Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Risk Management’ tag

Confidence (The Other Approach to Risk Management)

without comments

I have a passion for Risk Management. In my opinion it does not matter whether one is managing information security or financial risk. If we watch closely we see that the financial guys aren’t the best risk managers (Assaf wrote about it many times…). One of the less-discussed areas of risk management is food safety. Sure, there are plenty of regulations and mandates, as well as different agencies including the CDC, FDA and USDA, to name a few, but overall there are still too many health issues with food.

Take sprouts. That harmless-looking, healthy food is known to cause health issues. According to this article:

Between 1996 and 2005, raw or slightly cooked sprouts have caused an estimated 1,636 cases of illness, or 40 percent of all food-borne illness associated with produce, according to the FDA. Though the number of cases has dropped substantially since 1999 due to stepped-up decontamination attempts by the industry, federal regulators say the current push is necessary because sprouts–a favorite among health-food enthusiasts–still pose a measure of risk to consumers.

Years later, we are still facing food-borne illness associated with sprouts.

Just recently the FDA and the CDC advised people not to eat raw alfalfa sprouts after at least 31 people were sickened by Salmonella Saintpaul infection.  According to the FDA, an investigation shows that the problem may be linked to contamination of seeds for alfalfa sprouts.

The FDA and the CDC note that suspect lots of seeds may be sold around the country and may account for a large proportion of the alfalfa seeds being used by sprout growers, and cases of illness are spread across multiple states.

Even my favorite grocer, Trader Joe’s, had to recall my favorite Nature’s Choice Alfalfa Sprouts.

But now we can all rest assured. They always test the product. Where were you during the Salmonella outbreak?

Confidence

March 2 2008 – It has been confirmed that Trader Joe’s is recalling plastic containers of sprouts due to them possibly being contaminated with salmonella bacteria. The recall was announced one day after sprout growers reported that bulk shipments of sprouts may be contaminated.
The company, based in California, has stated that it has not received any reports of people becoming sick from eating the contaminated vegetable.
The product is “Nature’s Choice Alfalfa Sprouts”, sold in tubs at Trader Joe’s stores in California and five other western states, and has expiration dates of March 9 or earlier.
The sprouts were packed into their plastic containers by the J.H. Caldwell and Sons warehouse in Maywood, L.A.
Consumers are being urged not to eat any of the affected product and to throw it away.
The recalled product codes are 202182, 202192, 202202, 202212, 202222, 202232, 202242, 202252, 202262 and 202272. The code is printed on the side of the containers and on the back of the plastic bag.

The point I’d like to make is that risk management is a never-ending process. One should understand the associated vulnerabilities (e.g. sprouts can contain Salmonella), review the business process and add the necessary controls (e.g. test for Salmonella), adding compensating controls where necessary.

At least now I have more confidence. I know that they ARE testing. Good to know.

Written by sharon

July 28th, 2009 at 11:46 am

Words I like: Significant Deficiency & Control Deficiency

without comments

The road to/from deficiency


I found the following definition of “significant deficiency” in a GAO report and I liked it. If you are outside the US or not subject to US regulations, you can substitute the reference standard mentioned in the first sentence:

A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S. generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.

Then, it also explains what a control deficiency is:

A control deficiency exists when the design or operation of a control does not allow management or employees in the normal course of performing their assigned functions to prevent or detect misstatements on a timely basis.

Written by sharon

June 8th, 2009 at 1:01 pm

Posted in Risk Management


Good Restaurants, Security Breaches & The (Wrong) Lightning Myth

without comments

Lightning will hit the same place more than once


I like to revisit good restaurants. If I like the place, they will see me again; in one or two places I don’t even need to see the menu. I’m using the good-restaurant analogy to describe why hackers revisit previously hacked sites: they know the place and feel comfortable there. Hackers will return to the “scene of the crime” and hack again if they can.

Recently one of our salesmen forwarded me a note from one of his prospects that had been hacked in the past. The team at that company decided that since they had been hacked once, the chances of getting hacked again were very low. “Lightning does not strike the same place twice,” the prospect wrote.

That’s wrong, of course. Lightning can strike any location more than once. It is not just statistically possible; given enough time, it is inevitable. Some places (like tall radio towers) get hit several times within a single lightning storm. See also here.

To hackers, poorly secured applications and databases are what radio towers are to lightning: they will get hit again and again. One cannot change the weather or prevent a lightning storm, but one certainly can prevent the next hack, data theft and loss of data.

Written by sharon

January 22nd, 2009 at 12:24 pm

I Didn’t Do It!

with 2 comments

The story below is true. Some of the names were changed to protect the innocent. Yes, there is a moral to this true story, but you’ll have to read all the way…

It was a typical day. Jose Arcadio was at his office in Los Gatos CA, probably planning the next perfect restaurant visit. Consuela Martinez was (as always) at a random hotel. This time it was in Manila, the Philippines, just before bedtime. In Sunnyvale CA, Porky Leibowitz was Blackberry-ing.


9:34 AM | Los Gatos CA | Jose: What the heck is wrong with Security Pie? It came up all jumbled.

1:46 AM +1 day | Manila, Philippines | Consuela: Looks fine to me. What exactly do you see, Jose?

9:48 AM | Sunnyvale CA | Porky: See how we see it here in the US: Chrome and FF (screenshot added).

1:50 AM +1 day | Manila, Philippines | Consuela: Did anyone touch the style or the sidebar plugin recently?

10:51 AM | Sunnyvale CA | Porky: Not me…

10:52 AM | Los Gatos CA | Jose: Ok. So this morning it looked okay. But then I posted my post as a page (by mistake). I then reposted it as a post. It happened somewhere there. But I did not knowingly make any changes anywhere. Just wrote a blog item. But I can hear Silvester saying “did you touch it?” So it was probably me…

1:55 AM +1 day | Manila, Philippines | Consuela: Okay, let’s backtrack. What is the sequence of operations that you did, precisely?

10:52 AM | Los Gatos CA | Jose: I think I did the following:

1. Clicked new page.

2. Wrote.

3. Clicked save and then post.

4. Couldn’t find it on the front page.

5. Went back, looked around, found Hong Sin’s remark under moderation and allowed it, and then figured out it was a page and not a post.

6. Copied the page to a post, named it the same and posted it. It posted corruptly.

7. Deleted the page (but not the post).

2:10 AM +1 day | Manila, Philippines | Consuela: Okay, fixed. The culprit was a <div class="main"> tag that was somehow transferred with your post when you cut and pasted it. It isn’t visible in the “visual” view, only when you switch to “HTML” view. I suggest you style-edit your post; it contains this ugly link in the middle. I think you can have some text instead where the link is just the target.

What’s the moral?

There is always one more bug. There is always something that can go wrong, and you can bet your pie that it will. Paraphrasing Assaf, I have an interest in PCI section 6.6 (don’t sue me). As I wrote in another place, things will go wrong. The above example takes place every day in different places: innocent mistakes that can go wrong. This time nothing serious happened, and our man in Manila was able to take care of it and fix the problem. Is your organization as lucky as Security Pie?
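The defect in the story, a wrapper <div class="main"> carried along by cut-and-paste and invisible in the visual editor, is the kind of thing a mechanical pre-publish check catches before a reader does. The tag-balance checker below is an added example and not code from Security Pie or from the blog’s WordPress setup; the sample post bodies are constructed for the example, and the check is deliberately stricter than a browser (it does not model a browser’s auto-closing of <p> and similar elements).

```python
"""Tag-balance check for a blog post body before it is published.

Added example, not Security Pie's own code. It flags HTML elements that are
opened but never closed, and closing tags that match nothing, which is how the
stray <div class="main"> from the story would surface. The sample inputs below
are constructed for the example.
"""
from html.parser import HTMLParser

# HTML void elements never take a closing tag, so they are ignored entirely.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class TagBalanceChecker(HTMLParser):
    """Scan an HTML fragment and record unclosed and unmatched tags."""

    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, line) for elements currently open
        self.problems = []   # human-readable findings, in order of detection

    def handle_starttag(self, tag, attrs):
        if tag in VOID_ELEMENTS:
            return
        line, _ = self.getpos()
        self.stack.append((tag, line))

    def handle_endtag(self, tag):
        if tag in VOID_ELEMENTS:
            return
        line, _ = self.getpos()
        if self.stack and self.stack[-1][0] == tag:
            self.stack.pop()          # well-nested close: nothing to report
            return
        if tag in [t for t, _ in self.stack]:
            # Closing an outer element: everything still open inside it
            # was never closed. Strict check, stricter than a browser.
            while self.stack[-1][0] != tag:
                inner, inner_line = self.stack.pop()
                self.problems.append(
                    f"<{inner}> opened on line {inner_line} is never closed")
            self.stack.pop()
        else:
            self.problems.append(
                f"</{tag}> on line {line} has no matching open tag")

    def close(self):
        """Flush the parser, then report whatever is still open at the end."""
        super().close()
        for tag, line in self.stack:
            self.problems.append(f"<{tag}> opened on line {line} is never closed")
        self.stack = []


def check_fragment(html):
    """Return the list of balance problems; an empty list means the fragment is clean."""
    checker = TagBalanceChecker()
    checker.feed(html)
    checker.close()
    return checker.problems


# Constructed sample: a post body as it might look after copy-pasting from the
# visual editor, with the theme's wrapper div carried along but never closed.
PASTED_POST = """<div class="main">
<p>Jose's post, pasted from the page draft.</p>
<p>Some text with a <a href="https://example.invalid/">link</a>.</p>
"""

# Constructed sample: the same post written fresh as a post.
CLEAN_POST = """<p>Jose's post, re-created as a post.</p>
<p>Some text with a <a href="https://example.invalid/">link</a>.</p>
"""

if __name__ == "__main__":
    for name, body in (("pasted", PASTED_POST), ("clean", CLEAN_POST)):
        print(name + ":", check_fragment(body) or "OK")
```

Run the check on the post body as it will be stored (the “HTML” view, not the visual one), since that is where the stray tag lives; wiring it into whatever step publishes the post turns an innocent cut-and-paste into a rejected save rather than a jumbled front page.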

Written by sharon

November 18th, 2008 at 6:54 pm

Posted in Risk Management, Snafu


The unprecedented use of the term unprecedented in the current crisis is terrifying

with one comment

‘An unprecedented crisis’ said Hank Paulson. http://www.politico.com/news/stories/0908/13590.html

‘American economy is facing unprecedented challenges’ added a concerned George W. Bush. http://www.foxnews.com/story/0,2933,425261,00.html

“The Secretary of the Treasury, Henry Paulson, will be granted unprecedented authority in the financial bailout plan” http://www.lockergnome.com/forsythe/2008/09/29/unprecedented-authority-granted-to-henry-paulson/

In a series of moves culminating overnight, Washington took an unprecedented step into the financial sector in a bid to steady an ailing housing market and ease a global credit crunch, analysts said. http://www.theaustralian.news.com.au/story/0,25197,24310593-20142,00.html

Tuesday, Paulson is spearheading an unprecedented global change as the Bush administration point man for the proposed $700 billion bailout of the U.S. financial industry as the economy reels from the credit crisis sparked by the national real estate slump and spiraling mortgage failure rates. http://www.usatoday.com/money/economy/2008-09-22-paulson-treasury_N.htm

But the $700bn (€480bn, £380bn) bail-out marks an unprecedented test of both the Democratic and Republican leadership in Congress, who are seeking to pass a proposal that they know will be unpopular among voters in an important election year and is opposed for ideological reasons by factions within both political parties. http://www.ft.com/cms/s/0/2c86b58a-89a4-11dd-8371-0000779fd18c.html

Bush: ‘unprecedented challenges’ call for ‘unprecedented action’ http://network.nationalpost.com/np/blogs/fpposted/archive/2008/09/19/bush-unprecedented-challenges-call-for-unprecedented-action.aspx

Why terrifying?
Because after all these exciting ‘unprecedented firsts’ everything will be ‘precedented seconds’ or, in other words, bland.

Meanwhile, while things are still interesting, have you placed your bets on September Madness?

Written by assafl

September 30th, 2008 at 4:58 pm