word, is good. Greed is right, greed works. Greed clarifies, cuts through, and captures the essence of the evolutionary spirit.”   Substitute “FUD” for “greed”, and this is basically Anton’s argument.

This Machiavellian justification of FUD sounds appealing until you consider this: FUD is unethical, plain and simple.

A Halloween analogy: It’s like putting an arachnophobic person in a dark room and then whispering: “This is such a dark room. There’s no telling how many spiders there are in here.” Then, just before locking them in the room, you say: “For all the money in your wallet, I can sell you some bug spray.”


The term “FUD” originated in the 1970s to describe some of IBM’s selling tactics against competitors (who had better price/performance, etc.). The FUD technique was used by IBM sales people to destabilize the decision-maker’s thinking process. FUD issues raised could not really be answered by the decision-maker or the competitor, and so nagged at the back of the mind. They had the effect of causing the decision-maker to retreat to the safe decision, which was IBM. “Nobody ever got fired for buying IBM”.

FUD has the same ethical status as using incriminating photos to coerce a favorable decision (one of J. Edgar Hoover’s favorite tactics). Both of them work if all you care about is getting approval, but they corrupt the process and work against rational decision-making overall.

There are substantial reasons for framing risks beyond a simple statement of facts and statistics, namely to deal with the psychology of risk. Security is about avoiding bad outcomes. We have fear and uncertainty about those outcomes and we are prone to cognitive distortions about them. FUD amplifies those distortions. FUD is anti-data and anti-analysis.

Instead, ethical security professionals should take pains to present feared scenarios in an understandable way and, most important, relative to the likelihood of other possibilities.  We should also be on a never-ending quest for data and analysis that will inform decisions and reduce emotionalism. Don’t make the situation worse by pumping out FUD. It’s unethical.


Ooops! and Ooops again!

Those of you who’ve heard me speak about the New School with slides have probably heard me refer to this as an astrolabe:

[image: an orrery]

Brett Miller just emailed me and asked (as part of a very nice email) “isn’t that an orrery, not an astrolabe?”

It appears that I’m going to have to update my commentary. Thanks, Brett!

[And thanks Scott--I misspelt orrery, now corrected.]

Ross Anderson’s Psychology & Security page

Ross Anderson has a new Psychology and Security Resource Page. His abstract:

A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as security engineering gets better, it’s easier to mislead people than to hack computers or hack through walls. Many systems also fail because of usability problems: the designers have different mental models of threats and protection mechanisms from users. Wrong assumptions about users can lead systems to discriminate against women, the less educated and the elderly. And misperceptions cause security markets to fail: many users buy snake oil, while others distrust quite serviceable mechanisms. Security is both a feeling and a reality, and they’re different. The gap gets ever wider, and ever more important.

A tremendous resource.

Is responsible disclosure dead?

Jeremiah Grossman has an article in SC Magazine, “Businesses must realize that full disclosure is dead.” On Twitter, I asked for evidence, and Jeremiah responded “Evidence of what exactly?”

I think the key assertion that I take issue with is bolded in the context below:

Unquestionably, zero-day vulnerabilities have an increasing real-world value to many different parties. We should expect more and more researchers to demand and receive payment from governments, software vendors, security vendors, enterprises or someone on the black market. It has already happened and will continue. The evolution is underway and it will become more prevalent in the next few years as it becomes routine for our systems to be compromised using unknown vulnerabilities. This environment will force us to evolve our thinking and mature our offensive and defensive security strategies – fueling the need for third-party patches, subscriptions to unreleased vulnerability information, and general underground industry intelligence. We’re already seeing these services being offered on the fringe (legally and illegally) and slowly moving towards mainstream acceptance as the business models are better understood. So it’s not a matter of if, but when.

We will need to evolve, yes, but I don’t see that the direction suggested is the one we’ll need to take. In particular, operationally using 0day is a tricky business. You risk discovery and losing a valuable asset by exposing it to a target. So maybe you use something a bit more commonplace. As I recall the Verizon Breach Report, they say that roughly 75% of vulns exploited have been public for a year or more. Yes, there’s a rapidly growing volume of underground stuff, but that’s easy when such things are a tiny fraction of attacks, vulnerabilities, or root causes of bad outcomes.

So I’m curious: where is the evidence that undisclosed vulns will come to dominate? Oh, and a second question. Jeremiah, your title seems to imply that this is the most important thing for businesses to realize. Is that really what you meant?

My employer spends a lot of energy on building things to make exploiting unknown vulns harder, but if I wanted to speak for them, I’d do so on my work blog.

[Ooops! Mis-spelt Jeremiah's name. Sorry!]

On the value of ‘digital asset value’ for security decisions

I left out something important in my blog post “How to Value Digital Assets (Web Sites, etc.)” .  This came to light as I read the commentary on other blogs by Andrew Jacquith, Pete Lindstrom, Matthew Rosenquist, and Gunnar Peterson.  (I’m also anticipating Alex Hutton’s soon-to-come blog post.)

What good is it to know the economic value of a digital asset for the purposes of making information security decisions?  If you can’t make better decisions with this information, then the metric doesn’t have any value.  Skip it.

Like most things in information security management, this is less obvious and more complicated than it seems.  (more tutorial…)


Something For Scioscia, Girardi, & Charlie Manuel

It’s the probabilistic decision making tool for baseball managers.  On the iPhone.  It’s like a business intelligence application in the palm of your hand :)

Basically, it takes the probabilistic models of either Win Expectancy or Run Expectancy (any given action has some probability of contributing a run or a win) and, given a situation, attempts to offer whether it’s a good idea or a bad idea to execute that plan.

Here we see a situation where the manager is wondering if it’s a good idea to attempt a double steal. An obvious dependency is knowing the stolen base success rate for the runner on second (it also assumes that the catcher will only attempt to throw at the lead runner, a pretty safe assumption). If we’re baseball freaks, we might also note that there’s no contra-factor around the probability of a pickoff move, I don’t see how the catcher’s rate of successful pickoffs is factored in, etc. – but we’re nitpicking….

Once the decision to execute is established (press the button! press the button!) then we receive a screen that tells us whether it’s a good or bad idea, according to how much our win (or run) expectancy increases or decreases.


Now obviously, this is more of an “armchair quarterback” (to mix sports in metaphors) sort of toy, but it got me to thinking that this would be pretty fun for us to have something like this for risk or threat based modeling.  Rather than a baseball diamond, we might conceive of a set of connected IT objects/assets (a business process, maybe), each with their own “expectancy” to do some combination of Prevent/Detect/Respond to various threat sources.  Do I want to add more Prevent?  Bad idea!  Your risk is reduced at an insignificant level compared to the investment required to achieve that new level of prevention.  Do I want to add more training?  Good idea!  Training analysts in “detection” increases the risk reducing probability for this group of assets in an economically efficient manner.  Obviously, this is all probabilistic, but all decision making is, right?  I mean, this is why I’m NewSchool, I hope that someday we’ll reach this level of sophistication as an industry.
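The “risk expectancy” toy imagined above, as an added example that is not part of the original post or the iPhone app: each asset carries its own Prevent/Detect/Respond probabilities, a proposal raises one of them at an annual cost, and the verdict compares the expected-loss reduction with that cost. All asset names, probabilities, values and costs are constructed.

```python
from dataclasses import dataclass, replace

# Share of an asset's value still lost when a breach is detected and contained (constructed).
CONTAINED_FRACTION = 0.2


@dataclass(frozen=True)
class Asset:
    name: str
    value: float    # loss if a breach runs to completion (constructed, USD)
    prevent: float  # P(an attempt is blocked outright)
    detect: float   # P(an unblocked attempt is noticed in time)
    respond: float  # P(a noticed attempt is contained)


@dataclass(frozen=True)
class Proposal:
    name: str
    control: str        # which expectancy it raises: "prevent", "detect" or "respond"
    uplift: float       # absolute increase in that probability, capped at 1.0
    annual_cost: float  # constructed, USD per year


def expected_loss(asset, threats):
    """Annualised expected loss for one asset over all threat sources.
    `threats` maps a threat source to P(at least one attempt per year)."""
    attempts = sum(threats.values())
    p_breach = attempts * (1.0 - asset.prevent)
    p_contained = asset.detect * asset.respond
    loss_given_breach = asset.value * (p_contained * CONTAINED_FRACTION + (1.0 - p_contained))
    return p_breach * loss_given_breach


def portfolio_risk(assets, threats):
    return sum(expected_loss(a, threats) for a in assets)


def apply_proposal(proposal, asset):
    new_p = min(1.0, getattr(asset, proposal.control) + proposal.uplift)
    return replace(asset, **{proposal.control: new_p})


def evaluate(assets, threats, proposal):
    """Return (risk reduction, benefit/cost ratio, verdict), like the app's result screen."""
    before = portfolio_risk(assets, threats)
    after = portfolio_risk([apply_proposal(proposal, a) for a in assets], threats)
    reduction = before - after
    ratio = reduction / proposal.annual_cost
    verdict = "Good idea!" if ratio > 1.0 else "Bad idea!"
    return reduction, ratio, verdict


# Constructed sample "business process": two connected assets and two threat sources.
ASSETS = [
    Asset("web_server", 500_000, prevent=0.7, detect=0.5, respond=0.6),
    Asset("hr_db", 1_000_000, prevent=0.8, detect=0.3, respond=0.5),
]
THREATS = {"phishing": 0.6, "web_exploit": 0.3}
PROPOSALS = [
    Proposal("More Prevent (new appliance)", "prevent", 0.05, 80_000),
    Proposal("Train analysts (Detect)", "detect", 0.30, 25_000),
]

if __name__ == "__main__":
    print(f"Current expected annual loss: ${portfolio_risk(ASSETS, THREATS):,.0f}")
    for p in PROPOSALS:
        reduction, ratio, verdict = evaluate(ASSETS, THREATS, p)
        print(f"{p.name}: reduces risk by ${reduction:,.0f} for ${p.annual_cost:,.0f}/yr "
              f"(ratio {ratio:.2f}) -> {verdict}")
```

With these inputs the extra prevention buys less risk reduction than it costs, while the detection training pays for itself, mirroring the “Bad idea! / Good idea!” pair in the text.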

How to Value Digital Assets (Web Sites, etc.)

Many security management methods don’t rely on valuing digital assets.  They get by with crude classifications (e.g. “critical”, “important”, etc.).  But if you need to do financial justification or economic analysis of security investments or alternative architectures, especially risk analysis, then you need something more precise and defensible.

This tutorial article presents one method aimed at helping line-of-business managers (“business owners” of digital assets) make economically rational decisions. It’s somewhat simplistic, but it does take some time and effort. Yet it should be feasible for most organizations if you really care about getting good answers. Warning: No simple spreadsheet formulas will do the job. Resist the temptation to put together magic valuation formulas based on traffic, unique visits, etc.

(This is a long post, so read on if you want the full explanation…) 

You’ve Got To Move It Move It

Josh Corman had an awesome post over on Fudsec on Friday. It’s so awesomely appropriate to this blog that I’m sharing it with you. My only complaint is that I wish I had written it instead. Go read it right now.

Speaking in Michigan on Tuesday

Andrew Stewart and I will be speaking at the University of Michigan SUMIT_09 on Tuesday. We’re on from 10:30 to 11:25. If you’re in the area, please come by.

Are Security “Best Practices” Unethical?

Anton Chuvakin’s been going old school. Raising the specter of “risk-less” security via best practices and haunting me like the ghost of blog posts past. Now my position around best practices in the past has been that they are, to use Jack Jones’ phrase, Infosec “shamanism”. We do these things because our forefathers do them, because the tribe up the river does them, and/or because if we don’t the thunder gods (hackers) will get us, not because we have any formal evidence that they are “best”. Now that said, these suggested practices I keep seeing are not completely uninformative; after all, there’s a reason people suggest the things they suggest. But being Friday and all, maybe we could talk a bit about why we don’t really have best practices, why Anton’s concept of risk-less security is a fallacy, and what we call best practices? Yeah, I think we could even argue that they’re unethical.

DO WE EVEN HAVE “BEST” PRACTICES?

First, why don’t we head over to that all-authoritative source, Wikipedia, for a definition of Best Practice.

A Best practice is a technique, method, process, activity, incentive or reward that is believed to be more effective at delivering a particular outcome than any other technique, method, process, etc. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications. Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.

Despite the need to improve on processes as times change and things evolve, best-practice is considered by some as a business buzzword used to describe the process of developing and following a standard way of doing things that multiple organizations can use for management, policy, and especially software systems.

As the term has become more popular, some organizations have begun using the term “best practices” to refer to what are in fact merely ‘rules’, causing a linguistic drift in which a new term such as “good ideas” is needed to refer to what would previously have been called “best practices.”

Now whether or not you agree that Wikipedia is useful, I think that passage serves our discussion today.  I have long said that if we were to use the word “best”, that would require us to know “not best”.  So considering:

Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.

Maybe you could tell me about “efficiency” and “effectiveness” – and how you would compare a “best practice” to an “almost best practice” without hand waving and resorting to a “just because I said so” argument. I don’t think you could; our (the infosec industry’s) measurement capabilities aren’t there yet. So, while we have various reports and studies that suggest certain things are more effective than others, and we’re making great progress, Exhibit A today is:

Exhibit A – We don’t really have “best” practices – yet.

I could see saying “recommended” practices, “suggested” practices, or even based on some studies out there “essential” practices, sure.  But we don’t have the sophistication of “best/not best” and I would argue that we, as an industry, are guilty of

using the term “best practices” to refer to what are in fact merely ‘rules’, causing a linguistic drift in which a new term such as “good ideas” is needed to refer to what would previously have been called “best practices.”

CAN YOU HAVE RISK-LESS SECURITY?

I’m not sure what desire is driving Anton towards risklessness, but it’s folly. Here’s why: as soon as you consider a control, you’re considering risk. Impact comes easily and instinctively, likelihood in a similarly quick and instantaneous fashion. Otherwise, to use Peter Tippett’s examples, we’d all have titanium seatbelts and falling asteroid protectors on our cars. Now the hitch is, we (human brains) are notoriously bad at likelihood without the methods of models and math. But my point still stands – when we think security (and especially we, the people paid to think security) consider an asset we want to protect, we’re already doing a risk assessment, albeit in a manner that just isn’t as structured as one that might use a formal model.

Exhibit B – So really, we’re *all* doing risk, and when we have these discussions of “use risk or don’t use risk” – all we’re really arguing about is how much cognitive bias we’re allowing into our assessment.

If you want to be on the side of the debate that suggests that lots of cognitive bias is a good thing, so be it.  There’s no rational way I can argue with you  – have a nice day, thanks and come again.  But if the role and purpose of risk modeling is to remove bias and provide a state of knowledge – then I have to ask you,

IS IT ETHICAL TO USE A RISK-LESS APPROACH?

Strong charge, I know. And certainly an incomplete thought that needs more discussion, but bear with me while I reason this out for us. Take this quote from Donn Parker against a risk-based approach:

risk reduction justification makes it too easy to accept security vulnerabilities in exchange for other benefits.

The problem with this statement is that the economic decision of butter vs. guns *is not ours to make*.  In all the CISSP study guides sitting on my library shelves, the premise is offered that the asset does not belong to us, security, but rather to the data owner.  So with all due respect, that’s not your call to make!  Not mine, not Donn’s, not yours.  It is the responsibility of the business owner.  Our responsibility is to do the best job we can informing them of the (wait for it) consequences of accepting (or not-accepting) a security vulnerability.

So if our job is to inform, not decide – and if risk analysis is the best way we have of reducing cognitive bias – then is resorting to a “do it because I say so” “best” practice approach ethical?  Because what you’re essentially doing is purposefully withholding information from the data owner in order to force them to accept your risk tolerance.  A “best” practice approach, without reference-able data or analysis to back it up is not just an act of hubris, it is deceit.

Exhibit C – If our job is to help the data owner make informed decisions, calling what we do in our industry a “best” practice is not entirely truthful, and not using a risk model that removes bias and expresses uncertainty is not doing the best job you can.

CAVEATS GALORE

1.)  There’s nothing wrong with real best practices.  In a sense, that’s what the New School is all about, inspiring us to arrive at things like (reasonably) measurable efficiency and effectiveness.  After all, a best practice could be said to be the current standing, well-tested hypothesis or theory.

2.)  There are plenty of times when we don’t have to go and do a formal risk assessment.  My goal here is not “spreadsheets for the masses”, it’s rational expressions of risk management and helping people make the best decision they can with the information available at the time of the decision.

3.)  Admittedly, 95% of the “likelihood” determinations out there in our industry, in the words of my 11-year-old, make me want to throw a sidewalk pizza. And I could see a response post where you might claim that bad likelihood models are just as unethical, and that there’s so much uncertainty in our estimates, we are many times doing a disservice. Again, I’m not saying we’re in a perfect world yet, I’m suggesting that a good risk model removes bias and expresses uncertainty.

Similarly, the enemy here is not subjectivity – everything we do is subjective and/or relative. The enemy here is failing to remove all the subjectivity you can, and failing to express uncertainty in the results. Our industry’s “best practices” don’t do that yet. Let me encourage you to express the limitations in everything – it is the pathway of critical thinking we must travel.

4.)  I’m not accusing anyone, nor do I think anyone is really being purposefully unethical or deceitful.  I can say that Anton and Donn are really good, smart, and upstanding people in as much as I’ve had the pleasure of knowing them.  I’m just trying to caution us all about the consequences of what we do and how we approach our profession.