When a data owner's (a business) sensitive data is breached it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of sensitive data breach for a large size company is about $50,000. I am attempting here to think about this in simple mathametical terms:

There is a data breach. From the data owner's perspective the loss is:

Loss = Cost to protect data + Loss of business due to data theft aka cost of competitive disadvantage

From the data thief's perspective

Net Gain= [Cost of producing the data  *  Data freshness factor] - Cost to steal the data + Profit of business due to data aka gain of competitive advantage

From the above two equations it is very clear that this is not a zero sum game. There is a clear cost asymmetry for a data owner and for a data thief. When there is an asymmetry there is an opportunity. Data owner would not even know that the data is lost because the original copy of the data may be still intact - data thief could have simply copied the data. Data theft does not look like a car theft, there is no vacuum left behind. 

This motivates a data thief to keep the cost to steal low, steal highly valuable data that has a long shelf life and in a way that data owner will never even be aware of theft.

From a data thief's perspective, the cost to steal data if kept high would disincentive him. Moreover, Data freshness factor, i.e. how valuable this data is over period of time plays an important role. A good example is content of today's newspaper is hardly valuable tomorrow, but the content of newspaper two days ahead (if can be procured)would be invaluable. Data relevance is a function of time and other marketplace variables -  Data freshness Factor accounts for that variable. A good way to discourage data thief is to increase his/her cost to steal the data. There are other inferences from the above equation. If there exists no competitive advantage with the stolen data, hardly any thief would even venture to steal the data in the first place. If the cost of producing data is very low, then probably thief can just produce the data himself and would not attempt to steal the data. If the cost of theft is kept high, it would definitely deter the data thief from stealing data using technical mechanisms, then the data thief would exploit weak links in data security such as use of social engineering to get access to the data.

From data owner perspective protecting data becomes very important. How much would the owner be willing to spend? Not definitely the cost equal to cost of producing the data. 1% to 10% of cost of producing data is considered prudent. For a data owner it is difficult to estimate cost of data protection of a specific data, because it is not easy to chunkify data protection costs. Moreover, as Dan Geer says in his book, a data owner has to protect himself from number of intruders not just one.

It pays for a data owner to: be aware of data breaches (or data leaks), employ appropriate mechanisms to protect the data; the cost of protection which is fractional cost of the valuable data and enhance information security awareness of personnel who handle the data.

Data loss is not a zero sum game. The advantage is in favor of a data thief (data thieves rather). Data owner does not give much thought on the value of data unless there is a data theft. But, a data thief has every reason to think about economics of data theft before he acts to steal the data else data thief won't survive in this game and he is very well aware of his advantageous position.

On the CD-ROM accompanying the book we included a tool called Passgen. In the book, we recommended that you maintain separate passwords on every local administrator and service account in your enterprise. This is, of course, almost impossible to manage without something to automate it for you. That’s what Passgen does. The tool generates unique passwords based on known input (an identifier and passphrase you define), sets those passwords remotely, and allows you to retrieve them later.

For a while Jesper maintained a web site for the book, running on a server in his house. His ISP changed policies and made it impractical to continue running the site. But because the tool is still so useful, I’ve put a copy in my SkyDrive—look in the “Passgen” folder.

Also, note that I’ve put a new section in the right-side column, “Resources for you.” Here’s where I’ll keep links to bits and pieces that many of you will find relevant and interesting.

Blogger: Dan Blum

It is no surprise for us to hear loose lips flapping in India about a capability to decrypt Blackberry and other carrier traffic.

After all, we’ve done basic threat analysis for years and it was only months ago that I was brought into a company-wide CISO meeting at a U.S. defense contractor to help them hash out their travel policy for mobile devices. Going into the meeting, I knew their policy restricted taking devices to a list of countries considered dangerous – but there was an exemption for BlackBerries.

Our research uncovered that BlackBerry is pretty secure in most respects. It has transport encryption along with optional password protection, remote kill, disk encryption, and S/MIME encryption. Viruses have not flourished on this functionally limited and closed platform. Few if any third party add on programs are required for additional protection. Nonetheless, I went into the meeting prepared to talk with the CISOs about the risks and security limitations of life on BlackBerry.

Was the BlackBerry exemption reasonable? At the time, BlackBerry transport encryption was not known to have been broken (to be fair, the article listed above still qualifies as rumor, not certainty of breakage). However, I pointed out that it is dangerous to assume well-equipped attackers like military or intelligence organizations can’t crack transport encryption. And even if they haven’t cracked the BlackBerry network and whole disk encryption features, sophisticated adversaries have other attack paths. Check out Neal Stephenson’s excellent book Cryptonomicon for a description of how a talented adversary might “see” your keystrokes and screen images through a motel room wall, for example.

If one of your employees – such as a key scientist, project manager, or executive – is targeted for surveillance and is carrying sensitive data through certain countries, one could argue that he or she had better undergo serious counter-intelligence training.  Learn to spot and shake tails, sneak into dark alleys for that BlackBerry fix. Learn to paper the closet with layers of aluminum foil and send messages in the dark. Defend that BlackBerry with encryption, long passphrases, and kung fu. But unless James Bond is running your company, I doubt this is what your executives have in mind for the next business trip!

Assuming your organization’s lower level employees are like needles in a haystack and won’t be bothered could be an exercise in wishful thinking. It is always possible that nation states are monitoring some or all of the airwaves. Not so long ago the NSA had a massive a covert surveillance program in place. Years before the government was reportedly snarfing up terabytes of emails and crunching them through a program called Carnivore. And of course, selective monitoring of people on watch lists continues on a large scale. This is just the surveillance we know about in the U.S. We suspect there’s more behind the scenes and especially in countries such as China. Even if you train your non-specifically-targeted low level employees to write and speak in search-keyword-free code, the carnivore programs of the world are pretty good at sniffing out those interesting needles – such as descriptions of your business plans, manufacturing processes, and trade secrets.

Sound paranoid? I admit that I don’t know what the probabilities of being targeted or monitored are – just that it can happen. It’s the height of arrogance to believe that a nation state can’t get your information if they’ve targeted it and you’re within their borders. And it’s dangerous to rely on security by obscurity when medium or high consequence information must be protected.

What can be done? If key personnel can't dispense with the BlackBerry (or any other email device) during international travel to those countries where information may be most at risk, they (the users) should limit communications to what they’d feel comfortable uttering over a potentially-monitored telephone call. Controlling incoming communications – messages sent by others – is a harder problem. Until data loss prevention (DLP) products become more contextually sensitive about the travel issues, it may be best not to synchronize the BlackBerry with the overseas user’s home mailbox. Instead, have the user give out a temporary address for the BlackBerry and warn senders to be discreet.

“Experienced end users are very intelligent.

These end users know the complex event processing problems they need to solve; and they know the limitations of the current COTS approaches marketed by the CEP community.  Even in Thailand, a country many of you might mistakenly think is not very advanced technologically, there are experts in telecommunications (who run large networks) who are working on very difficult fraud detection applications, and they use neural networks and say the results are very good.   However, there is not one CEP vendor, that I know of, who offers true CEP capability in the form of neural nets.

Almost every major bank, telco, etc. has the same opinion, and the same problem. They need much more capability than streaming joins, selects and rules to solve their complex event processing problems that Dr. Luckham outlined in his book.   The software vendors are attempting to define the CEP market to match their capability; unfortunately, their capabilities do not meet the requirements of the vast majority of end users who have CEP problems to solve.

If the current CEP platforms were truely solving complex event processing problems, annual sales would be orders of magnitudes higher.  Hence, the users have already voted.   The problem is that the CEP community is not listening.”

Not to be overly repetitive,  but the last part of this quote from a year ago is worth highlighting:

“If the current CEP platforms were truely solving complex event processing problems, annual sales would be orders of magnitudes higher.  Hence, the users have already voted.   The problem is that the CEP community is not listening.”

Frankly speaking, nothing in the “CEP world” has changed, technologically speaking, since this September 2007 post was written.  From a sales perspective, we have seen less CEP-related sales in 2008 than in prior years.   If these so called CEP products were actually capability of detecting “real” complex network-centric situations (threats) in real-time, they would be selling faster than a cup of ice water in the blazing hot Sahara desert.

Don’t shoot the messenger.  Build better detection engines!

On the other hand, maybe complex detection is too hard for most of these companies and that is why they focus on routing, mediation and relatively simple rule-based scenarios, versus complex event processing?

There are two classes of contraband at airport security checkpoints: the class that will get you in trouble if you try to bring it on an airplane, and the class that will cheerily be taken away from you if you try to bring it on an airplane. This difference is important: Making security screeners confiscate anything from that second class is a waste of time. All it does is harm innocents; it doesn't stop terrorists at all.

Let me explain. If you're caught at airport security with a bomb or a gun, the screeners aren't just going to take it away from you. They're going to call the police, and you're going to be stuck for a few hours answering a lot of awkward questions. You may be arrested, and you'll almost certainly miss your flight. At best, you're going to have a very unpleasant day.

This is why articles about how screeners don't catch every -- or even a majority -- of guns and bombs that go through the checkpoints don't bother me. The screeners don't have to be perfect; they just have to be good enough. No terrorist is going to base his plot on getting a gun through airport security if there's decent chance of getting caught, because the consequences of getting caught are too great.

Contrast that with a terrorist plot that requires a 12-ounce bottle of liquid. There's no evidence that the London liquid bombers actually had a workable plot, but assume for the moment they did. If some copycat terrorists try to bring their liquid bomb through airport security and the screeners catch them -- like they caught me with my bottle of pasta sauce -- the terrorists can simply try again. They can try again and again. They can keep trying until they succeed. Because there are no consequences to trying and failing, the screeners have to be 100 percent effective. Even if they slip up one in a hundred times, the plot can succeed.

The same is true for knitting needles, pocketknives, scissors, corkscrews, cigarette lighters and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.

To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer.

---

Bruce Schneier is chief security technology officer of BT. His new book is Schneier on Security.

http://wikileaks.org/wiki/Sarah_Palin_Yahoo_email_hack_2008

Circa midnight Tuesday the 16th of September (EST) Wikileaks’ sources loosely affiliated with the activist group ‘anonymous’ gained access to U.S. Republican Party Vice-presidential candidate Sarah Palin’s Yahoo email account gov.palin@yahoo.com. Governor Palin has come under criticism for using private email accounts to avoid government transparency mechanisms. The zip archive made available by Wikileaks contains screen shots of Palin’s inbox, example emails, address book and two family photos. The list of correspondence, together with the account name, appears to re-enforce the criticism.

Internet security has finally become an issue in presidential politics.

Palin’s use of a Yahoo account has been the subject of recent newspaper articles. The Washington Post published her Yahoo email address, which was likely a precursor to the attack.