Monthly Archive for January, 2010

That’s Some Serious Precision, or Watch Out, She’s Gonna Go All Decimal!

So last night the family and I sat down and watched a little TV together for the first time in ages. We happened to settle on the X-Games on ESPN, purely because they were showing a sport that I can only describe as Artistic Snowmobile Jumping. Basically, these guys get on snowmobiles, jump them in the air, flip around and stuff, and then a panel of judges score their efforts. I suppose the criteria are like ice skating or gymnastics, where they score creativity and technique and so forth… If you haven’t seen this sport, here’s a little YouTube video of what it’s like:

So we’re watching this sport on ESPN, and after a while I’m noticing a couple of things about the scores.  First, they’re using a 100 point scale, and all the scores are coming in between 85 and 92.  Fine, I suppose they’re summing up a number of elements.

Then this one rider scores an 88.3.  Point Three.  Seriously, what judge decides to go decimal?  You know, a 100 point scale isn’t good enough, I really need the precision of that tenth of a point to determine if the member of “Team Slednecks” is that much better than the “Red Bull Rockstars” or whatever.

Quote For Today

Their judgment was based on wishful thinking rather than on sound calculation of probabilities; for the usual thing among men is, when they want something, they will, without any reflection, leave that to hope; while they will employ the full force of reasoning in rejecting what they find unpalatable.

— Thucydides

Help EFF Measure Browser Uniqueness

The EFF is doing some measurement of browser uniqueness and privacy. It takes ten seconds.

Before you go, why not estimate what fraction of users have the same transmitted/discoverable browser settings as you, and then check your accuracy at https://panopticlick.eff.org. Or start at http://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking for a bit more detail.
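For readers who want to see what that estimate looks like as arithmetic, here is an added example (not EFF’s code, and the eight browser records are constructed, not Panopticlick data). It counts the anonymity set, the browsers in a population that share a given set of attribute values, and converts it to bits of surprisal; the point it makes is that attributes which are individually common become identifying once combined.

```python
"""Browser-fingerprint uniqueness over a constructed population.

Added example for the Panopticlick post; not EFF code.  The eight records
below are made up (attribute names and values are assumptions, not
Panopticlick's schema) and chosen so the arithmetic comes out in whole bits.
"""
import math
from collections import Counter
from typing import Dict, List

Fingerprint = Dict[str, str]

ATTRS = ["ua", "tz", "screen", "plugins"]

# Constructed population: the probe browser is POPULATION[0].
POPULATION: List[Fingerprint] = [
    {"ua": "Firefox/3.5 (Windows)", "tz": "-300", "screen": "1280x800x24", "plugins": "Flash,Java,Silverlight"},
    {"ua": "Firefox/3.5 (Windows)", "tz": "-300", "screen": "1280x800x24", "plugins": "Flash,Java"},
    {"ua": "Firefox/3.5 (Windows)", "tz": "-300", "screen": "1024x768x32", "plugins": "Flash,Java,Silverlight"},
    {"ua": "Firefox/3.5 (Windows)", "tz": "0",    "screen": "1024x768x32", "plugins": "Flash,Java"},
    {"ua": "MSIE 8.0 (Windows)",    "tz": "-300", "screen": "1280x800x24", "plugins": "Flash,Java"},
    {"ua": "MSIE 8.0 (Windows)",    "tz": "-300", "screen": "1280x800x24", "plugins": "Flash,Java"},
    {"ua": "MSIE 8.0 (Windows)",    "tz": "-300", "screen": "1024x768x32", "plugins": "Flash,Java"},
    {"ua": "MSIE 8.0 (Windows)",    "tz": "0",    "screen": "1024x768x32", "plugins": "Flash,Java"},
]


def anonymity_set(population: List[Fingerprint], probe: Fingerprint, attrs: List[str]) -> List[Fingerprint]:
    """Browsers in the population whose values for `attrs` all equal the probe's."""
    return [fp for fp in population if all(fp[a] == probe[a] for a in attrs)]


def surprisal_bits(population: List[Fingerprint], probe: Fingerprint, attrs: List[str]) -> float:
    """Self-information of the probe's values: -log2(fraction sharing them).

    Assumes the probe is itself in the population, so the set is never empty.
    """
    n = len(anonymity_set(population, probe, attrs))
    return math.log2(len(population) / n)


def attribute_entropy(population: List[Fingerprint], attr: str) -> float:
    """Shannon entropy of one attribute across the population (how much it
    can reveal on average, as opposed to what it reveals about this probe)."""
    total = len(population)
    counts = Counter(fp[attr] for fp in population)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def uniqueness_report(population: List[Fingerprint], probe: Fingerprint) -> Dict[str, float]:
    """Surprisal per attribute, then for all attributes combined."""
    report = {a: surprisal_bits(population, probe, [a]) for a in ATTRS}
    report["all"] = surprisal_bits(population, probe, ATTRS)
    return report


if __name__ == "__main__":
    probe = POPULATION[0]
    for name, bits in uniqueness_report(POPULATION, probe).items():
        attrs = ATTRS if name == "all" else [name]
        shared = len(anonymity_set(POPULATION, probe, attrs))
        print(f"{name:8s} shared by {shared}/{len(POPULATION)}  ->  {bits:.2f} bits")
```

In this constructed population the user agent and screen size are each shared by half the browsers, the timezone by three quarters, and yet only one browser has all four values, so the combination yields 3 bits, enough to single the probe out of eight. The combined figure is less than the sum of the per-attribute figures because the attributes are correlated, which is exactly why a real estimate has to be made against measured data rather than by multiplying guesses.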

Online Preso – Risk Management & Incident Information

Tried to embed, didn’t work. Here’s the link: http://www.brighttalk.com/webcasts/8093/attend

Shameless Self-Promotion

Hi,

If you like risk, risk management, and metrics, I’ll be giving an online presentation you might want to see tomorrow at 2 EST:

Gleaning Risk Management Data From Incidents

http://www.brighttalk.com/webcasts/8093/attend

Sunday Funnies: PhDComics on Statistics In The Media

The Face of FUD

For your amusement: This image came as a banner on an opt-in email from NetWitness. You’ll recognize this image as the face of F.U.D. (“fear, uncertainty, and doubt”)

If this is how you feel, buy our products. Then you'll feel better.

Headline is “You are losing the war!”, followed by “Criminal and state-sponsored adversaries are winning”. The key line: “NetWitness delivers real-time network forensics and automated threat intelligence solutions designed to combat advanced cyber security threats like Operation Aurora.”

I don’t blame them for surfing the publicity wave of “Operation Aurora” (China, Google, Adobe, et al.). And I can’t blame them for following industry practice of amplifying FUD, primarily “fear”, to get potential buyers to give attention and budget to NetWitness solutions, to wit:

“You have a choice: The NSA or FBI can sit down with your CEO and report your company’s network compromises, or you can be the one telling them that an attack was detected, thwarted, and steps were taken to prevent it from happening again. Which scenario sounds better to you?”

OK… so here’s a glimmer of NewSchool hope in the last lines of the email:

“We’re so sure of this fact that we’re determined to prove it on your network. We’re offering a complimentary Proof of Concept to any organization meeting a minimum set of qualifications.” 

So they are willing to show how their solution will actually work in your organization.  Not bad.  But to get the “NewSchool Tip-of-the-Hat”, it would be even better if the Proof of Concept included some sort of data about effectiveness vs. alternatives vs. make-do-with-whatever.  It would be even better if they published such data or made it available via various information sharing organizations.  We can only hope.

(I have no opinion about NetWitness or their solutions or their competitors, nor do I have any relationship.)

Why I Don’t Like CRISC, Day Two

Yesterday, I offered up a little challenge to suggest that we aren’t ready for a certification around understanding information risk.  Today I want to mention why I think this CRISCy stuff is dangerous.

What if how we’re approaching the subject is wrong?  What if it’s mostly wrong and horribly expensive?

I’m going to offer that we’re still too early on to know the answers to these questions (an offer that if correct, would also serve to prove my point yesterday about CRISC).  But if it turns out that we are doing things incorrectly (and really, what’s the probability that we are doing risk management correctly) – does something like CRISC make it easier or more difficult to change to something more effective?

Obviously, you don’t have to have a degree in Organizational Behavior to identify the problem here. If our approach to risk management is wrong, then CRISC is only going to serve to ensure that we are set in our incorrect ways.

Now where this should *really* upset you, my dear reader, is if you subscribe to various theories about how sciences progress.  If you believe that sciences progress by sporadic, somewhat instantaneous little revolutions – then we’re totally screwing ourselves by creating a bureaucracy that makes it more difficult for the next revolution to take place.  And believe me, as I’ve found out over the past 4 years, creating that revolution in risk management is hard enough already.

Why I Don’t Like CRISC

Recently, ISACA announced the CRISC certification.  There are many reasons I don’t like this, but to avoid ranting and in the interest of getting to the point, I’ll start with the main reason I’m uneasy about the CRISC certification:

We’re not mature enough for a certification in risk management.

Don’t believe me?  Good for you, I like critical thinkers.  So let me offer up a little challenge in using ISACA’s own religion as my proof.

ALEX’S CRISC CHALLENGE TO ISACA
I challenge you to show me, in valid scale and using publicly available models, the impact of COBIT adoption on an organization’s exposure to risk.

If you can do that, then I’m all for certifying that someone can “get” risk management and that a certification might actually mean something.  But until you can,  I can’t for the life of me figure out what you are actually certifying and why having the letters “C, R, I, S, & C” together in someone’s title actually means I should value their certification – more or less how this certification would actually end up in having someone “see, risk”.

Note:

  1. Answers of “some things can’t be measured” will be considered to prove the point.
  2. Answers of “COBIT is governance, not risk management” will also be considered evidence that proves the point.
  3. Jack Jones & disciples, Russell Cameron Thomas – I believe you could give it a go.  In the interest of not wasting your time or exposing your IP, I hereby disqualify you from this challenge for being too dang cool.

At some point later in the week, I’ll post more on CRISC and I’ll also include alternate, more useful strategies for the CISO than sending people to CRISC school.

Doing threat intelligence right

From a great article by Robert Jervis, professor of international politics at Columbia University:

The problem isn’t usually – or at least isn’t only – too little information, but too much, most of it ambiguous, contradictory, or misleading. The blackboard is filled with dots, many of them false, and they can be connected in innumerable ways. Only with hindsight does the correct pattern leap out at us, and to fix what “broke” the last time around only guarantees you have solved yesterday’s problem.

Far more important, and useful, is to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us. This isn’t a problem that occurs only with spying. It is central to how we make sense of our everyday lives, and how we reach decisions based on the imperfect information we have in our hands. And the best way to fix it is to craft policies, institutions, and analytical habits that can compensate for our very understandable flaws.

[...]

The first and most important tendency is that our minds are prone to see patterns and meaning in our world quite quickly, and then tend to ignore information that might disprove them. Premature cognitive closure, to use the phrase employed by psychologists, lies behind many intelligence failures.

[...]

Second, people pay more attention to visible information than to information generated by an absence. In a famous Arthur Conan Doyle story, it took the extraordinary skill of Sherlock Holmes to see that an important clue in the case was a dog not barking. The equivalent, in the intelligence world, is information that should be there but is not.

[...]

Third, conclusions often rest on assumptions that are not readily testable, and may even be immune to disproof.

I’ll add a fourth — ignoring threat intelligence altogether or treating it as taboo. This may take several forms: “it’s beyond our control”, “we don’t have good data”, “it’s too hard to quantify”, “we aren’t paid for guess-work”, “we rely on vendors for that”, “everybody knows what the threats are”, “if we bring it up, we will get too many questions we can’t answer”, or other excuses. (See Josh Corman’s post on the folly of relying on security vendors for your threat intelligence. Vendors only have incentive to inform you about threats they can mitigate.)

If you want a good methodology for threat intelligence, look at Intel’s.    It was adapted for use by the Information Technology Sector Coordinating Council in their risk assessment for critical IT industry infrastructure.

As good as it is, it could even be better if they had some systematic methods to actively seek out contradictory information and contrary hypotheses about threats. One simple way to do this is to create a “Mental Model Red Team” whose primary job is to disprove everything you think you know, or at least generate and validate contrary hypotheses. (For social and cultural reasons, you should probably rotate your staff through this team rather than keeping the team membership fixed.) Formal methods exist, including “Analysis of Competing Hypotheses” (slides). (I’m in the process of evaluating a tool for this called SHEBA. I hope to have a demo ready for Mini-metricon, something like this.) Another possible method is prediction markets, but I’ve never seen them used for this purpose.
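To make the “Analysis of Competing Hypotheses” idea concrete, here is an added worked example (not code from this post, from Heuer’s ACH text, or from the SHEBA tool; the hypotheses, evidence items, ratings and weights are all invented). It scores a small evidence-versus-hypothesis matrix the way ACH does, by tallying inconsistency rather than confirmation, flags evidence that fits every hypothesis and so cannot discriminate, and checks which single items the conclusion depends on. Those last two checks are mechanical versions of the three Jervis tendencies quoted above: premature closure, ignoring the dog that did not bark, and conclusions resting on assumptions nobody tests.

```python
"""Analysis of Competing Hypotheses (ACH) over a constructed intrusion case.

Added illustration for the threat-intelligence post.  Not code from the post,
from Heuer, or from SHEBA; every hypothesis, evidence item, rating and weight
below is invented for the example.
"""
from typing import Dict, List, Optional, Tuple

# Heuer's consistency scale: how well an evidence item fits a hypothesis.
# None marks an item that says nothing about a hypothesis (N/A).
CC, C, N, I, II = 2, 1, 0, -1, -2

Matrix = Dict[str, Dict[str, Optional[int]]]   # evidence -> hypothesis -> rating

H1 = "H1: opportunistic commodity malware"
H2 = "H2: targeted intrusion by an external actor"
H3 = "H3: insider misuse"

# Constructed evidence matrix.  E3 is the "dog that did not bark": an observation
# H1 predicts but which is absent.  E6 looks relevant but fits every hypothesis.
MATRIX: Matrix = {
    "E1: lure email names an unannounced internal project":                  {H1: I,  H2: C, H3: C},
    "E2: dropper matches a public crimeware family":                         {H1: CC, H2: N, H3: N},
    "E3: no beaconing to any known commodity botnet":                        {H1: II, H2: C, H3: N},
    "E4: first access outside the user's badge-in hours, from a foreign ASN": {H1: N,  H2: C, H3: I},
    "E5: only project files taken, small volume":                            {H1: I,  H2: C, H3: C},
    "E6: victim sits on the affected project team":                          {H1: C,  H2: C, H3: C},
}


def inconsistency_scores(matrix: Matrix, weights: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Heuer's tally: per hypothesis, the summed weight of evidence inconsistent with it.

    Consistent evidence does not score.  ACH tries to refute hypotheses rather
    than confirm them, which is the counter to premature cognitive closure.
    """
    weights = weights or {}
    hypotheses = {h for ratings in matrix.values() for h in ratings}
    scores = {h: 0.0 for h in hypotheses}
    for evidence, ratings in matrix.items():
        w = weights.get(evidence, 1.0)
        for h, rating in ratings.items():
            if rating is not None and rating < 0:
                scores[h] += w * -rating
    return scores


def rank_hypotheses(matrix: Matrix, weights: Optional[Dict[str, float]] = None) -> List[Tuple[str, float]]:
    """Least-inconsistent hypothesis first; the survivor is the tentative conclusion."""
    scores = inconsistency_scores(matrix, weights)
    return sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))


def diagnostic_evidence(matrix: Matrix) -> List[str]:
    """Items whose ratings differ across hypotheses.  Evidence consistent with
    everything cannot help choose and should carry no weight in the argument."""
    return [e for e, r in matrix.items() if len({v for v in r.values() if v is not None}) > 1]


def load_bearing_evidence(matrix: Matrix, weights: Optional[Dict[str, float]] = None) -> List[str]:
    """Items whose removal changes which hypotheses are least inconsistent.

    If the conclusion rests on a single such item, that item is the one to
    re-verify before briefing anyone: a cheap test for assumptions that have
    quietly become immune to disproof.
    """
    def leaders(m: Matrix) -> set:
        scores = inconsistency_scores(m, weights)
        best = min(scores.values())
        return {h for h, s in scores.items() if s == best}

    baseline = leaders(matrix)
    return [e for e in matrix if leaders({k: v for k, v in matrix.items() if k != e}) != baseline]


if __name__ == "__main__":
    for h, s in rank_hypotheses(MATRIX):
        print(f"{s:4.1f}  {h}")
    print("non-diagnostic:", sorted(set(MATRIX) - set(diagnostic_evidence(MATRIX))))
    print("load-bearing:  ", load_bearing_evidence(MATRIX))
```

On the constructed matrix H2 survives with no inconsistencies, H3 carries one, and H1 is refuted largely by the absent beaconing in E3. The two checks then earn their keep: E6, the item an analyst would most want to cite, turns out to be non-diagnostic, and the preference for H2 over H3 rests entirely on E4, so that one observation is what the red team should try to knock down first.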