Cisco has their security report up – find it here. My favorite part? “The Artichoke of Attack”
Archive for the 'Uncategorized' Category
Hey, just so you all know, SOIRA is having our lunch (or breakfast) Al-Desko Webex. This month we have the pleasure of watching Chris Hayes show how to use quantitative risk analysis for real, pragmatic business purposes. It’s going to be seriously useful.
Join SOIRA here: http://groups.google.com/group/InfoRiskSociety?hl=en for the invite.
Hi,
I’m very interested right now in finding the quality of risk analysis as it relates to operational security. If you’re a risk analyst, a security executive, or an operational security analyst, would you mind taking a one-question survey? It’s on SurveyMonkey, here: http://www.surveymonkey.com/s/GCSXZ2Q
Adapted from the t-shirt seen in the Anton Corbijn work here.
With all apologies to both
Paul Morley and Katharine Hamnett.
And that’s about all I have to say on the subject.
This GAO Report is a good overall summary of the state of Federal cyber security R&D and why it’s not getting more traction. Their recommendations (p22) aren’t earth-shaking:
“…we are recommending that the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities…”
We could paraphrase this by quoting Spike Lee’s movie title: “Do the right thing.”
The only problem with this recommendation is that NITRD’s Cyber Security and Information Assurance Working Group has specifically defined its role as facilitator, not leader (p15). Wishing that they would take the lead won’t make it so.
Just to pile on a bit….
You ever hear someone say something, and all of a sudden you realize that you’ve been trying to say exactly that, in exactly that manner, but hadn’t been so succinct or elegant at it? That someone much smarter than you had already thought about the subject a whole lot and there are actually formal studies and definitions and so forth, and you feel dumb because there’s no way you could have actually googled for the subject in that way, but there it is on Wikipedia in black and white? Happens to me all the time.
Was reading the following from the NYT this morning on the Dunning-Kruger effect, and had a little bit of synchronicity when I realized that my entire problem with certifying people about risk and controls has to do with exactly this subject. My issue with ISACA and CRISC is this: I know that there’s so much that I don’t know, and indeed that we, the infosec industry, do not know, so in my mind if we wanted to rationally, ethically “certify” someone about risk and controls as a domain expert, about the only thing we can do is test that they are aware of their (and our) limitations. To do otherwise seems rather irrational to me.
TAKE ALEX’S “APPARENTLY OK” RISK PROFESSIONAL EXAM:
A dozen years or so ago, I was PM for a firewall product that had to go through certification. The certification involved several different tests, but at the time the key to certification was simply that your firewall would not pass packets when set in default-deny state. And it cost a lot to certify. This upset me to no end, mainly because I’d have rather spent the $50k certification cost on building a new GUI.
Knowing my frustration, one of the engineering team printed out Marcus Ranum’s “Apparently OK” firewall certification, taped it to one of our boxes, and congratulated me on getting certification.
With that spirit in mind, and with all apologies to Marcus, let me present Alex Hutton’s Apparently OK Risk Professional Certification Exam! Because frankly, the problem isn’t with “using risk management” – no, I’m still a very big proponent of that. The problem is that risk analysis is steeped in critical thinking, and not identifying uncertainty is, well, less than professional in my opinion.
THE ALEX HUTTON “APPARENTLY OK” RISK PROFESSIONAL EXAM
Dear Prospective Risk Professional,
Congratulations on deciding to enter the exciting field of Information Risk Management! Your journey will be confusing, frustrating, and, if you get off on performing Sisyphean tasks, rewarding.
To achieve a state of “APPARENTLY OK” we ask that you take the following exam. The exam is one question, and you have three (3) minutes to answer it.
For all the risk assessment methodologies inventoried by ENISA (http://rm-inv.enisa.europa.eu/rm_ra_methods.html) and for RiskIT, please tell us how the assessment methodology is fundamentally incapable of delivering the results claimed.
BONUS: Do so in a total of two sentences.
There are multiple right answers.
Good Luck!
Alex’s posts on CRISC are, according to Google, more authoritative than the CRISC site itself:
Not that it matters. CRISC is proving itself irrelevant by failing to make anyone care. By way of comparison, I googled a few other certifications for the audit and security world, then threw in the Certified Public Accountant (CPA) for good measure.
Needless to say, CPA crushed the audit and security certs with 30,700,000 Google hits. CISM and CISA had 15,400,000 and 15,000,000, respectively. The CISSP showed a not-disrespectable 9,390,000.
Then we got into what I will kindly call the “add-on” certs, even though they are frequently intended to be extensions or specialist certifications. I chose the ISSAP and ISSMP, the post-CISSP Architecture and Security Management certifications from (ISC)². ISSAP had 181,000 hits; ISSMP had only 69,000 hits, making it the only certification I checked that fared worse than CRISC.
Now that the data is out of the way, I can get to the real question.
Does no one care about CRISC because no one cares about yet-another-super-specialized-certification? And/Or does no one care about CRISC because no one cares about risk assessment?
Well, given that googling “Risk Assessment” (in quotes) got me 12,400,000 hits, I’m going to go with yes on the first question and no on the second.
Now, combining Alex’s CRISC-O post with something Nick Selby said in a conversation he and I had a while back, “You can’t manage a risk you don’t understand,” then all a Risk Assessment Certification can even potentially do is imply that the holder knows how to follow a process, which I would argue is the least intellectually challenging and valuable part of any knowledge work activity.
Personally, I care a great deal about Risk Assessment, both as an interesting intellectual problem and also as a tool for solving real-world problems, even if I generally lack the time to do it right. I certainly don’t have time to get certified as a Risk Assessor, nor do I feel the need. Given my opinion that certifications are just a signalling mechanism in the hiring process, that should come as a surprise to no one.
Lurene Grenier has a post up on the Google/Microsoft vulnerability disclosure topic. I commented on the Sourcefire blog (couldn’t get the reminder from ZDNet about my password, and frankly I’m kind of surprised I already had an account – so I didn’t post there), but thought it was worth discussing my comments here a bit because I think we can see a difference between evidence-based risk management, or New School Security, and expert opinion. I’m not trying to rip on Lurene here, far from it. But disclosure is such a crazy topic for our industry that I think we should look to back up all the logical assertions we make.
For example, Lurene says:
“when a vulnerability becomes public it is no longer as useful for serious attackers”
I have to ask, do we have a data set to support this claim? What Lurene is saying makes sense, right? Bad guys like to use special toys for various reasons, not the least of which is our inability to Prevent or Detect those. But to really test this hypothesis, we’d actually need to have a rational scale for describing threat capability and then match a frequency component for particular vulnerability/exploit uses for that population – and then compare that frequency component to a data set that describes known 0day use in data breaches.
Again from the Sourcefire blog:
“The companies with high-value data that are regularly attacked are able to proactively protect themselves.”
My 7th grade science teacher would toss this out on its ear as a hypothesis. And I’m not just picking on Lurene here; we (the security industry) do this all the time, making statements without enough definition around our loaded terms like “high-value data”, “regularly attacked” and “proactive protection”. As I say in my comments, my experience (small sample size warning) is that there isn’t necessarily always a correlation between “high-value data” (where high-value data is financial, medical, trade secret, or government/defense data) and the ability/willingness to create “proactive protection”.
Even more frustrating is when he says “these companies patch within some time frame”. Not faulting Lurene here, just really lamenting that there isn’t a public data store where I can see “some time frame” and compare it against data for an “uptick” of attacks.
YOU DOWN WITH APT? (YEAH YOU KNOW ME)
“The loss due to a 20+ company exploit spree such as “Aurora” is significantly greater than the monetary loss due to low-end compromises which can be cleaned with off the shelf anti-virus tools.”
Reviewing the data sets I have at my disposal, I’m seeing:
1.) I don’t have a good estimate for hard (or soft) costs for “Aurora”, though I suppose I would accept a “high” qualitative label.
and
2.) data supporting that breaches of significant value are predominantly caused by tools that are not able to be “cleaned with off the shelf anti-virus tools.” Rather, I’m seeing data that supports the notion that for a significant portion of data breaches, the effort to prevent could have been classified as “simple and cheap” (source: VZ DBIR).
Finally, I’ll add my own editorial point here, just so Lurene can rip me back.
I think I would have difficulty asserting that we should *only* care about “large corporations, government, and military targets with the goals of industrial espionage and military superiority.” Off the top of my head, I can think of hundreds of millions of records exposed by data breaches that came from organizations we might say are in the “SMB market”.
BOTTOM LINE: Defending the faith might be a lot easier if there were data to support the defense.
http://raffy.ch/blog/2010/06/07/maturity-scale-for-log-management-and-analysis/
Raffael Marty’s great post on how to measure the maturity level for your log management program. Excellent as always.
There’s been a lot of pushback against using Risk Management in Information Security because we don’t have enough information to make a good decision. Yet every security professional makes decisions despite a lack of information. If we didn’t, we’d never get anything done. Hell, we’d never get out of bed in the morning. There’s a great post by Ben Horowitz talking about how CEOs make decisions:
Courage is particularly important, because every decision that a CEO makes is based on incomplete information. In fact, at the time of the decision, the CEO will generally have less than 10% of the information typically present in the ensuing Harvard Business School case study.
Sound familiar? Sounds like my job every single day. Personally, I like to have some data-based rationale for how those decisions get made. Don’t you?
[Hat Tip to @aneel]