» Archive for April, 2006
Deperimeter, global and other -izations
I just wrapped up the day at the Open Group’s Jericho Forum Annual Meeting.
Lots of good work has been going on within the Forum’s working groups. Unfortunately, other than attending the meetings and carrying the deperimeterization torch back in the office, I haven’t done anything to advance any of it. Many people I speak with looked at the forum’s work early on and wrote it off. I strongly suggest that you take another look if this is an area that interests or affects you.
I think my favorite quote of the day came from Nick Bleech, CSO of Rolls-Royce, who said, “Deperimeterization is happening. It’s not a strategy, it’s an ‘-ization.’ It’s like globalization–it’s happening.”
In the corporate environment, assets can be protected at various levels, ranging from an individual column of a database all the way up to the entire company. Traditionally, IT assets have been protected from outsiders at the network perimeter by firewalls and at the host or application level with passwords.
If perimeter firewalls are the Maginot Line, then most of us are still in the Sitzkrieg, waiting for the killer app or killer business change that’s going to fly over or roll around the perimeter firewall like it’s not even there.
Did you laugh the first time you heard HTTPS referred to as the “Universal Firewall Bypass Protocol?” If so, then you should realize that the waiting is over; you just haven’t noticed it yet.
The good news is that the frameworks and architectures necessary to move this from users “self-enabling” to something that the company can actually manage are about ready. Most of the “hard” problems seem to be well-enough under control from a technical perspective, meaning it’s time to see what happens at the business layer.
And that is where the real fun begins. What are the implications of eroding perimeter controls for the business? What new risks are emerging as a result that are not currently being identified, measured and managed? What opportunities are also emerging, and what are the tradeoffs between the two going to look like?
Consider the outsourcing arrangements this makes possible if you can now offer technical controls that (you think) adequately protect your data in an outsourced environment. But how do you either make sure that your lowest-cost provider isn’t going to re-outsource your work to someone else in turn, or manage the increase in risk inherent in doing so? How much of a premium are you willing to pay the outsourcer for that extra restriction? How much should you be willing to pay?
Deperimeterization is increasing volatility in the business world. Businesses need to decide how they’re going to manage the increased risk that comes with it. Will they attempt to mitigate the risk and put the genie back in the bottle? That may work for a while, but only until someone else accepts it, takes the bet and wins. At that point, those who chose mitigation are no longer competitive and it’s game over for them. Now that is truly “Security as an Enabler.”
What a great time to be in the Information Risk Management business.
Just what I needed, another variable
DamnInteresting has an article today about The Balance of Risk which is, pardon the pun, damn interesting.
Let’s suppose your child wants to take a martial arts class. Being a conscientious parent, you check out the local dojos and find two good places. Both are suitable and well equipped. Both practice fighting with contact – but there’s one major difference. One dojo insists on a full range of protective padding – hands, feet, chest protectors, shin guards – the whole works. The other takes a much lighter approach - hands and feet, and sometimes not even those.
To the conscientious parent, the first place is going to look much safer, right? But when you look at the injury rates of the two dojos, you notice something odd: They’re about the same. The kids covered in foam padding are getting just as many bruises, scrapes, and sprains as the kids wearing almost none. What could be going on here?
What’s happening is a process known as risk compensation. It’s a tendency in humans to increase risky behavior proportionately as safeguards are introduced, and it’s very common. So common, in fact, as to render predictions of how well any given piece of safety equipment will work almost useless.
Their key points:
1) People have a risk “comfort” zone
2) People will adjust the amount of risk they perceive themselves as accepting both down and up to get within that risk comfort zone. This is called Risk Homeostasis
3) People only adjust their risk level if it gives some advantage
4) People adjust to their perceived risk level, not the actual risk level
I look at this and ask myself, How can I use this to my advantage?
What I want to do is reduce risk by getting certain people to lower their risk appetite. If I add controls but don’t tell them, then they will not compensate their behavior upwards. If I tell them I’m adding controls, but then I don’t, then they will adjust their risk appetite accordingly as well.
Going back to the article:
For instance, a study of Munich taxicab drivers conducted while the taxicab fleet was being changed over to ABS braking systems. The drivers were tracked by observers unaware of which kind of brakes each cab had. Against the expectations of safety experts who recommend ABS brakes as a safety advance, the drivers with ABS brakes actually had more accidents per vehicle mile than those without. The drivers braked more sharply, made tighter turns, drove at higher speeds, and made a number of other adjustments to their driving, all of which more than compensated for their supposedly safer cabs.
So if I implement a safeguard which only mitigates the risk at certain times or under certain conditions, people will still adjust their perceived risk level based on the safeguard being present all the time.
I don’t have solid data handy, but this would seem to be consistent with what I see with our efforts at protecting mobile users (laptops) from themselves. We do an excellent job of protecting people from viruses, worms, spyware, and other forms of malware so long as they’re on the corporate network and protected by our perimeter controls.
Once they get out in the world, however, most of our safeguards go away, but users still assume that they’re “protected.” The high rate of malware detection in the morning of a given region, with the peak on Monday morning, would seem consistent with this behavior.
So, again, I ask myself, How can I use this to my advantage?
I can see two ways. The first is to view security as an enabler. If the business can take more risks with a decrease (or less than a corresponding increase) in incidents, then I have effectively added value. How much will vary from project to project, but overall, the key is that people are able to do things that were previously “too risky.”
The other way is to find ways to change perception without actually doing anything. This is similar to the old time-motion and productivity studies which found that any change which convinces people they are being measured would increase their productivity. If it is true that any change in perceived safeguards will affect actual risk appetite accordingly, then I should ask myself, What can I do or tell people that will make them take fewer unnecessary risks but doesn’t actually require any more budget than the cost of communicating? I’ll call it Social Engineering For Good.
(Note that there is significant credibility risk in bluffing, usually far out of line with any possible benefit.)
So can I have it both ways? Can I provide safeguards and not have users increase their risk acceptance accordingly? Maybe the answer is that I can’t, assuming this truly is human nature. But I can consider the behavioral impacts on actual risk mitigated when adding part-time or limited-case protections, and knowing is half the battle.
Posted in Security and Risk Management, Risk Management | 2 Comments »
Everything old is new again
John Pescatore breaks down phishing, pharming, spam, viruses, and the rest of the social engineering-related Badness starting with his generation and working his way down, finally thinking about the children.
As today’s 9 year olds start using the web, they will be even more suspicious of what they see on their always online PC screen.
This could mean that 10 years from now, as today’s 19 year olds become tomorrow’s 29 year old office workers, that viruses and phishing attacks will be so over - routinely ignored by the targets. Or it could mean that Moore’s and Metcalfe’s laws will give the attackers more ways to create more clever attacks and fool the next generation.
I’m betting on the latter - and not just for job security. Think about the advertising market - they basically have the same problem the online criminals do. They have to try to drive your behavior by showing you a billboard, a TV or newspaper or online ad, or having you listen to an audio ad. They have to trick you into believing that their toothpaste is different than the other 92 brands or that their lite beer will cause Baywatch babes to mudwrestle at the next table over.
I’ve been using email since I got started with FIDONet over a Hayes Smartmodem 300, or about 70% of my life. I’m in the missing generation of John’s post, which means that I got to see all the Bad Things that could happen even without widespread access to IP networks or the Web.
This includes fun things like having to virus scan a thousand floppies to make sure that you wipe out the office’s Stoned outbreak.
It’s too bad I didn’t have a blog at the time on which to complain about it. Ah, what posts those would have been…
Posted in Security and Risk Management, Network Security | 1 Comment »
No such thing as a Second Chance
Jeffrey Young, a reporter at ZDNet, got taken on eBay.
So we bid on a bag. As usual (as counseled by our daughter), nothing much happened until the very last half hour, when one bidder pushed up the bid price until it exceeded our “maximum” (the price we had shared with eBay as our limit.) We were disappointed, but philosophical. There were several others on offer after all. One would be ours.
The next morning I was surprised to find an official email from eBay informing me that although I had lost the auction, the winner had backed out and I now had a “Second Chance” to buy the bag for my bid “limit” amount. I was a bit nonplussed that what I had thought was a private amount was now being publicly revealed, and I wondered how the buyer could have decided to back out between Sunday night and Monday morning when the email was sent to me, but no matter. I went ahead and agreed to the “Second Chance” deal. After all, I had been willing to pay that much so what was the problem?
The problem, of course, is that it’s fraud. Mr. Young got taken in more ways than that, though. He paid hundreds of dollars for a cheap fake. Fake goods in the supply chain are something I’ve discussed previously, so I’ll leave this at that. One of the articles I referenced in that post even mentioned eBay as a conduit for passing counterfeit goods.
Today, I’m interested in obvious fraud that could be easily addressed. Good Faith, the premise that both participants in the transaction are acting honestly, and a little bit of greed are the necessary elements for the fraud to work in the current system.
Nothing can be done about the greed; people have been looking for bargains and taking advantage of one another for thousands of years. What can be changed, however, is the information available to play the eBay game.
The mere existence of “Second Chance” is interesting because it indicates to me that eBay has significant enough outtrade and settlement risk issues that they’re losing a significant number of sellers, so they’ve created Second Chance as a mechanism to help sellers better mitigate settlement risk. Unfortunately, they’ve tilted the balance in favor of unscrupulous sellers in the process.
Look at the risks of Shill Bidding from the seller’s perspective. If they get too greedy, they will exceed the limit of their bidders and wind up “winning” their own auction. This costs them whatever the listing fee on the item was, and they still have to re-list (and re-pay the fee), doubling their transaction cost, and then hope that they don’t overbid the auction again.
Now, thanks to Second Chance, eBay has effectively provided a safeguard which mitigates the risk to a greedy seller of exceeding the buyer’s maximum price. The dishonest seller can now safely discover the real winning bidder’s limit without having to double their transaction fee to obtain the information.
The sad thing about this problem is that there is an easy solution. Just add some transparency to the whole process. This would allow bidders to decide if a seller had a higher outtrade rate than they were comfortable with. Allowing the buyer to make an informed decision about whether or not a seller seemed to have an unacceptably high rate of outtrades or Second Chances would introduce a more objective mechanism than the reputational parody called feedback.
eBay could provide statistics on the number of auctions a seller offered through “Second Chance,” along with some comparative system-wide data on other sellers of their volume, product, or price point. Sellers who attempted to abuse Second Chance would be relatively easy to spot. Shill bidders would be forced to curtail their greed, which would be a good thing, since Shill Bidding isn’t going away any time soon despite any effort eBay might make.
All but the most innumerate shoppers could tailor their bidding and, more importantly, make decisions on whether or not to accept Second Chance offers appropriately.
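The seller-level transparency described above could be reduced to a simple comparison: each seller’s Second Chance rate against the median rate of sellers of similar volume. The following is an added example, not eBay’s code or anything the post describes as implemented; the seller records are constructed, and the volume buckets, the 3× multiplier, the absolute floor and the minimum auction count are all assumptions chosen to illustrate the rule.

```python
"""Flag sellers whose Second Chance rate is out of line with their peers.

Added example, not eBay's system.  The seller records are constructed and
the volume buckets and thresholds below are assumptions.
"""
from statistics import median

# Constructed sample: (seller, auctions listed, Second Chance offers made).
SAMPLE_SELLERS = [
    ("bagman42", 200, 4),
    ("vintagehandbags", 180, 3),
    ("luxe-outlet", 210, 42),
    ("dealz4u", 30, 1),
    ("collector_jane", 25, 0),
    ("fastflip", 28, 9),
]


def volume_bucket(auctions, threshold=100):
    """Assumed peer grouping: high-volume sellers are compared with each other."""
    return "high" if auctions >= threshold else "low"


def second_chance_rate(auctions, offers):
    """Fraction of a seller's auctions that ended in a Second Chance offer."""
    return offers / auctions if auctions else 0.0


def peer_medians(sellers):
    """Median Second Chance rate within each volume bucket."""
    by_bucket = {}
    for _name, auctions, offers in sellers:
        rate = second_chance_rate(auctions, offers)
        by_bucket.setdefault(volume_bucket(auctions), []).append(rate)
    return {bucket: median(rates) for bucket, rates in by_bucket.items()}


def flag_sellers(sellers, multiplier=3.0, floor=0.05, min_auctions=20):
    """Return (seller, rate, peer median) for sellers whose rate exceeds
    multiplier x the peer median.

    The absolute floor handles the edge case of a bucket whose median is 0,
    where any nonzero rate would otherwise be flagged; min_auctions skips
    sellers with too little history to judge (one Second Chance on five
    listings is noise, not evidence).
    """
    medians = peer_medians(sellers)
    flagged = []
    for name, auctions, offers in sellers:
        if auctions < min_auctions:
            continue
        rate = second_chance_rate(auctions, offers)
        baseline = medians[volume_bucket(auctions)]
        if rate > max(multiplier * baseline, floor):
            flagged.append((name, round(rate, 3), round(baseline, 3)))
    return sorted(flagged)


def accept_second_chance(seller, sellers, **thresholds):
    """Buyer-side rule: decline Second Chance offers from flagged sellers."""
    flagged = {name for name, _, _ in flag_sellers(sellers, **thresholds)}
    return seller not in flagged


if __name__ == "__main__":
    for name, rate, baseline in flag_sellers(SAMPLE_SELLERS):
        print(f"{name}: Second Chance rate {rate:.1%} vs peer median {baseline:.1%}")
```

Comparing within a volume bucket matters because a seller with a handful of listings and one Second Chance would otherwise look worse than a high-volume seller with dozens; the peer median is what the post’s “comparative system-wide data” would provide.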
Unless, of course, eBay is more concerned about
1) competition among auction sites for sellers (who are the actual revenue stream) than for buyers;
2) maximizing prices paid, since they take a percentage of the final auction price; or
3) scaring people off by acknowledging fraud (and how to avoid or fight it) rather than actually fighting the fraud or driving the fraudsters elsewhere*
than ensuring that people feel that eBay is running an “honest” marketplace.
* This was the case when I first waded into the ecommerce fray. Once I began tackling fraud problems in earnest (despite some initial internal resistance), however, it became a positive piece of our brand. We received significant numbers of unsolicited comments from customers that they preferred us to our competitors because we did a better job of keeping our site “clean.”
Posted in Security and Risk Management, Risk Management | 1 Comment »
Jackpot!
The Washington Post breaks it down
It’s easier to rig an electronic voting machine than a Las Vegas slot machine, says University of Pennsylvania visiting professor Steve Freeman. That’s because Vegas slots are better monitored and regulated than America’s voting machines.
Find the fun-filled comparison chart at the link.
Posted in Security and Risk Management | 2 Comments »
And if you believe that one…
Did anyone actually believe that SoX compliance would get cheaper over time?
The pain was supposed to subside for companies after the first year of the Sarbanes-Oxley Act, as business pundits predicted that investments in pricey technologies and accounting infrastructure would peter out after taking a big, one-time bite out of Corporate America’s bottom line.
The pundits were wrong. A Boston Business Journal analysis of 27 public companies in Massachusetts shows their auditing costs spiked 26 percent last year, bringing their total increase to 103 percent since SOX became effective in 2004. In total, the group spent $56.6 million on SOX and related auditing costs last year, or around 2 percent of their 2005 operating income.
Two years ago, when IT people would ask me, “What is SoX?” I described it as a law which made CFOs and controllers of public companies criminally liable for inaccurate financial reports due to controls breakdowns. What that meant to the IT teams, I told them, was that the IT staff would have to actually start following the policies they had been claiming to follow for years.
Why anyone thought that this would get significantly cheaper over time is beyond me.
I think my personal low point of that first year of SoX efforts was the conversation that went like this:
Me: “How often do you conduct account reviews, and what’s the process?”
IT Manager: “What’s an account review?”
Me: “That thing you supposedly do every year.”
IT Manager: “Oh.”
Posted in Security and Risk Management | No Comments »
Ending malware in the enterprise
We have reached the point where malware, like the Blue Screen of Death, is viewed as an inevitable annoyance. Both of them are people problems, the difference being that while I have no control over the behavior of Microsoft’s employees, I can have an impact on the behavior of my own company’s employees.
That is why I am proposing a three-step program which I believe will reduce malware in our enterprise by about 98%, requires no additional technology beyond what we already have in place today, and will succeed within 90 days.
Once I had time to actually read the New Yorker Article about “Million Dollar Murray” that John Quarterman referenced over at Perilocity, I started thinking about how a similar approach could be applied to our corporate malware problem.
The New Yorker article (by Malcolm Gladwell, of “Tipping Point” fame) focuses on how case workers identified the chronically homeless people who cost the most, the ones with a bad habit of winding up in the hospital on a regular basis (he nicknames one of them “Million Dollar” Murray, based on the researchers’ estimate that the man had cost the state over a million dollars in hospital expenses).
Here in the enterprise, I have a similar situation. Based on monthly reports I get from our Security Operations Center, about 98% of our malware problems are caused by 2% of the users, the vast majority of them using laptops. This makes sense, given that our perimeter malware controls are, at this point, supreme overkill.
Right now, my company spends absurd amounts of money, resources, and mindshare dealing with malware of various stripes, and very nearly none of it comes in through the firewall. Nearly all of it is on laptops, and malware incidents (e.g. worms) almost always impact us at the start of the work day, confirming my theory that the infections occur while the machines are off-premises.
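The two observations that drive this proposal, and the Monday-morning detection peak noted in the risk-compensation post above, are all things a reader can check against their own SOC reports with a few lines of analysis. The following is an added example, not the author’s SOC report or tooling; the record layout (timestamp, user, host type, detection name) and the ten incident lines are constructed, the 08:00 to 10:00 “start of the work day” window is an assumption, and the functions are the kind of concentration checks that would show whether the 2%/98% pattern holds.

```python
"""Where do the malware incidents come from?  Concentration analysis over
constructed SOC incident records.

Added example, not the author's SOC report.  The record layout
(timestamp user host-type detection) and the sample lines are constructed.
"""
from collections import Counter
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample: 2006-04-03 and 2006-04-10 are Mondays.
SAMPLE_INCIDENTS = """\
2006-04-03T08:12:00 alice laptop W32/Sober
2006-04-03T08:20:00 bob laptop W32/Sober
2006-04-03T08:25:00 alice laptop Spyware/CoolWeb
2006-04-03T14:40:00 carol desktop W32/Sober
2006-04-04T08:05:00 bob laptop W32/Bagle
2006-04-05T08:30:00 alice laptop W32/Bagle
2006-04-06T09:10:00 dave laptop Adware/Generic
2006-04-10T08:15:00 alice laptop W32/Sober
2006-04-10T08:18:00 bob laptop W32/Sober
2006-04-10T08:40:00 erin laptop Spyware/CoolWeb
"""


def parse_incidents(text):
    """Parse one incident per line into dicts; blank lines are ignored."""
    incidents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, host_type, detection = line.split()
        incidents.append({
            "when": datetime.fromisoformat(stamp),
            "user": user,
            "host_type": host_type,
            "detection": detection,
        })
    return incidents


def user_concentration(incidents, fraction):
    """Share of all incidents caused by the top `fraction` of users.

    At least one user is always counted, so the check is meaningful even on
    a small sample; with 2% of a large user base this is the post's figure.
    """
    if not incidents:
        return 0.0
    counts = Counter(i["user"] for i in incidents)
    top_n = max(1, round(fraction * len(counts)))
    top_total = sum(c for _, c in counts.most_common(top_n))
    return top_total / len(incidents)


def laptop_share(incidents):
    """Fraction of incidents seen on laptops rather than desktops."""
    if not incidents:
        return 0.0
    return sum(i["host_type"] == "laptop" for i in incidents) / len(incidents)


def morning_share(incidents, start_hour=8, end_hour=10):
    """Fraction detected in the first hours of the work day (assumed 08:00
    to 10:00), the window in which a machine infected off-premises first
    touches the corporate network and its perimeter controls."""
    if not incidents:
        return 0.0
    hits = sum(start_hour <= i["when"].hour < end_hour for i in incidents)
    return hits / len(incidents)


def weekday_histogram(incidents):
    """Incidents per weekday; a Monday spike points at weekend infections."""
    return dict(Counter(DAYS[i["when"].weekday()] for i in incidents))


def repeat_offenders(incidents, min_count=2):
    """Users with at least `min_count` incidents: the population the
    proposal's steps are aimed at."""
    counts = Counter(i["user"] for i in incidents)
    return sorted(u for u, c in counts.items() if c >= min_count)


if __name__ == "__main__":
    inc = parse_incidents(SAMPLE_INCIDENTS)
    print("top 40% of users:", user_concentration(inc, 0.4))
    print("laptops:", laptop_share(inc))
    print("08:00-10:00:", morning_share(inc))
    print("by weekday:", weekday_histogram(inc))
    print("repeat offenders:", repeat_offenders(inc))
```

On the constructed sample the top two of five users account for 70% of incidents, 90% are on laptops, 90% are detected between 08:00 and 10:00, and seven of ten land on a Monday; on real SOC data the same four numbers are what would confirm or refute the off-premises theory before anyone is counselled or tethered.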
Which brings me to my Modest Proposal. It’s only applicable to large enterprises, but I figure that this stuff has to start somewhere.
Step 1: Teaching
The goal here is to filter out those who either know better but make poor decisions or would do the right things if they knew what they were.
Users are identified and counseled about Acceptable Use. Their machines are rebuilt from scratch to ensure a Known Good configuration is in place at that point in time. They are reminded that the machine is company property and should be treated as such.
They must read and sign the company’s Acceptable Use Policy, a copy of which will be filed with HR. Lastly, their manager is informed that their machine has been rebuilt due to malware.
Step 2: Tethering
Anyone who has been through Step One and winds up with more malware on their machine is not capable of working outside our perimeter controls. To ensure they do not, their laptop will be replaced with a desktop machine.
They will be counseled again. Around here, though, not having a laptop is a significant prestige loss. The perception is that only the Unimportant don’t need to be elsewhere, laptop in hand.
Step 3: Termination
If a person manages to get malware onto a desktop machine inside our firewall, they are doing something Very Wrong. They are either malicious or terminally stupid, but either way, their presence in the company is probably a net-negative.
Harsh? You betcha. Effective? I’ll bet that most of those 2% of users are just plain clueless and will get with the program once they realize that we’re getting serious about cleaning up the mess. People think that it’s OK to surf dodgy porn with their work-owned laptop, so long as they’re not at work when they do it. They just don’t understand the risks, even if only to themselves.
Are we going to lose some folks with this policy? Probably. But unlike the State of Nevada and Million Dollar Murray, we can.
Update: Changed the name of Step One from “Cleanup and Education” to “Teaching” to give it a nice alliterative sound.
