Monthly Archive for December, 2009

Airplane Terrorism, Data-Driven Edition

I’m just off a flight from London back to the United States and I’m hesitant to attempt to think while jet-lagged.  I’ll have some more thoughts and first-hand observations once my head clears, however.

In the meantime, Nate Silver has broken down the risk of terror attacks on airplanes so I don’t have to.  Summarizing his points, the odds of a terror attack can be variously expressed as:

  • one terrorist incident per 16,553,385 departures
  • one terrorist incident per 11,569,297,667 miles flown. This distance is equivalent to 1,459,664 trips around the diameter of the Earth, 24,218 round trips to the Moon, or two round trips to Neptune.
  • one incident per 3,105 years airborne
  • the odds of being on a given departure which is the subject of a terrorist incident have been 1 in 10,408,947 over the past decade. By contrast, the odds of being struck by lightning in a given year are about 1 in 500,000

    One point that Nate mentions up front, but doesn’t elaborate on, is that these are the odds of being on a plane that’s attacked. A third of those attacks failed and no one but the terrorist was injured (Richard Reid and the latest Christmas Day attack).

    That’s right, you are twenty times more likely to be struck by lightning than to be on a plane that’s the target of an attack, and almost thirty times more likely to be struck by lightning than to be killed or injured in a terrorist attack.

    Pick your preferred typical comparison, but you’ll find that they’re all several orders of magnitude more likely than airline terrorism.

    An Open Letter to the New Cyber-Security Czar

    Dear Howard,

    Congratulations on the new job! Even as a cynic, I’m surprised at just how fast the knives have come out, declaring that you’ll get nothing done. I suppose that low expectations are easy to exceed. We both know you didn’t take this job because you expected it to be easy or fun, but you know better than most how hard it will be to make a difference without a budget or authority. You know about many of the issues you’ll need to work through, and I’d like to suggest a few less traditional things which you can accomplish that will help transform cyber-security.

    There are important things which you can achieve which are aligned with President Obama’s agenda and orientation that aren’t in the current strategy to secure cyberspace. They’re opportunities which have arisen in the last few years to increase transparency and accelerate new research that’s focused on security outcomes, rather than process.

    Over the last 5 years, in the wake of California’s SB 1386 and ChoicePoint’s big breach, we’ve learned about thousands of security breaches. We’ve discovered that most of our fears don’t come to pass. Companies don’t go bust, and customers don’t flee. It’s time to embrace transparency, and admit that we all have security failures. Only by studying what goes wrong can we really expect to improve. So the first step is to de-stigmatize failure. That’s not to say we should accept failure; it’s to disclose failures, discuss them, and focus on what we can improve. You can set the right tone from your bully pulpit.

    Next, as the nation’s cyber-security advisor, you’re in a position to push the heads of the federal agencies to open up about what they’re doing and how it’s working out. The data is already being collected by US-CERT; it’s a matter of transparency. Of course, some subset of the data will need to be appropriately redacted, but let’s embrace a need to share in information security. The President has committed to getting our data online, so let’s make sure security data is included on Data.gov. (I’ve already sent a request for this to data.gov.) As you work to expand public-private partnerships, why not start by sharing the data that the government has? It could reset the tone of the conversation. You can also support the non-profit Open Security Foundation’s work on DatalossDB.org. The value they deliver on a volunteer basis is amazing, and the amount that would be required to take that to the next level by making it their day jobs would be a rounding error for any of the folks you’ll be working with daily.

    Finally, I’d urge you to evolve our nation’s security research agenda. There are many smart, dedicated people working in information security. Many have been promoting approaches which have yet to take hold. You must bring new voices and perspectives to research. Emergent fields like “economics and security,” usable privacy and security, and security and human behavior bring important new perspectives of security as a human-centered discipline.

    Each of these steps can be taken with your budget and authorities. Together, they’ll transform cyber security into an empirical, effective and outcome-centered discipline, and that would be an amazing legacy for any leader.

    NotObvious On Heartland

    I posted this also to the securitymetrics.org mailing list. Sorry if discussing in multiple venues ticks you off.

    The Not Obvious blog has an interesting write up on the Heartland Breach and impact.  From the blog post:

    “Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they have set aside to handle the one-time costs is a drop in the bucket compared to $1.5 billion in 2008 revenue and does not really even skim much off the top of the $161 million in profits from that same year (the numbers for 2009 look to be tracking the same). It is almost a guarantee that any member of the class action who submits a claim will see many years of scrutiny before receiving any payment, something which Heartland can factor into their yearly financial plans (and accommodate for by increasing fees).”

    For thought:

    1. One wonders how much a “sufficient” (loaded term, of course) InfoSec program for a company like Heartland costs on an annual basis.
    2. Does this set a sort of “worst case” bounds to impact distributions?
    3. If so, how does a worst case impact of ~$13million (US) impact security management at retailers (politically)?

    For Blog/Twitter Conversation: Can You Defend “GRC”?

    Longtime readers know that I’m not the biggest fan of GRC as it is “practiced” today.  I believe G & C are subservient to risk management. So let me offer you this statement to chew on:

    “A metric for Governance is only useful inasmuch as it describes an ability to manage risk”

    True or False, why, and what are the implications if true or false.

    Please discuss.

    #newschoolsecurity

    Top Security Stories of the Year?

    On Wednesday, I’ll be joining a podcast to discuss “top security stories of the year.”

    I have a couple in mind, but I’d love to hear your nominations. What are the most important things which have happened in information security in the last year?

    (I posted this on Emergent Chaos, but forgot to post it here.)

    Data Not Assertions

    There have already been a ton of posts out there about the Verizon DBIR Supplement that came out yesterday, so I’m not going to dive into the details, but I wanted to highlight this quick discussion from twitter yesterday that really sums up the value of the supplement and similar reports:

    georgevhulme: I’m glad we have data to refute the “insiders conduct 80% of all attacks” mantra that has been repeated, ad nauseam, for at least a decade

    adamshostack: @alexhutton @georgevhulme yeah, but… Data, not assertions

    This is so awesome, I can barely stand it. We’re actually starting to be able to make data based decisions as opposed to just asserting something is true because we believe it on faith or like the way it sounds.

    “Data, not assertions” really sums up so much of what I was trying to get at in the discussion on securosis last week about password changing time frames. Read the comments over there. It really shows how far we have yet to go.

    Huh, who knew?

    We have a comments feed. I suppose we should add that to somewhere sane. In the meanwhile, you should click here. We have smart commenters, and what they say is usually worthwhile.

    Emerging threat: Social Botnets

    We think of botnets as networks of computing devices slaved to some command & control system. But what about human-in-the-loop botnets, where humans are either participants or prime actors? I’m coining this label: “social botnet”. Here’s the blog post that got me thinking: “Health Insurers Caught Paying Facebook Gamers To Oppose Reform Bill”:

    From Business Insider:

    Instead of asking the gamers to try a product the way Netflix would, “Get Health Reform Right” requires gamers to take a survey, which, upon completion, automatically sends the following email to their Congressional Rep:

    “I am concerned a new government plan could cause me to lose the employer coverage I have today. More government bureaucracy will only create more problems, not solve the ones we have.”

    Looking at the “Who we are” tab on GetHealthReformRight.org, here is the excerpt from that page:

    Get Health Reform Right is a project of organizations whose shared mission is to ensure consumers continue to have access to employer-sponsored healthcare plans. We are concerned about federal legislation that would create new government bureaucracies that would unravel the workplace healthcare system where more than 160 million people get their coverage.

    * Association of Health Insurance Advisors
    * America’s Health Insurance Plans
    * American Benefits Council
    * BlueCross BlueShield Association
    * Council of Insurance Agents & Brokers
    * Healthcare Leadership Council
    * Independent Insurance Agents & Brokers
    * National Association of Health Underwriters
    * National Association of Insurance and Financial Advisors
    * National Retail Association

    I call it a “botnet” because the people playing the game don’t really know what’s being done with their personal information or what actions are being taken in the world on their behalf, under the illusion that they consciously initiated the action (which they did not). This is a form of “soft control”, where incentives, peer influence, and appearances are manipulated to get the player to do what the controller wants them to do.

    I call this an emerging threat because of the proliferation of virtual worlds and virtual currency systems, where the individuals participating are highly motivated to maximize their virtual earnings. Any virtual world+currency system is vulnerable to this sort of social botnet if a link can be made between some in-world activity (fun, lucrative, and social) and some real world mass action (petition letters, flash mob, download, or whatever). Your organization may be far outside this virtual world, but your organization may still be the target of the mass action. One more thing to add to your threat model.

    NEW: Verizon 2009 DBIR Supplement

    Full report is here. A quick overview from a Wired magazine article:

    The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.

    [Disclosure: Alex's paw prints are on this report somewhere.]

    Sweden: An Interesting Demographic Case Study In Internet Fraud

    (quietly, wistfully singing “Yesterday” by the Beatles)

    From my favorite Swedish Infosec Blog, Crowmoor.se. I don’t speak Swedish, so I couldn’t really read the fine article they linked to. Do go read their blog post, I’ll wait here.

    Back? Great. Here are my thoughts on those numbers:

    SWEDISH FRAUD STATISTICS RELEASED

    The World Bank estimates the population of Sweden to be 9,220,986 (2008).

    For reference, London was 7.5 million (2006 figures) and New York City 8.275 million (2007).

    So the Swedish “market” for fraud was around 60,000 people out of a total population of 9,000,000, suffering an average of €1050-1100 each. This line of thinking obviously draws the inevitable comparison to what VCs call The Chinese Soft Drink Argument (If we can just get each person in China to buy one drink, we’ll make a billion!), but I thought it was interesting to put this into context.

    When I saw those numbers, I thought of a couple of other stats I’d like to have at hand:

    Breakdown of the types of “attacks” that resulted in fraud (was the attack primarily hacking, was there social engineering involved, was it phishing, etc.), estimated number of attack attempts, number of arrests, demographics around Internet banking and broadband penetration…

    What other information do you think would be helpful to you as a practitioner?

    obligatory Swedish Chef reference: