Category Archives: Internet risk management strategies

Security Executive

Well, this should seem obvious:

For quite a while now, I’ve been claiming that in order for InfoSec to do its job properly, it needs to understand the business.

Whose Line Is It Anyway? Arthur, Emergent Chaos, 10 July 2007

Let’s go a bit farther:

Yesterday, Jack Jones again showed that he’s in the same camp when he asked us: "Risk Decision Making: Whose call is it?" There he shares his thoughts on how to decide whether or not the Information Security team should be making information risk decisions for a company or if that should come from upper management.

I would claim that this shouldn’t be an either/or question: it’s a both/and.


Conglomerates’ End

Previously I’ve mentioned that the era of blockbusters is over. Maybe there’s a corollary:
Is the heyday of media and entertainment conglomerates behind us?

A panel of industry analysts and bankers discussed this and other deal making questions as part of a PricewaterhouseCoopers event here Tuesday, with several of them arguing that conglomeratization has no real benefits, especially in the digital age.

“Consolidation in the old media world destroys value,” said Laura Martin, founder and CEO of Media Metrics LLC. “They are buying stuff (and audiences) because they don’t know what else to do.”

Media conglomerates in the past, panel says By Georg Szalai, Hollywood Reporter, 27 June 2007

Sounds like they’re scared of the long tail and are trying to buy it up to co-opt it. Hm, why does that remind me of telephone companies?

WS-Anasazi

Gunnar usually says it better than I did:
Coordinated detection and response is the logical conclusion to defense in depth security architecture. I think the reason that we have standards for authentication, authorization, and encryption is because these are the things that people typically focus on at design time. Monitoring and auditing are seen as runtime operational activities, but if there were standards based ways to communicate security information and events, then there would be an opportunity for the tooling and processes to improve, which is ultimately what we need.

Building Coordinated Response In – Learning from the Anasazis, Gunnar Peterson, 1 Raindrop, 14 June 2007

Security shouldn’t be a bag of uncoordinated aftermarket tricks. It should be a process that starts with design and continues through operations.

-jsq

High and Critical

Chandler makes many good points about why people avoid dealing with risk management.  My favorite is this one:

  • People still can’t get their head around the idea of probability.
Why is it that they can understand that there’s a 25% chance of rain tomorrow or how much they stand to gain on a $2 ticket if their horse in the third race wins at 11-1, but not that there is a high likelihood that the critical vulnerability they refuse to patch will get worm’ed?

Reasons not to manage risk, by Chandler Howell, Not Bad for a Cubicle, May 15th, 2007

Because they’re getting paid now and they don’t think ahead?


Metricon 2.0

It’s that time again:
Do you cringe at the subjectivity applied to security in every manner? If so, MetriCon 2.0 may be your antidote to change security from an artistic “matter of opinion” into an objective, quantifiable science. The time for adjectives and adverbs has gone; the time for hard facts and data has come.

Second Workshop on Security Metrics (MetriCon 2.0) — Call for Papers, MetriCon 2.0 CFP, August 7, 2007 Boston, MA

Want to quantify a pesky subjective security topic? You’ve got until 11 May 2007 to submit a request to participate.

-jsq

Ignore What’s Hard to Measure?

Interesting point in Spire Security Viewpoint about measuring important security metrics:
In my mind, this is an endorsement of the Donn Parker approach to risk management which is to not manage risk. It is like suggesting that a fundamental truth about the universe can simply be ignored.

There is one glaring problem with this line of reasoning – it is impossible to ignore loss expectancy and asset valuation in risk management.

This is as fundamental a problem as we have in information security today.

On Value and Loss, by Pete Lindstrom, Spire Security Viewpoint, 18 April 2007

Even advertising can’t get away without some sort of measurements of its effectiveness. If marketing came to the CEO and said “I want to spend X more for this program” and had no metrics to back up what sales, profit, good will, or anything else that program had generated last year, nor any prediction for what it might generate this coming year, probably no more money would be forthcoming. Yet IT security operates like that.
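As an added example (it is not from this blog or from the posts it quotes), the following Python sketch does the arithmetic that the Chandler Howell quote above and Pete Lindstrom’s point about loss expectancy both call for: it prices the $2 bet at 11-1 the same way it prices an unpatched critical vulnerability, using single and annualized loss expectancy, and ranks exposures numerically instead of by adjective. Every dollar figure, probability and incident rate in it is a constructed assumption for illustration.

```python
"""Added example: pricing a patch decision the way a bettor prices a wager.

Every number here is a constructed assumption for illustration, not data
from the posts this example follows.
"""
from dataclasses import dataclass, replace


def bet_expected_value(stake: float, odds_to_one: float, win_probability: float) -> float:
    """Expected profit on one wager paying odds_to_one to 1 (e.g. 11 for 11-1)."""
    return win_probability * stake * odds_to_one - (1.0 - win_probability) * stake


def bet_breakeven_probability(odds_to_one: float) -> float:
    """Win probability at which the wager has zero expected value."""
    return 1.0 / (odds_to_one + 1.0)


@dataclass(frozen=True)
class Exposure:
    """Classic single/annualized loss expectancy inputs for one asset."""
    asset_value: float      # value of the asset to the business, in currency units
    exposure_factor: float  # fraction of that value lost per incident, 0..1
    annual_rate: float      # expected incidents per year (annual rate of occurrence)

    def single_loss_expectancy(self) -> float:
        return self.asset_value * self.exposure_factor

    def annualized_loss_expectancy(self) -> float:
        return self.single_loss_expectancy() * self.annual_rate


def patch_decision(exposure: Exposure, residual_annual_rate: float, annual_control_cost: float) -> dict:
    """Compare expected annual loss with and without the control (here, patching).

    residual_annual_rate is the incident rate that remains once the patch is applied;
    annual_control_cost is what applying and maintaining the patch costs per year.
    """
    before = exposure.annualized_loss_expectancy()
    after = replace(exposure, annual_rate=residual_annual_rate).annualized_loss_expectancy()
    net_benefit = before - after - annual_control_cost
    return {
        "ale_before": before,
        "ale_after": after,
        "net_benefit": net_benefit,
        "patch": net_benefit > 0,
    }


def rank_by_ale(exposures: dict) -> list:
    """Order named exposures by annualized loss expectancy, largest first.

    This is the ranking that lets 'high' and 'critical' mean something
    numeric rather than adjectival.
    """
    return sorted(exposures, key=lambda name: exposures[name].annualized_loss_expectancy(), reverse=True)


if __name__ == "__main__":
    # Constructed horse race: $2 at 11-1 with an assumed 5% chance of winning.
    print("bet EV:", bet_expected_value(2, 11, 0.05), "break-even p:", bet_breakeven_probability(11))
    # Constructed unpatched critical vulnerability on a $500k asset, 40% of value
    # lost per incident, one incident every two years if left unpatched.
    unpatched = Exposure(asset_value=500_000, exposure_factor=0.4, annual_rate=0.5)
    print(patch_decision(unpatched, residual_annual_rate=0.05, annual_control_cost=15_000))
    print(rank_by_ale({"crm": unpatched, "wiki": Exposure(20_000, 1.0, 1.0)}))
```

The point of putting both calculations in one file is that the inputs are the same kind of thing: a probability, a stake, and a payoff. A bettor who knows 11-1 needs better than a one-in-twelve chance to be worth $2 is doing exactly the comparison `patch_decision` does between expected loss avoided and the cost of the control.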

SCADA Has Holes!

In addition to foreign manufacturers, very long (decade or more) upgrade times, deployments in odd locations that pretty much require network access by non-net-savvy technicians, etc., SCADA also has another bug:
Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It’s used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information.

Neutralbit reports that the flaw is caused by improper validation of server handles, which could be exploited by an attacker with physical or remote access to the OPC interface to crash an affected application or potentially compromise a vulnerable server. Neutralbit has also recently published five vulnerabilities having to do with OPC.

Hole Found in Protocol Handling Vital National Infrastructure, physorg.com, 25 March 2007

Neutralbit also claims this is the first remotely accessible SCADA vulnerability, which the smallest amount of googling shows is not true (I leave that as an exercise for the reader). However, they probably have found a real vulnerability.

More Risk Management?

Interesting observation from my apparent twin Chandler Howell:
A lot has changed since I first started bashing random thoughts into WordPress and wondering if anyone but I would care. In March 2005, John Quarterman and I were pretty much the only bloggers out there talking about Risk in the non-boardgame sense of the word, at least according to Technorati, and we apparently only had 33 posts on the subject between us.

Today, Technorati found a total of 47,001 posts about “risk management,” with more being added at a pace of over 100 per day. A lot of them are spam, but a lot of them aren’t.

Like him, I don’t know that it’s so much that there is actually more risk management going on, but at least more people are talking about it; maybe that will lead to more of it happening.

-jsq

Metricon Posted

All the slides from Metricon are posted. Note especially Dan Geer’s digest, which contains information on how the various presentations and presenters interacted. Lots of good stuff in there.

I already blogged a few items about Metricon: House Construction Security, Why Did the Titanic Sink?, and Risk-Based Funding. More to come.

-jsq

Microsoft Monoculture Myopia

It’s Dan Geer’s report’s anniversary:
Exactly three years later this month, Geer insists that the risks associated with Microsoft’s virtual monoculture remain the same, but a quick glance at the future direction of the world’s largest software maker gives Geer a sense of “total vindication.”

Indeed, three years ago on Sept. 24, Geer penned “CyberInsecurity: The Cost of Monopoly,” a 25-page report he co-authored with a who’s who of computer security experts, including celebrated cryptographer Bruce Schneier and intrusion detection systems specialist Rebecca Bace.

IT Wrestles with Microsoft Monoculture Myopia Ryan Naraine, eWeek, September 10, 2006

In many ways, nothing has changed: Windows still runs on more than 90% of all end-user systems, and buying Microsoft is like buying IBM used to be.