jump to navigation

Security, Exploits & Vulnerabilities- Security is Never 100% February 16, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , , , ,
add a comment

In light of the recent disclosures of breaches of major security technologies and vendors, I felt compelled to write this post.  One of my favorite subjects to debate (and argue over) is security theory in general, and specifically the topics of vulnerabilities & exploits.  They are concepts that are critical in the fields of information security, risk management and other areas of security.  In truth, the concepts extend beyond IS but they are very common in the IS World and easier, in my opinion, to discuss in the context of IS.  So what are exploits & vulnerabilities and why are they important?

First, we need to understand that there is no “guaranteed security” and security can never be 100% as there are always vulnerabilities which can be exploited. We may not have identified them yet, but they do exist.   Given enough time, effort, and the right tools, any security control can be circumvented.  Security should be viewed as a function of time and effort. (this will be discussed below)  Second it is important to understand that the concepts of exploits and vulnerabilities are inextricably entwined and are mutually dependent. This is where the debate begins so first lets get a working definition of the terms. (more…)

Nortel Network Compromised for a Decade; Chinese Suspected February 14, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , , ,
1 comment so far

According to MSNBC, Nortel’s network was open to hackers since at least 2000.  It is suspected that the hackers are Chinese.  The data thieves appear to have had nearly “unfettered access” to the network and were able to download: ” “technical papers, research-and-development reports, business plans, employee emails and other documents.”  How did they access the network?  Simple. (more…)

“Slicing the Pie”; Risk Management 101 February 11, 2012

Posted by Chris Mark in Risk & Risk Management.
Tags: , , , , , , , , ,
add a comment

This is a followup to “Risk 101: an Introduction to Risk” Security, and Risk are interesting topics that lend themselves to endless debate (and the occasional argument).  They are concepts that are bandied about quite frequently but, in my experience, are often not well understood by those using the terms.  I have been asked by clients to describe risk management and security in business terms.  At the risk of over simplifying the concepts, I will explain the concepts in this post.  Security can be described rather simply as the implementation of controls to counter address a vulnerability or address a threat.  Consider your house as an example.  If you install a lock on the front door, you are implementing a control (the lock) to address a vulnerability (an unlocked door) and a threat (that an unauthorized person will enter).

Risk can be described as the function of the likelihood of an event occurring and the impact should it occur.  Risk can be quantified using a simple formula (R=P% x I$) or expressed qualitatively.  In the scenario used above, there is a risk that your house will be burglarized.  Depending upon where you live, and other factors, the likelihood (expressed in terms of probability) will vary from unlikely to more likely to very likely.  The impact of the burglary will be determined by, among other things, the value of the assets that can be stolen.  So how does this relate to security?  The concepts are (or should be) inextricably entwined.

Controls should be implemented commensurate with the identified risk.

This is a very important concept.  Consider the following scenario.  If I were to offer you $1,000 to either 1) install a burglar alarm in your house or 2) install a fence to keep lions out of your yard, which option would you choose?  Likely most readers would respond with the statement; “it depends upon where I live”.  This demonstrates the example of security and risk management.  There are two risks we are considering in this scenario.  First, is the risk of burglary and second is the risk of lion attacks.  If you live in the Kenyan bush, you may be more concerned about Lions as the probability is likely higher of a lion entering the yard then of a burglar.  If you live in New York City you are likely more concerned about burglaries than lions as lions are not found in NYC (at least not legally).    The controls you are considering are either a lock (to address the issues described previously) or a fence to address the threat of a lion entering the yard.  Additionally, when we talk about ‘commensurate with the risk’ it means that the controls should be enough to address the risk but not too great.  You would not put a $1,000 alarm system on a $500 car.  It simply does not make sense and is an inefficient use of your limited resources.

With those topics covered very briefly, how do we discuss risk management from business terms?  Easy.  Consider that the risks to which you or your business are exposed are infinite.  You may not believe there is a risk of being hit by a meteorite but I can assure you that as infinitesimally small as the chance may be, there is a chance (probability) and the impact is likely not very good (injury or death).   If you question the example, read about the Sylacaugqa Meteorite here.

Now consider that the resources at your disposal (man hours, money, expertise, technology, information) is finite.  You may have a huge budget, and world class expertise but the fact remains that you have finite resources to address infinite risks.  The goal of risk management is to slice the pie of resources in a manner that allows you to address the greatest risks in the most efficient and effective manner possible.  There are four primary methods of risk mitigation; Avoidance, Reduction, Sharing, and Retention or Acceptance. Using the burglary example.

Avoidance– You can ensure you don’t own anything that could be stolen. Or you could live in an isolated area where nobody else lives.

Reduction– You can reduce the risk (by reducing probability or impact) by installing locks or using a safe to protect your assets.

Sharing– You can get insurance for your assets to reimburse you if they are stolen.

Acceptance– you can simply accept the fact that burglary is a possibility but one you are willing to accept if the likelihood is remote or you have no assets to steal.

The idea is to allocate the pieces of pie (which represents your finite resources) in a manner to address as much of the risk as possible.  It should be noted that there will always be residual risk and the possibility of Black Swan events.

Why Regulation Cannot Prevent CyberCrime (TransactionWorld) February 6, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Leglslation, Risk & Risk Management.
Tags: , , , , , , ,
add a comment

As the maritime industry is increasingly focused on protection of data assets, I thought it would be beneficial to include an article on the topic.  This article is one I wrote for TransactionWorld in July, 2011.  It is titled: “Why Regulation Cannot Prevent CyberCrime” and is a continuation on the discussion of the impact of deterrence on behavior.

“Data security and privacy regulation have increased significantly over the past 10 years. The U.S. now has 46 state breach notification laws and there have been numerous bills introduced in Congress that propose to regulate personally identifiable information and to dictate security of such data. In spite of this increasing regulation, data breaches continue to plague the industry. Some have proposed that more regulation is the answer. Unfortunately, regulation alone is inadequate to prevent data theft and protect data.

At its core, data theft and network intrusions are crimes. At the risk of oversimplifying the work of criminologists, crime prevention can be summarized as using deterrents to affect protection of assets and prevention of theft. Protection applies to the ‘hardening’ of targets by implementing controls that increase the level of difficulty of perpetrating a crime. A vault is a good example of a protective measure. While no vault is completely impenetrable, vaults do provide significant protective value. Data security controls are protective measures. They are designed solely to limit attempts to obtain the target of value. Without a deterrence effect, criminals are free to attack companies at will without fear of retribution. This article will explore the value of deterrence in the prevention of crime.” (read full article here)

Rant Alert- Security Neophytes January 30, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , ,
add a comment

Like others who read this blog, I have worked in several areas of security over the years including physical security and information assurance.  Irrespective of the domain of security in which you work, the underlying principles are similar. Risk management, defense in depth, and incident response are common principles in all areas of security though the implementation may differ.  Security is a discipline that, like any discipline, requires study and experience to become proficient.  Physical security is about more than holding a gun and information assurance is about more than having a firewall.

I recently came across a the website of a company that states in uncertain terms that that they are experts in cybersecurity (and several other domains).  To demonstrate their “industry leading” expertise they state that they can manage ‘various firewalls’ and that they have experience with ‘intrusion detection systems’. Really? This is expertise?   While we shake our heads at their approach, some company will hire them because they can offer services at lower rates (due to the lack actual expertise) and there will be the inevitable incident.   It is this amateur approach to security that results in companies being hacked in the information assurance business and people being arrested or killed in the maritime security arena.

For what ever reason every tom, dick or harry (or sally) that has ever carried a rifle or worked for the government believes that he or she is now a “security professional”. Unfortunately, these companies make their way into the various industries and create issues for those professional organizations that have actual expertise borne of hard earned experience and have paid their dues to understand the issues and understand their discipline.