I’ve often read people who say that we (security, risk management) need to “think like the attacker”.  And when you read this sort of article, that usually alludes to trying to anticipate the tactics an attacker might use to mess with your C, I, or A.  Smart stuff, that, and very useful when architecting security solutions.  But as I was training some folks Monday, I was thinking in the back of my head about Threat Capability (TCap) in FAIR.  As you might know, we like to estimate the capability of a threat to apply some level of “force” against our assets.  This ability to apply force is a byproduct of the attacker’s skills and resources.  And thinking of how an attacker applies skills and resources, I came across another way we might “think” like an attacker.

Traditionally, I’ve thought of “skills” as being a byproduct of the toolset an attacker has.  This mindset probably stems from my time with Penetration Testing teams, where in the process of scoping the  PenTest I would ask our clients to select the level of effort that they wanted us to throw at them.  If a client chose “high” we’d throw every ‘spoit we had at them.  If they chose “low” we’d limit ourselves to a more commonly available toolset.

But while the resources part of TCap is time & materials (money) - the skills are really more than just the toolset.  Skills would include the ability of the attacker to be creative and innovative.    As an example of that innovation from those PenTesting days - when we got a “high” effort request, we would always try to couple that with some “social engineering”-type of attack, or some unique means of delivering an existing exploit.  Our creativity was not necessarily a byproduct of a unique exploit or tool we had, but the process by which we might deliver pre-existing or commonly available exploits.  I remember when we first got ahold of a handful of 32mb thumb drives (hey, 32mb was huge back then) and “dropped” a few in the lobby of a client’s retail space.  The keystroke loggers and phone-home script weren’t new, but using the thumb drive as delivery vehicle certainly was.

So I’ve started to really think about this concept of innovation, and how if “thinking like an attacker” means to be innovative, we ought to do the same.  I’ve been thinking of two main categories of innovation this morning.

INNOVATION

The first I’ll call Technology Innovation.  And by Technology Innovation, I mean some new, unique, “ahead of the curve” technology that an attacker can use against us.  The obvious example of which is a zero-day.  It’s that “high” tool set our PenTesters would use against the clients.  For security departments, this might be the latest security product designed to enhance our ability to P, D, and/or R.

Alternately, we can be creative in the way we deliver (manage) existing technology.  I think of this as Process Innovation.  It’s doing more with what we already have, just like the PenTest team would be creative in the delivery of an existing exploit.

Unfortunately for us - attackers have traditionally had quite a leg up on us in terms of Process Innovation.  It is much easier fro them to be creative, as they are free of political constraints and bureaucracy.  In contrast, when the security industry tries Process Innovation, the results are checklists and “standards”.  It’s committees and consensus.  An extreme example of which might be something like SABSA - a great work if you want to understand some very smart people’s comprehensive understanding of organizational security  - but the “adoption”of which will do very little to help you be innovative in P/D/R.

It’s worth noting that ultimately, this is one reason I don’t like regulatory compliance efforts - they simply serve to prove how mundane your security department is,  wasting valuable resources that could be spent on creating ways to be more effective.

PROCESS INNOVATION AS A SUBSTITUTE FOR TECHNOLOGY INNOVATION

As we come to the close of 2009, some surveys suggest that security spending isn’t horribly impacted yet by the economy (the latest from E&Y points to only 5% of their respondents getting budget cuts).  But if this is a protracted downturn, and because InfoSec is an operational expense, I would expect cash to become more and more difficult to keep.  And regardless if technology spends do slow, I believe it makes sense to think about Process Innovation because I see Process Innovation as a means to increase effectiveness without significant capital expenditures (effectiveness increases because our ability to manage risk has a direct correlation to the amount of risk we have).

The bad news is, of course, that great innovation is hard.  It is R & D.  Failure is usually a pre-requisite to success.

The good news is, our current state is so bad that many of us don’t need to come up with a whizbang new way of reducing software defects in the SDLC as innovation.  Simply inserting a risk analyst into the PMO’s processes might count as a big enough victory. Be cautioned, though,  that if we’re substituting the risk reductions provided by technology acquisition - Process Innovation might actually be even more “expensive” as it requires us to expend political capital.   But there are (forgive the term) innovative ways to spend this political capital.

For example, by taking a second now and figuring out the 3 things that the rest of the organization can do to make your life easier, when that “I need to reduce your budget” talk comes, you can be prepared to negotiate.  Get a political capital “loan” or “investment” from the C-Suite reducing your budget.  Something to the effect of: “I expected this, and am happy to give up my budget.  But if our tolerance for risk hasn’t changed, what I’d like to do is get you to personally back my office on three projects I’ve identified that can reduce our risk without requiring significant capital expenditure.”

In any case,  excitement is a good cause for sharing  it. So, why am I excited? Is it only the “new-ness” of my position?

Not so.

I am most excited to be building again. That is building as opposed to talking. I loved being an evangelist and I think I did make the world love logs just a bit more. However, I happen to think that while speaking and writing leaves a scratch on the fabric of the Universe, building products that solve people’s problems, that make people happy and that are  both affordable and enjoyable to use is leaving A BIGGER scratch.  As one old wizard said, it allows one to “strike sparks off the guard rail of the Universe!”

That is exactly why I am excited. What I do today will soon [hopefully!] translate into new products that people will enjoy to use (despite the fact that they are compliance-related :-)) and that will solve problems that cause “pain and suffering” on a grand scale.  (No, I am not saying what these are :-))

Having you define things THEN seeing them actually manifest in the real world THEN seeing people smile and say “Thanks!” is HUGELY exciting. Earning revenue in the process definitely doesn’t hurt either :-)

BTW, now I read all this stuff about “security and clouds” and laugh (I can tell you later why it is so funny to me now)

The technologies, generally regarded as promising but unproved, have yet to be widely accepted as evidence — except in India, where in recent years judges have begun to admit brain scans. But it was only in June, in a murder case in Pune, in Maharashtra State, that a judge explicitly cited a scan as proof that the suspect’s brain held “experiential knowledge” about the crime that only the killer could possess, sentencing her to life in prison.

[...]

This latest Indian attempt at getting past criminals’ defenses begins with an electroencephalogram, or EEG, in which electrodes are placed on the head to measure electrical waves. The suspect sits in silence, eyes shut. An investigator reads aloud details of the crime — as prosecutors see it — and the resulting brain images are processed using software built in Bangalore.

The software tries to detect whether, when the crime’s details are recited, the brain lights up in specific regions — the areas that, according to the technology’s inventors, show measurable changes when experiences are relived, their smells and sounds summoned back to consciousness. The inventors of the technology claim the system can distinguish between people’s memories of events they witnessed and between deeds they committed.

A similar arrogance is happening in CEP-land, where, it seems, each and every financial services event processing application is now a “CEP application” just because someone in capital markets puts “CEP” in the same paragraph. I find it ridiculous that the same market of folks who have helped destroy the global economy are now the world’s self-proclaimed authorities on complex event processing. Amazing, if you really think about it, isn’t it?

I read many posts these days by folks in the capital markets trading world, claiming their message routing application is “CEP,” or their algo trading application is “CEP,” - feeds and speed, typical of what “turns on” the financial services folks. As an editorial note: I recall when I worked for a software company, folks on the same team who worked on Wall Street would look down on folks with many years of IT experience outside of financial services. Some would say “he is only a security guy” in their attempt to put down anyone who does not have trading floor IT experience on their resume. I found it all quite ridiculous and foolish.

My resume, for what it is worth, has a number of financial services companies, including either assessing, architecting or building large scale security systems for S.W.I.F.T, Chase or SBC. This experience does not seem to “count” with the trading floor folks, since security is more about getting things right, not just supporting a form of gaming or gambling with other peoples money, with more feeds and speeds the better.

Of late, as I have watched the CEP/EP space evolve, and unfortunately, I see a similar type of “capital markets virus” spreading into CEP-land. Folks on the trading side of financial services seem to think that whatever they say or do is right, and whatever others outside of the trading side do is wrong. These folks are quick to ridicule others who have far more experience than they do, outside of the trading floor of capital markets.

After all, mostly what they do on the trading side is route orders - and if a little old lady in a small town in Iowa loses her life savings because of a bad investment decision, it means little to the folks on the trading floor, the market folks are into feeds and speed - just keep the beast alive. Place your bet on this market or that one! Away we go, faster and faster!!!!

I am sometimes a little sad to observe the same audacity in the CEP world. Instead of focusing on the hard complex problems that require accuracy, the original set of problems defined when the phrase “complex event processing” was minted, the capital market folks have hijacked the term for their marketing purposes in algo trading and order managment systems. These same people ridicule others who are working to solve the (originally stated) complex event processing problems, problems the capital market traders seemingly cannot understand, since they have never worked on complex network or security management problems.

Nevermind, that these “ultra low latency” systems cannot accurately detect a complex money laundering scheme or an elaborate fraud. Nevermind that these “CEP engines” cannot accuracy insure that Average Joe does not lose his hard earned money in a fraud scheme.

I have no problem with folks in capital markets using the term CEP, but they should not ridicule those in technical areas that are not focused on keeping the “trading beast” alive so people can lose their life savings in a blink of an eye; but instead focused on solving complex problems such as the class of problems called out when the three letter acronym “CEP” was created.

Several of the defendants have been convicted of stealing dead people’s identities to cover up their status as illegal immigrants, military deserters or convicted drunken drivers, federal officials said.

Between July 2005 and August of this year, 112 people were charged in federal court as part of the investigation, which federal officials called “Operation Deathmatch.” Authorities seized $650,000 in cash, a Mercedes-Benz, three guns and more than 80 of the fraudulent passports.

For more case studies, read the article in the SF Gate (online version of the Chronicle).

• Moderator: Jim Metzler, Vice President, Ashton, Metzler & Associates
• Rowan Snyder, CIO, KPMG
• David Michael, CIO, United Business Media Group
• Joanna Young, Chief Information Officer, Corporate Information Systems & Enterprise Services, Liberty Mutual

Jim: Is the CIO a technical job anymore? For example, inside Liberty there are business projects with an IT component.

Joanna: We are organized to partner with internal business clients or vendors who provide objectives and business requirements. We strive to figure out the smallest amount of an IT investment we can make to get this to work.

Rowan: We have both. Part of the dilemma is that the thing that sells the best is fear. I don’t want to use that to get business.

Joanna: One good example is security from an application perspective. It’s hard to talk about security investments in business terms. We put it into terms like “this is what it will cost us if we DON’T do this.” For example, a solution for spam required us to do research into what it was costing us overall. Once we put it together, the business was all for it. You have to put your business hat on and think “how can I make this important for a businessperson?” If you can’t, you may need to ask yourself why you’re pushing services on them that they may not need.

Jim: Can you give us insight into business-IT alignment? What about governance?

Rowan: Governance is the hardest part of IT. It’s not like the technology is easy. If it’s a business project with an IT component, I don’t usually get involved. It comes down to overall budget. The infrastructure we own and let people know exactly what it will cost to do it. We are a distributed IT firm, there are multiple groups. This is the most distributed and risk-prone organization I’ve worked in. It can be difficult for the business to exert control. It demonstrates risk, in security, compliance, methodologies, etc.

Joanna: Governance has become a word that nobody wants to use. It suddenly implies that IT is the holder of all the money and they are the ones that get to decide. We stopped using that word and position IT as a strategic business partner.

David: We have a highly decentralized IT set-up. We have about 600 globally and around 40 in the headquarters. We have 10 CIOs for each division, and within each division it is decentralized. We try to run each unit as autonomous. This is a close alignment with IT and business. However, then the problem of how do you have commonality between divisions and collaboration?

Jim: How can you minimize risk in distributed environment using standards and procedures?

David: The reality is it can be impractical for an organization. You end up with a patchwork of platforms and technologies. We have to accept that we’ll have multiple solutions. We can attempt to push a standard, but overall have a much more relaxed approach to manage everything. There is a lot of equality between divisions in what they can choose to purchase.

Joanna: Standards are easier to apply the further down the staff you are. The most important thing with any of this is to understand why you are making the decisions. If there is a process and pros and cons are identified, there is a clear record of why decisions were made.

Audience Poll: Everyone raised their hand that MORE standards were needed.

Audience Question: Are there inefficiencies in the data center in terms of energy and green IT? What are you doing about it?

Joanna: Everyone focuses on cars for carbon footprints. But, it’s really buildings…and then data centers. The data center has the same importance as any other efficiency. They need to be running as cheaply as possible. Corporations have a responsibility to make sure they are energy efficient.

Rowan: We recently did a carbon footprint analysis, and found that half of carbon comes from electricity, with half of that from the data center.

David: Every company does have a responsibility to look at its carbon emission globally. Consider international travel, flying, etc. As much as possible, we are not building data centers. We are using other people’s data centers in an effort to get out of the data center business.

Audience Question: How do you balance the good from standards with agile development and possible roadblocks?

Joanna: Luckily agile development is under the CIO’s control. You can see the lifecycle and savings that occur. When I look, I check what the standards are that I’m measuring by.

Jim: Does web 2.0 have any business meaning in your environment? If so, what are you doing about it?

Joanna: I’ve been in IT for 20 years. It’s another component to business IT investment, and has to be presented as such. As IT professionals we have a responsibility to identify what Web 2.0 is, and then translate to see if there is anything the company should be doing with it. Monitor it based on your current portfolio, and consider its impact.

David: It’s pretty important to our business as a media company. I don’t think it means one thing, it’s a term people use to talk about the web and what’s going on online. From mobile, to ajax, cloud computing or mashups - you can draw multiple conclusions. More and more business is being done online. We have a lot of growth opportunities online.

Rowan: Compliance, security, and privacy issues just explode with Web 2.0.

• "Schneier on Security ROI": "It's a good idea in theory, but it's mostly bunk in practice." and "The term just doesn't make sense in this context."
• Richards adds to it: "Schneier Agrees: Security ROI is "Mostly Bunk""
• "Security ROI - The debate continues": "ROI  ... reared its ugly head."
• "FOI, Failure of Investment":  "Not that you asked, but IMHO: ROI and TCO are SWAG at best. And, they are rarely at their best." The secret weapon of ROI war - FOI -  is thus unleashed!
• This is also very relevant :-)

Overall, I love it when educated peoples' debate just falls waaaay down to the level of "I won't care what YOU call it as long as you don't care what I call it...." Yuck! :-)

All security ROI coverage is tagged here: http://delicious.com/anton18/ROI. The previous, "First ROI War", is summarized here.

I observed that provided one considered “real” aardvarks and zebras — addresses that received good email amongst the spam — then aardvarks got 35% spam and zebras a mere 20%.

This has been widely picked up, first in the Guardian, and later in many other papers as well (even in Danish). However, many of these articles have got hold of the wrong end of the stick. So besides mentioning A and Z, it looks as if I should have published this figure from the paper as well…

… the point being that the effect I am describing has little to do with Z being at the end of the alphabet, and A at the front, but seems to be connected to the relative rarity of zebras.

As you can see from the figure, marmosets and pelicans get around 42% spam (M and P being popular letters for people’s names) and quaggas 21% (there are very few Quentins, just as there are very few Zacks).

There are some outliers in the figure: for example “3″ relates to spammers failing to parse HTML properly and ending up with “3c” (a < character) at the start of names. However, it isn’t immediately apparent why “unicorns” get quite so much spam, it may just be a quirk of the way that I have assessed “realness”. Doubtless some future research will be able to explain this more fully.

Target has settled a class action lawsuit with the National Federation of the Blind over accessibility complaints with Target.com. Despite the law being unclear as to whether the Americans with Disabilities Act (ADA) applies to websites, the company will pay a substantial fee and update its web site to make it accessible to the blind.

In February 2006, Bruce Sexton Jr., a student at the University of California-Berkeley and president of the California Association of Blind Students, sued Target because its web site was inaccessible to the blind. Filed in conjunction with the National Federation of the Blind, the suit was used as to spotlight many corporate sites that don’t play well—if at all—with screen reading technology.

Read the full article here.