Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Security Business’ tag

Security Pie and The Safety Belt Analogy

When I read an article or analysis about the effectiveness of a specific security tool, I often get upset. The main reason is that security researchers (at least the ones I read) take an “all or nothing” approach to analyzing security products: either a product works or it does not. Even when writing about defense in depth in conjunction with information, data or network security, some people have a tendency to fall into this “all or nothing” approach.

When I read Rich’s post on Web Application Firewalls, I thought it would be very useful if someone could come up with a detailed analysis of the effectiveness of different products, similar to the way the National Highway Traffic Safety Administration (NHTSA) measures the effectiveness of seat belts. Even with empirical data, researchers will argue about what the data shows:

A recently publicized claim by one analyst that seat belts reduce vehicle occupant deaths 70-80 per cent is based on studies found to contain fundamental systematic error. Deaths occur only 50 per cent less often to belted compared to nonbelted vehicle occupants in crashes, according to previously unanalyzed data from three U.S. states during recent years.

I’d like to see more information providing statistical analysis like that used in this US Roads 1997 article, showing the effectiveness of security solutions under different circumstances:

  • Mode of deployment
  • Attack vector
  • Policy used
  • Other combined security tools/methods used

This would make it possible to measure the effectiveness of security tools and to provide the proper analysis an organization needs in order to perform a proper risk analysis.

Written by sharon

December 30th, 2010 at 3:23 pm

Posted in Risk Management

How Spam Works?

How it works?

Every few days I sort through Securitypie’s spam queue. Our anti-spam engine detects most of the spam messages, but there are a few that it asks one of the administrators to approve. Most of those messages target a single post: Assaf’s self-confession “Why I miss the Soviet Union” is like a spam magnet.

Why? What is so unique about those 875 words that makes this post different? Could it be that the desire to see “a visionary CTO with a set of brass balls. Not a Cisco kowtowing CIO” makes the difference?
It would be interesting to see how the spammers treat this post. If you have a clue, send us a comment.

Written by sharon

June 29th, 2009 at 9:23 pm

Apropos Messaging

Assaf wrote about the need to have a consistent message. Let’s remember that it is even more important to set the right message. Using Rafael’s “one of the worst marketing movies” as an example:

If you believe Rafael’s marketing director, they are pretty consistent in the way they think about marketing movies: “We try to make the movies about the place where the defense expo is located,” the company source said, adding that in previous years Rafael had won prizes for its pavilions and marketing techniques.

Whether you think the movie is bad and wrong or just not to your taste, it proves again that there’s no bad marketing. Just look at the YouTube counter: 116,000 and growing.

Written by sharon

March 13th, 2009 at 2:48 pm

Good Restaurants, Security Breaches & The (wrong) Lightning Myth

lightning will hit the same place more than once

I like to revisit good restaurants. If I like the place, they will see me again; in one or two places I don’t even have to see the menu. I’m using the good restaurant analogy to describe why hackers revisit previously hacked sites: they know the place and feel comfortable. Hackers will return to the “scene of the crime” and hack it again if they can.

Recently one of our salesmen forwarded me a note from one of his prospects that had been hacked in the past. The team at that company decided that since they had been hacked once, the chance of getting hacked again was very low. “Lightning does not hit the same place twice,” the prospect wrote.

That’s wrong, of course. Lightning can strike any location more than once. It’s not just a statistical possibility; given enough time, it is actually inevitable. Some places (like tall radio towers) will get hit several times within a single lightning storm. See also here.

Poorly secured applications and databases are to hackers what radio towers are to lightning: they will get hit several times. One cannot change the weather or prevent a lightning storm, but one sure can prevent the next hack, data theft and loss of data.

Written by sharon

January 22nd, 2009 at 12:24 pm

“Something Mumbled in an Uncomprehensible Israeli Accent”

Shamelessly copied from the Internet Security and Operations Intelligence 6 (ISOI) meeting agenda.

I wish I could be there but I have better plans.

Gadi, I hope that CC copyrights do not apply.

Written by sharon

December 16th, 2008 at 12:54 am

Posted in Travel

Who should own information security requirements?

The lack of clear communication between departments never ceases to amaze me. I have spent considerable time translating security requirements between different groups of the same organization. Security requirements have a propensity for corruption: I have countless examples where what the CEO wants is rarely aligned with what the security team delivers.

Of the different security disciplines, information security, and specifically classification, is the one requirement that tends to get corrupted the most and might seem almost out of reach to many.

My early career centered around the military. In those days, security was part of the fabric of day-to-day operations. Documents had to be labelled according to their classification, and if you left a classified document on a desk, you risked being fined or thrown in jail for a few days. Security was a well-communicated requirement and considered a necessary cost of doing business. Security operations would throw you in jail; however, it was the ‘business’ that set the goals.

Classification was owned by the business owners (operations), who had an acute awareness of just how valuable the information was to the tasks at hand, and to their reference competitors, the enemy. Classification was based on the level of damage that releasing the information would cause (be it financial, operational, information gathering or other).

(Note: For more information about national security classification practices, visit the Information Security Oversight Office or download their interesting Marking Classified National Security Information booklet.)

Organizations, who now see their competitive edge blunted ever more rapidly, are taking notice. CIOs, CISOs and others are being tasked with producing information security practices with similar results within commercial industry. A CISO colleague remarked that the CEO wanted their company to be “more like Apple”, alluding to the iPod manufacturer’s well-known secretive culture. But, he also confided, no one seemed to agree on which of the terabytes of information were confidential.

In the best of cases, I work with CISOs who are tasked with figuring out how to effectively carry out a classification exercise. In many cases, however, the work is relegated to a security practitioner who might have the technical understanding but has yet to understand how exactly the business earns a living. With little buy-in from the business owners, the latter effort is doomed to fail.


Achieving alignment requires communication and some level of determination

Classification efforts must be owned and led by the business owners and should take into consideration the risk to the business. Security departments can and should assist by creating the nomenclature, infrastructure, processes and systems required. Systems can and probably should be used to assist, but they cannot replace the business owner in assigning risk to data or data types. I will discuss how systems can be used to facilitate faster classification in a separate post.

Many CISOs also find that business owners are reluctant to assist. Business owners have a justification: in many cases communication breaks down between the business owner and the security team. Language differences and top-down vs. bottom-up viewpoints all contribute to this, and some CISOs use business-savvy personnel or consultants to conduct discussions with the business owners. Over time, and with the delivery of relevant solutions, business owners will have a reason to participate more freely with security teams.

Some security organizations have come to terms with the importance of maintaining business ownership of security requirements and have implemented a vertical organization that spans from senior management (head in the clouds) to security analysts (feet on the ground), allowing full top-level access to the business owners as well as direct influence on the technology and operations side of the house. This organizational structure allows the security organization to get the real requirements from management and deliver effective solutions that answer corporate needs. For these organizations, the road to classification is much clearer.

-al

Written by assafl

August 28th, 2008 at 8:00 am