I’m assuming the author wants us to read the title as “Things to Look Out For in Performing Risk Analysis” and not “Risk Management is Folly - Stop, Stop, Stop!” The former is fine, the latter isn’t supported by the evidence presented by the subjects of the article.
The subjects of the article are a good study from Wade Baker & Co. at Verizon, and a report from RSA’s Security for Business Innovation Council. Let’s take a look at each of these and examine why what they’re saying might contribute to poor risk management, shall we?

1.)  THE VERIZON REPORT

The Verizon report is an analysis of some 530 forensic investigations their company performed.  It is well worth your time as it’s chock full of interesting information.  As it relates to the Dark Reading piece, a coarse summary would be that “likelihood” is “different” for different people and so you can’t use the same “likelihood” across different industries.

Distilled through the lens of FAIR:

“different threat communities may be applicable based on Probability of Action factors which include: Value, Level of Effort and Risk (of Getting Caught).”

Or, even further distilled and in the words of my six year old son,

“Duh-uh”.

With regards to what I assume is the purpose of the article (What Doesn’t Work in Risk Analysis) this concept  seems just to rehash the old GIGO argument regarding risk analysis.  Great.  Can’t argue with that, nor it’s corollary QIQO (quality in, quality out).

But let me ask you -  is this really a problem common in your analysis?  Did reading this article make you go “Crap, we’ve been using data normalized across multiple industries in our analysis! They’re all wrong!”  Or have you already been accounting for the unique value proposition your company has to the specific threat community you’re worried about?  See, maybe I’m just not your average analyst, but even in my NIST/OCTAVE days, this has *never* been an issue for me.

Let me be specific, this is not a problem with Verizon’s very cool report.  It’s just that I don’t see what the big deal is.  This article is starting to feel like someone is running through the motions, trying to play the ” a crazy title gets people to read a boring article” game.

Speaking of cool reports - You know what would be cool?  I think it would be interesting to see is the quality of these companies’ “risk management process” established using good criteria,  and then correlated to the frequency and magnitude of real-world losses across the aggregate sample.  In other words, can we establish evidence that strong risk management practices not just reduce “risk” but also reduce actual incidents.

2.)  THE RSA COUNCIL “EXPLORES WHY LEGACY METHODS OF EVALUATING INFORMATION SECURITY RISK DON’T WORK IN TODAY’S CONNECTED WORLD, IN WHICH ANY NEW BUSINESS INNOVATION INHERENTLY CARRIES SOME LEVEL OF RISK TO INFORMATION.”

This report from the RSA council puts forth a seemingly obvious proposition, that risk must be balanced by reward.  Why is this news?  Now as I read the article it’s not clear if:

• The RSA Council is claiming that the CISO’s office should be the ones determining reward.  Absurd.

or

• Businesses aren’t doing a good job at determining risk and reward.

Let’s go with the latter.  So I’m pretty sure (good) businesses do a good job at estimating reward.  Businesses I’ve been a part of?  We LOVE(D) estimating reward.  We don’t tend to start projects all willy-nilly. No we tend to be careful to identify the size of the market and what it will cost to address the market.  So what could the problem be that this RSA council is trying to address?  Maybe it has to do with something like the following:

Yesterday, I got a demo of an IT-GRC application that shall remain nameless.  It seemed to be very good at the “C” bits - lots of information on regulations and expectations and even what sorts of controls would answer the regulations (which is goofy, but we’ll have to talk about that later).  It also gave you the ability to build workflow quite nicely.  But it measured NOTHING.  There really was no observable “G” and “R” was really Medium X Low X Low = High sorts of stuff.  So let’s use this relatively expensive tool as evidence of what your average CISO is armed with going into a Risk/Reward sort of meeting.  I imagine a nice board room with wood-grain paneling and glass bowls filled with little chocolate covered mints designed to give everyone involved in the meeting (CEO, CFO, CIO, CSO, VP S&M, etc…) a little sugar rush when needed and fresh breath.  The conversation goes a little something like this (apologies to Rich):

Business Guy Who Wants to Make Money Because That’s What Businesses Do: Based on market studies, we believe that initial gross revenues from the new product and technology rollout will be eleventy gazillion dollars based on a 37% market penetration in Scandinavia, alone.

CSO: Well now, we have a likelihood of “High” and a “C” impact of Medium, and an “I” impact of Low, and an “A” impact of “High” and because we are a (bank/hospital/retailer/basically any business that breathes anymore) we weight “C” by a factor of 2 - we multiplied those all together and got a “High”.

So can you guys delay the product rollout by 9 months and give me a bunch more money that’s not in the budget so that I can get this thing down to a “Medium”, please?

Again, I just don’t see the problem with Information Risk Management being that our businesses have no idea what the rewards of business might be.  Now maybe we need get a seat in that boardroom just to be able to talk about our “Mediums”, sure.  And maybe we’re infantile in our ability to describe our problem space.  But I cannot fathom that “Risk Management Doesn’t Work” because businesses haven’t been considering “reward”.

WHY RISK MANAGEMENT MAY  NOT BE WORKIN’ FOR YOU

Two meta-categories of causation:

• No skills

and/or

• No resources

Any ancillary “cause” can be mapped to one of these categories.  You could have significant resources but crappy models, and have conversations like our imaginary CSO, above.  You could have really good models and people trained and motivated to use them, but scarce time & money, so no conversation happens.

Now my question for you is - which does it make sense to acquire *first* to solve the “Why Risk Management Doesn’t Work” problems, skills or resources?

Recently I spent one week at a customer in a hotel where the staff obviously was hosting nightly parties down at my end of the hall- from about 2:00am - 5:30am each (yes- every) night I was there. The hotel I’m in tonight has no elevator. Yeah. @#$! That’s what I said. Twice in the past 10 days or so, I’ve been in really nice resort-hotels, so I’ve had the whole spectrum this month and last.

For me, sometimes it’s the little things… I really like it when hotels have conditioner, instead of just shampoo. I like space- so a nice work area is important to me. Of course a big soft bed and plenty-o-pillows is a key ingredient. A whirlpool or jetted tub (in the room) is icing on the cake. Exercise rooms are good, although half the time I’m too tired when traveling or have work to do (I know- excuses, excuses ;). Convenience is also a biggie- I had a run in Las Vegas where *every* room I had felt like it was a 10-minute walk just to the elevators. When I’m on-site for a customer, I also love the hotels with the do-it-yourself breakfast- I can go when I want and grab something before heading out for the day. I love the little lighted makeup mirrors… and of course a full-length for checking out the wardrobe. Plugs! I love lots of plugs. I like hotels that secure the outer doors early and require a key for access to various parts of the building.

Sometimes it’s the bigger things… Hotels with outside-facing doors make me paranoid, and obviously those in neighborhoods where your rims may disappear is not good either. I hate hotels that MAKE me valet park my car. It’s my car, my keys, I park it and I keep the keys- that’s my rule. (My Dad taught me a little trick of telling the valet boys that it’s a company car and against corporate policy for valet- it works!)

Traveling techies sometimes have unique needs or requests, and many of the ‘good list’ is universal for all traveler types.

So, those are some items from my little list… What about you- what do YOU look for in a good hotel?

# # #

I had a long crappy day as anyone who might follow my Twitter may have seen. I was wallowing in my own discontent when I met up with Myrcurial for lunch today. The cheshire grin on his face was something to behold. As it turns out, the weasel had been sitting on a rather significant announcement (for the last month) that he alluded to in his earlier posting today.

Myrcurial will be speaking at Last Hope! Very cool brother! His talk entitled, “From a Black Hat to a Black Suit” will be a must see for any propeller heads that have aspirations for a corner office one day.

From the talk summary:

You want it all. You can see the brass ring and you want to jump for it. But you’re scared. You don’t want to put on a suit and watch your soul shrivel like the spot price on RAM. There is another way.In this session, you will learn: why you want to do this to yourself, how to get the first job (which will suck), how to turn the first job into the next job (while still having fun), how to get the top job (sooner than you thought you could), and how to do it all without feeling like a corporate whore. You want to hack the planet? You’ve got to start somewhere.

I’ll be the smart ass in the back crackin wise.

Article Link

Mike Fratto had an interesting blog up today about Steve Hanna having submitted in essence the TCG/TNC specifications to the NEA working group for consideration as working group documents.  According to Mike these were the only documents submitted.  This actually came as no surprise to me. I have felt for a long time that Cisco was not into leading the effort to blaze their own trail regarding NAC standards any more. They were just looking for a face saving way of going along with the TNC spec without looking like they caved in and crawled to Juniper and some of the other Cisco competitors in the TCG.  The NEA group is the perfect foil to call these standards by another name, but they remain the same. Frankly once Microsoft and the TCG joined forces, the writing was on the wall for Cisco.  Also, the fact that so many of Cisco's NAC customers use the NAC appliance and not the NAC framework, means that frankly the whole standards thing just didn't have the same aroma it used to.  The good news is that NAC customers and vendors (and not just NAC appliances, but everyone involved in the NAC ecosystem) can now all rally around one standard and build NAC systems that work.

Of course Fratto brings up "Grumpy" Rothman's incite about another down year for NAC.  Mike prides himself on predicting the obvious that NAC would not live up to its hype last year.  For this year he sees NAC moving into the network (NS, Sherlock). Mike finishes up with his who gives a hoot about standards spiel.  I think on that score, Fratto sets Mike straight and I will defer to Mike F.

Also to note Mike Rothman refers to another crystal ball blog article, this one by Thomas and Nate over at Matasano. With my history of mixing it up with Thomas, I don't want to come off as sour grapes on Thomas's outlook for NAC.  But I think in a classic case of when you are a hammer, everything looks like a nail , Thomas looks at NAC from the point of view of the kind of research he does.  The fact is what most customers want their NAC to do is not anywhere near what Thomas is talking about or the kind of things he researches. I also am not sure he is up on all of the different technologies used in NAC because you certainly don't need "100 crappy 1U security boxes" to do NAC across the enterprise.  I do think Nate has a better handle on it, with NAC becoming a feature on switches and in endpoint agents.

Frankly, I am always baffled by these predictions on NAC. I always wonder why they are not talking to our customers.  I find it hard to believe that I or the rest of us at StillSecure were that smart.  We have recognized from the beginning that working with network vendors was going to be key in the NAC market.  So we have forged OEM and partner relationships with most of the switch vendors out there. We have tried hard to allow NAC to leverage existing investments in security.  I think most of the customers and people looking at NAC see the value in it.  No, it is not the silver bullet (and maybe that great white hope tag is what is dragging down perceptions by some) but it is a great tool for security and compliance for most companies.  I know we are not alone among NAC vendors seeing this either.  Yes there was a lot of snake oil out there, but I think the shake out is  by real players staying and the BS walking.

Mike Fratto had an interesting blog up today about Steve Hanna having submitted in essence the TCG/TNC specifications to the NEA working group for consideration as working group documents.  According to Mike these were the only documents submitted.  This actually came as no surprise to me. I have felt for a long time that Cisco was not into leading the effort to blaze their own trail regarding NAC standards any more. They were just looking for a face saving way of going along with the TNC spec without looking like they caved in and crawled to Juniper and some of the other Cisco competitors in the TCG.  The NEA group is the perfect foil to call these standards by another name, but they remain the same. Frankly once Microsoft and the TCG joined forces, the writing was on the wall for Cisco.  Also, the fact that so many of Cisco's NAC customers use the NAC appliance and not the NAC framework, means that frankly the whole standards thing just didn't have the same aroma it used to.  The good news is that NAC customers and vendors (and not just NAC appliances, but everyone involved in the NAC ecosystem) can now all rally around one standard and build NAC systems that work.

Of course Fratto brings up "Grumpy" Rothman's incite about another down year for NAC.  Mike prides himself on predicting the obvious that NAC would not live up to its hype last year.  For this year he sees NAC moving into the network (NS, Sherlock). Mike finishes up with his who gives a hoot about standards spiel.  I think on that score, Fratto sets Mike straight and I will defer to Mike F.

Also to note Mike Rothman refers to another crystal ball blog article, this one by Thomas and Nate over at Matasano. With my history of mixing it up with Thomas, I don't want to come off as sour grapes on Thomas's outlook for NAC.  But I think in a classic case of when you are a hammer, everything looks like a nail , Thomas looks at NAC from the point of view of the kind of research he does.  The fact is what most customers want their NAC to do is not anywhere near what Thomas is talking about or the kind of things he researches. I also am not sure he is up on all of the different technologies used in NAC because you certainly don't need "100 crappy 1U security boxes" to do NAC across the enterprise.  I do think Nate has a better handle on it, with NAC becoming a feature on switches and in endpoint agents.

Frankly, I am always baffled by these predictions on NAC. I always wonder why they are not talking to our customers.  I find it hard to believe that I or the rest of us at StillSecure were that smart.  We have recognized from the beginning that working with network vendors was going to be key in the NAC market.  So we have forged OEM and partner relationships with most of the switch vendors out there. We have tried hard to allow NAC to leverage existing investments in security.  I think most of the customers and people looking at NAC see the value in it.  No, it is not the silver bullet (and maybe that great white hope tag is what is dragging down perceptions by some) but it is a great tool for security and compliance for most companies.  I know we are not alone among NAC vendors seeing this either.  Yes there was a lot of snake oil out there, but I think the shake out is  by real players staying and the BS walking.

1. Initial discussion with a link to a paper here
2. Longer follow-up from Mike Farnum is here (scalpel bit is explained too :-))
   
3. "Mr Hoff Strikes Back" discussion is here
   

• Security team usually does not own the 'A' - IT does. If you think "IT availability" equals "DoS defense", your view is painfully narrow
• It sucks that some folks chose 'A' over 'C-I-A', but they do!
• It often takes some effort to explain why people need to care about 'C' and 'I' (no matter how painfully obvious it is for security folks!), but you never have to explain the 'A' part
• Yes, if your data is corrupted ('I' violation), then obviously the right data is not available (leads to an 'A' violation), but this is actually far less common today compared to the following: a crappy solution is deployed to guard 'C' and 'I'; it flakes out and takes 'A' with it ... oops!
• I also disagree with taking it too far to "security against availability" (even those it happens sometimes, especially in the form of "security vs performance" or "security vs usability"); security is definitely not the opposite to availability.
• Information / IT risk management definitely covers all of C-I-A risks; thus, a security team might not be responsible if a lighting strikes a server, but such scenario must be considered in IT risk assessments.
  

10. Penetration Testing Goes Prime Time - No this is not a Tiger Team fan site! I liked the show and looking forward to more episodes and hopefully a few that go more on the computer side.

9. iPhone Hacking Reveals Security Press Whores - I knew this was going to happen and it is really kinda silly. A new device comes out and it is going to have problems. Yes they are cool hacks but you could still smell the press whoring dripping off of some of these.

8. Cross Site Request Forgery Goes Mainstream - Creating an article that diggs itself was just the start. PDP discovered a way to backdoor Gmail accounts via XSRF in April. XSRF has been around for a while under a few different names. Expect big scary things from it in the future.

7. PCI tip toes into Web Application Security - PCI has flirted with Web Application Security with it’s standard for a while. That flirtation continued with the nebulous and specific section 6.6 which says check our code or get a web application firewall. This is a best practive that will be made a must do in 2008. I hope they make it clear by then.

6. McaFee buys another network scanner to kill - In October McaFee announced the acquisition of ScanAlert. I covered my thoughts here. McaFee still has money and needs to diversify from their core AV business. I suspect more news in 2008.

5. Web Application Space Consolidates - First IBM acquires Watchfire, then in a fit of jealous rage HP acquires SPI. Neither of these seems to be spectacular valuations but I am sure the founders made out OK. This leaves Cenzic has the only pure play desktop scanner out there. They are clearly going insane, with there lame attempt to cash in on the virtualization craze. (I still laugh when I read that release.) It remains rather unclear where HP and IBM are going although it seems likely that SPI will end up part of Mercury and Watchfire will end up part of Rational. If the products remain as standalone offerings though is unclear.

4. Full Disclosure Dies - 2007 will go down as the year full disclosure died. Crappy treatment from vendors and now web site owners has driven the good guys out and the only people left are the bad guys that are in it for the money. Which leads to…

3. Russian Business Network gets more light shone on it - Scott Berinato wrote a great series of articles covering the shadowy world of the Russian Business Network and the groups it supports. Amazing stuff and blows my “kids from russia” quip out of the water. These guys are good and for real and are raking in the big bucks.

2. Web Application Security continues to rise - I have been in this space for 10 years now and it seems to have gained more exposure this year than the previous 9 combined. A full track at BlackHat, tons of coverage in the security media, and a general understanding from the CIO crowd makes 2008 look like a breakout year.

1. TJ Max leaks most credit cards in history - Really could there be any other #1. This article gives a good overview of how bad it really was inside TJMaxx. Sadly TJMaxx still had issues well into the year. They finally paid up to make it all go away.

Well there is my list of the top security stories of 2007. If you have any to add post them in the comments.

Post from: Grumpy Security Guy

Top 10 Security Stories of 2007