[SecurityRatty] tag: council

Kentucky Gambling Domains Case Stayed by Court of Appeals

Mon, 17 Nov 2008 04:08:40 +0000

As reported on Poker News, the Kentucky Court of Appeals has granted a stay of a lower court's order to seize 141 gambling-related domain names. That order was made in a case brought by the state under its "gambling devices" statute, a law intended for things like slot machines. The motion to stay came from the Interactive Media Entertainment & Gaming Association, which is affiliated with the domains playersonly.com, sportsbook.com, sportsinteraction.com, mysportsbook.com and linesmaker.com. Several other outside groups have joined the battle, including the Interactive Gaming Council, the Poker Players Alliance, the Electronic Frontier Foundation, the Center for Democracy and Technology, domain registrar Network Solutions, and the Kentucky office of the American Civil Liberties Union. Hat tip to Domain Name News.

PCI council sharpens oversight of security auditors

Sun, 16 Nov 2008 21:00:00 +0000

The PCI Security Standards Council introduces plan to sharpen oversight of qualified security assessors and approved scanning vendors.

What is the best way to find a P.I.?

Fri, 14 Nov 2008 02:32:00 +0000

Where would you find a good P.I.? Should you even settle for good? Wouldn't it make more sense to find a great one? PInow.com Investigation news gave some useful pointers in their editorial yesterday.

I decided to write about this after seeing a request on a local listserve. I wrote and advised the person that it would be difficult to judge the quality of the investigator by such a general posting. To my amazement, the reply came back; "I know...some time I just post the job, close my eyes and hope for the best".

Hope for the best? Surely nobody would say such a thing to their client when they are getting that retainer. I can understand "hoping" for the weekend to be dry if you are having a picnic, or "hoping" that your football team wins the game on Sunday...but "hoping" an investigator does a decent job?

One of the better and more professional way to find a reputable investigator or investigaive agency, is to contact a local State association such as PIAVA (www.piava.org), or an international association such as the Council of International Investigators (www.cii2.org). Members of these associations have not only been carefully vetted, but they are held accountable since their professional reputations are riding on every assignment.

Good investigators can help your attorny win that child custody case, save the company from a false suit by an unethical employee claiming a make believe injury, help you find the fraudster that ran off with the company's clients or funds and many other useful tasks. A bad one can take your money and give you next to nothing in return.

Please make sure you only ever hire the good ones.

Censorship in Dubai

Wed, 12 Nov 2008 09:56:09 +0000

I was in Dubai last weekend for the World Economic Forum Summit on the Global Agenda. (I was on the "Future of the Internet" council; fellow council members Ethan Zuckerman and Jeff Jarvis have written about the event.)

As part of the United Arab Emirates, Dubai censors the Internet:

The government of the United Arab Emirates (UAE) pervasively filters Web sites that contain pornography or relate to alcohol and drug use, gay and lesbian issues, or online dating or gambling. Web-based applications and religious and political sites are also filtered, though less extensively. Additionally, legal controls limit free expression and behavior, restricting political discourse and dissent online.

More detail here.

What was interesting to me about how reasonable the execution of the policy was. Unlike some countries -- China for example -- that simply block objectionable content, the UAE displays a screen indicating that the URL has been blocked and offers information about its appeals process.

Nigeria needs more workers for Internet security

Wed, 29 Oct 2008 21:00:00 +0000

Nigeria needs about 6,000 qualified Licensed Penetration Testers (LPTs) to manage its Internet security issues optimally, according to Sanjay Bavisi, president of the EC-Council University.

Facing Year-End Deadlines for PCI Compliance?

Tue, 28 Oct 2008 21:00:00 +0000

As I was listening to the review of PCI DSS 1.2 at this year’s annual PCI Community Meeting (click here for a recap of the event), a QSA stepped up to one of the many microphones scattered throughout the audience. Rather than asking a question, he explained that many midsized merchants have reasonably large and complex environments, yet lack the internal resources required to evaluate, procure and implement the enterprise-class security controls needed for PCI DSS compliance. The QSA then asked the Council if they would recommend a specific set of actionable technology recommendations to help these organizations in their efforts...

Data Mining for Terrorists Doesn't Work

Fri, 10 Oct 2008 02:35:43 +0000

According to a massive report from the National Research Council, data mining for terrorists doesn't work. Here's a good summary:

The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle's police chief; and Daryl Pregibon, a research scientist at Google.
They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do--perhaps inspired by watching too many episodes of the Fox series 24--can't work. "If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so."

A summary of the recommendations:

U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.
Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data... At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to "mine the miners and track the trackers."

Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

The U.S. government should periodically review the nation's laws, policies, and procedures that protect individuals' private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

Here are more news articles on the report. I explained why data mining wouldn't find terrorists back in 2005.

"Catch Me, Yes YOU Can": Realized Threats at the Corner Store

Thu, 09 Oct 2008 20:00:00 +0000

just returned from the Payment Card Industry's 2008 Members Council Meeting in Orlando, Florida. We had a blast despite the mood being somewhat dampened as a result of the uncertainty of the global financial markets (heartfelt thanks to those wise souls who've been living outside of their means and taking undue personal and commercial financial risk...). Anyhew, I met so many interesting people from both merchants and from the card brands like Visa, MasterCard, American Express, Discover & JCB International Co., Ltd.

Why Risk Management Doesnt Work (?!)

Wed, 08 Oct 2008 13:15:14 +0000

Several folks (Hi Daniel, Brent, David!) sent email & twitters asking us our opinion on a Dark Reading article called “Why Risk Management Doesn’t Work” which if you click on the link should come up for you after seeing someone’s advertisement for a few seconds.

I’m assuming the author wants us to read the title as “Things to Look Out For in Performing Risk Analysis” and not “Risk Management is Folly - Stop, Stop, Stop!” The former is fine, the latter isn’t supported by the evidence presented by the subjects of the article.
The subjects of the article are a good study from Wade Baker & Co. at Verizon, and a report from RSA’s Security for Business Innovation Council. Let’s take a look at each of these and examine why what they’re saying might contribute to poor risk management, shall we?

1.) THE VERIZON REPORT

The Verizon report is an analysis of some 530 forensic investigations their company performed. It is well worth your time as it’s chock full of interesting information. As it relates to the Dark Reading piece, a coarse summary would be that “likelihood” is “different” for different people and so you can’t use the same “likelihood” across different industries.

Distilled through the lens of FAIR:

“different threat communities may be applicable based on Probability of Action factors which include: Value, Level of Effort and Risk (of Getting Caught).”

Or, even further distilled and in the words of my six year old son,

“Duh-uh”.

With regards to what I assume is the purpose of the article (What Doesn’t Work in Risk Analysis) this concept seems just to rehash the old GIGO argument regarding risk analysis. Great. Can’t argue with that, nor it’s corollary QIQO (quality in, quality out).

But let me ask you - is this really a problem common in your analysis? Did reading this article make you go “Crap, we’ve been using data normalized across multiple industries in our analysis! They’re all wrong!” Or have you already been accounting for the unique value proposition your company has to the specific threat community you’re worried about? See, maybe I’m just not your average analyst, but even in my NIST/OCTAVE days, this has *never* been an issue for me.

Let me be specific, this is not a problem with Verizon’s very cool report. It’s just that I don’t see what the big deal is. This article is starting to feel like someone is running through the motions, trying to play the ” a crazy title gets people to read a boring article” game.

Speaking of cool reports - You know what would be cool? I think it would be interesting to see is the quality of these companies’ “risk management process” established using good criteria, and then correlated to the frequency and magnitude of real-world losses across the aggregate sample. In other words, can we establish evidence that strong risk management practices not just reduce “risk” but also reduce actual incidents.

2.) THE RSA COUNCIL “EXPLORES WHY LEGACY METHODS OF EVALUATING INFORMATION SECURITY RISK DON’T WORK IN TODAY’S CONNECTED WORLD, IN WHICH ANY NEW BUSINESS INNOVATION INHERENTLY CARRIES SOME LEVEL OF RISK TO INFORMATION.”

This report from the RSA council puts forth a seemingly obvious proposition, that risk must be balanced by reward. Why is this news? Now as I read the article it’s not clear if:

The RSA Council is claiming that the CISO’s office should be the ones determining reward. Absurd.

Businesses aren’t doing a good job at determining risk and reward.

Let’s go with the latter. So I’m pretty sure (good) businesses do a good job at estimating reward. Businesses I’ve been a part of? We LOVE(D) estimating reward. We don’t tend to start projects all willy-nilly. No we tend to be careful to identify the size of the market and what it will cost to address the market. So what could the problem be that this RSA council is trying to address? Maybe it has to do with something like the following:

Yesterday, I got a demo of an IT-GRC application that shall remain nameless. It seemed to be very good at the “C” bits - lots of information on regulations and expectations and even what sorts of controls would answer the regulations (which is goofy, but we’ll have to talk about that later). It also gave you the ability to build workflow quite nicely. But it measured NOTHING. There really was no observable “G” and “R” was really Medium X Low X Low = High sorts of stuff. So let’s use this relatively expensive tool as evidence of what your average CISO is armed with going into a Risk/Reward sort of meeting. I imagine a nice board room with wood-grain paneling and glass bowls filled with little chocolate covered mints designed to give everyone involved in the meeting (CEO, CFO, CIO, CSO, VP S&M, etc…) a little sugar rush when needed and fresh breath. The conversation goes a little something like this (apologies to Rich):

Business Guy Who Wants to Make Money Because That’s What Businesses Do: Based on market studies, we believe that initial gross revenues from the new product and technology rollout will be eleventy gazillion dollars based on a 37% market penetration in Scandinavia, alone.

CSO: Well now, we have a likelihood of “High” and a “C” impact of Medium, and an “I” impact of Low, and an “A” impact of “High” and because we are a (bank/hospital/retailer/basically any business that breathes anymore) we weight “C” by a factor of 2 - we multiplied those all together and got a “High”.

So can you guys delay the product rollout by 9 months and give me a bunch more money that’s not in the budget so that I can get this thing down to a “Medium”, please?

Again, I just don’t see the problem with Information Risk Management being that our businesses have no idea what the rewards of business might be. Now maybe we need get a seat in that boardroom just to be able to talk about our “Mediums”, sure. And maybe we’re infantile in our ability to describe our problem space. But I cannot fathom that “Risk Management Doesn’t Work” because businesses haven’t been considering “reward”.

WHY RISK MANAGEMENT MAY NOT BE WORKIN’ FOR YOU

Two meta-categories of causation:

No skills

and/or

No resources

Any ancillary “cause” can be mapped to one of these categories. You could have significant resources but crappy models, and have conversations like our imaginary CSO, above. You could have really good models and people trained and motivated to use them, but scarce time & money, so no conversation happens.

Now my question for you is - which does it make sense to acquire *first* to solve the “Why Risk Management Doesn’t Work” problems, skills or resources?

RSA Offers new Insights into Security and Innovation

Tue, 30 Sep 2008 20:00:00 +0000

Today RSA, The Security Division of EMC, released the latest research and insights from IDC and the Security for Business Innovation Council on the relationship – and disconnect – between security and business innovation. The IDC report centers on the fact that 80 percent of organizations worldwide confirm that security fears are indeed responsible for stifling business innovation.

IDC also found that although 80 percent of CEOs believe their security teams are being held formally accountable for their contributions to business growth and innovation, only 44 percent of security leaders believe they are being measured on their contributions to innovation. This finding points to a surprising lack of alignment between the expectations of C-level management and the priorities of security professionals...