In a new paper, Bernd Roellgen of Munich-based encryption outfit PMC Ciphers, explains how it is possible to compare an encrypted backup image file made with almost any commercial encryption program or algorithm to an original that has subsequently changed so that small but telling quantities of data 'leaks'.

Here's the paper. Turns out that if you use a block cipher in Electronic Codebook Mode, identical plaintexts encrypt to identical ciphertexts.

Yeah, we already knew that.

And -1 point for a security company requiring the use of Javascript, and not failing gracefully for a browser that doesn't have it enabled.

And -- ahem -- what is it with that photograph in the paper? Couldn't the researchers have found something a little less adolescent?

For the record, I doghoused PMC Ciphers back in 2003:

PMC Ciphers. The theory description is so filled with pseudo-cryptography that it's funny to read. Hypotheses are presented as conclusions. Current research is misstated or ignored. The first link is a technical paper with four references, three of them written before 1975. Who needs thirty years of cryptographic research when you have polymorphic cipher theory?

EDITED TO ADD (10/9): I didn't realize it, but last year PMC Ciphers responded to my doghousing them. Funny stuff.

During this coming period, it is a reasonably safe bet that we may be in for a flurry of phishing attacks targeting the customers of these institutions using ruses like share “windfalls” and the like to tempt individuals into disclosing their credentials. However, in this blog, that’s not what I want to talk about. The implications for the employees of these organisations are, of course, also huge, and the degree of uncertainty and change that will ensue for a period of time will provide ample opportunity for the criminal fraternity to exploit....

Weldon, who is currently being investigated by the FBI over alleged corruption during his time in office, visited Libya in March to discuss a possible military deal, according to a letter describing the trip from Weldon to Defense Solutions CEO Timothy Ringgold. In May, Weldon, together with Ringgold and another company representative, traveled to Moscow to discuss working with Russia's weapons-export agency on arms sales to the Middle East.

Both trips were part of the company's effort to tap into the growing -- and often legally murky -- market for selling weapons from former Eastern Bloc countries to the Middle East and Afghanistan.

Ex-Rep. Curt Weldon, R-Penn., is helping broker deals between Russian weapons suppliers and the Iraqi and Libyan governments through his company, Defense Solutions.
Photo: H. Rumph Jr/AP

The Russians want to sell weapons to Iraq directly, but "must go slow on Iraq because of political reasons" and want to work with an "intermediary" like Defense Solutions, CEO Ringgold subsequently wrote to colleagues. "They have not spoken with any American company that can offer the quid pro quo that we can or that has the connections in Russia that we have," he boasted.

A few years ago, an American company proposing to sell weapons to Libya might have triggered a congressional hearing. So, too, would have a proposal to conduct arms deals with Russia, which the United States has accused of selling high-tech weapons to Syria and Iran.

However, U.S. government efforts to rapidly equip countries like Afghanistan and Iraq -- which have largely Soviet-origin weapons -- have created legal ambiguities and loopholes in export controls that didn't exist in years past and given rise to a new class of arms trade middlemen. So, even though both Libya and the Russian arms export agency are on official U.S. blacklists, government officials and analysts involved in weapons sales say the rules have become unclear as the push to equip allies in the global war on terror has blazed new but uncertain legal ground.

Eagerly stepping into that virgin territory is Defense Solutions, a Pennsylvania-based company that is carving out a small but lucrative niche in a new international arms bazaar. The firm boasts as its advisors a number of influential Washington insiders, such as retired General Barry McCaffrey, the former White House drug czar.

Helping the firm make key connections is Curt Weldon, a former Republican congressman from Pennsylvania at the center of an FBI investigation into alleged conflicts of interest during his time in office. Weldon, now a key executive at Defense Solutions, is working with the company to set up these weapons deals.

Defense Solutions has also proposed refurbishing Libya's BTR-60 armored personnel carriers, according to a sales proposal seen by Wired.com. Defense Solutions denies drafting a sales proposal to Libya.

It's an unusual, if not an entirely unexpected chapter for Weldon, whose time in office included frequent trips to Russia. As an influential member of the House Armed Services Committee, Weldon pushed for multibillion-dollar defense programs, like ballistic missile defense, and earned a reputation as a foreign policy gadfly, boasting of his contacts with officials in nations labeled by the administration as "rogue states" such as Libya and North Korea. Weldon's wild claims about a 9/11 cover-up and his sensationalist book warning of an Iranian terror plot, sometimes earned him official scorn and public ridicule, but it was accusations that he steered contracts to Eastern European businesses linked to his daughter's lobbying firm that drew the government's attention.

Weldon was voted out of office in 2006 just weeks after the FBI raided his daughter's home, and that of one of her associates.

Weldon did not respond to e-mails and phone requests to be interviewed or comment for this article. But in a 2006 interview, before the FBI probe was public, Weldon spoke enthusiastically about setting up a "front company" to work with the Russian arms agency, Rosoboronexport. Weldon hoped this company could sell weapons to the Middle East, and other regions, particularly to countries where the U.S. has strained relations. He claimed the director of Rosoboronexport approached him to work with "an American company that would act as a front for weapons these nations want to buy."

Weldon called the proposal an "unbelievable offer."

The administration, he acknowledged at the time, did not welcome the idea of an American company selling Russian weapons to potentially unfriendly countries. But two years later, Weldon, now a private citizen and chief strategic officer for Defense Solutions, appears to be working on precisely that sort of deal. And whether illegal or not, Defense Solutions' business represents a new phenomenon in the international arms trade business.

In years past arms brokers -- firms or individuals who serve as middlemen to facilitate weapons sales between countries -- were largely the stuff of spy thrillers. Unlike traditional American defense companies, like Lockheed Martin or Boeing, which typically sell weapons directly to NATO countries or other governments regarded as friendly to the United States, brokers are often small outfits run by people with sometimes questionable experience and reputations they will sell to anyone. One of the most infamous arms brokers, a Russian named Viktor Bout, is charged by the United States, United Nations, Interpol and others of funneling arms to terrorists and rebels around the world. He was recently arrested in Thailand. The United States is requesting his extradition on charges of supplying arms to a terrorist organization.

Two Marines lower the trim vane on the front of an Iraqi BMP-1 mechanized infantry combat vehicle that was captured during Operation Desert Storm. The American defense consulting firm Defense Solutions has proposed refurbishing Libya's aging fleet of BMP-1s. Defense Solutions denies drafting a sales proposal to Libya.

But ironically, Iraq has fueled a new market for these professional middlemen; the United States is funneling billions of dollars into modernizing Iraq's army so that the country's government can fend for itself after coalition troops withdraw. And Iraq's largely Soviet-equipped military is a natural market for Eastern European countries brimming with old or out-of-date equipment they would like to unload. The middlemen, in these cases, serve a key role by allowing the U.S. government to do business with an American company, which in turn buys equipment from Eastern Bloc countries in deals worth hundreds of millions of dollars, much of it financed with U.S. taxpayer dollars.

One of Defense Solutions' sales -- a deal to sell Hungarian-owed T-72 tanks to Iraq in 2005 -- was typical of these new foreign military sales. But on the more questionable side is the company's plans to work with Rosoboronexport, which is barred from doing business with the U.S. government, and Libya, which is still on the State Department's arms embargo list.

The Eastern European-Middle East arms-brokering business, while in some cases sanctioned by the U.S. government, has run into problems, including outright corruption and quality. Defense contractor Dale Stoffel, the president of Wye Oak Technology, and another American were gunned down in Iraq in December 2004 after Stoffel alleged that the Iraqi Ministry of Defense was involved in a kickback scheme. Like Defense Solutions, the company Stoffel worked for was refurbishing the Iraq's army Eastern Bloc equipment.

Another problem is quality. Weapons from the former Soviet Bloc, which the U.S. military euphemistically calls "nonstandard equipment," have been flagged as substandard, acknowledges Brigadier General Charles Luckey, who is in charge of security assistance at Multi-National Security Transition Command-Iraq. In an interview from Iraq, Brigadier General Luckey said: "One of the frustrating things about buying nonstandard [weapons], is that I'm the guy who has to deal with the fact that some broker I've never heard of allowed weapons to get to Iraq before they were inspected."

Defense Solutions is carving a new niche in the arms trade, selling Soviet-made weapons to Middle Eastern countries like Afghanistan and Iraq. Defense Solutions sold Hungarian-owed T-72 tanks to Iraq in 2005.

In one high-profile case, Iraqi officials alleged that a corrupt firm sold them $400 million in shoddy helicopters from Poland. More recently, a company led by a 21-year-old and a former masseur was offered a U.S. government contract worth nearly $300 million to sell ammunition to Afghanistan. The ammunition turned out to be outdated and of dubious origin and several people connected with the company have been indicted. A congressional investigation concluded that the company, which was on a State Department watch list, was able to take advantage of regulatory loopholes by using middlemen.

For those concerned about illicit arms trade, this new wave of weapons deals is rife with the potential for corruption and abuse, but for companies eager to pursue markets once regarded as dubious, it represents a lucrative business opportunity. The problem in these cases, according to those familiar with arms sales, is that it's no longer clear what's legal and what's not.

Rachel Stohl, an expert on international arms trade and a senior analyst at Center for Defense Information, says that in many ways, the rush to equip Iraq has led the United States to throw caution to the wind. She points to a report by the Government Accountability Office last year that found that some 190,000 weapons sold to Iraq have gone missing. "I think the reality is we won't know, until way after the fact, about all of these irregularities with the Iraq weapons provision program," she said. "We were providing them all these assault rifles that have gone missing. Why? They were not following the standard procedures that were in place."

But Iraq and Afghanistan aren't the only markets available to arms brokers like Defense Solutions. The gradual normalization of relations with Libya opens another door into a quasi-legal area of sales.

Like Iraq, Libya has a substantial arsenal of Soviet-origin military weapons, offering a potential market for brokers working with Russia and other former Soviet states. But even when there's not an outright ban, sales to the Middle East are often fraught with controversy, particularly to countries like Libya, which was under international sanction for more than a decade. Even as sanctions against it have been lifted, European companies proposing to sell arms to Libya have faced steep criticism, particularly since the country is still ruled by dictator Muammar Gaddafi, who took power in a military coup in 1969.

While the United States lifted Libya's "state sponsor of terrorism" designation in 2006, other restrictions, such as on the sale of arms, remain in place. A State Department spokesperson confirmed that exports of "lethal munitions" to Libya, such as tanks or related equipment, are still banned, although sales of nonlethal equipment are now allowed on a case-by-case basis.

In late March, Weldon traveled to Libya for a weeklong trip at the invitation of the Gaddafi Foundation, a group run by the son of Libya's leader, and the chairman of Libya's foreign affairs committee, according to the report he sent to Defense Solutions (.pdf), a copy of which was obtained by Wired.com. The trip reports states: "Agreement reached for Weldon to quickly return to Libya for meetings with son [of Libyan leader Gaddafi] Morti regarding defense and security cooperation."

A document dated April 16, just two weeks after Weldon's trip, outlines Defense Solutions' proposal to Libya to refurbish the country's fleet of armored vehicles, including its T-72 tanks, BMP-1 infantry fighting vehicles, and BTR-60 armored personnel carriers. A copy of the sales proposal, also provided to Wired.com, is on Defense Solutions' letterhead, appears to bear the signature of company CEO Timothy Ringgold, and is addressed to Libya's defense procurement council. "Defense Solutions is committed to delivering a full end-to-end solution to its clients," the proposal states. "Besides refurbishing these vehicles, we are capable of providing a full logistics support package, including a two year supply of spare parts, maintenance and repair services, and operator, maintenance, and repair training."

In an interview with Wired.com, Ringgold admitted that he's interested in doing business in Libya and confirms receiving Weldon's trip report from Libya, but denies drafting or signing an arms-sale proposal. "I've never made such a document to Libya," Ringgold insisted, after being read the proposal, and told that his signature is on it.

In addition to the Libyan arms-deal document, Wired.com has also reviewed copies of e-mails from Ringgold discussing the Libyan deal.

While Ringgold denies proposing an arms sale to Libya, he is open about speaking with Rosoboronexport, which has been on a U.S. government sanctions list since 2006, after the Russian state agency allegedly violated the Iran and Syria Nonproliferation Act. An April e-mail provided to Wired.com describes Ringgold, Weldon and Stephan Minikes, a senior advisor to Defense Solutions and a former ambassador, meeting with Rosoboronexport. The conversations included a number of potential deals, including supplying Mi-17 helicopters to Afghanistan and spare parts for Iraq's infantry fighting vehicles. Ringgold wrote to colleagues following the visit, describing the meetings as a "spectacular success," saying the Russian agency "has the ability to undercut all cost proposals from brokers."

Ringgold confirmed those discussions and said that his company has sought to do business with Rosoboronexport. Asked whether Ringgold considers his dealings with Russia to be legal, he argued that U.S. companies could work with Rosoboronexport on a "case-by-case" basis. "The particular purpose of the meeting we had -- and I want to be crystal clear -- was in response to a U.S. government requirement," he said.

A number of officials at the State Department and in the Pentagon, when contacted for this article, could not say whether working with Rosoboronexport is legal or not. A Pentagon spokeswoman said she was familiar with the issue, but deferred the question to the State Department. When asked about Rosoboronexport's status on the blacklist, John Herzberg, a State Department spokesman replied: "What's on there is on there."

Asked whether, given the ban, there was any way a company could legally work with Rosoboronexport, as Ringgold suggested, Herzberg provided an equivocal answer. "At the stage of the process we're at, I'm unable to give you an answer," he said. "You can try elsewhere in government, and maybe they'll be braver than me."

In an interview from Iraq, General Luckey conceded it was a murky area, but said, "My understanding is they are currently on our no-go list."

The confusion over debarred parties has even led the U.S. government into its own legal tangles, according to Jim McAleese, a Washington attorney who specializes in government contracting and foreign military sales. Because the Russian government violated U.S. nonproliferation laws, even NASA had to go to Congress to ensure it could work with Russia on Soyuz flights to the international space station. "What I'm warning you about is, don't be surprised by the confusion," McAleese said. "There are a whole bunch of different statutes that were adopted piecemeal and were never intended to be reconciled."

But it's the very ambiguity of the law that troubles those who monitor export control. "It's highly unusual to do anything with the Russians, particularly Rosoboronexport," said Scott Jones, director of Export Control Programs at the Center for International Trade and Security at the University of Georgia.

Legal or not, reputable American companies simply don't want to work with banned entities, Jones said, for fear of risking their reputations and business. "Even if it's not an outright prohibition, most companies don't want to put themselves in a liability situation that has really bad PR … and they stay away from it," Jones said. "But if that's your business, pimping out arms from the U.S. or Russia, that's the way it works, and you push as much as possible."

Finding any U.S. defense company working with the Russian government at this point would be "remarkable," Jones added.

In the meantime, the future for Weldon is unclear. The FBI investigation continues and Weldon's former chief of staff recently pleaded guilty to a conspiracy charge and is cooperating with the government, notes Melanie Sloan, the executive director of Citizens for Responsibility and Ethics in Washington, which filed a complaint against Weldon in 2004. Sloan speculated that Weldon may be charged with "honest service fraud" for misusing his office for personal gain. "It's an easier standard than bribery," she said. "I wouldn't be surprised [if he's charged] with bribery, but I think it will be honest services fraud."

Ringgold insists that he and Weldon are on the right side of the law. "Everything we do is in strict compliance with international and U.S. law and we operate only in the best interests of the U.S. government," he said. "I didn't serve 30 years in the United States Army to throw that away on a whim."

Asked if Weldon is still working for the company, Ringgold replied: "Absolutely, proudly so."

1. To permanently remove the ability to engage in unfair play;
2. To complete its investigation and come to a full understanding of what occurred;
3. To refund the affected customers; and
4. To implement measures that prevents future incidents.
   

• January 2008: UltimateBet is alerted to suspicions of unfair play on the part of the account "NioNio". Within 24 hours, UltimateBet contacts the KGC to provide formal notice that UltimateBet has initiated an investigation of the incident. UltimateBet subsequently forwarded a copy of all related data to the KGC.
• January 2008: The "NioNio" account and related accounts are suspended pending further investigation.
• February 2008: Preliminary findings indicate abnormally high winning statistics for the suspect accounts. After discussions with the KGC, UltimateBet engages third-party gaming experts to assist with the analysis.
• February 2008: Investigators confirm that the suspect accounts are associated with individuals who had worked for UltimateBet under the previous ownership.
• February 2008: UltimateBet discovers the unauthorized code that allowed the perpetrators to obtain hole card information during live play. The code was part of a legacy auditing system that was manipulated by the perpetrators of the fraud.
• February 2008: UltimateBet immediately removes the unauthorized code and works with the KGC and with third-party auditors to verify that the security hole has been eliminated.
• March 2008: Six player accounts are confirmed to have participated in this scheme. No accounts were deleted at any point, although some account names were changed multiple times. The following account names are known to have been used in the fraudulent activity: NioNio, Sleepless, NoPaddles, nvtease, flatbroke33, ilike2win, UtakeIt2, FlipFlop2, erick456, WhackMe44, RockStarLA, stoned2nite, monizzle, FireNTexas, HeadKase01, LetsPatttty, NYMobser, and WhoWhereWhen.
• May 2008: The investigation confirms that the fraudulent activity took place from March 7, 2006 to December 3, 2007.
• May 2008: Gaming Associates certifies that the software code that enabled unfair play was removed from UltimateBet servers in February of 2008.
• May 2008: Customers affected by this incident are identified, and plans for corrective action are reviewed with the KGC.
  

• The security hole identified in UltimateBet's investigation has been permanently eliminated.
• UltimateBet is establishing a state-of-the-art software Security Center that consolidates and greatly enhances existing security capabilities. The first release of the new Security Center focuses solely on the immediate detection of abnormal winnings. Gaming mathematicians, poker professionals, and security software developers have all contributed to the specifications for the new Security Center.
• UltimateBet customers are no longer permitted to change account names unless they have suffered abuse in chat rooms. Requests for changes must be supported by proof of abuse and must be approved by the Chief Compliance Officer.
• In addition to its existing security department, UltimateBet has established a new specialized Poker Security team of professionals dedicated to fraud prevention.
• The refund process will begin immediately. The accounts associated with fraudulent activity did not use an unfair advantage in all play sessions. Regardless, UltimateBet is refunding all losses to these accounts.
• Accounts related to the fraudulent activity have been disabled, and the individuals associated with those accounts permanently banned from the site.
• UltimateBet has worked closely and transparently with its governing body, the KGC and its designated expert auditors, to determine exactly what happened, how it happened, and who was involved, and has taken action to prevent any possibility of this situation recurring.
• Tokwiro is pursuing its legal options in regard to this incident.
  

1. We don’t believe that the goal of Quantitative Risk Analysis is to be precise.  We believe the goal is to be accurate. Subtle but important difference.
2. FAIR can be used both Quantitatively and Qualitatively.   The decision on which method to be used depends on various factors that Steve lays out nicely in the article there.
3. We believe that Risk Management is more than looking at specific vulnerabilities, their likelihood and impact.  It must encompass all aspects of the organizations ability to effect the probable frequency and magnitude of loss on an aggregate level, not just within the context of a discreet technical or policy issue.

That last point is important.  And it’s related to my post today.

WHAT DO YOU MANAGE TOWARDS?
This blog is blessed to have some very smart people be part of it.  There are security managers from all sorts of industries that read and comment and contribute.   And so today’s blog is more of an open-ended question for you all.  It’s a question that, if I have a comfortable relationship with the organization I like to first ask the senior manager, and then subsequently ask the direct reports.

When you think about it, Sales & Marketing managers have goals they manage towards.  CFO’s have goals that they manage towards.  COO’s have goals and measurement that they manage towards (cost management, production, etc…).  So what does the CSO manage towards?  I’m guessing if we took a national poll, we’d get all sorts of very nice sounding answers to that question.  I thought I’d list some of the answers I’ve heard and talk about them with you today.

1.)  Being Secure or “Managing to Security”

Generally, this concept of being secure is the most common answer.  And when I’m given that answer, it generally means that management focuses on Vulnerability Management, Patch Management, and to some degree, log analysis from various sources.  These are very basic core security functions, and the  belief is that if we do these well, we will be “secure”.  Ok, well… what does this “secure” mean, and how can we talk to management about whether we are meeting this goal?   If you examine that question, you actually find out what a “Being Secure” organization is really managing towards, another answer I hear often:

2.)  Being Incident-Free or “Managing to Perfection”

Security Person:  “Alex, our goal is not to have any incidents.”  Alex:  “Good luck with that.”

OK, that’s not what I really say, but here’s the problem I see with this common answer and the one above both of these common answers:  How do you know if you’re good or just lucky?

Well, are you, punk? (youtube link)

In my six years of working with a Penetration Testing team, nobody ever really “passed” with a perfect score*.  Some did better than others, some folks looked really, really good - but the degree  of good/bad was really more dependent on scope than the actual state of controls or the ability of the team to overcome them.  That is to say, when pressed, the mature security professional must admit that, given a strong, capable threat community -  there is no secure.   And therefore any state of “incidentlessness” deals with some combination of amount of control strength, and some lack of attacks (frequency!) by someone with enough skills and resources to overcome those controls.  If that last sentence sounds very FAIR-Like, that’s because it is.  If FAIR really accounts for those things that create Risk, then Managing to security or lack of incident means that you’re primarily concerned with FAIR Vulnerability, and ignoring other critical aspects of risk (like frequency of attacks, controls that reduce the probable impact of an event due to an ability to respond well to external stakeholders, etc…).

3.) Being Compliant or “Managing to Compliance” (External Compliance Pressures)

Because that’s what business buy, right?  They buy compliance!   Or so I’m told.  So let’s say that you go out and actually twist senior managements arm to get them to cough up enough dough so that you can be as compliant as Large Accounting Firm says you need to be.  Good on you!

But what I always wonder is, what happens when you want to manage something beyond compliance?  What happens when the checklist you’re managing towards is run by a bureaucracy that can’t keep up with a changing threat landscape?   For many people, the answer is “GOTO 1″ and try to sell upper management using FUD (hey, it used to work, maybe it’ll work again).  An alternative is to get to the next step:

4.)  Being Measured or “Managing to Metrics”

Say what you will, but “quants” have one thing right.  What gets measured gets done.  And a few mature organizations have spent a ton of time and effort on being able to create dashboards of KPI’s that attempt to measure security.  Problem is, that we don’t know if a 98% on patch levels is good or bad or just right.  We don’t know what value, if any, does creating metrics around the number and severity of vulnerabilities found in a monthly scan actually have.  So we’ve come up with this thing called “GRC” that’s supposed to make sense of those things we can measure empirically and help you find out if/when you’ve fixed them. And while GRC tools can tell you some good information about systems out of compliance, they tend to give you fantastic information like how your “risk = 57“.

Wha….?

Risk = 57 means very little to someone who doesn’t spend their life in the machinations of the GRC indicies.  So again, measurement without a (good) model still falls down when faced with that ultimate business decision.  Or, as Shurdlu so eloquently puts it in her post on GRC:

“By contract, risk is personal.  It’s variable as hell.  It “governs” what you spend your money on, and therefore, with or without a dashboard, your CEO is already doing risk assessment every time she decides what your security budget is going to be.  Will you really be able to change her mind by showing her the dashboard and saying, “But—but—the needle is pointing to RED!” when you’re sitting there with your line items in your fiscal shopping cart? “

5.)  Using Risk or “Risk Management”

Which brings us to my favorite, using risk (as defined as the probable frequency & probable magnitude of loss event(s)) as a means to manage.  Now many industry veterans will tell you how jaded we all are on the term “Risk Management”.  And we have every right to be, as Risk Management has been horribly abused by vendors, committees and standards bodies alike.

These days, the term has been narrowly defined to mean an extension of vulnerability management.   This is small, small thinking, IMHO.  To me, Risk Management isn’t the management of individual issues deemed as “risky” as much as it is measuring (see 4) our ability to make decisions through the lens of risk.  Maybe I should start saying “Risk-Based Management” instead of “Risk Management”.

This Risk-Based Management approach provides meaning to metrics. We can know what we’re measuring and why we care about it.  And why we care about it needs to match what management cares about.  If your approach to Risk Management results in some metric or KPI that non-IT (or non-security) management doesn’t understand or speak to them in an evident language, it’s time to find a new model.  This is why “Quants will win” and where risk = 57 is wrong.  Risk, expressed as “expect a once in 5 year chance to lose $875,000 if we don’t spend $90,000 now” actually gives executives something beyond an arbitrary ordinal number or color to work with.  And what’s interesting is, if your model does the right things in getting you to that expression - then metrics and KPIs - those “why/when/where” questions we have a tough time answering about metrics - they become easier to discover.

DISPROVING RISK MANAGEMENT

As a side note, originally I was going to write today a completely different post on how we can disprove whether or not OCTAVE or 800-30 or ISO 27001 risk management efforts are really “Risk Management” - and one significant point was “Does your non-IT management really care about the deliverable?”   This thought came to me after seeing a few too many emails into the ISO27001 mailing list asking “How can I get management to fund ISO 27001 certification?”  Of course, the value of implementing the ISMS and the value of certification are two separate business propositions, but if you can’t sell the first, then are those efforts really good risk management?  You know, the kind of effort that we can use to make meaningful reporting?

=============================

* I can tell you that at times we were asked to test products out for clients before they made a significant investment.  One biometric device stands out in memory as not being “hacked” in the time alloted for the engagement by a defense contractor.  After it passed the “Gummi Finger” test - we were going to try using a recently severed finger, but oddly enough nobody on the team volunteered their digit for the sake of security.  Bunch of slackers.