Archive for December, 2005
Perception is everything
One of the biggest problems that I face in my day-to-day job is convincing people that Information Security is even a problem that applies to them. Their lack of awareness means that they don’t even realize they have a problem in many cases. Most (but not all) of us agree that this is where security awareness and user education efforts come into play. While I tend to agree that generic awareness training doesn’t do much good, it’s important to understand why we need to keep the effort.
One word: Utility.
As Peter Bernstein states on page 105 of Against The Gods: The remarkable story of risk, Daniel Bernoulli nailed this one almost three hundred years ago:
“[The] utility resulting from any small increase in wealth will be inversely proportionate to the quantity of goods previously possessed.”
In the case of Security, this means that if someone thinks they have good security, they won’t see much benefit from an increase in protections and will thus be uninterested (or even resistant) to increases in security which have even moderate cost. But if that same person believes they have poor security, then they will perceive great benefit from even a moderate increase in protection and be more willing to invest their resources in efforts which might improve it.
The most dramatic example of this fact comes, I think, from the physical security world. Look at the massive funding and egregious abrogations of Constitutional rights that suddenly became acceptable after the 9/11 attacks.
Nothing had actually changed except that people suddenly felt that they had very little security “wealth” and, as a result, perceived much greater utility from security measures. This applied both to effective measures such as armoring airplane cockpit doors and to those which were either ineffective (such as checking ID’s to go anywhere any more) or had an extremely high cost (such as gross violations of civil liberties).
In the Network Security world, this usually manifests itself as the sudden appearance of funding for some countermeasure that was “too expensive” prior to The Incident.
Be forewarned, though, that this can cut both ways. As Bernstein notes a few pages later,
According to Bernoulli, our decisions have a predictable and systematic structure. In a rational world, we would all rather be rich than poor, but the intensity of the desire to become richer is tempered by how rich we already are. Many years ago, one of my investment counsel clients shook his finger at me during our first meeting and warned me: “Remember this, young man, you don’t have to make me rich. I am rich already!”
This logical consequence of Bernoulli’s insight leads to a new and powerful intuition about taking risk. If the satisfaction to be derived from each successive increase in wealth is smaller than the satisfaction derived from the previous increase in wealth, then the disutility caused by a loss will always exceed the positive utility provided by a gain of equal size. That was my client’s message to me.
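The consequence Bernstein draws, carried through as an added derivation (mine, not from the post or the book). $W$ is current wealth, $k>0$ a constant and $\Delta$ a gain or loss of equal size with $0<\Delta<W$:

Bernoulli's statement is the differential condition $\frac{dU}{dW} = \frac{k}{W}$, which integrates to $U(W) = k\ln W + C$.

Gain: $U(W+\Delta) - U(W) = k\ln\!\left(1+\frac{\Delta}{W}\right)$.

Loss: $U(W) - U(W-\Delta) = -k\ln\!\left(1-\frac{\Delta}{W}\right)$.

Since $\left(1+\frac{\Delta}{W}\right)\left(1-\frac{\Delta}{W}\right) = 1-\frac{\Delta^2}{W^2} < 1$, taking logarithms gives $\ln\!\left(1+\frac{\Delta}{W}\right) < -\ln\!\left(1-\frac{\Delta}{W}\right)$: the disutility of the loss always exceeds the utility of the equal gain, and both terms shrink toward zero as $W$ grows, which is the “I am rich already” point.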
Thus, if you actually succeed in getting someone to realize that they are security-poor, that person is probably not going to be happy and you’re probably going to be the first one they look at for an explanation of where all their security “wealth” went.
So be sure of two things before you begin. First, that you’ve got a plan to recreate some of that lost wealth. Second, be sure that what you’re proposing is actually going to improve the situation. It’s been a long time since I mentioned it, but this would be a good time to go back to the basics of evaluating security projects.
Posted in Security and Risk Management, Risk Management | 1 Comment »
How not to assess risk
I’ve really enjoyed Adam Shostack’s “Friday Star Wars Security Blogging” over at Emergent Chaos. Last week’s installment contained this gem, which actually made me laugh out loud.
The overall plans of the Death Star are hard to change. That’s not to say that they should be published, but the security of the Death Star should not rely on them remaining secret. Further, when the rebels attack with stub fighters, the flaw is easily found:
OFFICER: We’ve analyzed their attack, sir, and there is a danger. Should I have your ship standing by?
TARKIN: Evacuate? In our moment of triumph? I think you overestimate their chances!
Good call, Grand Moff! Really, though, this is the same call that management makes day in and day out when technical people tell them there is a danger. Usually, the danger turns out to go unexploited. Further, our officer has provided the world’s worst risk assessment. “There is a danger.” Really? Well! Thank you for educating us. Perhaps next time, you could explain probabilities and impacts? (Oh. Wait. To coin a phrase, you have failed us for the last time.)
Of course, what Adam doesn’t point out is that the nameless OFFICER has also provided the world’s most common Risk Assessment, as well.
Not that it matters, of course, because it seems like most of the time, even when I deliver a beautifully honed Risk Assessment with assumptions documented, threats cataloged and prioritized based on impact & estimated likelihood, control recommendations linked to risks and references back to underlying policies, standards, and internal controls requirements.
Here’s how this same conversation played out in the Real World:
ME (OFFICER): We’ve analyzed the proposal, and here is my analysis with recommendations for risks which can be mitigated and risks which must be accepted.
VICE PRESIDENT (ADMIRAL): Accepted?
ME (OFFICER): Yes. You need to state that you understand and are willing to accept the residual risks.
VICE PRESIDENT (ADMIRAL): I think there is no risk.
ME (OFFICER): Then you should have no problem accepting it. (Cue crickets chirping.)
I should have saved the effort and just gone with, “We’ve analyzed the situation and there is a danger.”
Posted in Security and Risk Management, Risk Management | No Comments »
Law west of the cyber-pecos
In-game abuse isn’t just affecting Second Life. Microsoft/Xbox Live and Bungie Software are getting medieval on Halo 2 cheaters, according to Wired News.
Microsoft responded to the glitches quickly and characteristically: In mid-January, the company launched a ruthless wave of anti-hacking enforcement that’s seen, by Microsoft’s count, thousands of players banned from online play for allegedly exploiting the vulnerabilities. Some gamers are complaining in message forums that they were targeted unjustly, but they have no recourse under Xbox Live’s terms-of-service agreement, which lets the company exile anyone for any reason.
“I will not tolerate even the appearance of cheating,” wrote Bungie’s Tom Gioconda in a posting to the official Halo 2 forum earlier this year. “The existence of an exploit does not give you the right to use it.”
As was implied in iang’s comment on my post about Second Life, we should be very careful what we ask for when it comes to policing of online gaming activities.
I know full well that when I was administering counterstrike servers in the early days of aimbots, I banned countless players for using them. I don’t deny my hypocrisy, although I did provide some degree of Due Process since I made my contact information freely available for people to dispute their bans, an opportunity that several players availed themselves of.
I’ll ruminate on this in my spare time over the coming days. Is it possible to create limited governance of virtual worlds without letting all the messes of the Real World overwhelm us? On one hand, Microsoft’s unilateral action in banning thousands of Xbox Live customers without any apparent due process seems offensive and draconian to my sensibilities, but I know that I didn’t do much better when the shoe was on my foot.
I know there’s been a lot of thinking about Virtual Governance that I need to catch up on before I start putting my foot in my mouth about it, but as I enter into my second year of blogging, this may be an interesting area to explore.
Posted in Security and Risk Management, Technology, Virtual Worlds | No Comments »
Denial by power of two
Strange things are afoot over at Second Life, according to Freedom To Tinker:
One of the cool things about Second Life is that players can create new kinds of objects, by writing small programs in a special scripting language to describe how the objects should behave, and then launching objects into the world.
Things got really out of hand when the W-Hats created a doomsday device. It looked like a harmless little orb, but it was programmed to make copies of itself, repeatedly. The single object split into two. Then each of those split, and there were four. Then eight, and sixteen, and so on to infinity.
Okay, not exactly to infinity but to billions of copies (after thirty-some generations of splitting), at which point the servers running Second Life crashed, and the whole virtual world was knocked off-line. The W-Hats had created a Weapon of Mass Virtual Destruction (WMVD).
The WMVD was detonated more than once, and on at least one occasion Linden Lab, the company that runs Second Life, contained the damage by taking parts of the world offline as a kind of virtual firebreak.
Now, the operators of Second Life have called in the cops, and like the guys over at Freedom to Tinker, I agree with their decision. I’m just amazed they could get anyone to agree the crime either happened in their jurisdiction or that there was anything to prosecute.
As an aside, the first time I ever took down a shared UNIX system when I was in college was when I kicked off a program which iteratively initialized some data structures, then fork()‘ed itself, creating a copy of itself including its current initialization state. I accidentally called fork() within the initializer and the thing began spawning copies of itself, which spawned copies of themselves, which spawned copies of themselves. The system did not have resource limits properly configured, so the number of copies of my program grew exponentially until there was no memory left. The server never crashed, it just was unable to allocate any more memory or spawn any new processes, including a root shell to kill my runaway process. Not my proudest moment, but far from my worst, either. I’ll stop now before I get all nostalgic for the days when I actually did fun stuff like administer systems and write things other than email and Word docs.
Posted in Security and Risk Management, Virtual Worlds | 3 Comments »
Which risk are you?
The Register is one of my favorite IT news sites. After all, what’s not to love about a site whose motto was once, “Integrity? We’ve heard of it.”
They also publish stories with gems like these:
Workers across Europe are continuing to place their own companies at risk from information security attacks. This ‘threat from within’ is undermining the investments organisations make to defend against security threats, according to a study by security firm McAfee.
…
Based on its survey, McAfee has identified four types of employees who put their workplace at risk:
- The Security Softie – This group comprises the vast majority of employees. They have a very limited knowledge of security and put their business at risk through using their work computer at home or letting family members surf the internet on their work PC.
- The Gadget Geek – Those that come to work armed with a variety of devices/gadgets, all of which get plugged into their PC.
- The Squatter – Those who use the company IT resources in ways they shouldn’t (i.e. by storing content or playing games).
- The Saboteur – A very small minority of employees. This group will maliciously hack into areas of the IT system to which they shouldn’t have access or infect the network purposely from within.
Personally, I suspect the only people in a modern enterprise who aren’t on this list are the ones with no computer access. Other than some of the people in manufacturing environments, I’m not sure who that would be, though. I can’t even think of anyone on the security team here who isn’t either a Gadget Geek or a Squatter. I’m a squatter, myself. Diablo II is much better than DVD’s to kill time on intercontinental flights so long as there’s some sort of power outlet.
So my congratulations to McAfee. They’ve managed to come up with a study in which every single employee is a risk. Now do something useful and help me determine which ones are the risks I can’t accept.
Posted in Security and Risk Management, Network Security | No Comments »
Skype: All we have to fear is fear itself
NetworkWorld actually had something rational to say about Skype for a change.
We assessed the state of the encryption and security of the Skype messages and streams, looking for exposed information that could be useful to hackers and susceptible to man-in-the-middle interception and diversion tactics. We evaluated the security of Skype Instant Messaging and file transfer, along with the internetworking of Skype 1.4 and 2.0 beta. We also tracked the effect of Skype operations, in terms of CPU and memory use, on laptops.
Our testing shows that neither Skype VoIP nor Skype Instant Messaging poses any readily exploitable security threat. We also conducted a dozen private interviews with hackers, enterprise network managers and leading network-security-equipment suppliers, none of which could cite one case of Skype being exploited for insidious security assaults.
Of course, next week some vulnerability might be exploited. But as we go to press, we believe that Skype poses more worries about what isn’t known than actual security concerns.
I’ve been saying this for a long time now.
Unless SBC and other carriers succeed in screwing it up to protect their revenue streams, that is.
Posted in Security and Risk Management, Risk Management, Network Security, VoIP | No Comments »
Rotten at the core
According to the IT Compliance Institute,
Despite or because of the global spread of corporate governance codes, reports of financial fraud rose 22 percentage points in the last two years, reported Pricewaterhouse Coopers.
…
In North America, 60 percent of the perpetrators were employees of the victim firm, and almost a quarter were senior managers.
As I recall (can’t find a link, sorry), the 60% number is roughly consistent with the FBI/CSI study of fraud in the financial services industry from 18 months or so ago. This would seem to indicate that industries traditionally less regulated than financial services are now finding a lot of fraud that they missed before implementing more stringent financial controls due to SoX, GLB, etc. What it also indicates, however, is that regulation alone doesn’t stop fraud.
Now think about this from the perspective of the “Self-Sustaining Value Growth Tipping Point, or GP for short,” that Ian Grigg recently described over at Financial Cryptography. (Go read it if you haven’t already)
In this case, we’re dealing with mature industries and corporations where the self-sustaining value is already present. What has changed is that now we’ve had a significant change in the regulatory environment, specifically with regards to fraud. This has exposed the old, stable methods of committing fraud,
…all will appear to be chaos. Actually, it’s not chaos, it’s just competition for different fraud models, and soon it will settle down to a set of best practices in fraud. At this point, when all the mistakes have been made and the surviving crooks know what they are about, fraud will rise rapidly, then asymptotically approach its long run standard level. Ask any credit card company.
As I see it, the real question is, “When fraud settles back down in the new (pick your law/directive) regulatory environment, will the new standard level be higher or lower than it was before?”
Posted in Security and Risk Management, Risk Management | No Comments »
Digital Redlining
If you want to see what happens when journalists, rather than Security Practitioners, write security columns, take a look at the current Alarmed column over at CSO Online, “Digital (Shopping) Divide.” I don’t know why Sarah thinks this is so hard to deal with or even why she thinks it’s a bad thing. But maybe that’s because I can actually look at the problem with hindsight.
With increasing frequency, I see studies pinpointing “bad” neighborhoods on the Internet, supposed hotbeds of hacking and fraud, viruses and spam. South Korea, Romania, Lithuania, Nigeria—they all get fingered. It’s not racial profiling, exactly. Malicious Web traffic and fraud can be traced, at least to some degree, and numerically ranked. (Serious hackers, of course, will cover their tracks pretty well.) Businesses need to protect themselves from fraud, and retailers certainly have the right to choose not to ship to certain countries—or even to any countries except their own.
But it might not take long to get from here (no shoes to Singapore) to there (no Web traffic from Singapore).
What’s the problem here? That network security people are starting to look at how to leverage their knowledge of networks to better support the businesses that pay their salaries? That security people are no longer just Playing With Toys and instead tying their thinking back to its impact on costs or revenue? That companies don’t like to get ripped off and are willing to bear the opportunity cost of limited market reach to minimize fraud?
Personally, I view all of these as Good Things.
What I find interesting about the article is not the discussion of fraud and the eCommerce Redlining of certain regions but the tale of one man’s clever and hopefully effective response.
Consider what he has done. Some companies made a rational risk management decision which prevents certain countries or networks from doing business with them. This man feels that he can, through better local understanding and presence, prevent fraud that the individual sites cannot or cannot at a similar price point. As a result, people in those locales have to pay more for their goods to use an intermediary to establish their credibility.
I view that as a win-win approach to the problem. If it costs more, so be it. I don’t like being forced to pay more for goods and services due to fraud, but I’m not willing to increase my cost of living to subsidize avoidable fraud costs, either. If eCommerce sites are able to transfer their regional fraud risk onto him, and assuming that he can actually deliver a low-fraud regional customer base to these sites, then it allows the sites to gain a global presence that they otherwise would wind up having to cede to local competitors by default.
If he fails due to an inability to prevent fraud or a lack of customers with enough funds to purchase goods at US/European prices, then those areas of the world may not yet be viable markets for those goods. But if he succeeds, then he will have solved a problem that others cannot and deserves to be rewarded.
Personally, I don’t have an issue with Singapore and would not have recommended redlining them unless something about their Internet behavior has changed, so they may not be a good case study.
But if none of the Web traffic from a netblock or set of netblocks assigned by ARIN, RIPE or APNIC is good, then why would I want it? If I’m generating my revenue based on selling products, then serving that page to someone I won’t do business with is a waste of money.
As soon as fraud comes into play, the leverage can get big in a hurry. Chargebacks add up fast, not to mention the cost of the resources that have to identify and respond to the fraud. If you’ve shipped goods, unless you can redirect them in-transit you’re going to be out the cost of goods sold, too.
While it wasn’t me, I could easily have been the person that Mikko quoted when he said,
Mikko Hypponen, chief research officer at the threat management company F-Secure in Helsinki, told me, “I spoke to one security officer who hadn’t been shipping any orders at all to [country] for a year and a half because 99 percent of the purchases going to that country were done with stolen credit card numbers,” (He asked me not to name the country. “I don’t want to get quoted as saying [country] is bad,” he explained. “There are lots of good people there, too.”)
Why should I do business with people if I know they are only coming to rip me off? When it comes to business and risk, I believe in Doing Well by Doing Good. But I also believe companies have a duty to their shareholders to make wise business decisions, and would no more counsel that we should do business with regions we know will produce excessive fraud than I would suggest we take a pile of money and burn it in the parking lot to keep warm.
In some cases, we didn’t have a single legitimate transaction from the entire country. Not proactively refusing transactions from countries with an excessive risk profile would be insane, especially if you follow the definition that insanity is doing the same thing over and over and expecting a different outcome. Lastly, throw in the fact that failing to do so could multiply the cost of every other bad transaction by increasing the penalty charges if total chargebacks broke certain thresholds, and I’d worry about the qualifications of anyone who didn’t want to at least develop models for evaluating fraud and banning countries and/or netblocks (a lot of satellite ISPs providing service to West Africa, in particular, show up as Dutch or Irish IP space, and you only find out when you first see the spike and go research the provider).
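A minimal version of the kind of model the post asks for, as an added example that is not the post’s own code: it scores a constructed order log per ship-to country and per source /24, decides allow/watch/block with a minimum sample size so a block is not condemned on two orders, and shows how removing a bad block moves the overall chargeback ratio. The fee, thresholds and order records are all assumed values.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample order log for illustration (not real data).
# Fields: source IP, country the order ships to, order amount in USD,
# whether the order later came back as a chargeback. The last two orders
# ship to DD but arrive from the block otherwise seen for BB, the
# satellite-ISP case the post mentions.
ORDERS = [
    ("203.0.113.10", "AA", 120.0, True),
    ("203.0.113.11", "AA", 80.0, True),
    ("203.0.113.12", "AA", 95.0, True),
    ("203.0.113.13", "AA", 60.0, False),
    ("198.51.100.5", "BB", 40.0, False),
    ("198.51.100.6", "BB", 55.0, False),
    ("198.51.100.7", "BB", 70.0, True),
    ("198.51.100.8", "BB", 30.0, False),
    ("198.51.100.9", "BB", 45.0, False),
    ("192.0.2.20", "CC", 200.0, False),
    ("192.0.2.21", "CC", 150.0, False),
    ("192.0.2.22", "CC", 175.0, False),
    ("192.0.2.23", "CC", 90.0, False),
    ("192.0.2.24", "CC", 110.0, False),
    ("192.0.2.25", "CC", 65.0, True),
    ("198.51.100.200", "DD", 50.0, True),
    ("198.51.100.201", "DD", 20.0, False),
]

CHARGEBACK_FEE = 25.0   # assumed per-chargeback fee from the acquirer
MIN_ORDERS = 4          # assumed: don't judge a key on fewer orders than this
MAX_FRAUD_RATE = 0.5    # assumed: block anything above this chargeback rate


def netblock(ip: str) -> str:
    """Map an IPv4 address to its /24, the unit this example scores by source."""
    return str(ip_network(f"{ip}/24", strict=False))


def by_country(ip: str, country: str) -> str:
    return country


def by_block(ip: str, country: str) -> str:
    return netblock(ip)


def aggregate(orders, key_fn):
    """Per-key order count, chargeback count and money lost to chargebacks.
    A chargeback on shipped goods costs the goods plus the fee."""
    stats = defaultdict(lambda: {"orders": 0, "chargebacks": 0, "loss": 0.0})
    for ip, country, amount, charged_back in orders:
        s = stats[key_fn(ip, country)]
        s["orders"] += 1
        if charged_back:
            s["chargebacks"] += 1
            s["loss"] += amount + CHARGEBACK_FEE
    return dict(stats)


def decide(stats, min_orders=MIN_ORDERS, max_rate=MAX_FRAUD_RATE):
    """Return {key: (fraud_rate, decision)}; thin samples get 'watch', not 'block'."""
    out = {}
    for key, s in stats.items():
        rate = s["chargebacks"] / s["orders"]
        if s["orders"] < min_orders:
            decision = "watch"
        elif rate > max_rate:
            decision = "block"
        else:
            decision = "allow"
        out[key] = (rate, decision)
    return out


def chargeback_ratio(orders, blocked_keys, key_fn):
    """Overall chargeback ratio once blocked keys are dropped from the stream."""
    kept = [o for o in orders if key_fn(o[0], o[1]) not in blocked_keys]
    if not kept:
        return 0.0
    return sum(1 for o in kept if o[3]) / len(kept)


if __name__ == "__main__":
    stats = aggregate(ORDERS, by_country)
    decisions = decide(stats)
    for k, (rate, d) in sorted(decisions.items()):
        print(f"{k}: {stats[k]['orders']} orders, chargeback rate {rate:.0%}, "
              f"loss ${stats[k]['loss']:.0f} -> {d}")
    blocked = {k for k, (_, d) in decisions.items() if d == "block"}
    print(f"overall chargeback ratio before {chargeback_ratio(ORDERS, set(), by_country):.1%}, "
          f"after blocking {sorted(blocked)}: {chargeback_ratio(ORDERS, blocked, by_country):.1%}")
```

Scoring by source block instead of ship-to country (`aggregate(ORDERS, by_block)`) is what catches the case where a provider’s address space geolocates somewhere else entirely.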
Posted in Security and Risk Management, Risk Management | No Comments »
(Vendor) Study on Cost of Privacy Breaches
While the source is PGP, a vendor with a vested interest in people seeing privacy breaches, there is still some interesting research on the per-incident costs of privacy breaches in this article over at Network World, which I came across while catching up on my reading. (Thanks to nCircle’s blog for the link.)
The first report is a survey of 14 organizations that lost confidential customer information and had a regulatory requirement to notify the affected individuals. The 14 organizations primarily hailed from the financial services arena but also included retailers, insurance companies, telecom firms, higher education and healthcare.
To cope and recover from a single security breach cost on average $14 million per company per breach or $140 per lost customer record. The direct costs in incremental spending for outside legal counsel, increased call-center costs and related items alone were $5 million.
I bit the bullet and registered to download the actual studies. Here’s what that $14 million includes:
Breaches included in the survey ranged from 1,500 records to 900,000 records from 11 different industry sectors. In general, the largest breaches occurred in financial services, data integration, and retail; the smallest were in higher education and health care. Information in this study covers the costs of almost 1.4 million customer records compromised.
Among the study’s key findings:
• Total costs to recover from a data breach averaged $14 million per company or $140 per lost customer record
• Direct costs for incremental, out-of-pocket, unbudgeted spending averaged $5 million per company or $50 per lost customer record for outside legal counsel, mail notification letters, calls to individual customers, increased call center costs, and discounted product offers
• Indirect costs for lost employee productivity averaged $1.5 million per company or $15 per customer record
• Opportunity costs covering loss of existing customers and increased difficulty in recruiting new customers averaged $7.5 million per company or $75 per lost customer record. Overall customer loss averaged 2.6% of all customers and ranged as high as 11%.
These cost estimates include recovery costs only and do not include the cost of putting in place technology and procedures to ensure such breaches do not occur in the future.
Personally, I’d stop short of trying to claim any more than that $50/record of direct costs if I was using this to justify encrypting, destroying, or otherwise protecting data. Besides, unless you’re talking about more PII than the average personal address book, $50/record should produce a large enough number to get people’s attention and provides an easy-to-work-with number for ROM calculations.
One other interesting thing I noticed about this study. All three case studies were disclosure of credit card numbers, but none of them seemed to include the cost of re-issuing cards. That would mean that there was an unaccounted for externality here since there is a significant direct cost to the credit card issuer.
For some reason, $27/card pops into my head but I’m too lazy to check it right now. Even if that were the total cost of handling an incident, a range of $25-$50/record is still a pretty good figure to work with.
Posted in Security and Risk Management, Risk Management, Privacy | No Comments »
Security Mindset, Pt. II
Lest someone call me out in comments for not mentioning it, I should mention HavenCo out on the Republic of Sealand, too. He wanted to be the first extra-national-ish Data Vault like the protagonists of Neal Stephenson’s Cryptonomicon.
Simson Garfinkel wrote a long story about HavenCo in Wired back in 2000. It’s a fun and interesting read, a nostalgic romp through the days when bandwidth and crypto were all that were needed to transform the world.
This summer, with $1 million in seed money provided by a small core of Internet-fattened investors, Lackey and his colleagues are setting up Sealand as the world’s first truly offshore, almost-anything-goes electronic data haven - a place that occupies a tantalizing gray zone between what’s legal and what’s … possible. Especially if you exist, as the Sealanders plan to, outside the jurisdiction of the world’s nation-states. Simply put: Sealand won’t just be offshore. It will be off-government.
The startup is called, fittingly, HavenCo Ltd. Headquartered on a 6,000-square-foot, World War II-era antiaircraft deck that comprises the “land” of Sealand, the facility isn’t much to look at and probably never will be. It consists of a rusty steel deck sitting on two hollow, chubby concrete cylinders that rise 60 feet above the churn of the North Sea. Up top there’s a drab building and a jury-rigged helicopter landing pad.
Soon, Lackey believes, powerful upgrades will transform Sealand into something amazing. The huge support cylinders will contain millions of dollars’ worth of networking gear: computers, servers, transaction processors, data-storage devices - all cooled with banks of roaring air conditioners and powered by triple-redundant generators. HavenCo will provide its clients with nearly a gigabit per second of Internet bandwidth by year’s end, at prices far cheaper than those on the overregulated dry land of Europe - whose financial capitals sit a mere 20 milliseconds away from Sealand’s electronic nerve center. Three speedy connections to HavenCo affiliate hubs all over the planet - microwave, satellite, and underwater fiber-optic links - will ensure that the data never stops flowing.
Unless people can’t quit messing with the routers, that is. In 2003, however, Ryan Lackey, HavenCo’s CTO, resigned citing mismanagement and self-incurred network instability:
Lackey, who said HavenCo owes him $220,000 in cash and additional money in stock, said another problem was the Sealand family’s tinkering with the network connection, which caused extended outages and occasionally left it dependent solely on a slow satellite link.
“The key lesson on this is if you’re going to put a ‘co-lo’ facility somewhere, political and contract stability in that jurisdiction is very important,” Lackey said, referring to co-location setups, or virtual site-hosting facilities. “Customers want stability. They don’t want the network to be down for two months.” The 24-year-old Lackey spoke to an audience of about 600 at the DefCon hacker convention here.
Currently, HavenCo says they offer colocation for $1,500 per server per month and managed services for $3,000 per server per month. Compare that to approximately $100 per server per month for hosting somewhere in Dryland.
While this may close off the “Hosting Provider” branch of the attack tree, the options available to criminals, cops, secret agents, lawyers, or other nefarious types trying to seize your data by going after you (the data owner) directly still exist.
The piece of this that has never made sense to me is that while your data might be secure against physical seizure, your person is still subject to the same physical and legal threats as it ever was. This means that the risk of being forced to disclose under duress has now been transferred from your hosting provider onto your person.
I’m not a lawyer, but from what I’ve observed over the years, if you think that you can now say, “Sorry, it’s not here,” in response to a search warrant or discovery request, then you’ll probably get to learn first-hand what terms like “Conspiracy,” “Contempt of Court” and “Summary Judgement” really mean. Hopefully it won’t go so far as Rendition, but depending on who’s asking, you never know.
I’m not sure that’s a Risk Management option I’d be comfortable with.
Posted in Security and Risk Management, Risk Management | No Comments »