Archive for the ‘Uncategorized’ Category
To Know
Victor Stampfer knows something about cooking. At the end of his long book he lists this knowledge clearly and articulately:
Cellulose hydrolysis: above 120C
Cooking vegetables to hydrolyze pectin and starch: > 85C
Pectin hydrolysis: 85C
Cooking vegetables to hydrolyze starch only: between 80C and 85C
Starch solubilization and hydrolysis: 80C
Myofibrillar proteins and myoglobin alteration (loss of water-holding capacity; color is definitely altered): 68C
Cooking of –
– braised, sautéed, steamed or boiled meats
– roasted white meat
– fish
Sarcoplasmic protein alteration (modification of the perception of color): 62C
Cooking of –
– just cooked fish: < 62C
– red, roasted or grilled meats: < 62C
– rare: 56-58C
– medium rare: 58-60C
– medium well: 60-62C
– well done: > 62C
Beginning of the destruction of vegetative forms of bacteria: 52C (careful of spores!)
Bacterial growth, spore germination: < 52C
It is really all you need to know to cook some of the best meals of your life.
La Maccina Fluffinata
Since the Fluffinator is a very geeky coffee project of mine, I have posted it on home-barista. Those of you who happen to own a Mazzer Mini E grinder and are somewhat disappointed with the quality of its grind will find it very useful.
All the rest of you won’t, but may appreciate the level of myopic focus invested on diminishing returns exhibited by the people involved. And then some of you will disapprove and comment on the injustice of it all and that half of the world is hungry. Well, that is the half that picks the coffee that both you and I drink. So there – life is not fair.
More details at http://www.home-barista.com/grinders/mazzer-mini-e-grind-distribution-improvement-mods-t12954.html#p156133
Katana – ID theft?
So in an effort to better understand the future by reading about the past, and out of respect for Uma, I am reading a famous handbook for Samurai swords by John M. Yumoto.

In the book, Mr. Yumoto discusses the issue of counterfeiting, which was apparently rampant throughout Japan at the time the swords were made. “Smiths often used friends’ names; apprentices used masters’ names and sons would use their fathers’ names.”
He quotes a legend from the smiths of Bizen Province:
The village in Osafune, in Bizen province, was known for its swordsmiths. One day Kanemitsu (金光), one of the town’s leading smiths, was enjoying a moment of rest in his shop. He suddenly found himself listening intently to the sound of the chisel of his neighbor in the shop next door.
Angrily he arose, dashed next door, and seized the sword on which the other smith had been chiseling a name.
“You were putting my name on that sword,” said Kanemitsu.

The other smith admitted that he had been doing so and apologized. “How did you know?” The guilty one asked. “Were you watching?”
“No,” answered Kanemitsu, “but I was listening. You used a greater number of strokes than was necessary if you had been writing your own name.”

Real Samurai use real Kanemitsu swords
A few weeks ago I gave a talk at an ISSA webcast about the importance of monitoring for data security. The Bizen province legend is a great example of monitoring data usage. Somehow, it is oddly comforting to know that data monitoring would have been as important to 14th century swordmakers as to modern day business owners.
/al
It’s All About The Pie
Regardless of your religion and belief, Happy Holidays!
Tower Defense
Recently, I have been enjoying the tower defense (TD) genre of game on my iPhone. In the game, I try to prevent little animated monsters from arriving at my castle and doing some malicious deeds like devouring the cute, helpless inhabitants of the castle.

Now I am not aware of any monsters that are scary, so to get into the mood I imagine that the monsters are packets with malware. Scary.
Also, since I have little experience with bows, arrows, cannons, ballistas and other primitive weapons, I imagine a sequence of firewalls, clusters of network IPS/IDS, proxies and host security apps.
After setting up the defenses, I then watch helplessly as those sinister packets slowly (but determinedly) make their way towards the castle, eventually devouring the residents. In the world of TD you mostly fail. Success means you move on to the next level to spend time yet again watching malicious packets devouring your residents. But then nothing happens. This is where my metaphor for security as a TD game collapses:
1. In TD, you have many failed attempts and one success. As a security expert, you’d better succeed more!
2. In TD, the monsters end by eating the residents. In security, the malicious packets must create value for the hacker: either sabotage, or data theft.
In a data theft scenario, the malicious packets will have to walk back past the defenses with the data. That gives us a whole new opportunity to find and disable the attack vectors.
In security, we are usually told that building the anticipated attack trees and ensuring all branches are covered makes for a safer network. Anticipating attack paths is hard. Anticipating intent is easier (steal or damage). Adding the escape path branch to the list of monitored points just makes sense, even if TD doesn’t.
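The escape-path branch described in the two points above, together with the Bizen legend from the Katana post earlier on this page (Kanemitsu noticing more chisel strokes than his neighbor’s own name required), can be turned into a small detector: baseline what each user normally sends out, then flag a day that needs “more strokes than necessary” or a sizeable transfer to a destination that user has never used before. The Python below is an added example, not code from this blog; the flow-log format, user names, hosts and byte counts are constructed for the illustration, and the thresholds (three standard deviations above the user’s own baseline, 1 MB for a never-seen destination) are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow-log lines (not real traffic). The field layout is an
# assumption made for this example:
#   <timestamp> <user> <direction in|out> <destination> <bytes>
SAMPLE_FLOWS = """\
2009-10-01T09:12:00 alice out crm.internal.example 120000
2009-10-01T09:15:00 alice in crm.internal.example 900000
2009-10-02T10:02:00 alice out crm.internal.example 100000
2009-10-03T11:40:00 alice out crm.internal.example 110000
2009-10-01T08:30:00 bob out mail.internal.example 50000
2009-10-02T08:31:00 bob out mail.internal.example 60000
2009-10-03T08:29:00 bob out mail.internal.example 55000
2009-10-04T09:05:00 alice out crm.internal.example 105000
2009-10-04T09:06:00 alice out updates.vendor.example 5000
2009-10-04T02:10:00 bob out mail.internal.example 52000
2009-10-04T02:14:00 bob out 203.0.113.42 4000000
2009-10-04T03:00:00 dave out 203.0.113.42 250000
"""

BASELINE_DAYS = ["2009-10-01", "2009-10-02", "2009-10-03"]  # learning window
WATCH_DAY = "2009-10-04"                                      # day being monitored


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, user, direction, dest, nbytes = line.split()
        records.append({"day": ts[:10], "user": user, "direction": direction,
                        "dest": dest, "bytes": int(nbytes)})
    return records


def build_baseline(records, baseline_days):
    """Per user: mean and population stddev of daily outbound bytes over the
    baseline window (days with no outbound traffic count as zero) and the set
    of destinations the user sent to during that window."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for r in records:
        if r["direction"] != "out" or r["day"] not in baseline_days:
            continue
        daily[r["user"]][r["day"]] += r["bytes"]
        dests[r["user"]].add(r["dest"])
    baseline = {}
    for user, per_day in daily.items():
        series = [per_day.get(d, 0) for d in baseline_days]
        baseline[user] = {"mean": mean(series), "stdev": pstdev(series),
                          "dests": dests[user]}
    return baseline


def flag_egress(records, baseline, day, k=3.0, new_dest_min_bytes=1_000_000):
    """Alerts for `day`:
    - "volume": the user's outbound total exceeds mean + k*stdev of their own
      baseline (the Kanemitsu rule: more strokes than your own name needs);
    - "new_destination": a transfer of at least new_dest_min_bytes to a host the
      user never sent to during the baseline (the escape path);
    - "no_baseline": outbound traffic from a user with no learning data at all,
      which is a gap in the baseline rather than a verdict."""
    alerts = []
    volume = defaultdict(int)
    for r in records:
        if r["direction"] != "out" or r["day"] != day:
            continue
        volume[r["user"]] += r["bytes"]
        b = baseline.get(r["user"])
        if b is None:
            alerts.append({"user": r["user"], "reason": "no_baseline",
                           "dest": r["dest"], "bytes": r["bytes"]})
        elif r["dest"] not in b["dests"] and r["bytes"] >= new_dest_min_bytes:
            alerts.append({"user": r["user"], "reason": "new_destination",
                           "dest": r["dest"], "bytes": r["bytes"]})
    for user, total in volume.items():
        b = baseline.get(user)
        if b is None:
            continue
        threshold = b["mean"] + k * b["stdev"]
        if total > threshold:
            alerts.append({"user": user, "reason": "volume",
                           "bytes": total, "threshold": round(threshold)})
    return alerts


def run_demo():
    """Run the detector over the constructed sample; returns the alert list."""
    records = parse_flows(SAMPLE_FLOWS)
    baseline = build_baseline(records, BASELINE_DAYS)
    return flag_egress(records, baseline, WATCH_DAY)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In the sample, alice’s day looks like every other day and her small transfer to a new vendor host stays below the size floor, so she produces nothing; bob trips both rules at once (a 4 MB transfer to an address he has never used, and a daily total far above his own norm), which is exactly the “walking back past the defenses with the data” branch; dave has no baseline at all, which the detector reports as a gap rather than silently ignoring. A real deployment would baseline over weeks rather than three days and add the context (service accounts, backup windows) that a plain volume model cannot know.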
/al
Rebranding the Postmodern Iconography of Security
Last week Greg Shipley wrote a nice epilogue in InformationWeek regarding lessons learnt from Albert Gonzalez’s data heist (http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=219501227). He observed that while we are all cavorting merrily at the prospect of the imminent “hanging” of this thief of “modern data horses”, we did little to address the concern of data security. From my perspective, the CEOs of the companies involved seemed happier to participate in this modern “burning of the witch” than to address the lack of security for what I sincerely hope is not my data.
Similarly, Sharon’s last post discussed the lugubrious habit of equating encryption with security, with a complete disregard to processes, systems and people.
Well, security is getting to be pretty complex, and we humans, in complex situations, tend to flock to iconography.
Original icons are of the deity sort. But postmodern icons can be anything. Espresso crema, evil high fructose corn syrup, local produce, Ken Lewis lying to investors, reduction of carbon footprint.
Encryption can be an icon.
DLP can be an icon (in fact, DLP is fast appearing as an icon, albeit a useless one, on many a security and network product).
Since data security is a need, it can be addressed via a methodical evaluation of risk and rigorously balancing the business virtue vs. the risk of loss; technology becomes a facilitator of process and methods – a requisite part – but nonetheless just a part – of the solution.
Alternatively, it can also be addressed by installing a system of icons: a statue of Ganesh, a road prayer, a hamsa, a statue of the Virgin Mother, a DLP solution, or an encryption solution will all achieve the same – and wanting – results.
For the security practitioner, icons are comforting: they own the latest, the highest performing, the best rated, etc. But unlike board members, who really account for nothing but their quarterly signatures, comfort does not alleviate the need to deliver. Owning the CD of a multi-million dollar high quality application is useless if you can’t afford the 10 servers it needs to run, the abundance of professional services needed for set up and the 100 administrators needed for it to run. All this while the board is waiting to decide if a sacrificial goat is needed.
This has occurred in the past. The roads of security are littered with the carcasses of “ex security experts” who expired when the icons of firewalls became technologies that had to be configured properly and maintained. Similarly, PKI took its pound of flesh at the security altar and raised PKI-as-an-icon to the gods.
Data security is already setting up to be the Kali of the security world. On one hand, effective, business-centric data security makes VPs. I know many system operators and administrators who became security and compliance VPs. Similarly, I know many who have been badly burnt by the data security goddess. Those are better off seeking different employment (barista, perhaps?).
As for me? I am getting to taste the vice of pride, being involved in a market that is fast becoming the chopping block of mediocrity. Bring it on, icon peddlers!
Recovery (Yay!)
Security pie was the first to alert you to “The unprecedented use of the term unprecedented in the current crisis is terrifying” back in September 08. Hopefully you used that warning wisely and moved all your money and houses to a safe place like Iceland.
Well, here we are again with another scoop.
“We have hit the bottom”, “prices are stabilizing”, “leading indicators show us that a recovery is imminent” are all positive leading signs that we have had enough of the emotional rollercoaster that is a side effect of investing our collective psyche in hysteria, and would now like to displace that hysteria with a well-earned sense of complacency.
But English is beautiful, just as American customers remind me of non-confrontational adolescents: the word imminent is boundless. It can be now, and it can be a year from now (i.e. nascent).
I, for one, will start a political movement called “Recovery Now”. That is, if I were a non-confrontational adolescent.
/al
The ultimate geek drink
No – it is not coke.
For sheer geek delight nothing comes close to espresso. Imagine a beverage that comes bundled with a heritage of being invented in 1900s Italy (that is like Python having the prestige heritage of Fortran: ordained – but miserably failed – to take over the world); a drink so chemically complicated that generations of Italians have toiled in garages and basements to create and refine brilliant but dangerous contraptions that would guarantee a perfect cup of joe.
Happy Asses

Happy asses, I assume, of users of Toto washlets: http://www.totopartners.com/Portals/0/Product%20Images/66d3dad5-719a-4ab0-bc47-ba38f64e43ab.pdf. No ambiguity in this picture: the asses are decidedly happy.
Toto CEO Kunio Harimoto decides to take advanced washlets to clean as-of-yet unhappy American asses (http://www.economist.com/people/displaystory.cfm?story_id=14082288).
National ass says: Oh Joy.
Another happy ass:

-al
Oops moments
So by now everyone should be familiar with the fact that a security vendor (which, ironically, sells a DLP solution) has leaked a list of participants to a Sydney security summit conference. Included were their names, email addresses and phone numbers. Over 1000 records were leaked.
Oops happens. DLP might not be configured correctly. Time to review policies. Time to train marketing folk to review their emails before hitting “send”.
To me what was interesting was something said by their VP of APAC sales, who was interviewed on Risky Biz, a somewhat amusing and deferent Australian security podcast at http://risky.biz/netcasts/risky-business/risky-business-117-mcafee-tries-explain-data-loss-incident. The VP claimed (20:30) that the breach was not as “serious data” as, say, “financial information or mission critical information”, but just a contact list. That comment sheds light on misunderstandings and confusion around what constitutes confidential data and the difference between IP and entrusted data.
To the vendor, the data was just a contact list. It was not their “financial data” nor “mission critical information”. In the words of the VP, this was not “serious data” but a “contact list”. What seemed to be overlooked was that the data was important to the customer. The VP was unable to take the customer’s point of view (POV) and thus accept the vendor’s responsibility for customer data. Amusing, but it points to a basic flaw in human reasoning.
In providing DLP consulting I find that the ability to change a POV is a critical competency for the security expert. The ability to realize that “what is important to me” might differ from “what is important to them” is critical for a successful DLP deployment. The ability to don HR glasses, R&D glasses or customer glasses and try to understand what is important to them is critical.
Unfortunately, the ability to shift POV is a new requirement for the security expert. The nature of the threat has changed with DLP.
When dealing with inbound threats, we all face the same challenges. To quote William Shakespeare: “If you prick us do we not bleed? If you tickle us do we not laugh? If you poison us do we not die? And if you wrong us shall we not revenge?” We are all in the same boat. I do not want a virus to attack my machine. You do not want a virus to attack your machine. I do not want a keylogger to log my bank passwords. You should not want a keylogger to log your bank passwords. I do not want my blog to be made unavailable by a DoS attack. And I guess you do not want your blog to be made unavailable by a DoS attack.
But as for data, my confidential data is (probably) wholly different than your data. We might share an aversion to the loss of credit card data and national ID numbers (or SSNs) but the usage patterns of that data and the need to collect and store that data changes from user to user. And my IP (intellectual property) is wholly different than yours (unless I was careless with my data OR you were careless with your data, and we got to share in the booty!). For this, the security professional must be able to put themselves in the shoes of their businesses, users and partners (e.g. customers), understand their needs, and assist them in securing their processes and procedures. DLP can help by exposing the uses and abuses of the data, but it cannot do the process work for the professional.
I find that the ability to change POV seems to come with experience and maturity of the professional along with the inevitable tossing out of security dogmatism and the acceptance of practiced pragmatism. I guess if you wait long enough, it shall come (or not).
Cheers mates,
/al
