Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Uncategorized’ Category

Word games for (Californian) children

without comments

Can you tell which of the following is a name for Marijuana (5), which is a name of a rollercoaster (6), and which is both (5)?

1. Tennessee Twister
2. Déjà vu
3. Cincinnati Cyclone
4. Afterburn
5. Pineapple Express
6. California Screaming
7. Brain Teaser
8. Blazing Fury
9. Flashback
10. Humbolt Scorcher
11. Great White
12. Hypersonic XLC
13. Hyperponic XLC
14. Invertigo
15. Woodstock’s Express
16. Bug Out

By Lockie Hunter. Answers at McSweeney’s (http://www.mcsweeneys.net/links/lists/4hunter.html).

/al

Written by assafl

February 16th, 2010 at 8:13 pm

Posted in Uncategorized

Why???

with 6 comments

Why do we work so hard to protect user data and privacy when users seem perfectly happy to put their credit card info online and broadcast their shopping? The concept of blippy.com was shocking to me. It still is. Do users understand that all this information is amassed and can be used at any time by anyone?

What makes blippy trustworthy enough to be given access to a bank account? Are they audited? Are they PCI compliant? They are not even public and (unlike TJX) have nothing to lose by compromising the security of their users’ data…

Yesterday, while analyzing business processes at a DLP account, we ran across a user that sent their entire password list in an unencrypted CSV format. Access to bank accounts, investment accounts, healthcare, Web 2.0 sites, etc.

Perhaps privacy, by 2020, will be replaced by identity insurance…

Written by assafl

February 11th, 2010 at 12:14 pm

Posted in Uncategorized

“High End” Security

without comments

So I periodically dabble with my hifi setup. I rearrange stuff, I recalibrate my reference levels at the sitting positions using an inexpensive sound pressure level meter, and measure the distances using a cool laser distance meter.

I ignore my acoustics engineer self (left in place by 10 years of SONAR system engineering) that is screaming (Edvard Munch style) at the banality of my exercise.

My engineer self does have a point: my SPL meter, for example, is a cheapo Radio Shack SPL meter. It measures signal in decibels. But a decibel is a ratio between two numbers: a reference figure and a measured value. For example, a good measurement would be 12 dB re 1 uPa @ 1m, which would mean that my signal was 12 decibels relative to a pressure wave of 1 micro Pascal (pressure) as measured 1 meter from the source. My practical self dismissed my engineer self by saying “it is all relative anyway, so the exact parameter of the measurement is not important”; to which my engineer self scoffs with a resounding “idiot! If you don’t understand what you are measuring then anything that you measure is suspect. For example, your rear speakers naturally have a different frequency response than your front speakers. Hence if you try to balance them using the SPL meter, and you don’t *really* understand how it sums the SPL throughout the frequency range, you might get inconsistent results. This will also be true due to differences in the vertical response of the speakers vis-a-vis your sitting position“. Now once in a while my engineer self nearly gets a sure footing and I trend precipitously close to acquiring a Bruel & Kjaer measurement system so I can start measuring with aplomb. I usually luck out by ending up reading some article I find somewhere instead of paying the requisite megabucks for B&K Uber Gerate.

Bruel & Kjaer 2230

So here is a question: most of us know that there is a hifi market denoted as “Audiophile”. There is also a market called “professional audio”. There are very few brands that cater to both (I can only think of Dynaudio, Bryston, JBL, ADAM Audio, PMC, JM labs and a few others) and many of the products are so labelled (pro audio vs. home audio). Now audio is audio – why is there such a distinct separation between the two markets?

Is this home audio or pro? ADAM HM3 in Black

Is this for Home or Pro use? P33A (Hint: room acoustics controls and the technical designation of near/midfield monitor should make the intended audience clear)

Here are my opinions:
1. It isn’t looks (so called Wife Acceptance Factor – WAF) – Some home audio stuff is as horrid looking as the most functional of pro audio devices. And some pro audio stuff is drop dead gorgeous.
2. It isn’t pricing – Some pro audio stuff is as expensive as audiophile stuff. Even though it is easier to justify the really upper end stuff for home use (the justification is based on expendable income, just like an ultra high-end stovetop for people who only cook steaks, more than any value statement) – it isn’t really necessary for a recording studio.
3. Objective vs. Subjective sensibilities – By far the biggest differentiator – Audiophile makers differentiate themselves by ratings, by reviews, and mostly by subjective assessments. Audio professionals look for objective assessments (impossible to do, but possible to try to achieve). In fact many Audiophiles disregard objective assessments (like measurements) as secondary to subjective assessments (like listening to their favorite CDs). Meanwhile pros (like audio designers) measure first, and then validate the measurement with listening tests (to ensure they haven’t got a “lemon”).
Note: The audio engineering market is exceptionally mature. So I have to accept the fact that both approaches have their merit. Audiophiles indeed have to rationalize their choices – and subjective assessments are the most optimal way to rationalize a choice, especially when there is no consensus on “state-of-the-art”. Meanwhile, audio pros have to make rational choices – for example, unlike an Audiophile, they must have a perfectly flat frequency response, otherwise their recordings will be equalized to compensate and tend to sound “off” on other equipment. This might be interpreted by their customers as a quality deficiency resulting in fewer, lower paying projects. So both approaches are the correct approaches for their market segments.

What has this got to do with security? Well, security is just like any other market. It has the customers that rationalize their decision, and it has customers that make rational decisions. Now here is the funny fact-of-life: customers in the latter group tend to be assured with their decision and can defend it reasonably well, while customers in the former group tend to hem-and-haw and sort themselves into religious-like user camps. Just like the Audiophiles who flock to like-minded rationalization groups (like the sound-of-wire vs. all wires are identical camp, the Single Ended Triode vs. push-pull camp, the record player vs. CD or BD camps, the solid state vs. vacuum tube camps etc.).

The rational thinking “objective” group (typically early adopters) work like entrepreneurs: they identify a problem, create a list of parameters for their problem, and search for solutions. The decision rationalizing “subjective” group works in other ways, for example by stating top-level decision criteria inconsistent with the problem scenarios.

As an example, to compensate for their inability to achieve a sensible technical decision – or even a sensible description of the problem they are trying to solve – they will choose on other parameters – like integration with other products – whether those integrations make sense or not – or based on analyst opinion, or past relationships, or a reference list, or even past lust (or current bedroom relationship).

This is the “high end” model based on perception of applicability vs. measured applicability to the problem. Security folk are especially prone to this style of analysis since their role is multi disciplinary. The DLP market is becoming the best example of how this multi disciplinary responsibility serves to undermine the decision process eventually resulting in an alarming number of failed projects. For example, assume a security person who came from networking. Their background is reviewing logs, identifying the patterns of malware and they have a keen understanding of exploits. Being the best on their team, they are invited to participate in a DLP project selection committee. What, within their experience, allows them to understand the nature of risk due to information exposure? Not much… For the majority of technical security experts, the meaning of risk (and methodologies to assess and minimize risk) is obtuse. What is worse, risk is the sort of variable that everyone thinks they know and very few actually do. Even banking risk departments, who are supposed to be the leaders in risk class assessments, proved that they had no clue a year or so ago when they piled high risk products into lower risk bundles – just ask any jet airliner designer how wrong that assumption is.
Similarly, consider a CISO. Predominantly a business title, how is a CISO to assess the technical capabilities and applicability to the network of a DLP solution? A good CISO is ill equipped to provide a concrete technical answer to the question of technical suitability.
Add to this equation the fact that business folk and technical folk might as well speak a different language altogether, and you are left with dire prospects for your selection committee.

This is where the analogy between the Audio Market and the Security Markets ends. An amplifier is an amplifier. It might amplify differently. But all amplifiers, and especially at the high-end side of the market, do a reasonable job of amplification. Almost all pro models are identical. That is the safety of a mature market. But the security market, by its nature, will never mature. Hackers and thieves will ensure that whatever we purchase today will be outdated quickly (as quickly as they can write the scripts to make it outdated). The results of the emotional decisions, in an immature market can be disaster. Remember the sods who bought the original early day $15-25k hi-def plasma displays only to have them become obsolete within 2 years due to the emergence of copy protection (HDCP)?

So 2 years later the committee finally realizes that while they really needed the equivalent of a pickup truck, they had mistakenly acquired a dragster. It couldn’t pull the weight of the problem, it was hard to control and it tended to periodically veer off into the ditch. They hired a team of 100 to rebuild the engine every Tuesday and Thursday. And you needed a semi-trailer to haul the damn thing around.

But at least they purchased “high end”. Colorful, shiny, heavy and what a guilt trip (as well as sometimes career limiting). As one CISO put it to me, it is “the cost of a maturing security organization”.

Back to my speakers. The Radio Shack SPL meter is useless for calibrating the sub level (due to inconsistencies in frequency response). Damn it. Perhaps it is time for a B&K measurement station? Gotta love those Danes for their perfect measurement stuff. $5k – Eh? Nah. ETF 5 and a somewhat calibrated Behringer mic ($50) is all I really need.

Happy measuring!

Written by assafl

January 31st, 2010 at 11:11 am

Posted in Uncategorized

Ipodus Giganticus

without comments

While Sharon is busy waddling knee-deep through Phy (layer 1) terminology, another hardware/lifestyle company has released its gigantic equivalent of their iPod product, named iPad.

Somehow the glitter of lower tech color LCD screens has been noisier than Sharon’s uber technology switches. Go figure.

Written by assafl

January 27th, 2010 at 6:07 pm

Posted in Uncategorized

To Know

with 3 comments

Victor Stampfer knows something about cooking. At the end of his long book he lists this knowledge clearly and articulately:

Cellulose hydrolysis above 120C
Cooking vegetables to hydrolyze pectin and starch > 85C
Pectin hydrolysis 85C
Cooking vegetables to hydrolyze starch only between 80C and 85C
Starch solubilization and hydrolysis 80C
Myofibrillar proteins and myoglobin alteration (loss of water-holding capacity; color is definitely altered) 68C
Cooking of –
– braised, sautéed, steamed or boiled meats
– roasted white meat
– fish
Sarcoplasmic protein alteration (modification of the perception of color) 62C
Cooking of –
– just cooked fish < 62C
– red, roasted or grilled meats < 62C
– rare 56–58C
– medium rare 58–60C
– medium well 60–62C
– well done > 62C
Beginning of the destruction of vegetative forms of bacteria 52C (careful of spores!)
Bacterial growth, spore germination < 52C

It is really all you need to know to cook some of the best meals of your life.

Written by assafl

January 4th, 2010 at 9:40 am

Posted in Uncategorized

La Maccina Fluffinata

with one comment

Since the Fluffinator is a very geeky coffee project of mine, I have posted it on home-barista. Those of you who happen to own a Mazzer Mini E grinder and are somewhat disappointed with the quality of its grind will find it very useful.

All the rest of you won’t, but may appreciate the level of myopic focus invested on diminishing returns exhibited by the people involved. And then some of you will disapprove and comment on the injustice of it all and that half of the world is hungry. Well, that is the half that picks the coffee that both you and I drink. So there – life is not fair.

More details at http://www.home-barista.com/grinders/mazzer-mini-e-grind-distribution-improvement-mods-t12954.html#p156133

Written by assafl

January 3rd, 2010 at 9:37 pm

Posted in Uncategorized

Katana – ID theft?

with one comment

So in an effort to better understand the future by reading about the past, and out of respect for Uma, I am reading a famous handbook for Samurai swords by John M. Yumoto.


In the book, Mr. Yumoto discusses the issue of counterfeiting, which was apparently rampant throughout Japan at the time the swords were made. “Smiths often used friends’ names; apprentices used masters’ names and sons would use their fathers’ names.”

He quotes a legend from the smiths of Bizen Province:

The village in Osafune, in Bizen province, was known for its swordsmiths. One day Kanemitsu (金光), one of the town’s leading smiths, was enjoying a moment of rest in his shop. He suddenly found himself listening intently to the sound of the chisel of his neighbor in the shop next door.


Angrily he arose, dashed next door, and seized the sword on which the other smith had been chiseling a name.
“You were putting my name on that sword,” said Kanemitsu.


The other smith admitted that he had been doing so and apologized. “How did you know?” The guilty one asked. “Were you watching?”

“No,” answered Kanemitsu, “but I was listening. You used a greater number of strokes than was necessary if you had been writing your own name”.

Real Samurai use real Kanemitsu swords

A few weeks ago I gave a talk at an ISSA webcast about the importance of monitoring for data security. The Bizen province legend is a great example of monitoring data usage. Somehow, it is oddly comforting to know that data monitoring would have been as important to 14th century swordmakers as to modern day business owners.

/al

Written by assafl

December 17th, 2009 at 4:17 pm

Posted in Uncategorized

It’s All About The Pie

without comments

Regardless of your religion and belief, Happy Holidays!

It's all about the pie

Written by sharon

November 25th, 2009 at 10:15 pm

Posted in Uncategorized

Tower Defense

without comments

Recently, I have been enjoying a tower defense (TD) genre game on my iPhone. In the game, I try to prevent little animated monsters from arriving at my castle and doing malicious deeds like devouring the cute, helpless inhabitants of the castle.


Now I am not aware of any monsters that are scary, so to get into the mood I imagine that the monsters are packets with malware. Scary.

Also, since I have little experience with bows, arrows, cannons, balistrades and other primitive weapons, I imagine a sequence of firewalls, clusters of network IPS/IDS, proxies and host security apps.

After setting up the defenses, I then watch helplessly as those sinister packets slowly (but determinedly) make their way towards the castle, eventually devouring the residents. In the world of TD you mostly fail. Success means you move on to the next level to spend time yet again watching malicious packets devouring your residents. But then nothing happens. This is where my metaphor for security as a TD game collapses:

1. In TD, you have many failed attempts and one success. As a security expert, you’d better succeed more!
2. In TD, the monsters end by eating the residents. In security, the malicious packets must create value for the hacker: either sabotage, or data theft.

In a data theft scenario, the malicious packets will have to walk back past the defenses with the data. That gives us a whole new opportunity to find and disable the attack vectors.

In security, we are usually told that building the anticipated attack trees and ensuring all branches are covered makes for a safer network. Anticipating attack paths is hard. Anticipating intent is easier (steal or damage). Adding the escape path branch to the list of monitored points just makes sense, even if TD doesn’t.
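To make the “escape path branch” concrete, here is an added example (not code from the original post) that runs two rule sets over the same handful of flow records: one that only watches traffic walking in through the front gate, and one that also watches internal hosts talking outward. The flow records, the 10.0.0.0/8 “castle” range, the single block-listed address and the per-flow byte ceiling are all constructed for the illustration and are not from the page.

```python
# Added example (not from the original post): compare a "front gate only"
# rule set with one that also watches the escape path. All flow records
# below are constructed sample data; addresses come from documentation
# ranges and the thresholds are assumptions for the illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str         # source address
    dst: str         # destination address
    dst_port: int
    bytes_sent: int  # bytes carried from src to dst


INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed "castle" range
KNOWN_BAD = {"203.0.113.9"}                      # assumed threat-intel hit
EGRESS_BYTES_THRESHOLD = 5_000_000               # assumed per-flow ceiling

# Constructed sample flows: two inbound, three outbound.
FLOWS = [
    Flow("198.51.100.7", "10.0.0.5", 443, 1_200),       # ordinary inbound
    Flow("203.0.113.9", "10.0.0.5", 22, 900),           # probe from bad source
    Flow("10.0.0.5", "198.51.100.7", 443, 30_000),      # ordinary outbound
    Flow("10.0.0.8", "192.0.2.44", 443, 48_000_000),    # bulk upload to unknown host
    Flow("10.0.0.8", "203.0.113.9", 8443, 2_000),       # callback to bad host
]


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def inbound_alerts(flows):
    """The tower-defense view: only monsters walking toward the castle count."""
    return [f for f in flows
            if not is_internal(f.src) and is_internal(f.dst) and f.src in KNOWN_BAD]


def egress_alerts(flows, threshold=EGRESS_BYTES_THRESHOLD):
    """The escape-path branch: internal hosts talking outward.

    Returns (flow, reasons) pairs; a flow is reported when its destination is
    block-listed or when it carries more bytes out than the assumed ceiling.
    """
    alerts = []
    for f in flows:
        if not (is_internal(f.src) and not is_internal(f.dst)):
            continue
        reasons = []
        if f.dst in KNOWN_BAD:
            reasons.append("destination on block list")
        if f.bytes_sent >= threshold:
            reasons.append(f"{f.bytes_sent} bytes out exceeds {threshold}")
        if reasons:
            alerts.append((f, reasons))
    return alerts


def caught_only_by_egress(flows):
    """Flows the inbound-only rule set would have let walk out unnoticed."""
    inbound = set(inbound_alerts(flows))
    return [f for f, _ in egress_alerts(flows) if f not in inbound]


if __name__ == "__main__":
    for f in inbound_alerts(FLOWS):
        print("inbound alert:", f)
    for f, why in egress_alerts(FLOWS):
        print("egress alert:", f, "->", "; ".join(why))
    print(len(caught_only_by_egress(FLOWS)), "flows seen only on the escape path")
```

On this sample the inbound rule sees only the probe from the block-listed address; the bulk upload and the callback from 10.0.0.8 are invisible to it, and both surface only once the outbound direction is monitored as well. In practice the byte ceiling would be a per-host baseline rather than a constant, but the shape of the check is the same.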

/al

Written by assafl

October 16th, 2009 at 4:35 pm

Posted in Uncategorized

Rebranding the Postmodern Iconography of Security

without comments

Last week Greg Shipley wrote a nice epilogue in InformationWeek regarding lessons learnt from the Albert Gonzalez data heist (http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=219501227). He observed that while we are all cavorting merrily at the prospect of the imminent “hanging” of this thief of “modern data horses”, we did little to address the concern of data security. From my perspective, the CEOs of the companies involved seemed happier to participate in this modern “burning of the witch” than to address the lack of security for what I sincerely hope is not my data.

Similarly, Sharon’s last post discussed the lugubrious habit of equating encryption with security, with a complete disregard to processes, systems and people.

Well, security is getting to be pretty complex, and we humans, in complex situations, tend to flock to iconography.

Original icons are of the deity sort. But postmodern icons can be anything. Espresso crema, evil high fructose corn syrup, local produce, Ken Lewis lying to investors, reduction of carbon footprint.

Encryption can be an icon.
DLP can be an icon (in fact, DLP is fast appearing as an icon, albeit a useless one, on many security and network products).

Since data security is a need, it can be addressed via a methodical evaluation of risk and rigorously balancing the business virtue vs. the risk of loss; technology becomes a facilitator of process and methods – a requisite part – but nonetheless just a part – of the solution.

Alternatively, it can also be addressed by installing a system of icons: a statue of ganesh, a road prayer, a hamsa, a statue of the virgin mother, a DLP solution, or an encryption solution will all achieve the same – and wanting – results.

For the security practitioner, icons are comforting: they own the latest, the highest performing, the best rated, etc. But unlike board members, who really account for nothing but their quarterly signatures, comfort does not alleviate the need to deliver. Owning the CD of a multi-million dollar high quality application is useless if you can’t afford the 10 servers it needs to run, the abundance of professional services needed for set up and the 100 administrators needed for it to run. All this while the board is waiting to decide if a sacrificial goat is needed.

This has occurred in the past. The roads of security are littered with the carcasses of “ex security experts” who expired when the icons of firewalls became technologies that had to be configured properly and maintained. Similarly, PKI took its pound of flesh at the security altar and raised it to the PKI-as-an-icon gods.

Data security is already setting up to be the Kali of the security world. On one hand, effective, business centric data security makes VPs. I know many system operators and administrators who became security and compliance VPs. Similarly, I know many who have been badly burnt by the data security goddess. Those are better off seeking different employment (barista, perhaps?).

As for me? I am getting to taste the vice of pride, being involved in a market that is fast becoming the chopping block of mediocrity. Bring it on, icon peddlers!

Written by assafl

September 19th, 2009 at 5:56 pm

Posted in Uncategorized