Archive for the 'Amusements' Category

Elevation of Privilege: The Threat Modeling Game

In my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.”

After RSA, I’ll have more to say about how it came about, how it helps you and how very new school it is. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).

Happy Valentine’s Day!

They say that Y equals m-x plus b
(well, when you remove the uncertainty).
So let me reveal a secret confession:
You’re the solution to my least squares obsession.

stolen from the applied statistics blog

Best Practices for Defeating the term “Best Practices”

I don’t like the term “Best Practices.” Andrew and I railed against it in the book (pages 36-38). I’ve made comments like “torture is a best practice,” “New best practice: think” and Alex has asked “Are Security ‘Best Practices’ Unethical?”

But people keep using it. Worse, my co-workers are now using it just to watch me get spun up. My continued snark is clearly a Best Practice because I keep doing it despite evidence that it doesn’t work.

I’d love to hear your experiences. What are proven or effective practices for getting people to stop using the term?

‘Don’t Ask, Don’t Tell in Davos’ — Act 3 in the Google-China affair

Taboos are willful ignorance, socially-enforced. They are so not New School. We have to deal with them, but we don’t have to be happy about it.

The Great Family Shame of incest between Oedipus and Jocasta

The public display of taboo is one of the more interesting aspects of Operation Aurora, a.k.a. the Google-China affair (summary and analysis are here; more details here). It’s unfolding almost like a Greek tragedy.

Act 1 in the play was Google’s strategic decision to go public and recruit other breached companies to join them (without success).  Google went public anyway, violating the InfoSec disclosure taboo, and also the taboo against corporations speaking out against China.

Act 2 was the public and institutional reaction to Google’s announcement, the political posturing between US and China, and even the tempest of chatter in the InfoSec community about “Advanced Persistent Threats“  (or “Advanced Persistent Adversaries“, a term I prefer).

Act 3 is now under way at that great annual public meeting of Big Thinkers, the World Economic Forum in Davos, Switzerland. While they discussed almost every other topic and idea, they avoided Operation Aurora as if it were the Great Family Shame, as highlighted here:

“BusinessWeek reports that the cyber attack on Google was the elephant-in-the-room at the annual meeting of world leaders in Davos. ‘China didn’t want to discuss Google,’ Josef Ackermann, CEO of Deutsche Bank AG and a co-chair of this year’s World Economic Forum, said in an interview. China’s Vice Premier Li Keqiang made that clear, he added. Even Google CEO Eric Schmidt didn’t bring up China, and Bill Gates was mum on the topic in an interview. The reluctance of companies to talk about China illustrates the pressure on them to protect their business in the country, while the U.S. government doesn’t want to upset Chinese investors, said Andy Mok of Red Pagoda Concepts LLC. ‘People have their commercial interests,’ explained Deutsche Bank’s Ackermann.” [emphasis added]

The Business Week article is here.  (Funny: here is a great Saturday Night Live skit that satirizes the power of China over the US in matters like this.)

While the Operation Aurora taboo is rooted in international politics, similar taboos exist within both the public and private sectors where no international politics are involved. While we must deal productively with these taboos, we also can’t let them block meaningful progress toward the goal of data-driven information security and collective learning.

The Face of FUD

For your amusement: This image came as a banner on an opt-in email from NetWitness. You’ll recognize this image as the face of F.U.D. (“fear, uncertainty, and doubt”).

If this is how you feel, buy our products. Then you'll feel better.

Headline is “You are losing the war!”, followed by “Criminal and state-sponsored adversaries are winning”. The key line: “NetWitness delivers real-time network forensics and automated threat intelligence solutions designed to combat advanced cyber security threats like Operation Aurora.”

I don’t blame them for surfing the publicity wave of “Operation Aurora” (China, Google, Adobe, et al.). And I can’t blame them for following the industry practice of amplifying FUD, primarily “fear”, to get potential buyers to give attention and budget to NetWitness solutions, to wit:

“You have a choice: The NSA or FBI can sit down with your CEO and report your company’s network compromises, or you can be the one telling them that an attack was detected, thwarted, and steps were taken to prevent it from happening again. Which scenario sounds better to you?”

OK… so here’s a glimmer of NewSchool hope in the last lines of the email:

“We’re so sure of this fact that we’re determined to prove it on your network. We’re offering a complimentary Proof of Concept to any organization meeting a minimum set of qualifications.” 

So they are willing to show how their solution will actually work in your organization. Not bad. But to get the “NewSchool Tip-of-the-Hat”, it would be even better if the Proof of Concept included some sort of data about effectiveness vs. alternatives vs. make-do-with-whatever. It would be even better if they published such data or made it available via various information sharing organizations. We can only hope.

(I have no opinion about NetWitness or their solutions or their competitors, nor do I have any relationship.)

Wondering about Phenomenon

Yesterday, Russell posted in our amusements category about the avoidance of data sharing.

He gives an anecdote about “you,” presumably a security professional, talking to executives about sharing security information. I’d like to offer an alternate anecdote.

Executive: “So we got the audit report in, and it doesn’t look great. I was talking to some of my CEO buddies on the golf course about it…”
You (interrupting): “My god! You did what?!?”
Executive: “We were talking about a lot of stuff, and we got onto audit results.”
You: “You can’t do that! It might add to our problems!”
Executive: “I’m sorry, I didn’t realize. I figured we were talking strategy, how business is going in the recession, and why we spend so darn much money on PCI audits. We’re pretty open with each other.”
You: “We need to keep that sort of thing confidential.”
Executive: “Ok, no problem.”

I’ve seen executives look to their staff for a nod, and when we shake our heads no, they acquire the belief that we shouldn’t talk about security stuff. But if we nodded instead, the world would be a different place.

Which anecdote do you think is a better representation?

(Hey, it’s Friday. We’ll get all New School again on Monday.)

“It’s so Confidential, even we don’t know the number”

I’m just wondering how often any of you encounter this phenomenon. The dialog goes like this:

You: “We’d like to define a metric for overall security and risk, and then publish it to stakeholders and business partners…”

Executive: “Wait right there!  No way!  That’s too confidential!”

You: “Excuse me?  Confidential?  You mean you already know what the number is, and revealing it will seriously harm your business?”

Executive: “No, we don’t know the number.  It’s so confidential, that even we don’t know what it is.”

Of course, the conversation never goes like this exactly, but I hope you get the drift. The executive asserts the importance and critical nature of an overall metric for security and risk, but uses that as an excuse to not even try to estimate it in the first place.

I’m going to coin a label for this: “meta-taboo”. The topic itself is not taboo, but any discussion about how to actually get there or deal with the topic is taboo. (Another example: a humorous label for a design document from my early days in engineering: “Burn before reading.”)

Of course, this is a sign of an unresolved inner conflict in the executive, or more likely a blind spot in the social psychology where we bury our collective fears, our collective fictions, and our quid pro quos.

The Cone of Silence from "Get Smart" TV program. It was so effective that it prevented all communication!

Anyone else encounter this?

All in the Presentation

America’s Finest News Source teaches an excellent lesson on how to spin data:

Labor Dept: Available Labor Rate Increases To 10.2%

WASHINGTON—In what is being touted by the Labor Department as extremely positive news, the nation’s available labor rate has reached double digits for the first time in 26 years, bringing the total number of potentially employable Americans to an impressive 15.7 million.

Miscommunicating risks to teenagers

Security programs that depend on 100% compliance are a bad idea, especially if they depend on 100% compliance from people who are proven to be poor in compliance capabilities.

Case in point: I saw a documentary about “Abstinence only” sex education programs for teens in the public schools of New Mexico — one negative example in Albuquerque and one positive example in Socorro. (This is federally funded.) Skipping over the most egregious errors and misstatements in these programs, I noticed one big blooper regarding risk estimation and risk communication.

The educators who developed and deliver this program emphasize the failure rate of condoms as an argument against relying on them. In contrast, abstinence-only is touted because it is 100% effective in preventing unplanned pregnancy and all the negative stuff that goes along with it. Funny thing: they never mentioned the failure rate of abstinence-only when implemented by teenagers! Sure, you can tell teenagers to be abstinent and they can even commit to it, but would you bet on it? What odds would you demand for a large bet (say, $100,000 from your bank account) that a large group of teens would remain abstinent for five years? There are plenty of studies (e.g. here and here) that demonstrate the limited capabilities of teens to avoid risky behavior, control impulses, rationally balance short-term gain against long-term pain, think beyond a short planning horizon, resist peer pressure, etc. For most teens in the US, their “failure rate” (i.e. failing to avoid risky behaviors) is greater than 0%, and in cases of “multiple-risk adolescents” the failure rate is far above 0%.

full-body condom

I would bet that condoms are much more reliable than the average teenager’s commitments to eschew immediate pleasures. Of course, using both would be much more reliable than either alone. This is “defense in depth”, of course. Better still, take it to the max and advise that they add a “full-body condom”. Then they would be “fer sher, fer sher!”, as the Valley Girl might say. :-)

VP’s residence is still blurred on Google Earth (political influence on data and its long shadow)

Amusement: Some of you may have heard that former VP Dick Cheney pulled some strings to get Google (or rather their third party supplier) to blur the image of his residence in DC (One Observatory Circle), presumably for security reasons. Cheney is out and Biden is in, so you’d think that the image would now be unblurred. Not so. Here’s the current image. Compare it to the neighboring buildings across the street and you can clearly see that the VP’s residence is still blurred. What about the more important targets? Both the White House (1600 Pennsylvania Ave.) and 10 Downing St. in London are not blurred. Maybe they didn’t have the same clout as Cheney.

Lesson: Politics and power can manipulate the data, and also leave a shadow. Could this happen to information security data if it were more visible and public? You bet. I’m not being cynical, just realistic. Reminds me of a team motto from a project long ago: “Trust no one. Believe nothing.” In other words, don’t take any data at face value. Always inquire about the interests of the parties who produce or publish the data.