Beat To The Punch

Yesterday, Sammy Migues talked about the risk of too much risk management. The only problem is that he completely misused the term Risk Management. I was all set to post a rant about that here, and in fact spent far too much time last night writing up a response. In the meantime, the Hoff and Alex responded with far better explanations and analysis than I had. So just go there and read what they had to say instead.

Breach reporting rates

Adam’s comment to my previous post prompted me to think about breach reporting rates again. Above, there’s a slide from the presentation I delivered at FIRST 2007. It shows the breach reporting rate for different time periods, from different sources.
I think the results are pretty interesting when combined with this info from the OMB.

Disaster Preparedness by Conair

Mini-me guest posting on The Guerilla CISO tells us all some hard-learned lessons in Data Centers and Hair Driers. In it we learn (yet again!) that Disaster Recovery/Emergency Response/Business Continuity rely heavily on documentation, process being followed and, above all, regular testing. Regular testing is more than just practicing via drills or table-top exercises; it also means verifying that your documentation is accurate for the entire infrastructure, down to capacity, wiring for alarms (at one employer we found out the hard way that one of the fire sensors wasn’t hard wired to the Emergency Power Off rather than to the cutout board and, as a result, took down the data center while doing some emergency welding) and whether servers are facing the right way in the racks. In the end, it’s far better to find out in non-emergency situations that something is wrong. Also never forget that a hair dryer can help you test your fire alarm system…
[Image is Dog Fluffer by Phitar]

15-30 dataloss incidents daily, sez top Fed cyber-beancounter

The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the incident. By June 2007, 40 agencies reported almost 4,000 incidents, an average of about 14 per day. As of this week, the average had increased to 30 a day, said Karen Evans, administrator of the Office of Electronic Government and Information Technology at OMB.

Emergent Breach Analysis

When I started blogging about breaches and breach notices way back in early 2005, a number of friends wrote to say I was sounding like a broken record. They were right, and at the same time, I felt there was something really big going on, and I wanted to push it and shape it. Over the last couple of years, we’ve gone from fearing breach data to analyzing it, and even the lobbyists are a little less frantic in trying to roll things back. (Only a little, as their arguments dissolve one after another.)

So I was really happy to get mail from David Litchfield, pointing me to his new blog, and his opening entry, “SQL Injection and Data Security Breaches.”

Dan Geer has also been at the data, and has posted “some statistical analysis” of Attrition’s data.

It’s great to see more breach analysis, and I fully expect that we’re going to start seeing such data being used in presentations from Gartner, Burton, and other analyst firms. Why not take some time to look at the data and figure out how your organization could make use of it?

Have data breaches affected your information security plans? Here is your chance to have a say

Alan Shimel writes:

My friend Ilena Armstrong, Editor-in-Chief over at SC Magazine, is conducting a survey on how news of breaches, thefts and exposures is affecting organizations’ info sec plans. Below is a note from Ilena inviting you to participate. If you have a moment, please take the time to fill out the survey. Everyone who does gets a copy of the results as well as a chance to win a full boat pass to RSA. Sounds like a good deal to me!

Dear IT Security Professional,

I am writing to ask if you will take a few minutes to help with some vital industry research.

A legion of data exposures have occurred over the past year, with many affected companies not only being forced to address customer and investor concerns, but also pay fines and adhere to prolonged sets of requirements administered by the Federal Trade Commission. So just how is news of such breaches, exposures and possible thefts affecting the way organizations — large and small — focus on information security plans?

This survey, Guarding against a data breach, aims to find out and should take less than 15 minutes to complete. Click here to take the survey.

What Would One Actually Do With A Persona?

I asked Bob Blakley and Mike Neuenschwander some questions about Limited Liability Personae. Rather than focusing on the implementation, I wanted to talk about the high level purposes, as well as concerns that most people have with the idea of a persona. Whenever I discuss personae, there are issues that frequently come up, for example:

Mordaxus: What do you have to hide? That’s the obnoxious way to ask why one needs a persona. What problem does a persona solve? Is there another way to do this?

Bob Blakley: It has nothing fundamentally to do with “hiding”. It has to do with compartmentalizing risk.

There’s no good reason getting my social security number stolen should result in my bank account getting cleaned out and my credit record being polluted. This only happens because I have to “invest” my bank account in a transaction (and hence put it at risk) every time someone asks for my SSN. If I have a persona which has its own ID number and a separate bank account with a limited amount of my money in it, when I engage in a transaction I only have to put “as much of my resources and information as necessary” into the transaction. This means that my other resources (the ones I “hide”) do not have to be exposed to thieves and other bad actors.

One can of course use a persona to adopt a personality other than the one used at work or socially. This can be destructive (as when it’s used to perpetrate fraud or otherwise deceive) or constructive (as when one builds an interesting character in an online game, or constructs a persona as an artist, and so on).

Mordaxus: Won’t this just let people run amok? Many people think that “anonymity” (which I put in quotes because it includes pseudonymity to these people) is the root of many evils. I disagree and think it is a lack of accountability. It doesn’t really matter, though. How will personae make the situation better for anything from identity theft, to paying one’s bills, to politically-motivated Wikipedia edits?

Bob Blakley: An LLP isn’t anonymous, and it is accountable. The government agency which creates it requires a registration process. If something socially harmful is done using the LLP, the normal legal process can be used to associate the LLP with its owners (in fact ownership is usually public information). But as long as the law is followed, the liability incurred by the LLP does not transfer to the owners, and the owners can shield their “real” identities from transaction partners as long as they follow the law and the rules of LLC operation.

Regarding Wikipedia edits, assuming for the moment that there is actually a problem with them, an LLP is not designed to prevent politically-motivated activity of any kind including edits, and, as noted above, it’s not designed to be a vehicle for unbreakable anonymity.

Mordaxus: How will it actually protect me? This comes back to asking what a persona is actually good for.

Bob Blakley: Liability limitation is what LLCs are all about. The fundamental notion of the corporation is that it allows individuals to invest some of their resources in an enterprise which might sustain significant losses, without putting at risk resources which are not invested in the corporation.

Today the liability-limitation (and taxation) benefits of incorporation are enjoyed by business enterprises and the wealthy, but mostly not by private citizens who are not wealthy. The LLP proposal is essentially intended to provide the risk-management benefits today enjoyed by the rich to everyone.

Mike Neuenschwander: Good questions. I know Bob already took the bait on this one, but I’ll add a little more in the way of theoretical background.
First, persona building is an important human activity. In everyday experience, it’s easy to perceive the self as a unified, fixed, separable identity, but that’s not the case at all. (The philosophical / scientific discussion of the topic can be found here.)
When you probe the idea of self a bit deeper, you realize that people construct personas for nearly every relationship they engage in. They do this to fill a role that the relationship requires. Personas help set expectations among participants in a relation, provide protections for participants, and set parameters for behavior. Personas also “instruct” participants on how to behave. Role playing an archetypal character is an efficient method for humans to disseminate wisdom throughout society and across generations.

In the natural world (vs the online world), mechanisms exist to place costs on the creation of personas, so people can’t create an indefinite number of them. The natural world also makes it costly to shed personas or to defect from relations and society. In other words, there are natural processes in the natural world for keeping the system in check. In the digital world, they’re woefully sparse. We have “emoticons” (which emote individuals’ feelings) but we need “social emoticons,” which promote empathy, reciprocity, and trust among individuals.

Should Email Address Breaches Be Notification-Worthy?

Brian Krebs raises the issue in his column in the Washington Post, “Should E-Mail Addresses Be Considered Private Data?” The question raises some fascinating economics questions and a possibly unique opportunity for interesting information security signals:

A database of e-mail addresses and other contact information stolen from business software provider is being used in an ongoing series of targeted e-mail attacks against customers of several business clients, including SunTrust and Automatic Data Processing Inc. (ADP), one of the nation’s largest payroll and tax services providers.

I have a few responses:

  • First, I’m generally in favor of breach notice, as regular readers (who are tired of hearing about it) will know, and I’m always glad to see the debate extended chaotically.
  • Second, this would dramatically push up the overall cost of notifications, by requiring a rise in the quantity of notices.
  • Third, I might be willing to entertain the “too many notices” idea a bit more around email addresses. Why that’s risky isn’t obvious to most people, who use addresses like bkrebs@, rather than adam+securityfix@whatever. Is the disclosure of an address like bkrebs worthy of notice?
  • Fourth, it’s not obvious what the security expectation really is here. I think of + addresses and vanity addresses as ways for me to dump junk mail, and track who’s selling it. If I tell my bank that my address is ddfc1a093efd108181d86f0bd90bcc6f@emergentchaos, I might well have an expectation that only they have it, along with their mail processor, my domain service provider who sends all emergentchaos email to me, my buddies who operate a mail server, and everyone sniffing a network if any of those players aren’t using “StartTLS for Opportunistic Email Encryption.” That’s a lot of people. I’m not sure it’s a reasonable assumption.
  • [Updated to add] Email addresses such as that random string are a very useful part of an anti-phishing email strategy. If I sort email to ensure that only email to that address goes into a “bank” email folder, then phishing emails are far, far less effective because they’re in the wrong place.
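The last two points describe a concrete technique: give each counterparty (the bank, a merchant) its own unguessable address, and treat mail that claims to come from that counterparty but arrives at any other address as out of place. The example below is added here and is not code from the post or from Emergent Chaos. It assumes a constructed domain (`emergentchaos.example`), a constructed owner secret, and a constructed sender domain `bank.example` for the bank; the per-relationship addresses are derived with an HMAC so the owner can regenerate or rotate them after a breach notice without keeping a list of random strings.

```python
"""Per-relationship e-mail addresses as an anti-phishing signal.

Added example (not from the post). All domains, keys and messages below are
constructed for illustration.
"""
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "emergentchaos.example"            # constructed placeholder domain
OWNER_KEY = b"constructed-owner-secret-key"  # constructed; in practice a random key the mailbox owner keeps


def relationship_address(relationship: str, version: int = 1,
                         key: bytes = OWNER_KEY, domain: str = DOMAIN) -> str:
    """Derive the dedicated address for one counterparty.

    HMAC-SHA256 over "relationship:version" gives a 32-hex-char local part
    (the same shape as the random string in the post). The owner can
    regenerate it from the key; a third party who learns one address cannot
    derive the address used for any other relationship. Bumping `version`
    retires an address once a breach notice says it leaked.
    """
    tag = hmac.new(key, f"{relationship}:{version}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{tag}@{domain}"


def classify(raw_message: str, book: dict) -> tuple:
    """Route one RFC 822 message and return (folder, reason).

    `book` maps relationship name -> {"address": dedicated address,
    "sender_domain": domain the counterparty actually mails from}.
    """
    msg = message_from_string(raw_message)
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    sender = getaddresses(msg.get_all("From", []))
    from_addr = sender[0][1].lower() if sender else ""
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    # Positive rule: mail delivered to the dedicated address belongs to that
    # relationship's folder. This is the rule that makes phishing land elsewhere.
    for name, rec in book.items():
        if rec["address"].lower() in recipients:
            return (name, "sent to the dedicated address for this relationship")

    # Negative rule: mail that claims to come from the counterparty's own domain
    # but was not sent to the address the counterparty was given is either a
    # spoof or a sign the address was leaked or reused.
    for name, rec in book.items():
        sd = rec["sender_domain"].lower()
        if from_domain == sd or from_domain.endswith("." + sd):
            return ("suspect", f"claims to be {name} but was not sent to its dedicated address")

    return ("inbox", "no relationship match")


# Constructed address book and sample messages.
BOOK = {
    "bank": {"address": relationship_address("bank"), "sender_domain": "bank.example"},
}

LEGIT = f"""From: Example Bank <alerts@bank.example>
To: {BOOK['bank']['address']}
Subject: Your statement is ready

Your monthly statement is attached.
"""

PHISH = """From: Example Bank <alerts@bank.example>
To: adam@emergentchaos.example
Subject: Urgent: verify your account

Please confirm your details.
"""

OTHER = """From: news@vendor.example
To: adam@emergentchaos.example
Subject: Weekly update

Hello.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH), ("other", OTHER)):
        print(label, classify(raw, BOOK))
    print("rotated:", relationship_address("bank", version=2))
```

The protection comes from the positive rule: only mail addressed to the dedicated string reaches the "bank" folder, so a lure sent to the public address is in the wrong place no matter how convincing it looks. The negative rule is only a bonus signal; it catches a spoofed exact sender domain, not a look-alike domain, and a message that matches neither rule simply stays in the inbox.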

I think that a bank could win points for customer service, and actively distinguish themselves for security purposes by offering to do this as part of their terms of service.

It’s actually a very interesting signal in that it’s somewhat hard to forge if the bank can be relied on to follow through. Each time you notify, you’re reinforcing a message that you care about security, and that you’re willing to own up to mistakes.

Unfortunately, it’s easy to promise and not follow through at all, claiming that you’ve not been breached. (I’ve written more on signaling in “Security Signaling” and “Signaling by Counting Low Hanging Fruit?“)