If you don’t have time to develop a data-driven, business focused security strategy, we sympathize. It’s a lot of hard work. So here to help you is “What the fuck is my information security ‘strategy?’ “:
Thanks, N!
It’s not just a 3d pie chart with lighting effects and reflection. Those are common. This one has been squished. It’s wider than it is tall.

While I’m looking closely, isn’t “input validation” a superset of “buffer errors,” “code injection,” and “command injection”?
You can get the “Application Security Trends report for Q1-Q2 2010” from Cenzic. I’ve been generally impressed by the founders and other work I’ve seen for a long time, and I look forward to beautiful and effective data presentation in their future reports.
First, thanks to everyone who took the unscientific, perhaps poorly worded survey. I appreciate you taking time to help out. I especially appreciate the feedback from the person who took the time to write in:
“Learn the proper definition of “Control Systems” as in, Distributed Control Systems or Industrial Control systems. These are the places that need real security, not some bullshit enterprise network.”
You, sir or madam, are chock full of rock and roll. Thanks for cheering me up.
Next, the results were:
Daily = 6
a few times a month = 2
a few times a quarter = 1
less than a few times a quarter = 10
never = 43
and the chart looks something like this:
UPDATE: Jeff Lowder asked me to clarify this a bit. I’ll start by re-iterating that this was not really a proper survey, but akin to asking a handful of friends (the survey’s existence was announced here, on twitter, and on a couple of security-centric mailing lists). As such, don’t get all bent out of shape about it.
I was interested in the question “how often does GRC analysis impact actual OpSec?” and decided that the frequency of interaction would be a pretty good bellwether. The question (and results, with proper caveats) was part of the presentation Allison Miller and I gave at Black Hat. More on that presentation in a while, btw.
Using a dish full of marshmallows. We’re doing this with my oldest kids, and while I was reading up on it, I had to laugh out loud at the following:
…now you have what you need to measure the speed of light. You just need to know a very fundamental equation of physics:
Speed of a Wave (c) = Frequency (f) x Wavelength (L)
The distance between the melted sections of the marshmallow is in fact L/2, because there are two nodes for each wave (see animation). So if you have measured 6 cm and your oven operates at 2450 MHz, then your measured speed of light is (0.12 x 2,450,000,000) 294,000,000 metres per second.
The agreed value of the speed of light through a vacuum is 299,792,458 metres per second. See how accurately you can measure it? What could you do to make the experiment better, and thus get a closer answer?
IMHO, we need more published security metrics (and risk analytics) that don’t worry about those few million meters per second, and focus rather on the cleverness of using marshmallows and microwaves.
I’ve seen some cool Walmart visualizations before, and this one at FlowingData is no exception.
The one thing I wondered about as I watched was if it captured store closings–despite the seemingly inevitable march in the visualization, there have been more than a few.
For you football fans, from Advanced NFL Stats we get the equation for Surplus Coach Value!
That couldn’t be more brilliant if it tried.
In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.”
After RSA, I’ll have more to say about how it came about, how it helps you and how very new school it is. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).
They say that Y equals m-x plus b
(well, when you remove the uncertainty).
So let me reveal a secret confession:
You’re the solution to my least squares obsession.
I don’t like the term “Best Practices.” Andrew and I railed against it in the book (pages 36-38). I’ve made comments like “torture is a best practice,” “New best practice: think” and Alex has asked “Are Security “Best Practices” Unethical?”
But people keep using it. Worse, my co-workers are now using it just to watch me get spun up. My continued snark is clearly a Best Practice, because I keep doing it despite evidence that it doesn’t work.
I’d love to hear your experiences. What are proven or effective practices for getting people to stop using the term?
Taboos are willful ignorance, socially-enforced. They are so not New School. We have to deal with them, but we don’t have to be happy about it.
The public display of taboo is one of the more interesting aspects of Operation Aurora, a.k.a. the Google-China affair (summary and analysis is here, more details here). It’s unfolding almost like a Greek tragedy.
Act 1 in the play was Google’s strategic decision to go public and recruit other breached companies to join them (without success). Google went public anyway, violating the InfoSec disclosure taboo, and also the taboo against corporations speaking out against China.
Act 2 was the public and institutional reaction to Google’s announcement, the political posturing between US and China, and even the tempest of chatter in the InfoSec community about “Advanced Persistent Threats“ (or “Advanced Persistent Adversaries“, a term I prefer).
Act 3 is now under way at that great annual public meeting of Big Thinkers, the World Economic Forum in Davos, Switzerland. While they discussed almost every other topic and idea, they avoided Operation Aurora as if it were the Great Family Shame, as highlighted here:
“BusinessWeek reports that the cyber attack on Google was the elephant-in-the-room at the annual meeting of world leaders in Davos. ‘China didn’t want to discuss Google,’ Josef Ackermann, CEO of Deutsche Bank AG and a co-chair of this year’s World Economic Forum, said in an interview. China’s Vice Premier Li Keqiang made that clear, he added. Even Google CEO Eric Schmidt didn’t bring up China, and Bill Gates was mum on the topic in an interview. The reluctance of companies to talk about China illustrates the pressure on them to protect their business in the country, while the U.S. government doesn’t want to upset Chinese investors, said Andy Mok of Red Pagoda Concepts LLC. ‘People have their commercial interests,’ explained Deutsche Bank’s Ackermann.” [emphasis added]
The Business Week article is here. (Funny: here is a great Saturday Night Live skit that satirizes the power of China over the US in matters like this.)
While the Operation Aurora taboo is rooted in international politics, similar taboos exist within both the public and private sectors where no international politics are involved. While we must deal productively with these taboos, we also can’t let them block meaningful progress toward the goal of data-driven information security and collective learning.