Archive for July, 2009
Happy Asses

Happy asses, I assume, of Toto washlet users: http://www.totopartners.com/Portals/0/Product%20Images/66d3dad5-719a-4ab0-bc47-ba38f64e43ab.pdf. No ambiguity in this picture: the asses are decidedly happy.
Toto CEO Kunio Harimoto has decided to bring advanced washlets to as-yet unhappy American asses (http://www.economist.com/people/displaystory.cfm?story_id=14082288).
The national ass says: oh joy.
Another happy ass:

-al
Oops moments
So by now everyone should be familiar with the fact that a security vendor (which, ironically, sells a DLP solution) leaked the list of attendees of a Sydney security summit. Included were their names, email addresses and phone numbers. Over 1000 records were leaked.
Oops happens. DLP might not be configured correctly. Time to review policies. Time to train marketing folk to review their emails before hitting “send”.
To me what was interesting was something said by their VP of APAC sales, who was interviewed on Risky Business, a somewhat amusing and deferent Australian security podcast, at http://risky.biz/netcasts/risky-business/risky-business-117-mcafee-tries-explain-data-loss-incident. The VP claimed (at 20:30) that the breach was not of “serious data” such as “financial information or mission critical information”, but just a contact list. That comment sheds light on the misunderstandings and confusion around what constitutes confidential data, and on the difference between IP and entrusted data.
To the vendor, the data was just a contact list. It was not their “financial data” nor “mission critical information”. In the words of the VP, this was not “serious data” but a “contact list”. What was overlooked was that the data was important to the customer. The VP was unable to take the customer’s point of view (POV) and thus to accept the vendor’s responsibility for customer data. Amusing, but it points to a basic flaw in human reasoning.
In providing DLP consulting I find that the ability to change POV is a critical competency for the security expert. The ability to realize that “what is important to me” might differ from “what is important to them” is critical for a successful DLP deployment. The ability to don HR glasses, R&D glasses or customer glasses and try to understand what is important to them is critical.
Unfortunately, the ability to shift POV is a new requirement for the security expert. The nature of the threat has changed with DLP.
When dealing with inbound threats, we all face the same challenges. To quote William Shakespeare: “If you prick us, do we not bleed? If you tickle us, do we not laugh? If you poison us, do we not die? And if you wrong us, shall we not revenge?” We are all in the same boat. I do not want a virus to attack my machine. You do not want a virus to attack your machine. I do not want a keylogger to log my bank passwords. You should not want a keylogger to log your bank passwords. I do not want my blog to be made unavailable by a DoS attack. And I guess you do not want your blog to be made unavailable by a DoS attack.
But as for data, my confidential data is (probably) wholly different from your data. We might share an aversion to the loss of credit card data and national ID numbers (or SSNs), but the usage patterns of that data and the need to collect and store it change from user to user. And my IP (intellectual property) is wholly different from yours (unless I was careless with my data OR you were careless with your data, and we got to share in the booty!). For this, the security professional must be able to put themselves in the shoes of their businesses, users and partners (e.g. customers), understand their needs, and assist them in securing their processes and procedures. DLP can help by exposing the uses and abuses of the data, but it cannot do the process work for the professional.
I find that the ability to change POV seems to come with the experience and maturity of the professional, along with the inevitable tossing out of security dogmatism and the acceptance of practiced pragmatism. I guess if you wait long enough, it shall come (or not).
Cheers mates,
/al
Should my insurer kill me?
Some of you may suspect that there is something wrong, almost Kafkaesque in nature, about the above question.
Well, according to the Economist, a recent study by the good folk at the University of Liege coma science group has discovered that doctors routinely mistake the level of vegetative state of comatose patients. Doctors make mistakes. Scrub that. Doctors routinely make mistakes.
How many? Out of 103 patients, the doctors diagnosed 44 as vegetative. However, tests showed that only 18 were vegetative. The rest were in a minimally conscious state. And 4 out of the 40 diagnosed as minimally conscious were actually out of that state and able to communicate (just imagine the horror of being ignored after sleeping for years…).
Now here is the issue: Insurance companies prefer vegetative state patients because:
1. They can be disconnected (cheap)
2. They have no need for expensive rehabilitation
So, ahem, these same guys (dolts) who figured they should insure deadbeat (and temporary) homeowners on the assumption that prices will ALWAYS go up, and who created investment vehicles to hide the risk which they said “will never happen”, are now incented to keep those of us unlucky enough to be comatose classified as vegetative?
Suddenly, state-owned healthcare begins to look nice(r).
On the bright side, same Economist has a story of cheaper solar cells and the successful cloning of mice.
Confidence (The Other Approach to Risk Management)
I have a passion for risk management. In my opinion it does not matter whether one is managing information security risk or financial risk. If we watch closely we see that the financial guys aren’t the best risk managers (Assaf wrote about it many times…). One of the less-discussed areas of risk management is food safety. Sure, there are plenty of regulations and mandates as well as different agencies, including the CDC, FDA and USDA just to name a few, but overall there are too many health issues with food.
Take sprouts. That harmless-looking health food is known to cause health issues. According to this article:
Between 1996 and 2005, raw or slightly cooked sprouts have caused an estimated 1,636 cases of illness, or 40 percent of all food-borne illness associated with produce, according to the FDA. Though the number of cases has dropped substantially since 1999 due to stepped-up decontamination attempts by the industry, federal regulators say the current push is necessary because sprouts–a favorite among health-food enthusiasts–still pose a measure of risk to consumers.
Years later, we are still facing food-borne illness associated with sprouts.
Just recently the FDA and the CDC advised people not to eat raw alfalfa sprouts after at least 31 people were sickened by Salmonella Saintpaul infection. According to the FDA, an investigation shows that the problem may be linked to contamination of seeds for alfalfa sprouts.
The FDA and the CDC note that suspect lots of seeds may be sold around the country and may account for a large proportion of the alfalfa seeds being used by sprout growers, and cases of illness are spread across multiple states.
Even my favorite grocer, Trader Joe’s, had to recall my favorite Nature’s Choice Alfalfa Sprouts.
But now we can all rest assured. They always test the product. Where were you during the Salmonella outbreak?

The point I’d like to make is that risk management is a never-ending process. One should understand the associated vulnerabilities (e.g. sprouts can contain Salmonella), review the business process, and add the necessary controls (e.g. test for Salmonella), adding compensating controls where necessary.
At least now I have more confidence. I know that they ARE testing. Good to know.
Off to the races

Brownnose
Yellow brownnosed G’s spot. G, as a result, was convinced Yellow was leading the pack. Yellow, as a result, took home the Q trophy.
Congrats to ES on yet another smelly victory.
/al
A healthy dose of skepticism
I am a skeptic and have always been one. I believe that a healthy dose of skepticism can do wonders when trying to balance beliefs (many of which are odd: some people do believe that unicorns are real – literally real!) against reality. While odd beliefs are nice (and somewhat amusing), I would not like to base decisions on farfetched, wrong concepts. I can see the disappointment in some soon-to-be unicorn farmers’ eyes.
Not all you see is as it is.
For example, take the Barnacle Geese. Here is a picture:

And take the Goose Barnacle. Here is a picture:

The similarity in color is apparent. Early Europeans, never having observed a Barnacle Goose nest, and being oblivious to bird migration, assumed that Barnacle Geese emerged from Goose Barnacles (hence the name). Furthermore, there were eyewitnesses: the Welsh monk Giraldus Cambrensis claimed, in the twelfth century, to have seen goose barnacles in the process of turning into barnacle geese.
It is easy to discount this example as “dumb early peoples who did not know”. But these types of mistakes happen routinely in every discipline.
In security it is always easy to jump to conclusions. A DoS attack might also be a misconfigured device. An employee stealing data might be a risky business practice, process or habit.
The only way I am aware of to combat these mistakes is to dig deeper, with mathematical rigor. Understand not just the What (as in: what is happening) and the How (as in: how is this attack taking place) but the Why (as in: why is this employee sending these emails).
/al
Amex – Where is PCI?
Ok – so this stuff bugs me. Whenever a company sets up standards for others to live by but fails to live up to the same standards itself, I get annoyed. Amex is the “bully” in point.
See http://www.kpho.com/money/19936013/detail.html for a story in which two guys who worked at Amex were able to abscond with “thousands” of credit card numbers and “millions” of customer dollars.
I have two Amex cards. So I went to the Amex website to figure out if my card was somehow exposed. NADA. Not a single word anywhere on the site (perhaps I missed it?).
What is the use of PCI if one of the three card peddlers (Visa and Mastercard being the other two) reflects an attitude of indifference towards protecting MY data?
Wake up, Amex CEO Kenneth I. Chenault. I entrust you with my data. It is time for you to protect it! Mighty nice of you to harass others with odd PCI requirements. Perhaps it is time you passed a PCI audit yourself.
/al
Chairs
Emeco makes the famous chair below:
Emeco ran the ad below, which indeed may make a point:

My Ikea chair broke and it got me thinking about the security we get from less than stellar designs. Like chairs. Emeco has been making the Navy chair since the 1940s. Their chair works, and it is strong. It is dependable. Dependable like my Checkpoint firewall at home. Dependable unlike my let-me-reset-you D-Link router and, yes, my broken Ikea chair.
/al