The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

April 5th, 2012

An OP-ED by Richard Clarke on China

http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html

This is better written than most ‘chicken little’ pieces, but please can we have a ‘history’ of how most nations, including the USA, have engaged in ‘industrial espionage’.

I recall a presentation by CSIS that was making the point that Canada’s greatest threat on the Industrial Espionage scene was France, and that France had been practising Industrial Espionage against the “English Speaking World” for centuries. And he had evidence to back that up from at least Napoleonic times.

But then don’t forget that the “English Speaking World” stole such secrets from China as “Tea”:

For centuries, the secret of growing tea was one of China’s
most closely-guarded treasures. Along with silk, tea was an
extremely valuable agricultural commodity, prized as a luxury
item across Asia and into Europe.

In the mid-19th century, however, Briton Robert Fortune
dressed as a Chinese man (complete with queue) and set out
to discover the secret of tea-growing. He located the bushes
that produce tea, and stole seedlings that he transported to
British India. China’s tea monopoly was broken.

Robert Fortune (1812-1880) (Photo credit: Wikipedia)

Fortune’s explorations are detailed in a new book, For All the Tea in China, by Sarah Rose. She frames this not simply as a tale of Victorian exploration, but as early industrial espionage – which, of course, it was.

I’m not saying this justifies anything, any more than the Opium trade or forcing products from the Industrialized West onto Asian markets, also part of our common historic context, justifies any reprisals.

I’m just saying Context is Everything and if you ignore history (especially when dealing with people for whom history is an important context) then you are setting yourself up for a sea of troubles.

February 10th, 2012

Please Realize That Piracy is a Service Problem.

http://www.forbes.com/sites/insertcoin/2012/02/03/you-will-never-kill-piracy-and-piracy-will-never-kill-you/

NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)

The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at “service” when it came to video tapes and DVDs, and how they objected to those even though they turned out to be immensely profitable. We all know that, and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc. seem to want to shut it down.

Well, if they did there would be outcries, not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were losing customers, not just from direct action but from the word-of-mouth style propagation, reviews and snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Law of Unintended Consequences doing what it always does: biting you in the ass.

Yes, if the media industry provided the service that customers want piracy wouldn’t be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There’s a corollary to that: if the media companies were selling on the net, their cost of reproduction would be zero. They can sell the same movie hundreds of times over and it doesn’t cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There’s that for every sale. And those are costs that are going up year by year. And if there’s a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a ‘Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

It’s as if the RIAA have it exactly backwards.

So it costs, what, let’s say $20 to buy a movie as a DVD. That’s my budget. If I went to the store and found the movie I wanted was $5, then I’d be inclined to buy some more. Maybe at $5 a shot I’d spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn’t have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. Many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the ‘Net, mail buyers about new releases and packages the way Amazon does, and there will be more impulse buying. Sell low-res, high-res and super-high-res/HD versions, alternate endings, have consumers write reviews … you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.

A stereotypical caricature of a pirate. (Photo credit: Wikipedia)

February 8th, 2012

Upside and downside: How I hate Journalists

http://compliancesearch.com/compliancex/insider-trading/senate-votes-to-ban-insider-trading-by-its-members/

And this doesn’t actually stop them from making use of ‘insider information’; they just have to declare it within 30 days.

No, wait, sorry … you mean that the legislators are saying that legislators shouldn’t do something that is illegal anyway? Or that, if they do something that is already illegal, it is OK as long as they declare it within 30 days? …

It gets worse:

http://compliancesearch.com/compliancex/insider-trading/house-republicans%E2%80%99-insider-trading-bill-accused-of-catering-to-insiders/

I’d like to claim the system is rigged so ‘the rich get richer’, but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to describe the rich variety of political attitudes in Washington, never mind the rest of the USA and points elsewhere on the physical compass.

http://en.wikipedia.org/wiki/Pournelle_chart
http://en.wikipedia.org/wiki/Nolan_Chart

Just those two show we need more than 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.

http://en.wikipedia.org/wiki/Political_spectrum

Try this test:
http://www.politicalcompass.org/

How does this all relate to InfoSec, you ask.
Well part of that Political Compass is a view of ‘how authoritarian’.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees have Access to the Internet, and the like.

Hans Eysenck pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.

How many more such simplistic distinctions, such as those foisted on us by journalists, are equally meaningless?

Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of ‘root cause analysis’ is no longer used in analysing plane crashes. The reality is that “it’s not just one thing”, it’s many factors. We all know that applies in most areas of life.

I suspect most people know that too; it’s not restricted to the digerati.
There is the old ditty that explains how for want of a nail an empire was lost, but no-one is proposing that we fix the failings of the “American Empire” by manufacturing more nails.

Except possibly Journalists.

January 25th, 2012

“Cybercrime” is still Crime and “Cyberfraud” is still Fraud

http://www.techsecuritytoday.com/index.php/our-contributors/michael-vizard/entry/lifting-the-veil-on-cybercrime

This says it all:

At the end of the day, cybercriminal activity is not all that different
from more traditional forms of organized crime. Obviously, the way the
crime is perpetrated is new, but the ways in which cybercriminals
operate is not all that different from anything that has gone on before.

Heck, once upon a time there was no telegraph, no “Royal Mail” (or whatever the equivalent is in your state/nation). But when those came along they offered new opportunities for fraud. Most places have laws in place against fraud perpetrated by mail or telegraph, and telegraph includes the telephone.

And this is where I get to wonder at how our politicians work, the knee-jerk “something must be done NOW” attitude.

Here in Canada we have a criminal code. It covers fraud. We don’t need new laws to deal with cybercrime because of the way our laws are written: they are general and not reductionist. They specify the crime, not the technology used.

I get the impression that in the USA (and possibly other places) it’s the other way round. That’s why they need lots of new laws to address every fine-grained detail as the technology advances. Personally I don’t think this is a good way of working since it piles laws upon laws.

In science we saw that in astronomy before Newton. The classical “Ptolemaic” system piled epicycles upon epicycles as corrections because the underlying model, based on a geocentric approach and the idea of ‘perfect spheres’, was fundamentally flawed. Piling human laws upon human laws to deal with special cases of what is really a general situation is no less flawed in approach.

Cover of "Paper Moon"

Fraud is fraud is fraud. It doesn’t matter if it’s perpetrated by a hustler in person as in the scenes in “Paper Moon”, by mail, over the phone or using the Internet. Fraud is fraud is fraud.

We don’t need new laws; we just need a better understanding of how criminals use technology. Well, perhaps we security droids don’t, but the public, the police, the legislators and the managers of the firms and organizations impacted by such criminals need that understanding.

But that’s not what detailed, reductionist legislation is going to achieve, is it?

July 21st, 2011

Economic Impact: Patent trolls chase app developers out of the U.S.

http://www.linuxfordevices.com/c/a/News/Kootol-joins-Lodsys-as-a-patent-troll/?kc=LNXDEVNL072111

The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it …

IF its core economic worth, that is its industrial productivity, is unharmed.

There are a number of ways this can be harmed: a poor credit rating among them, and a lack of funds available for investment.

July 1st, 2011

Sony backs U.S. ineffective cybersecurity legislation

Magic Link (Image via Wikipedia)

http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html

“If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone,” the Sony executive said.

“By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to us all,” he said.

To people like us, IT Audit and InfoSec types, ‘controls’ come in 3 forms:

  • preventative
  • detective
  • compensatory

It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.

April 19th, 2011

Congressman blames U.S. unemployment crisis on iPad

http://www.zdnet.com/blog/apple/congressman-blames-us-unemployment-crisis-on-ipad/9968?tag=nl.e539

In it U.S. Representative Jesse Jackson Jr (D-IL) blasts Apple and Steve
Jobs claiming that the iPad is responsible for killing thousands of
American jobs.

Jesse Jackson i Almedalen 2011 (Image by Socialdemokrater via Flickr)

In the rambling manifesto Jackson claims that the iPad is to blame
because it enables anyone to easily download books and newspapers. Thus
everyone who works at bookstores (i.e. Borders) or the publishing
industry will lose their jobs to workers making iPads in China.

Over the top?

Well, he is a politician.

However, there is this:

Yet, last week, the president met with eight CEOs such as the heads of
Xerox and American Express to ask what he could do that would give them
confidence to invest in the United States. But these are precisely the
wrong people with whom to consult and the question is precisely the
wrong question. They are the wrong people because they have benefited
enormously from offshoring and from the distortions built into the
global system. Their interest is not the same as that of the United
States but rather that of their shareholders and, in some cases, of the
authoritarian governments of the countries to which they have moved much
of the production capacity. The question is wrong because rather than
trying to bribe them the president should, a la The Godfather, be making
them “offers they can’t refuse.”

In South Carolina, Governor Perry emphasized that he would make
Washington disappear from the lives of the people in his audience. That
did not strike me as the comment of a person using all his power to find
jobs.

But think about it for just a moment. There will be no more significant
fiscal stimulus for the economy. The emphasis is all on debt reduction,
cutting expenditures, and retrenching. Not only will the federal
government be cutting back, but the state and municipal governments are
already slashing and burning. All of this will result in further job
reduction, less consumer spending, and declining stimulus which in turn
will lead to reluctance on the part of business to invest. In these
circumstances, the only possible source of jobs is a reduction of the
trade deficit.

He or she who wakes up to this fact first is likely to be the next president.

That’s my emphasis in red.

These executives are responsible to the shareholders, through the board. If the economic climate and system of taxation – that is, the employment costs – make it favourable to employ foreign workers rather than American workers, then that is what these people will do. If they do otherwise then they are clearly not acting in the best interests of their corporations and will be dismissed and replaced by someone who will. This is basic corporate economics, and any politician who fails to recognise it may be popular for crowing about “America First” but is displaying woeful ignorance.

The other way to look at it is that US workers have priced themselves out of the market.

Dwight D. Eisenhower photo portrait. (Image via Wikipedia)

A people that values its privileges above its principles soon loses both.
Dwight D. Eisenhower, Inaugural Address, January 20, 1953

January 31st, 2011

IT AUDIT VS Risk Assessment – 2

We were discussing which should be done first and someone said:

The first has to be risk assessment as it is the foundation of information security. You first need to know where the risk is before putting up any controls to mitigate that risk. Putting up ad hoc controls will not make the controls effective nor will it protect the organizations against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context – read that as sophistication and awareness of the baseline risks – to see that there should be a set of baseline controls: IAM, firewall, AV, backups and so forth. We don’t need to leave the assets exposed to threats while we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.

You don’t need to know the specific risks, any more than you need to know the specific risks before putting a lock on the front door of your house and closing your windows.

I certainly wouldn’t call this approach “ad-hoc”.

September 15th, 2010

Career Insights from Stephen Northcutt, CEO of SANS

http://www.bankinfosecurity.com/articles.php?art_id=2914

Fascinating.

I get a lot of enquiries from wannabes who, as they put it, want to “break into security”. I presume they see it as more interesting than the work they are doing.

They come in all varieties, from high-school kids asking about what degree they should take to people with no actual work experience asking if they should take a CISSP or CISM.

The luminaries of our profession, be they CISSPs or people like Marcus Ranum and Bruce Schneier who lack such certifications, all came up the same way that Stephen Northcutt did and many of us here did – the long way. And they gained the practical experience and understanding of the issues along the way.

July 29th, 2010

RIM vs. Indian government continues

http://www.zdnet.com/blog/india/rim-vs-indian-government-continues/135?tag=nl.e539

… and the UAE.

RIM is between a rock and a hard place.
They say no to this and they lose a market; and the Indian market is big. They say yes to this and the customers don’t trust them, so why should they buy RIM rather than some other insecure service?

July 21st, 2010

When organizations put a lot of eggs in one basket – desktop side

http://www.zdnet.com/blog/virtualization/when-organizations-put-a-lot-of-eggs-in-one-basket-desktop-side-of-the-story/2103?tag=nl.e539

This is a chicken-little story.

We’ve been putting many computer eggs in one hardware basket for a long, long time.
What do you think mainframes running MVS and VM/CMS were?
What were things like air traffic control?

The ‘desktop’ is a fuzzy concept that gets confused with a GUI.
Those mainframes – think airline ticket and reservation – could handle many hundreds of remote terminals, keeping them updated.

What’s a dumb terminal if not the ultimate in ‘thin clients’?

June 4th, 2010

Google Phasing out Windows

http://www.h-online.com/security/news/item/Report-Google-phasing-out-internal-use-of-Microsoft-Windows-1012679.html

“According to a report in the Financial Times, Google are phasing
out the use of Microsoft‘s Windows within the company because of
security concerns. Citing several Google employees, the FT report
reports that new hires are offered the option of using Apple Mac
systems or PCs running Linux. The move is believed to be related to a
directive issued after Google’s Chinese operations were attacked in
January. In that attack, Chinese hackers took advantage of
vulnerabilities in Internet Explorer on a Windows PC used by a Google
employee and from there gained deeper access to Google’s single sign
on service.”

Security as a business decision?
Don’t make me laugh!
Look at what precedent they’ve shown!
Look at Microsoft’s attitude and approach to security (no matter how flawed the end result) and compare it with the public stance Google has taken.

No, this is about Business Politics.
Microsoft has been ‘staggering’ this last decade and now Apple is on the ascendancy, and the real battle will no longer be in the PC world but in the consumer world with embedded systems.
On the surface this will be Android vs Apple, but since embedded Linux goes so much further – embedded in TVs, GPS units, traffic light controllers, and perhaps it will even replace UNIX in telephone exchanges (ha-ha-ha!) – there’s more potential.
(Freudian slip: I just wrote portential.)

Yes, Microsoft hasn’t been asleep in the embedded market, or the phone/PDA market, but compared to Linux it’s a resource hog. On top of that, it’s also proprietary, so vendors rely on Microsoft for the porting to new processors/hardware and for support. Linux/Android doesn’t have that limitation. And there are plenty of ‘kiddies’ eager to play with Android (source) on a new toy.

No, this isn’t a security issue, it’s a business and political issue.
If Google is pushing its range of Android products then it doesn’t want to have people – journalists, investors, bloggers – saying “yes, but you USE Windows even though you preach Linux”.

Or perhaps you thought Google was taking the “High Moral Ground”?
No, I think they are taking the advice of Sun Tzu and applying it to business.

“For them to perceive the advantage of defeating the enemy, they must
also have their rewards.”

Betcha Google will be supplying Android phones/slates/pads to its workers.

“He who knows when he can fight and when he cannot, will be victorious.”

Look at that ZDNet article and think about the timing of Google’s announcement.

“It is essential to seek out enemy agents who have come to conduct
espionage against you and to bribe them to serve you. Give them
instructions and care for them. Thus doubled agents are recruited and used.”

Think about that one.

“Opportunities multiply as they are seized.”

And look how Android is spreading.
Ballmer said Linux was a virus – yes, a “meme”.

“Thus, what is of supreme importance in war is to attack the enemy’s strategy.”

Indeed. Microsoft has proclaimed a commitment to “security”. Bill Gates said so. That is their “strategy”. But Google is working on the fact that Microsoft products still have security flaws. Regardless of the reality, that is the “voice” of this announcement. They are saying that Microsoft’s strategy isn’t working. They are attacking it in the minds of the consumers.

May 28th, 2010

“Impact” is not a Metric

I never like to see the term ‘impact’.
It’s not a metric.

I discuss how length, temperature, weight, are metrics whereas speed, acceleration, entropy are derived values. In the same sense, ‘impact’ is a derived value – “the cost of the harm to an asset”. The value of an asset can be treated as a primary metric, but how much it is “impacted” is a derived value.

This is the same kind of sloppy thinking, the same failure to identify tangible metrics, as we see when people treat ‘risk’ as if it were something tangible, never mind a metric!

March 22nd, 2010

More on how to win friends and influence management

Take a look at

Forget ROI and Risk. Consider Competitive Advantage
by Richard Bejtlich

I note the line that so many of us in the InfoSec business have encountered and complained about …

As we’ve seen during the last few years, “risk” has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it’s easy enough for managers to accept a higher level of risk than the security manager.

Indeed.

But so many ‘authorities’ – ISO-2700x, ISACA’s COBIT, ValIT and RiskIT as well as its Professional Practices – all focus on Risk Analysis.

We’ve recently seen mention of NIST 800-30.
There on page 9 is a nine-step (why not 12-step?) program for what they call “Risk Assessment”. Actually it isn’t; it involves controls and results. It makes it look sooooo simple! But as many practitioners have pointed out, in many ways it’s not like that in reality. Many of us question if it’s doable.

March 13th, 2010

On the one hand …

On the one hand there is this:

http://www.theregister.co.uk/2008/06/10/new_york_isp_crackdown/

and on the other, when it comes down to practice, there’s this:

http://www.theregister.co.uk/2008/02/20/australian_adult_content_filter_failure/

Now please don’t think I support p0rn.
But surely …

One of the principles of good home economics is to pay down your most expensive (usually credit card) debts first. Surely there’s an analogue here about applying censorial leverage where it’s most effective.

Sadly, the media, and hence the government and also the “do something about it now” pressure groups, are very good at making use of broad, overly inclusive labelling. It saves having to deal with fine issues, use discernment and judgement and making people actually stop and think about things rather than have an emotional reaction.

So where does pornography begin and end?

March 5th, 2010

White House Cyber Czar: ‘There Is No Cyberwar’

Thank you Howard! This has long needed to be said by someone in authority!

Yes, crime and espionage will cripple us all economically.
We won’t see enemy troops occupying our land.
(We might see the same result from ‘enhanced homeland security’: troops and law enforcement on every corner checking papers, breaking down your front door at 3am and other Stasi SS-Stoßtruppen tactics. But that’s another matter, and when it happens you know that not only have the Terrorists won, but your own government is the main source of Terror.)

Howard Schmidt, the new cybersecurity czar for the Obama administration,
has a short answer for the drumbeat of rhetoric claiming the United
States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview
Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible
concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity
efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of
national intelligence who made headlines last week when he testified to
Congress that the country was already in the midst of a cyberwar — and
was losing it.

February 28th, 2010

The FBI risk equation

It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation:

risk = threat x vulnerability x consequence

rather than solely focusing on threat vectors and actors.

To be honest, I sometimes wonder why people obsess about threat vectors in the first place. There seems to be a belief that the more threats you face, the higher your risk, regardless of your controls and regardless of the classification of the threats.

Look at it this way: what do you have control over?

Why do you think that people like auditors refer to the protective and detective mechanisms as “controls”?

Yes, if you’re a 600,000 lb gorilla like Microsoft you can take down one – insignificant – botnet, but the rest of us don’t have control over the  threat vectors and threat actors.

What do we have control over?

Vulnerabilities, to some extent. We can patch; we can choose to run alternative software; we can mask off access by the threats to the vulnerabilities. We can do things to reduce the “vulnerability surface” such as partitioning our networks, restricting access, and not exposing more than is absolutely necessary to the Internet (why oh why is your SqlServer visible to the net? why isn’t it behind the web server, which in turn is behind a firewall?).

Assets, to a large extent. Document them. Identify who should be using them and implement IAM.

And very important: we have control over RESPONSE.

Did the FBI equation mention response? I suppose you could say that ‘awareness’ is a part of a response package. Personally I think that response is a very, very important part of this equation, and it’s the one you have MOST control over.

And response is – or should be – totally independent of the threats, since it focuses on preserving and recovering the assets.

I think they have it very, very confused and this isn’t the most productive, most effective way of going about it. But then the FBI’s view of policing is to go after the criminals, and if you consider the criminals to be the threat then that makes sense.

But let’s face it, most corporations are not in the business of policing. Neither are home users.

Which is why I focus on the issue of “what you have control over”.

November 6th, 2009

Speil Chequers

Yesterday, my friend and colleague, Rob Slade, noted that …

Idly leafing through yet another IT executive rag (preparatory to recycling it),
and noticed an article on privacy by the head of a data destruction company. He
was talking about the problem of “data reminisce.”

Well, it may not have been the author at fault.
We’ve criticized journalists for lacking knowledge of various technical professions and so mangling and misinterpreting reports, but what about typesetters? And editors?

October 26th, 2009

The chief value of open source

Now this is interesting!

With code visibility, you and your vendors become partners in trying to make something work. The vendor can’t over-promise, but you can’t over-assume either. This may be one of main hidden reasons for IT failure, the two sides of the transaction not being on the same page.

May 4th, 2009

Hysteria over swine flu is the real danger

http://www.cnn.com/2009/HEALTH/05/03/swine.flu.react/index.html?eref=rss_topstories

And in world terms how does this compare to nuclear tests in North Korea?