Archive for February, 2006
Powerlaw Distributions and the Bad Apples
Malcom Gladwell had a recent blog post where he discusses an unnecessary fatal train accident.
The engineer who had probably caused this very rare fatal accident had what may have been the single worst safety record of 1,000 people driving commuter trains in the metropolitan area. Only five were even in his dubious ballpark. The great majority of engineers had no safety violations at all.
And here’s the kicker: about 8 percent of the engineers accounted for about half of all the violations. Yet not only were they allowed to continue working, they were under no particular scrutiny. Worse still, these three railroads actually did more to police the engineers than most railroads, and more than was required by federal law.
The results made me think of the Christopher Commission report, which I had also covered, and the finding that 44 of 7,000 officers caused the bulk of the problems.
How many incidents of any sort could be avoided by developing good predictive metrics and then taking action on them?
I know that here in the Information Security realm where I work, we see the same people doing the same stupid things over and over. They tend to be low-level staff who are doing things in violation of our Acceptable Use policies. We can identify them prior to their causing a Major Incident, yet we can't/won't do anything until after the damage is done.
I’m not saying that we need to fire anyone, although I wouldn’t rule it out for repeat offenders, but I’m also continually irritated that most of the cost of an incident (specifically, all of the response costs) is an externality to the “guilty” party and their management, which may be the real weak link in the chain.
If we could transfer the externality back onto the high-risk employee’s managers by forcing them to accept the risk, then maybe we’d finally get somewhere. Maybe not, too, but it couldn’t be any worse than what we’re doing today.
Posted in Security and Risk Management, Risk Management | No Comments »
The value of (stolen) money
By far the most interesting article I’ve seen thus far about the Tonbridge Heist was the one in The Independent, which posed the question, “They pulled off Britain’s biggest raid, but the police are closing in. What will the robbers do next?”
Dumping the money was the smartest thing the robbers could have done. When police found bank notes worth up to £15m in the back of an abandoned white van on Friday, it was easy to imagine that the gang responsible for the Tonbridge heist had left the money after panicking or being disturbed. But as police made two arrests yesterday, and an emotional statement was read out on behalf of the family kidnapped in the raid, another theory emerged.
Three highly professional south London gangs are now the main suspects and, money-laundering experts believe, leaving some of the loot behind may be another example of the robbers’ meticulous attention to detail.
If the notes discovered in the van had been newly printed, they would be very hard to get rid of. “It would be very foolish to try to spend them or deposit them in a bank account in this country,” said Prem Sikka, professor of accounting at Essex University. “The serial numbers would make them easy to trace.”
Far better to abandon them and carry off only used ones that had been in circulation already and would be untraceable - and which may have been worth up to £35m on their own.
Even for a group of skilled professionals, there’s still significant logistics involved in transporting and laundering large quantities of cash, and plenty of ways the whole thing can come unraveled.
The cash presents a physical problem. The IRA raided the Northern Bank in Belfast in December 2004 and stole £26.5m, but the Irish police found £2.3m stuffed in a wheelie-bin at the home of a suspect. The Tonbridge gang will have had to work out what to do with 800,000 pieces of paper, weighing up to 900lbs.
There are ways to launder that volume of cash, despite the ferocious laws introduced recently to track and stop terrorist money, but to do so will take expertise, time and patience. Vast amounts of patience. Far more patience than bank robbers and their accomplices usually have, however professional they are. Somebody usually cracks.
As the article points out, laundering cash is an extremely high-risk activity, both in terms of operational complexity and of not getting caught in the process. The £2 million reward doesn’t make things any easier: that’s a lot of money, especially since it would be legitimate. For the small fish in the plot, it’s a lot of money. The risk of claiming it, however, is that you’re almost certain to wind up dead at some point after claiming it.
A few of the ways the article suggests it might be done include…
COUNT THE CASH. If there are any new, traceable notes, chuck them. Prepare for prison. What we are about to describe is theoretically possible, but the chances of success are extremely slim
BURY IT, put it away, stick it in an inconspicuous lock-up or security vault for as long as you can bear to do so, at least until the fuss dies down. That might take a year
…
TAKE THE MONEY TO A COUNTRY where the customs officials can be bribed to certificate your cash as clean. Start a company. Experts suggest the Balkans would be a good choice
START ANOTHER COMPANY IN DUBAI, where directors do not need to be named. Use the Balkan money to buy expensive products from it (which need not exist)
TRANSFER THE INCOME from Dubai to a tax haven such as the Cayman Islands where secrecy is assured. Set up a blind trust and nobody will know it’s for you
Personally, I think that the cash is being used as collateral for some other large-scale, illicit transaction like a major drug or arms deal in much the same way that things like stolen artwork are used. My pet theory is that it’s armaments and the cash is currently sitting somewhere inside the former Soviet Union, despite having absolutely no evidence to support that theory. Maybe it’s
Eventually, the cash will begin to leak into the legitimate market, but I don’t think it will be the thieves who launder it just like I strongly doubt that it was stolen primarily to be “laundered.”
Posted in Security and Risk Management | No Comments »
Monday off-topic fun: Body Armor
Most people seem to do their off-topic-ish stuff on Friday. Personally, I need the distraction more on Monday so here it is.
Any security person worth his salt should be familiar with Bruce Schneier’s body armor analogy. I was too lazy to go dig out my copy of Beyond Fear to quote it, so I have to paraphrase:
Just because a security measure is effective does not mean it should be implemented. For example, bulletproof vests are a very effective means of protecting oneself from bullets. But they are also bulky, uncomfortable, and expensive. For most people, the tradeoff does not make sense.
But just how effective are they? Here’s a fun, picture-filled demonstration of what bulletproof vests can and can’t protect you from.
Their analysis:
1. Level IIIA armor stopped the handgun bullets tested, just as designed. Either JHPs or Ball.
2. Once again, “Rifles are rifles and pistols are pistols”. Rifles went right through, just as expected.
3. The armor stopped 00 Buck and Rifled Slugs.
4. If your adversary is wearing armor, don’t depend on pistols or shotguns. Go for a rifle. As Clint Smith says, “The only purpose for a pistol is to fight your way back to the rifle you should have never laid down”.
5. And, as always, shooting stuff is fun.
Happy Monday, everyone!
Posted in Security and Risk Management | No Comments »
Amateur Night at the Domestic Spying Bar and Grill: Bus Drivers Spy Free!
I see that the Department of Homeland Security is now enlisting bus drivers in the War on Freedom. I’m sure this won’t produce the thousands of false positives tying up scarce law enforcement resources that always seem to plague any program involving well-intentioned amateurs.
Designers of the School Bus Watch program want to turn 600,000 bus drivers into an army of observers, like a counterterrorism watch on wheels. Already mindful of motorists with road rage and kids with weapons, bus drivers are now being warned of far more grisly scenarios.
Like this one: terrorists monitor a punctual driver for weeks, then hijack a bus and load the friendly yellow vehicle with enough explosives to take down a building.
An alert school bus driver could foil that plan, security expert Jeffrey Beatty recently told a class of 250 drivers in Norfolk, Va. After all, bus drivers cover millions of miles of roads. They know the towns, the kids, the parents.
First off, how is a bus driver going to foil the plan? As long as we’re talking about movie plot scenarios, let’s not forget that other favorite scene which usually occurs at the start of the movie plot scenario. That’s the one where the Bad Guy walks up to the (security guard|cop|bus driver|Chauffeur|teacher|mailman|UPS driver|other random victim), asks a smart-ass question, then shoots them in the head with a silenced pistol.
“As a bus driver, going down the same streets and going into the same neighborhoods every day, you know when there’s a car that shouldn’t be there,” said Bob Pearson, who drives a school bus in Fairfax County, Va. “You have to realize that a school bus goes everywhere.”
Of course, if the “terrorists” have been monitoring the bus for weeks, wouldn’t they now be part of the cars that “should be there?” And isn’t the bus driver supposed to be focusing on other things, like making sure that they get their bus safely from point A to point B? Personally, I’m a lot more worried about an increase in the school bus accident rate as drivers make sure that no “suspicious” people look at their bus rather than the other idiots on the road.
And the kicker, in my personal opinion:
Down in Norfolk, Shelita Hill, a driver for 23 years, acknowledged that she never thought of her school bus as a target of terrorism until she heard Beatty speak. Neither had many others in the class.
There is no threat. Yet she will throw 23 years of direct experience in the field out the window because some guy from DHS tells her she should. If I did this to someone over the phone, it would be Social Engineering. In this case, I’ll let her off as merely having made a Poor Trust Decision. Just keep your eyes on the road, Shelita. You’ll never see a terrorist, but your passengers will thank you for it.
On the bright side, I’m glad to see that the nation’s ports are now so well-protected and Osama Bin Laden is safely in custody that the DHS has time to build up silly domestic surveillance programs and try to stop people surfing porn at the library.
Posted in Security and Risk Management, Risk Management, Terrorism | No Comments »
Cheating
Alex Tabarrok writes over at Marginal Revolution:
I sometimes find evidence of cheating on exams but I rarely take action, I don’t have to. Almost invariably the cheaters get abysmally low grades even without penalty. Some people I know get annoyed when students without evident handicap ask for and receive special treatment such as extra time on exams. I comply without rancor as the extra time never seems to help. Over the years I have had a number of students ask for incompletes. None have ever become completes.
I call this the law of below averages.
Unfortunately, those same people asking for incompletes go on to get jobs in the corporate world where they ask for exceptions to security policies with a promise that they’ll “remediate after go-live.”
The comments are also priceless and detail one example after another of people attempting to exploit operational weaknesses in academic processes. I’d like to look at a couple of different threat models for analyzing the risk of academic cheating.
For the cheater, I assume they have chosen to accept the risk of getting caught, whatever that may be. When I was at university, the penalty for cheating was receiving no credit on the activity you were caught cheating on. That meant that there was a direct correlation between the potential benefit of cheating (getting, say, an A on the final and thereby improving their letter grade from failing to passing) and the impact of getting caught (getting no credit for the final, probably producing a failing grade in the class). Of course, if you were already going to fail, that effectively meant that there was no down side, thus creating an incentive to cheat.
Even in that case, I thought that relying on the opportunity to cheat even existing was a poor risk decision on the part of the cheater.
I’ll consider a couple of different scenarios for cheating in an exam. Cheating on papers is a whole different issue and has much more to do with the amount of effort the grader is willing to put into it than anything else, thanks to the ease with which Google and a halfway diligent grader can catch all but the most careful plagiarists.
Start with the good ol’ Cheat Sheet, whereby the cheater sneaks information into the exam for reference.
First, some sort of mechanism has to be developed for getting the knowledge into the exam without detection, then the course material must be analyzed to determine what subset of it would be most useful.
Secondly, by the time you’ve performed that selection process and prepared the material, you’ve probably spent about as much time as it would have taken to just learn the material.
Third (in my case at least), the reason that I might have needed to cheat was because I had been ditching class, meaning that I wouldn’t have the material to produce the cheat sheet anyway.
So much for Cheat Sheets.
Next is copying answers from someone else.
Consider that in nearly every exam I ever took, the seating was designed to prevent copying, either by spacing out the test takers and/or by using multiple test forms. The academic testing environment definitely is a long-running cat & mouse game between cheaters and proctors. This makes depending on the opportunity to copy a bad risk from the start.
Then, as some of Alex’s commenters relate, the person cheating may choose to copy off someone even less knowledgeable than they are:
some years ago, when I was a math TA, another math TA came to me to ask how to handle this situation: one guy had copied from another on a calculus exam. Thing is, the cheater had picked his target poorly: he was the 2nd-worst student in the class. And, of course, the cheater didn’t have enough time to copy everything.
Basically, ignoring the cheating and grading the exam like all others, the cheater’s exam got an F and the target of the cheater got a D. I told my friend that it seemed the problem took care of itself.
Finally, it was always my experience that the people one would most want to copy off of were aware of their desirability and, especially if the class was graded On The Curve, fiercely protected their work to maximize their outlier status.
As the number of variables mounts, the odds of success start to get very long very quickly. Once again, not a good risk.
Finally, the would-be cheater should take a long, hard look in the mirror and consider that if they can’t be bothered to do a half-decent job of keeping up with their studies, they probably aren’t going to do a very good job of cheating, either.
Of course, since I studied political science there wasn’t much point in trying to cheat on exams. They were all essays and you could either produce a coherent argument or you couldn’t.
No amount of cheating in the world is going to help you explain what you think is the US Supreme Court’s worst decision ever and why if you don’t know the details of one you think was crap. (I chose Katzenbach v. McClung, because I thought it was a horrible cop-out to hide behind the commerce clause when the 14th Amendment existed specifically to address the right to equal protection under the law. If I had to answer that question today, I think I’d have to go with Bush v. Gore, but that’s a whole different ball of yarn.)
Posted in Security and Risk Management, Risk Management | 1 Comment »
Risk Management, Army-style
Here’s a great example of the United States Army applying Risk Management techniques to the problem of reducing fratricide (aka friendly fire).
It’s an appendix to FM 3-21-31 and the first half could serve as a great primer on Risk Management for any problem. From the introduction:
Risk management is the process of identifying and controlling hazards to conserve combat power and resources. Leaders (to include the staff) must always remember that the effectiveness of the process depends on their understanding of the situation. They should never approach risk management with “one size fits all” solutions to the risks their unit faces. They must consider the essential tactical and operational factors that make each situation unique.
One of the things that I really like about this as an example is that it deals with a real, universally acknowledged problem (shooting your fellow troops is bad), one which hopefully never comes up in your office environment.
Too often, technical Risk Management examples bog down in hypothetical implementation details before they can even begin. This page, on the other hand, provides a basic explanation of how to define a problem, identify and prioritize the threats, then determine appropriate safeguards and residual levels of risk. And best of all, nobody is going to turn it into an argument over whether Windows or Linux is the “more secure” solution.
Posted in Security and Risk Management, Risk Management | 2 Comments »
Yet another case of Quis Custodiet Ipsos Custodes
Yet another case of trusted insiders abusing their position.
This time, it’s Air Marshals smuggling drugs.
Two federal air marshals are facing drug charges after allegedly agreeing to smuggle cocaine from a man who turned out to be a government witness, the U.S. attorney’s office in Houston, Texas, announced Monday.
Shawn Ray Nguyen, 38, and Burlie Sholar, 32, were arrested Thursday after allegedly receiving 15 kilograms of cocaine and $15,000 cash delivered to Nguyen’s home and agreeing to take the drugs on a plane, prosecutors said in court papers.
The U.S. attorney’s office accused the two men of agreeing to use their official positions as federal air marshals to bypass airport security and smuggle the cocaine on board a flight from Houston to Las Vegas, Nevada, in exchange for the money.
Once again, the privileged insider is the threat, and they would have gotten away with it if it wasn’t for those pesky kids! Er, if they hadn’t been narc’ed out.
It’s my understanding that Air Marshals don’t pass through “regular” airport security because they would have to publicly authenticate themselves as Air Marshals in order to get their guns past security, and they’re supposed to be undercover. Unfortunately, this apparently also means that the same preventative controls that the rest of us are subjected to don’t apply to them.
I guess that everyone forgot that those controls are about preventing more than just weapons getting on planes. Sounds like some additional controls are needed, along with a few remedial viewings of Miami Vice.
Posted in Security and Risk Management | No Comments »
So much for high tech security
In “Thieves outwit high-tech advances“, the Los Angeles Times details the ongoing evolution of car theft.
I’d already guessed how the attack was going to work (replace the security module with a compromised one) before I ever read the description, and without any information to work from.
Just like any automotive technology, antitheft systems differ widely in both their design and effectiveness, said Forrest Folck, who operates Motor Vehicle Forensic Services in San Diego.
The LS 400s that were stolen are among models that use a smart key to tie into the car’s electronic control module, or ECM, the central brain for the engine, transmission and related systems. Unless the smart key sends the proper code to the ECM transponder, the ECM disables the electronic fuel-injection system.
Here’s how a criminal ring has defeated it: First, they force the locks on the door and steering column with a custom-made tool, using a socket wrench coupled to a specially machined blank key that fits any Lexus lock and can deform the wafers and tumblers.
Once inside the car, the hood is popped, the steering wheel lock is broken and the ignition electronics can be engaged. Normally, however, the ECM transponder would recognize that the key is not providing the proper security code.
But a second team member goes straight for the ECM, unscrewing the 6-by-8-inch box under the hood and unplugging the 50-pin connector. It is replaced with an altered ECM with a disabled transponder that does not shut down the fuel-injection system, Folck said.
…
Every generation of antitheft technology is good for a while but eventually gets figured out by criminal networks, a cycle Hazelbaker has seen play out before.
“A new technology is good for two or three years before you see the theft statistics creep back up,” he said. “By five or six years, if the manufacturer hasn’t changed the technology, you see the numbers back to where they were before.”
The attack detailed here is a fairly low-tech response to a high-tech countermeasure. The effective countermeasure would need to be low-tech as well. In this case, it would mean placing the computer so that it can only be removed as part of, say, major engine disassembly.
In that case, though, the tradeoff would be dramatically increased maintenance costs for the car’s owner, since all maintenance would require an hour or two of engine work. This would almost certainly exceed the incremental cost of transferring the theft risk with insurance. That calculation leaves out the costs of not deterring theft (catching, prosecuting, and imprisoning car thieves), however, which are an externality to the insurance companies and the victims.
It’s also interesting to me how the organization of car theft sounds like it’s becoming more and more similar to computer crime. I strongly suspect that a small number of true experts identify vulnerabilities, develop exploits and bypasses, then build tools which they sell or rent to the people who actually steal the cars.
That’s not to say that it’s all going high-tech in the world of car theft, though. As the article also points out,
Some theft teams use casters to elevate a car off its wheels and then roll it onto a flatbed tow truck.
At least nobody is losing a finger this time.
Posted in Security and Risk Management, Risk Management | 1 Comment »
Three models for selling “security”, a 100th Risk Management post retrospective
This is the 100th post in my Risk Management category. As I’ve been working on it, this post has turned into sort of a link-o-licious Greatest Hits Show for this blog.
First things first, don’t talk about Security, talk about Risk. All the cool kids are doing it, even if Technorati tags about 200 posts per day as security, compared to one or two Risk Management posts per day. Be sure that whatever you’re proposing can answer these three questions. If you can’t do that, you don’t have a business justification for whatever you’re trying to do and you should wait until you do.
Assuming you made it past that hurdle, it’s time to explain why it matters. Here are three models I have used successfully to sell the need for security effort or expenditure within an organization. Your mileage will vary, of course, and none of them are without pitfalls, but they will probably help overcome Blank Page Syndrome if you’re looking at a blank slide template wondering where to start.
1) Wealth Model - The more security “Wealth” people think they have, the less interested they are in gaining more. The less they have, the more interested they are in gaining more. And if you ever take away people’s security wealth by pointing out how out-of-line their perception is with reality, they will hate you if you don’t have a solution ready for them.
I discussed this approach previously, so read the detail there.
The Wealth approach also requires that the business understand how basic Risk Management concepts apply to information security. The first step in Risk Management is understanding that all security needs are not created equal, and that countermeasures only work if they solve a problem the business has. This is also a good time to make sure that the proposed effort isn’t going to turn into a Big Ball of Duct Tape or a sand castle.
2) Decay Model - “Security measures must be maintained or their effectiveness will decay over time.”
This might also be described as either, “The reward for hard work is more hard work,” or the, “Remember how bad problem x used to be? Well it will be again if you don’t…” approach. This works best to explain the need for ongoing Security Operations expenditures like Anti-Virus and Monitoring.
The Decay Model also aligns well with compliance efforts, which are generally recurring adventures in making reality match the paperwork. Present your effort as
It is also somewhat analogous to the Hamster Wheel of Pain approach to security. You do things only to discover at the end of the effort how much more you have to do, usually by buying more security products.
While I’ve never been a huge fan of this approach, personally, I know people who are. My main gripe is that I feel like it ignores the constantly-changing nature of security. I’ve found that this model works well for justifying the inclusion of security into non-security processes, however.
While new threats emerge all the time, well thought out, consistently applied controls and countermeasures will largely mitigate even the unforeseen threats. If you’re trying to convince people that cultural or procedural changes are needed to protect the organization, rather than just its servers and workstations, this is a good angle to highlight.
Once again, though, be careful to avoid building a sand castle.
3) Inflation Model - “The value of a countermeasure just isn’t what it once was.”
In the Real World, old things like gasoline or movie tickets get more expensive and new costs like cell phones arise.
In the wider world of IT in general, the number of servers and applications keeps rising. The cost and complexity of the technologies required to run a modern business keep rising. The amount of data being stored, and the cost of securing that data, also keeps rising. Why wouldn’t the costs of securing all that stuff keep rising as well?
This is also true in the Security World. Other than commoditization of specific products like anti-virus, security isn’t getting any cheaper. New threats continue to arise, which in turn require new countermeasures, none of which are free. Keeping up with all these systems now requires Security Event Management (SEM) systems to aggregate and report on it all, and SEMs aren’t free either.
There are now so many applications within the average enterprise that an Identity & Access Management solution is needed just to keep track of who has access to what with enough accuracy to satisfy, say, the account management standards within the IT Control Objectives of SoX.
This approach plays well in a negotiation process. Just ask which current piece of the countermeasure puzzle the business thinks they can live without in order to fit the new one in. Then either be prepared to lose that piece or explain what risks will have to be accepted if they get rid of it. If the business picks something they really can live without, be ready to ditch the countermeasure. It will gain you credibility and solve the problem at the same time.
(I was hesitant to include this last one until Mish pointed out how many different ways the term inflation is used. This pretty much guarantees that I will be both right and wrong, depending on who you ask.)
These are far from the only ways to justify security spending. Much of that work isn’t even done formally. The key, really, is to get friendly with the business’ decision-makers. There are areas where they would love to have some help, but if they can’t accept the risk, they have to ignore it until there is a reasonable mitigation option on the table. These sorts of discussions can really only occur outside of any formal channel, though, so if you don’t have an informal channel with those people, opportunities will be missed and risk ignored unnecessarily.
—————–
Finally, I’d like to say thanks to everyone who’s been reading (and especially commenting!) through my first hundred Risk Management posts. Hopefully you’ll still find me worth reading for the next hundred and beyond.
Overkill
According to CNN, the security guards at Lawrence Livermore Labs are now going to be packing 50-round-per-second Gatling guns as part of their physical security:
The weapon, unveiled Thursday, is a six-barrel Gatling gun called the Dillon Aero M134D. An undisclosed number of the guns will be mounted on vehicles and elsewhere at the lab.
“What we want to do is equip our protective force with the capability that will leave no doubt about the outcome,” said Linton Brooks, head of the National Nuclear Security Administration.
Lab critics questioned the wisdom of putting such powerful guns at the lab, which is across the street from suburban homes. They say the real problem is that the lab site, which is relatively small at 1 square mile, is not a good place for nuclear materials.
I also question the wisdom of deploying these things, given that each will be operated by a guy who, based on the CNN photo, is already packing an M4 carbine with at least 400 rounds of ammunition along with a pistol. If they want to step up their defensive capability, I would recommend something different, perhaps increased armor penetration from LAWs, rather than just the ability to put another 3,000 rounds per minute into the air.
Posted in Observations, Security and Risk Management | No Comments »