Category Archives: Security

APEC, Schmapeck

0,,5644398,00.jpg
Yesterday, a TV comedy team succeeded in driving a fake motorcade with Canadian flags right through all the security barriers and weren’t stopped until right outside President Bush’s hotel. Inside their motorcade was someone dressed up as Osama Bin Laden.

APEC Conference in Sydney Social Engineered, Bruce Schneier, Schneier on Security, September 07, 2007

It gets better. Continue reading

Outrage at Outrage Management

outrage.png
management.png

So we were discussing Peter Sandman’s recommendations for outrage management, which mostly have to do with how to deal with management not doing something that you’ve given them rational reasons to do, because of some emotional resistance or other. The opposite problem also occurs: they believe you; they just don’t care. Then you could use some outrage.

Alex brings up two good points in the previous comments:

I’m afraid that outside of usefulness in those communications channels, I just would hesitate to use the term "Outrage". For example, creating "Outrage" metrics sounds like you’re working in hollywood publicity for Paris Hilton, not protecting business assets. 🙂

Yes, exactly, it’s usefulness in these communications channels, that is, with management, that emotion, up to and including outrage, has to be used and managed.

Continue reading

Non-Asymmetric Malware

<~~T.A.Z~~>

Most exploits through the Internet have been relatively small guys (individuals, gangs, etc.) against big companies and governments. Yet they’re already using botnets to leverage their activity. What happens when botnets start connecting with other botnets via wireless?

Consider the following scenarios:

  • malware infected PCs actually opening a WiFi connection in a port-knocking nature to the wireless botnet master only
  • no need for wardriving, as malware authors would quickly map the entire WiFi vulnerable population around a given region in the age of malware geolocating IPs using commercial services
  • once a PC gets infected inside an organization, it can automatically turn into a wardriving zombie exposing vulnerable WiFi connections within
  • Bluetooth scanning plugins expose even more vulnerable Bluetooth-enabled devices in the range of the infected host

— Distributed WiFi Scanning Through Malware, by Dancho Danchev, @ Friday, August 24, 2007

It already wasn’t clear which side the asymmetry favored, since the bad guys use the full leverage of the Internet and the defenders mostly don’t. Now the bad guys can leverage the leverage of the Internet by also using local wireless connections to further interconnect.

Did we need more proof that there’s no such thing as a perimeter to fortify anymore?

-jsq

Outrage: Less and More

danrather0207.jpg We’ve been discussing Outrage Considered Useful. Alex remarked in a comment:

The term "Outrage" suggests that risk cannot or should not be discussed in a rational manner.

What I think Sandman is getting at is that often risk isn’t discussed in a rational manner, because managers’ (and security people’s) egos, fears, ambitions, etc. get in the way. In a perfect Platonic world perhaps things wouldn’t be that way, but in this one, people don’t operate by reason alone, even when  they think they are doing so.

Outrage x Hazard may be a means to express risk within the context of the organization, but I like probability of loss event x probable magnitude of loss better for quantitative analysis.

Indeed, quantitative analysis is good. However, once you’ve got that analysis, you still have to sell it to management. And there’s the rub: that last part is going to require dealing with emotion.

Continue reading

Security ROI: Possible, but Not the Main Point

gordon.jpg Many people have argued about wondered whether information security can have a computed Return on Investment (ROI). The man who co-wrote the book on ROI, Managing Cybersecurity Resources: A Cost-Benefit Analysis says yes, it’s possible, but in general, “maximizing the ROI (or IRR [real economic rate of return]) is, in general, not an appropriate economic objective.” What, then?
Rather than trying to derive the ROI of security investments, a much better strategy is to work on the related issues of deriving an optimal (or at least desirable) level of information security investments and the best way to allocate such investments. This strategy is the focus of the Gordon-Loeb Model (for a brief summary of the focus of this model, and a link to the actual paper, go to: (http://www.rhsmith.umd.edu/faculty/lgordon/Gordon%20Loeb%20Model%20cybersecurity.htm

Email from Dr. Lawrence Gordon: Security ROI possible but not optimal, use other metrics, Posted by Kenneth F. Belva, bloginfosec.com, 18 July 2007

Belva reads the recommended paper and finds it to say:
The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.
From which Belva concludes that “we do understand Information Security to have a return.” Well, yes. Continue reading

Connectivity: Engulf or Participate?

circulo_xavante.jpg Can’t pass up an article with “Peril” in its title:
“I don’t think it’s a good thing, because it’s a threat to our culture,” said Tsereptse, who carries a bow and arrow with him at all times as a symbol of his position.

Some of the tribe’s younger members have been trying to convince Tsereptse that computers will have the exact opposite effect — that they can be tools to record and preserve Xavante folklore and traditions, and to disseminate them all over the world.

Awaiting Internet Access, Remote Brazilian Tribes Debate Its Promise, Peril,By Monte Reel, Washington Post Foreign Service, Friday, July 6, 2007; Page A08

These are members of the Xavante tribe in Mato Grosso state in Brazil. They don’t have electricity yet, but they’ve decided to get Internet access. Why? Continue reading