Twitter Weekly Updates for 2011-12-25

Powered by Twitter Tools

Discussing Norm Marks' GRC Wishlist for 2012

Norm Marks of the famous Marks On Governance blog has posted his 2012 wishlist.  His blog limits the characters you can leave in a reply, so I thought I’d post mine here.

1.  Norm Wishes for “A globally-accepted organizational governance code, encompassing both risk management and internal control”

Norm, if you mean encompassing both so that they are tightly coupled, I respectfully disagree.  Ethically, philosophically, these should be separate entities and ne’r the twain should meet.  Plus, accountants & auditors make poor actuaries.  See the SoA condemnation of RCSA.

Second, the problem with a globally accepted something is that it limits innovation.  We already have enough of this “we can’t do things right because we’ll have to justify doing things differently than the global priesthood says we have to” problem to deal with now.  Such documentation will only exacerbate the issue.

2.  Norm wishes for: “The convergence of the COSO ERM Framework and the global ISO 31000:2009 risk management standard.”

See #1, part 2 above.

3.  Norm wishes for:  “An update of the COSO Internal Control Framework that recognizes that internal controls are the organization’s response to uncertainty (i.e., risk), and you need the controls to ensure the likelihood and effects of uncertainty are within organizational tolerances.”

First, risk only equals uncertainty if you’re one of those stuck in the early 20th century Knightians.  For those that aren’t, and esp. actuaries and Bayesians alike, uncertainty is a factor in risk analysis – not the existence of risk.

Second, this wish seems to be beholden to the fundamental flaw of the Accounting Consultancy Industrial Complex – that Residual Risk = Inherent risk – Controls.  Let me ask you, what controls do you personally have against an asteroid slamming into your house?  But is that “high” risk?  Do you operate daily as if it’s “high” risk?  Why not?  Certainly you have weak controls, and most people would argue that their house and familys are of high value…

The reason it’s not “high risk” is because of frequency.  Yes, frequency matters in risk – and your RCSA process doesn’t (usually, formally) account for that.

4.) Norm wants “guidance that explains how you can set guidance on risk-taking that works not only for (a) the board and top management (who want to set overall limits), but also for (b) the people on the front lines who are the ones actually making decisions, accepting risks, and taking actions to manage the risks. The guidance also has to explain the need to measure and report on whether the actions taken on the front lines aggregate to levels within organizational tolerances.”

Great idea, but for this one to work, you’d have to establish guidance around reward-taking, tolerance, etc., too.

5.) Norm wants “A change to the opinion provided by the external auditors, from one focusing on compliance with GAAP to one focusing on whether the financial reports filed with the regulators provide a true and fair view of the results of operations, the condition of the organization, and the outlook for the future.”

I’m going with “bad idea” on this one.  Accountants != entrepreneurs.  Despite all their longing for control, power, and self-importance.

6.)  For Norm, Regulators should receive ” An opinion by management on the effectiveness of the enterprise-wide risk management program. This could be based on the assessment of the internal audit function”

I’m confused, how is the internal audit function in any way at all related to the quality of decision making?  Assurance is *an* evidence, a confidence value for specific risk factors.  It seems that Norm is saying that assurance is *the* evidence in total.

Frankly, very few accountants have training or exposure to probability theory, decision theory, or complexity theory.  Until they *do*, my wish for 2012 is that CPAs  reserve judgement on people trying to use real methods to solve real problems.

7.) Norm wants:  A change in attitude of investor groups, focusing on longer-term value instead of short-term results.

AGREED and +1 to you Norm!

In 10.) a, Norm desires that “audit engagements should be prioritized based on the risk to the organization and the value provided by an internal audit project.”

ABSOLUTELY NOT.  Unless Audit engagements are to be prioritized by the faulty idea of “Inherent Risk”.

Example, as a risk manager – I may have relatively stable frequency and magnitude of operational losses.  They may fall into a “low” tolerance range established by an ERMC or something.  But even though I am doing a good job (or really lucky) I may really be concerned about the process enough to warrant a high frequency of audit.  There are just so many concerns about this sort of approach by an auditor (from a risk/actuary standpoint) that I can’t disagree more.

In point 11 Norm’s wish is “An improved understanding by the board and top management of the value of internal audit as a provider of assurance relative to governance, risk management”

Me too, but I don’t think Norm and I agree on that “value.”

Again, for a mature risk management group, the value of assurance is simply the establishment of confidence values for certain inputs.  And frankly, if the board and top management understood that, I’m not sure Norm would really want them too, because many times the assurance is really a reinforcement of confidence/certainty, and frankly is a job that can easily be done with a risk model that reduces SME bias.

Finally, Norm “would like to see the term “GRC” disappear”

AMEN.  To use the ISACA/Audit terminology, Compliance is just “a risk.”  To use risk terminology, Compliance is a factor that contributes to secondary or indirect losses.

So, I’m with you – I’d like to see GRC taken out behind the shed.  Where I differ is that’s not because it becomes coupled with risk management, but rather because for me compliance aligns better with the authoritarian world of audit rather than a discipline like risk whose goal is to reduce subjectivity, or a discipline like governance whose role is to optimize resource expenditures.

Niels Bohr was right about predictions

There’s been much talk of predictions lately, for some reason. Since I don’t sell anything, I almost never make them, but I did offer two predictions early in 2010, during the germination phase of a project a colleague was working on. Since these sort of meet Adam’s criteria by having both numbers and dates, I figured I’d share.

With minor formatting changes, the following is from my email of April, 2010.

Prediction 1

Regulation E style accountholder liability limitation will be extended
to commercial accountholders with assets below some reasonably large
value by 12/31/2010.

Why:  ACH and wire fraud are an increasingly large, and increasingly
public, problem.  Financial institutions will accept regulation in order
to preserve confidence in on-line channel.


Prediction 2

An episode of "state-sponsored SSL certificate fraud/forgery" will make
the public press.

Why: There is insufficient audit of the root certs that browser vendors
innately trust, making it sufficiently easy for a motivated attacker to
"build insecurity in" by getting his untrustworthy root cert trusted by
default.  The recent Mozilla kerfuffle over CNNIC is an harbinger of
this[1].  Similarly, Chris Soghoian's recent work[2] will increase
awareness of this issue enough to result in a governmental actor who has
done it being exposed.


But only because for this one I forgot to put in a date (I meant to also say “by 12/31/2010”, which makes this one WRONG! too.

I was motivated to make this post because I once again came across Soghoian’s paper just the other day (I think he cited it in a blog post I was reading). He really nailed it. I predict he’ll do so again in 2012.

The New School of Security Predictions

Bill Brenner started it with “Stop them before they predict again!:”

My inbox has been getting hammered with 2012 vendor security predictions since Halloween. They all pretty much state the obvious:

  • Mobile malware is gonna be a big deal
  • Social networking will continue to be riddled with security holes
  • Technologies A, B and C will be dead
  • Microsoft will release a lot of security patches
  • Data security breaches will continue to get more expensive

Looking at the predictions I got this time last year for 2011, I found that any of them could be repackaged as 2012 predictions and nobody would know the difference. Here are some examples from the Zscaler Labs Research Team…

Jack Daniel followed up with “The Pandering Pentagram of Prognostication :”

The five points of the pentagram represent the key elements of “good” predictions, get them all and your prediction will land in the center of the pentagram, assuring a center brain shot to your victim. I mean reader. Whatever.

The five elements are outlined below, miss even one and your prediction may be off target and you will fail to hit your target.

  • Your prediction must be self-serving.
  • Your prediction must suck up to your customers, prospects, or others whose favor you are trying to win…

I’ll respond with a prediction that 90% of 2012 infosec predictions will contain no numbers and no dates. If someone selects a group of 10 or more predictors (say, bloggers in SBN, or 2011 BlackHat speakers with blogs) and proves me wrong, I’ll donate $100 to a charity of your

Both Bill and Jack are helping the community by pointing out the “best practices in predictions” so that people can recognize them for the self-serving (ad-serving) linkbait that most of them are.

To get something positive out of this, I encourage everyone to ask anyone who sends you predictions about the lack of underlying data.

The Pre-K underground?

Not my headline, but the New York Times:

Beyond the effort was the challenge of getting different families to work together. When matters as personal as education, values and children are at stake, intense emotions are sure to follow, whether the issue is snacks (organic or not?), paint (machine washable?) or what religious holidays, if any, to acknowledge. Oh, and in many cases, forming a co-op school is illegal, because getting the required permits and passing background checks can be so prohibitively expensive and time-consuming that most co-ops simply don’t. (“The Pre-K Underground“, The New York Times, December 16)

Read the whole thing, and then give some thought to how effectively those policies, combined with the drug war, are de-legitimizing governments, and convincing people that to live their lives involves avoiding government rules. Eventually, even legitimate and necessary functions of government like courts will fall apart.

Think I’m exaggerating?

“There’s a fairly stringent code and byzantine process for getting certified and code-compliant,” said City Councilman Brad Lander, a Democrat from Brooklyn, whose office held a meeting over the summer for any co-ops interested in pooling their resources and securing permits. “Some are genuinely for the safety of kids, and some are more debatable.”

There’s a city councilman driving doubt over the system. What does that do to the legitimacy? What happens to the social contract?

Will the war on coop kindergardens join the war on drugs?

Owning Up to Pwnage (Part 2)

On Saturday, I discussed how “I bolluxed our blog theme.”

“More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not testing the upgrade before rolling it into production.

See! That wasn’t so bad. It didn’t cost that much to talk about what went wrong. Of course, it’s small stakes, but doing these things when the stakes are small develops the habits of talking about them and makes it easier to talk about them when the stakes are (or feel) higher.”

So let me talk about another issue. A few years ago, the server at got turned into a botnet controller, and I want to talk about what happened.

The short story is easy: we failed to keep awstats up to date, and a known vuln was used to take over the account.

I could discuss some of the usability challenges associated with staying up to date, but don’t want to get into a Windows/UNIX debate here. (Just the facts: compare versions here and here, or look at this and consider how you’d decide on up-to-dateness.)

I think it was discovered by random sysadmin work, but we’re not entirely sure. Tripwire (or some variant) was running, but not covering the directory where the bot code was dropped.

More important though, is that we didn’t actually stay up to date on a service that was exposed to the entire net.

I take a couple of lessons. First, keeping everything up to date is hard. Second, we exposed awstats to everyone. We’ve since corrected that, adding a password to get to the page (and code).

The meta-lesson is that it’s easier to keep quiet than to own up to this stuff, but I’m willing to offer up a start.

Once again, if you think that talking about security incidents is a good thing, or could move us forward, I urge you to start small and disclose more as you can. It’s easier than you might think.

Twitter Weekly Updates for 2011-12-18

Powered by Twitter Tools

APT didn’t eat our theme. Adam did.

If you read this blog with a web-reader, you’ll note our (ahem) excellent new theme, and may be saying, wow, guys, “nice job”

Yeah. Ooops.

I upgraded to WordPress 3.3, and upgraded our theme, and in so doing, overwrote some of the CSS that Alex had tweaked. I didn’t test, and so things were wonky. What you see is quick hack fixes.

We could cover this up, pretend it didn’t happen, or blame APT. Hey, it’s true! Adam’s Paucity of Testing led to…oh, I can’t. Really? Even mocking people who blame everything on APT should be over by now. It’s just sad.

More to the point, we here at the New School talk a good game about how we need to talk about problems, rather than cover them up. So here’s our money where our mouths are. I, Adam Shostack, screwed up the blog presentation by not testing the upgrade before rolling it into production.

In more detail: we run this blog on the cheap. We don’t have production and test servers because it costs more. I failed to communicate with my team about the upgrade because past upgrades have gone smoothly. I didn’t bother to see if Alex would have free time to make pretty again if I created this problem, or any other problem. I just went ahead and pushed the button. Somewhere, Gene Kim is weeping at our change control process. Or maybe he’s saying “I told you so.”

No one likes to admit these things. Will we change process in the future? Probably. I haven’t brought Emergent Chaos up to WP3.3, because I’m going to try to test more. Will we backslide? Most likely. You know, these blogs, they’re a hobby, and when a security update hits, I’ll likely slap it out willy-nilly and then test to see if there’s issues.

See! That wasn’t so bad. It didn’t cost that much to talk about what went wrong. Of course, it’s small stakes, but doing these things when the stakes are small develops the habits of talking about them and makes it easier to talk about them when the stakes are (or feel) higher.

Your turn.