nCircle Patterns Blog: May 2011 Archives

May 19, 2011

Fitness is to Compliance as Gaming is to Security

blog-scoreboard.jpg

I thought it might be interesting to use certain aspects of a sports event like the FIFA World Cup to understand Products, Compliance, and Security in a more holistic manner.

The FIFA World Cup has been held every 4 years since 1930, and the appeal of this event spans geographical and political boundaries hopefully making it a great explanatory device. There are three aspects to the World Cup that I'll highlight to make my point: technology, fitness, and gaming. All of these are present in this sporting event and are understood in multiple languages and cultures.

Products, compliance, and security will be explained in the same way we understand the Technology, Fitness, and Gaming in the World Cup.

Products play an important role, but, as in soccer, technology alone will not win games. We can talk about fancy shoes or the technology of the ball itself, but they are just infrastructure supporting higher level goals and objectives.

We can speak about compliance as being like the fitness program and training a team must painfully endure in order to even have a shot at the World Cup. Compliance alone is a great gauge of operational fitness, but even the fittest teams can be outplayed.

Lastly, there is a gaming strategy aspect to the World Cup and this is truly what the discipline of security is all about. Let me point out here that, unlike the game of soccer, IT security is a game that is not played to win; you are playing to 'not-lose' -- a much more appropriate framing of the strategy. You cannot plan offensive measures so you must concentrate mostly on the continuity of your business. Your dominant strategy is to raise the costs for your adversary.

IT operations have matured to a point where fitness and compliance are well understood but unless we frame security as a game, measurement and management will be difficult. For example, instead of asking the operational question of 'how long does it take to patch', a better security game question would be 'how feasible would it be for the adversary to know that this target is unpatched'. I've spoken about this concept of a knowledge margin before and I will be talking about it more in upcoming posts.

Compliance, like fitness, is about operational integrity while security is about gaming. We are playing the security game to not-lose.


May 18, 2011

Counting the Calories of IT Fitness

blog-nutri-facts.jpg

I heard a few people the other day speaking about metrics, and they said that measuring risk was hard --- if only it was as easy as their fitness program.

Since I'm interested in both, I needed to stop everything and jump into the conversation. The claim they made was that their fitness program was as simple as measuring the calories they took in and the calories that they burn; given some deficit, they are able to stay fit. In one case the objective was weight loss and they clearly were making progress. Good deal. Not to just be a pain in the ass, but I had to argue their claim based on: 1) their understanding of a calorie was wrong, and 2) even if wrong, it was good enough to get to the results they required at this point in their fitness program. At some point, they would hit a wall and need a more precise understanding in order to move forward, and this is an exact parallel to what happens with IT risk measurement and risk management in general.

Let me explain the calorie thing first and then return to how it connects with risk metrics. Counting calories on everything we ingest is how most people early in their fitness program go about managing their intake; counting calories from your heart rate monitor or some fancy exercise machine is how we go about measuring the intensity of a workout. When you first start out, this level of understanding is sufficient but, as you progress, you quickly discover that 500 calories of fruit and Greek yogurt is not the same as 500 calories of Twinkies. Remember, a calorie is a simple unit of measurement for heat developed in the 19th century. At the time, a method of measurement was needed to explain the theory of heat conservation around the leading technology of the day: steam engines. Dude, last I checked, my understanding of my biology was not that of a steam engine. Although I did enjoy a science project with my youngest where we got to set fire to all kinds of foods. My point here is that, while it is almost a misrepresentation to treat it as a parameter, it is 'good enough' to speak about calories (kCals in this case) eaten and burned, and as you become more and more fit, you will need to get more precise and actually deal with the stuff your body is really using --- carbohydrates, protein and fat. Mitochondria, and the billions of them that make up the engine that is your body, are just slightly more complex than steam engines.

Back to risk metrics and management: for an organization that is not fit at all, the measurement of any crude parameter will yield improvements, or at least the opportunity for an interdepartmental conversation that aligns objectives and goals. As you get more and more fit, you will need to get more refined in what you measure and how those measurements are socialized.

The last thing to remember is that just because you are operationally fit, it does not mean you are secure. To use an analogy, when you watch the World Cup, all the teams train hard and all the players are among the most fit individuals in the world, but that does not guarantee any of them the World Cup. Being operationally fit is 'table stakes' but winning at security is about knowing how to play the game well. More on this in another blog post.


May 17, 2011

'Is Dead' Is Dead

isdead-image.jpg

IDS is dead...no I mean pen-testing is dead...
[Check out http://carnal0wnage.attackresearch.com/node/440]
What does it mean when a person makes the assertion that something 'is dead'? This conversation comes up over and over again and, although posted back in December of 2010, this article is a great example of the 'is dead' phenomenon.

We all know what this guy is talking about because we see it firsthand in our customers. Traditional pen-testing in the style of 'Sneakers' (the 1992 film) does not scale in terms of time or space, so evolution brings us automation, as it does in any domain. While he is at it, the blogger might also mention that, for the most part, these are dead too:
- Bank Tellers
- Grocery Line Cashiers
- Postal Mail
- Business Cards
- Butcher Shops
While things do die, most services that provide value find a way to continue to add value and persist.

In all seriousness, what is important here is not manual versus automation but domain expert versus non-domain expert, in other words the evolution of a craft or function. This is the techno-social feedback loop that propels us forward, and the technology/process/people around this function, called penetration testing, are evolving. We go from 'absolutely perfect' to 'good enough'; we go from hundreds of experts to millions of semi-experts; we go from a huge, precise vocabulary of terms to a small set of general terms; and so on.

Let me be the first to make the assertion that 'Is dead' is dead!


May 4, 2011

In Blank We Trust

in-code-we-trust.jpg

All this crazy talk around Obama's scanned birth certificate document is bringing the issue of digital authenticity to the top of the news.

For example, how do you know it's really me writing this sentence? You don't, but the consequences of being wrong are not great. On the other hand, there are an increasing number of digital transactions where the consequences of being wrong are very great.

The authenticity problem has been negligible so far because institutions who have reputations on the line can't afford to publish fraudulent information. But when anyone can publish and we still trust almost everything we read, things are going to get very ugly.

We have lots of technology that lowers the cost of checking authenticity in our social lives, but even with that cost near zero, we still have to decide to put in the effort to check. When should you take the extra step to make sure something or someone is authentic and/or feasible? Do you even know how to do this?

Take this document for example: in its physical form, there are many things that protect it from being counterfeited. However, once the document is scanned, you can 'prove' almost anything about it.

There are YouTube videos about Obama's birth certificate that claim to show it's not authentic. Actually, we don't even know if the people who created the videos or the scanned documents contained in the videos are authentic. There is no 'chain of custody' equivalent from an authentic document in the physical world to its equivalent digital version. There are no digital signatures. What do we really know about any of the claims and counter claims around the digital documents presented as the President's birth certificate? Nothing.

I estimate that 95% of the content communicated over the Internet is taken at face value and assumed to be authentic. I'm not talking about obviously sketchy content but content that has been 'manufactured' with the objective of bypassing your good judgment. As human beings, we find people we trust, and then trust their communication; effectively we establish a network of trust. So many people fall victim to 'click-to-infect' scams when the message appears to come from your best friend. Yes, social networks are cyber criminals' playgrounds because they can take advantage of established trust networks.

I think consumers are already beginning to demand that digital medium assertions are cryptographically signed for authenticity. I'm not talking about overt cryptography. I'm talking about some kind of technology infrastructure that allows for a digital seal or red/green button on certain digital documents that makes it possible to verify where they came from and have more confidence in the assertions they make.
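The 'digital seal' described above is, underneath, a digital signature over the document bytes. The following is an added example (not code from the original post or from nCircle) showing the minimum a verifier needs to establish the chain of custody the post says is missing: a publisher signs the SHA-256 digest of a scanned document with a private key, and anyone holding the publisher's public key can check that the bytes they received are the bytes that were signed. It uses a Lamport one-time signature built from hashlib only, so it runs with the standard library; the sample document bytes are constructed for illustration, and a real deployment would use a standard scheme such as Ed25519 or RSA and a certified public key rather than this one-time construction.

```python
"""Sign and verify a scanned document's digest with a Lamport one-time
signature (added example; pure standard library, constructed sample data)."""
import hashlib
import hmac
import secrets

DIGEST_BITS = 256  # SHA-256 digest length in bits


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 hash of each secret, in the same order."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pub = [(_h(a), _h(b)) for a, b in priv]
    return priv, pub


def _digest_bits(document: bytes):
    """Bits of SHA-256(document), most significant first."""
    n = int.from_bytes(_h(document), "big")
    return [(n >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def sign(priv, document: bytes):
    """For each digest bit, reveal the secret from the matching half of the pair.
    This private key must never sign a second document: each reveal leaks half
    of a pair, and two signatures let an attacker forge for other digests."""
    return [pair[bit] for pair, bit in zip(priv, _digest_bits(document))]


def verify(pub, document: bytes, signature) -> bool:
    """Recompute the digest of the bytes we actually received and check that
    every revealed secret hashes to the committed public value for that bit."""
    if len(signature) != DIGEST_BITS:
        return False
    ok = True
    for s, pair, bit in zip(signature, pub, _digest_bits(document)):
        # constant-time compare; accumulate rather than short-circuit
        ok &= hmac.compare_digest(_h(s), pair[bit])
    return ok


def custody_demo():
    """Walk through the chain-of-custody scenario: the publisher signs the scan,
    a reader verifies the genuine copy, a tampered copy, and a copy 'signed'
    by someone else. Returns the three verification outcomes."""
    publisher_priv, publisher_pub = keygen()   # published out of band (e.g. via a CA)
    scan = b"%PDF-1.4 constructed sample: scanned certificate, registrar seal, page 1"
    seal = sign(publisher_priv, scan)

    genuine = verify(publisher_pub, scan, seal)
    tampered = verify(publisher_pub, scan.replace(b"page 1", b"page 2"), seal)
    impostor_priv, _ = keygen()
    forged = verify(publisher_pub, scan, sign(impostor_priv, scan))
    return {"genuine": genuine, "tampered": tampered, "impostor": forged}


if __name__ == "__main__":
    print(custody_demo())  # {'genuine': True, 'tampered': False, 'impostor': False}
```

The point of the demo is the three outcomes together: the same bytes under the publisher's key verify, a single changed word does not, and a signature made with a different key does not, even though the document is identical. That last case is what a 'red/green button' has to rest on: the reader must already trust the public key it checks against, which is why the seal is only as good as how the key was obtained.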

Without this we will all remain in the equivalent of digital darkness - or worse, we keep getting conned by people who make a living preying on the trust of humanity.


Bio

Blog: Patterns
Author: T.K.

Tim Keanini began his professional career as a musician, but has spent the past 20 years in electronic gaming and information technology. He has applied patterns found in music, gaming, and information technology to strategies successful in enterprise risk management. As CTO at nCircle, Tim's technical vision for the company has been shaped by his intimate understanding of both the "gaming mindset", which always takes into account an active opponent, and his respect for the ever-changing and complex nature of each customer's IT operations.
