[SecurityRatty] tag: protect

Data Mining for Terrorists Doesn't Work

Fri, 10 Oct 2008 02:35:43 +0000

According to a massive report from the National Research Council, data mining for terrorists doesn't work. Here's a good summary:

The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle's police chief; and Daryl Pregibon, a research scientist at Google.
They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do--perhaps inspired by watching too many episodes of the Fox series 24--can't work. "If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so."

A summary of the recommendations:

U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.
Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data... At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to "mine the miners and track the trackers."

Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

The U.S. government should periodically review the nation's laws, policies, and procedures that protect individuals' private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

Here are more news articles on the report. I explained why data mining wouldn't find terrorists back in 2005.

Hardening the Target

Wed, 08 Oct 2008 00:42:08 +0000

As enterprises increasingly depend on digitized data and seek commercial opportunities from accelerated digital access and transmission, senior management and boards of directors haven't sufficiently updated their enterprises' security protections on digitally stored information. Consequently, new and increasingly frequent attacks have occurred against their digital information assets. Enterprises must "harden the target" to protect against attacks against these assets.

Information Assurance Education: A Work In Progress

Wed, 08 Oct 2008 00:42:06 +0000

The recognition that we need improved computer security education has increased over the past several years. Recent cyberattacks in Georgia and Estonia exemplify the new threats faced by economies that rely on the Internet. Thus, more people see the need to protect cyberspace—which translates into improving computer security in all aspects of computer use—as crucial for everyone, not merely for those who work with technology. In this column, we reflect on emerging opportunities and challenges in instruction as well as the need for increasing the partnerships among industry, government, and academia to foster mutual understanding of challenges and joint participation in solutions.

Cybersecurity, password recall, IT culture and more

Mon, 06 Oct 2008 20:00:00 +0000

As part of a comprehensive cybersecurity push, the U.S. government will focus on improving its network defense capabilities and revamping acquisition rules to protect against malicious code installed during the manufacturing process of electronic devices.

Schwarzenegger again nixes data breach bill

Mon, 06 Oct 2008 00:00:00 +0000

For the second time in 12 months, California Gov. Arnold Schwarzenegger has vetoed legislation that would have set new IT security requirements designed to protect credit and debit card data in retail systems.

Symantec tests a 'Net watchdog for kids

Thu, 02 Oct 2008 20:00:00 +0000

Symantec has developed a new online service to protect children from Internet dangers.

Many computer users lack basic security precautions, survey says

Thu, 02 Oct 2008 00:00:00 +0000

Although businesses and government agencies are getting better at cybersecurity, many U.S. computer users still fail to take basic precautions to protect against cyberattacks, a survey says.

Monthly Blog Round-Up - September 2008

Wed, 01 Oct 2008 12:19:00 +0000

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups is an attempt to remind people of useful content from the past month!

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts and topics.

Shockingly, AGAIN this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up as #1 most popular post (maybe driven by my poll). BTW, see my other logging polls.
Security ROI - and its parent topic "security metrics"/"measuring security" - is definitely an ongoing HOT debate. Indeed, the old post "Security ROI Pile-Up!" takes the #2 spot this month, possibly propelled by a more recent post "Second ROI War."
Some say that "short blog posts rule", but, in reality, good, fun content is the best. Here is an example: "Dumb Luck IS a Strategy!" post makes the top list. In it, I try to explore why people still ignore security concerns even if stare people in the face...
Discussion on what you can do to soften the impact of "getting 0wned" ( "What CAN You Do?") made the top list. Good!
As before, my post "11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!"". It is both humorous and sadly true (and backed up by other sources)
Still burning hot is a post with my irreverent comments on a Terry Childs saga. Namely, "On Doomsaying (Terry Childs case)", "So ... Am I? Maybe I Am!" and "Admins , Good Guys or "I am NOT an Idiot!""

See you in October.

Possibly related posts / past monthly popular blog round-ups:

Technorati Tags: blog,security,loggings,monthly

The asymmetry of data loss - data thief has an upper hand

Wed, 01 Oct 2008 02:33:22 +0000

I read this awesome book by Dan Geer, Economics and Strategies of Data Security. This gave me structure for my thoughts about a complex topic such as data security.

When a data owner's (a business) sensitive data is breached it is difficult to quantify the monetary loss. According to respectable survey sources, the average cost of sensitive data breach for a large size company is about $50,000. I am attempting here to think about this in simple mathametical terms:

There is a data breach. From the data owner's perspective the loss is:

Loss = Cost to protect data + Loss of business due to data theft aka cost of competitive disadvantage

From the data thief's perspective

Net Gain= [Cost of producing the data * Data freshness factor] - Cost to steal the data + Profit of business due to data aka gain of competitive advantage

From the above two equations it is very clear that this is not a zero sum game. There is a clear cost asymmetry for a data owner and for a data thief. When there is an asymmetry there is an opportunity. Data owner would not even know that the data is lost because the original copy of the data may be still intact - data thief could have simply copied the data. Data theft does not look like a car theft, there is no vacuum left behind.

This motivates a data thief to keep the cost to steal low, steal highly valuable data that has a long shelf life and in a way that data owner will never even be aware of theft.

From a data thief's perspective, the cost to steal data if kept high would disincentive him. Moreover, Data freshness factor, i.e. how valuable this data is over period of time plays an important role. A good example is content of today's newspaper is hardly valuable tomorrow, but the content of newspaper two days ahead (if can be procured)would be invaluable. Data relevance is a function of time and other marketplace variables - Data freshness Factor accounts for that variable. A good way to discourage data thief is to increase his/her cost to steal the data. There are other inferences from the above equation. If there exists no competitive advantage with the stolen data, hardly any thief would even venture to steal the data in the first place. If the cost of producing data is very low, then probably thief can just produce the data himself and would not attempt to steal the data. If the cost of theft is kept high, it would definitely deter the data thief from stealing data using technical mechanisms, then the data thief would exploit weak links in data security such as use of social engineering to get access to the data.

From data owner perspective protecting data becomes very important. How much would the owner be willing to spend? Not definitely the cost equal to cost of producing the data. 1% to 10% of cost of producing data is considered prudent. For a data owner it is difficult to estimate cost of data protection of a specific data, because it is not easy to chunkify data protection costs. Moreover, as Dan Geer says in his book, a data owner has to protect himself from number of intruders not just one.

It pays for a data owner to: be aware of data breaches (or data leaks), employ appropriate mechanisms to protect the data; the cost of protection which is fractional cost of the valuable data and enhance information security awareness of personnel who handle the data.

Data loss is not a zero sum game. The advantage is in favor of a data thief (data thieves rather). Data owner does not give much thought on the value of data unless there is a data theft. But, a data thief has every reason to think about economics of data theft before he acts to steal the data else data thief won't survive in this game and he is very well aware of his advantageous position.

IBM software bundle targets retail theft, data breaches

Tue, 30 Sep 2008 20:00:00 +0000

IBM is targeting retail security with a package of software and services designed to prevent physical loss of merchandise, protect against electronic threats and comply with credit card industry regulations.