<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments for Spire Security Viewpoint</title>
	<atom:link href="http://spiresecurity.com/?feed=comments-rss2" rel="self" type="application/rss+xml" />
	<link>http://spiresecurity.com</link>
	<description>Risk and Cybersecurity Analysis</description>
	<lastBuildDate>Wed, 21 Aug 2013 23:28:51 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>Comment on Does &#8220;Risk = T * V * I? Notes on Pr(t) * Pr(v) = Pr(event) by Saso Virag</title>
		<link>http://spiresecurity.com/?p=1359&#038;cpage=1#comment-2986</link>
		<dc:creator>Saso Virag</dc:creator>
		<pubDate>Wed, 21 Aug 2013 23:28:51 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1359#comment-2986</guid>
		<description><![CDATA[Yes, yes indeed. Agree with the &quot;baby steps&quot; approach because anything that turns COSO-style risk managers&#039; world upside down isn&#039;t going to work.

Matter of fact, I made this same argument on R=(T x V) x I some time ago - and then the need for the presentation disappeared.

https://www.dropbox.com/s/031qpofycyq9s4w/Risk%20-%20It%27s%20not%20an%20easy%20formula.pdf]]></description>
		<content:encoded><![CDATA[<p>Yes, yes indeed. Agree with the &#8220;baby steps&#8221; approach because anything that turns COSO-style risk managers&#8217; world upside down isn&#8217;t going to work.</p>
<p>Matter of fact, I made this same argument on R=(T x V) x I some time ago &#8211; and then the need for the presentation disappeared.</p>
<p><a href="https://www.dropbox.com/s/031qpofycyq9s4w/Risk%20-%20It%27s%20not%20an%20easy%20formula.pdf" rel="nofollow">https://www.dropbox.com/s/031qpofycyq9s4w/Risk%20-%20It%27s%20not%20an%20easy%20formula.pdf</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Verizon PCI Report: the PCI 80/20 Rule by Wade Baker</title>
		<link>http://spiresecurity.com/?p=1187&#038;cpage=1#comment-2394</link>
		<dc:creator>Wade Baker</dc:creator>
		<pubDate>Fri, 08 Oct 2010 02:00:02 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1187#comment-2394</guid>
		<description><![CDATA[Hey Pete,

As you know we talked a decent amount about this during the analysis. I find the 80/20 split very interesting. The 80/20 rule has shown up not only in the annual PCI assessments as you discuss but that&#039;s the same ratio we find when doing post-breach PCI assessments as well (except it&#039;s reversed).

I&#039;d like to know if the rule could be applied to effectiveness within the DSS, i.e., do 20% of the controls provide 80% of the security value of the DSS? One day I&#039;ll find some time to study that one a bit more...]]></description>
		<content:encoded><![CDATA[<p>Hey Pete,</p>
<p>As you know we talked a decent amount about this during the analysis. I find the 80/20 split very interesting. The 80/20 rule has shown up not only in the annual PCI assessments as you discuss but that&#8217;s the same ratio we find when doing post-breach PCI assessments as well (except it&#8217;s reversed).</p>
<p>I&#8217;d like to know if the rule could be applied to effectiveness within the DSS, i.e., do 20% of the controls provide 80% of the security value of the DSS? One day I&#8217;ll find some time to study that one a bit more&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Rudeness, risk and vulnerability disclosure by Wade</title>
		<link>http://spiresecurity.com/?p=1153&#038;cpage=1#comment-2372</link>
		<dc:creator>Wade</dc:creator>
		<pubDate>Tue, 04 May 2010 02:06:19 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1153#comment-2372</guid>
		<description><![CDATA[Last paragraph is very well-stated (not that the rest was bad...just saying).]]></description>
		<content:encoded><![CDATA[<p>Last paragraph is very well-stated (not that the rest was bad&#8230;just saying).</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Should we change passwords every 90 days? by Pete</title>
		<link>http://spiresecurity.com/?p=1093&#038;cpage=1#comment-1041</link>
		<dc:creator>Pete</dc:creator>
		<pubDate>Fri, 11 Dec 2009 14:57:07 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1093#comment-1041</guid>
		<description><![CDATA[@ds -

You make a good point. See here for a previous take on it: http://spiresecurity.com/?p=355. I would point out, as I tried to in the previous article, that there is more to password compromise than the crack itself. I would assert that the crack is much less common than the phish and that my argument still holds up with phishing. In addition, we shouldn&#039;t forget the time/effort it takes to get the hash prior to the crack.

&quot;Best practice&quot; is a tricky concept but I agree some sort of multifactor auth solution would fit. I just don&#039;t believe the risk is particularly high for many of the things we require passwords for and so &quot;best&quot; is unnecessarily costly and &quot;reasonable&quot; would work fine.]]></description>
		<content:encoded><![CDATA[<p>@ds -</p>
<p>You make a good point. See here for a previous take on it: <a href="http://spiresecurity.com/?p=355" rel="nofollow">http://spiresecurity.com/?p=355</a>. I would point out, as I tried to in the previous article, that there is more to password compromise than the crack itself. I would assert that the crack is much less common than the phish and that my argument still holds up with phishing. In addition, we shouldn&#8217;t forget the time/effort it takes to get the hash prior to the crack.</p>
<p>&#8220;Best practice&#8221; is a tricky concept but I agree some sort of multifactor auth solution would fit. I just don&#8217;t believe the risk is particularly high for many of the things we require passwords for and so &#8220;best&#8221; is unnecessarily costly and &#8220;reasonable&#8221; would work fine.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Ramblings while reading Microsoft&#8217;s Security Intelligence Report by kurt wismer</title>
		<link>http://spiresecurity.com/?p=1059&#038;cpage=1#comment-983</link>
		<dc:creator>kurt wismer</dc:creator>
		<pubDate>Mon, 16 Nov 2009 20:26:38 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1059#comment-983</guid>
		<description><![CDATA[&quot;page 8: “the most significant trend in 1H09 was the large increase in worm infections detected
in many countries and regions worldwide.” I wonder if this is due to more worms or better detection capabilities.&quot;

not sure, but i have long been predicting a renaissance for self-replicative malware - the economy of effort is just too tempting for the practice to stay out of favour.

 &quot;# page 9: “Computers in enterprise environments (those running Microsoft Forefront™ Client
Security) were much more likely to encounter worms during 1H09 than home computers
running Windows Live™ OneCare™.” Again I wonder if this is an anomaly of better detection techniques.
# page 9: Conficker is top threat with enterprises and not in top ten with consumers. Is this because Conficker targets enterprises or simply because consumers have many other threats that are well-controlled in enterprises?&quot;

one word - patching. enterprises are much less likely to leave automatic updates turned on. as a result vulnerabilities stay unpatched longer in those environments and worms exploiting those vulnerabilities spread better.

&quot;page 12: “Compromised servers acting as exploit servers can have massive reach; one exploit server can be responsible for hundreds of thousands of infected Web pages.” I would not have characterized the number of affected web pages on a single server as “reach”. Am I reading this wrong?&quot;

i wouldn&#039;t characterize it that way either. perhaps the affected webpage stat is to demonstrate *how* such a reach could be accomplished.]]></description>
		<content:encoded><![CDATA[<p>&#8220;page 8: “the most significant trend in 1H09 was the large increase in worm infections detected<br />
in many countries and regions worldwide.” I wonder if this is due to more worms or better detection capabilities.&#8221;</p>
<p>not sure, but i have long been predicting a renaissance for self-replicative malware &#8211; the economy of effort is just too tempting for the practice to stay out of favour.</p>
<p> &#8220;# page 9: “Computers in enterprise environments (those running Microsoft Forefront™ Client<br />
Security) were much more likely to encounter worms during 1H09 than home computers<br />
running Windows Live™ OneCare™.” Again I wonder if this is an anomaly of better detection techniques.<br />
# page 9: Conficker is top threat with enterprises and not in top ten with consumers. Is this because Conficker targets enterprises or simply because consumers have many other threats that are well-controlled in enterprises?&#8221;</p>
<p>one word &#8211; patching. enterprises are much less likely to leave automatic updates turned on. as a result vulnerabilities stay unpatched longer in those environments and worms exploiting those vulnerabilities spread better.</p>
<p>&#8220;page 12: “Compromised servers acting as exploit servers can have massive reach; one exploit server can be responsible for hundreds of thousands of infected Web pages.” I would not have characterized the number of affected web pages on a single server as “reach”. Am I reading this wrong?&#8221;</p>
<p>i wouldn&#8217;t characterize it that way either. perhaps the affected webpage stat is to demonstrate *how* such a reach could be accomplished.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Confirmation Bias at work? by admin</title>
		<link>http://spiresecurity.com/?p=1063&#038;cpage=1#comment-971</link>
		<dc:creator>admin</dc:creator>
		<pubDate>Mon, 09 Nov 2009 04:00:37 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1063#comment-971</guid>
		<description><![CDATA[@Evan -

The interesting aspect of your post was not that it is possible to derive a scenario where what you say is not contradictory; it is that it would be much easier to succumb to Occam&#039;s Razor if your analysis points you in a different direction.

Also, whether or not I dispute some of these points (I do, but more on that later), I was more surprised by your level of certainty with limited evidence. I think some of the points would be very difficult to prove in any case.

Point-by-point:

1) Your reduced rate for covering the same incidents is interesting but beside the point. I think that any breach of more than, say, 1,000 records would be reported on if the media has knowledge of it. Heck, they report on obituaries and everybody dies. They also report on vulnerabilities and there are many, many more of them than breaches. Yes, I dispute this one.

I would be pretty impressed if you could show me a letter to a victim about a breach that wasn&#039;t covered. Clearly, this would be difficult to do.

2) &amp; 3) It is always in the best interests of retailers, etc. and lawyers to downplay breaches. It is also fairly easy to see where you can legally do this and has been for the life of these regulations. If anything, the growth of regs/laws makes it harder in my opinion to hide, not easier.

4) This point doesn&#039;t refute whether data breaches are on a downward trend; it is a hedge against the possibility that they are. Regardless, it would be pretty simple to say something like &quot;in 2004, the average number of records compromised was x; in 2009 that number is now y,&quot; where x&lt;y. 

5) This point in particular doesn&#039;t seem to jibe with your claim that retailers are getting better at security. The evidence is good that the duration of a compromise before discovery is months. I don&#039;t see how you can say this is getting worse - which it would have to in order to contribute to your major assertion.

I am not really asking for &quot;more&quot; proof because no proof was offered to begin with. As I mentioned, my main point was that you had a level of certainty that was hard for me to see and you seemed to ignore the most obvious/simplest explanation in order to fit into some sort of preconceived notions.

Pete]]></description>
		<content:encoded><![CDATA[<p>@Evan -</p>
<p>The interesting aspect of your post was not that it is possible to derive a scenario where what you say is not contradictory; it is that it would be much easier to succumb to Occam&#8217;s Razor if your analysis points you in a different direction.</p>
<p>Also, whether or not I dispute some of these points (I do, but more on that later), I was more surprised by your level of certainty with limited evidence. I think some of the points would be very difficult to prove in any case.</p>
<p>Point-by-point:</p>
<p>1) Your reduced rate for covering the same incidents is interesting but beside the point. I think that any breach of more than, say, 1,000 records would be reported on if the media has knowledge of it. Heck, they report on obituaries and everybody dies. They also report on vulnerabilities and there are many, many more of them than breaches. Yes, I dispute this one.</p>
<p>I would be pretty impressed if you could show me a letter to a victim about a breach that wasn&#8217;t covered. Clearly, this would be difficult to do.</p>
<p>2) &#038; 3) It is always in the best interests of retailers, etc. and lawyers to downplay breaches. It is also fairly easy to see where you can legally do this and has been for the life of these regulations. If anything, the growth of regs/laws makes it harder in my opinion to hide, not easier.</p>
<p>4) This point doesn&#8217;t refute whether data breaches are on a downward trend; it is a hedge against the possibility that they are. Regardless, it would be pretty simple to say something like &#8220;in 2004, the average number of records compromised was x; in 2009 that number is now y,&#8221; where x<y. </p>
<p>5) This point in particular doesn&#8217;t seem to jibe with your claim that retailers are getting better at security. The evidence is good that the duration of a compromise before discovery is months. I don&#8217;t see how you can say this is getting worse &#8211; which it would have to in order to contribute to your major assertion.</p>
<p>I am not really asking for &#8220;more&#8221; proof because no proof was offered to begin with. As I mentioned, my main point was that you had a level of certainty that was hard for me to see and you seemed to ignore the most obvious/simplest explanation in order to fit into some sort of preconceived notions.</p>
<p>Pete</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Confirmation Bias at work? by Evan Schuman</title>
		<link>http://spiresecurity.com/?p=1063&#038;cpage=1#comment-970</link>
		<dc:creator>Evan Schuman</dc:creator>
		<pubDate>Sat, 07 Nov 2009 17:14:42 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1063#comment-970</guid>
		<description><![CDATA[Thanks for the note linking to this story, but I wanted to try and better articulate what that piece was trying to say. As a practical matter, there is no contradiction between the fact that retailers have gotten better at security compared with five years ago (If you remember what things were like with the major retailers about five years ago, it would have been hard for them to have NOT gotten better) and the fact that breaches haven&#039;t sharply reduced.
Consider a neighborhood burglary ring. In a hypothetical community, five years ago was a time when neighbors left their doors unlocked all day, deadbolts were all-but-nonexistent and people regularly and publicly discussed when they&#039;d be out of the house and for how long. Today, this hypothetical community locks their doors, keeps their mouth shut and uses high-security deadbolts. Is the security in that neighborhood much better? Sure. Can you tell me from that the burglary rate in that neighborhood has dropped? Not at all. There are many high-crime neighborhoods that routinely lock and deadbolt and they still have lots of burglaries.
What would more likely happen in that community is the thieves would do an ROI calculation. How valuable are the contents of those houses? If they&#039;re storing lots of expensive pharmaceutical products, gold bars, unopened boxes of high-end electronics and trash bags overflowing with millions of dollars&#039; worth of unmarked bills, the thieves will figure out ways around those deadbolts.
In retail today, the payment card data--and, to a lesser extent, CRM data--is worth a huge amount to cyber thieves. Therefore, there&#039;s no contradiction between pointing out that retailers are much more secure but that the thieves are having to work harder to get at the stored goodies.
You also raised this point: &quot;I have a hard time understanding how Schuman can be so sure when he offers essentially zero evidence for his assertions.&quot; There&#039;s nothing especially mysterious about the points raised. Are you disputing any of them?
Just working off of your summary of the story. I&#039;ll try and explain each element and why I saw no need for further proof (but I&#039;ll be happy to offer more privately, if you&#039;d like). 
1) &quot;Media outlets are less interested in data breaches and therefore not publicizing them as frequently.&quot;
We scan tons of media outlets every day as we try and track security issues closely. We have simply seen a marked reduction in how often those stories are covered. There&#039;s nothing surprising there. Data breaches were much more newsworthy a year or two ago. Now the typical small breach is a yawner. Searches on Google, Yahoo, Bing and others will make this abundantly clear.
2) &quot;Retailers, banks, and hospitals (etc) are getting better at hiding breaches.&quot; In talking with retailer and bank IT managers daily, they have learned a lot from the TJX and related breaches and have poured more resources into this. Do you dispute that? 
3) &quot;Lawyers are getting better at skirting disclosure laws.&quot;
As more state disclosure laws--often contradictory--get passed, companies are understanding what the exemptions are. The &quot;law enforcement is investigating&quot; exemption is probably the most popular. Again, have you seen that lawyers are getting worse at this? The disclosure laws are relatively new and they clearly are getting better as they learn them.
4) &quot;Even if the number of breaches are lower, there are (or may be) larger numbers of cards/records being compromised.&quot;
As Visa and other card brands crack down and are getting better at detecting fraudulent activity early, the cyber thieves need to target larger numbers of cards during any one heist. It&#039;s the only way that they can emerge with enough valid names to make a strong profit. 
5) &quot;Retailers (et.al. I assume) don’t know about some breaches and therefore can’t report them.&quot; As we&#039;ve reported many times, the major breaches are generally discovered first by the card brands and the U.S. Secret Service (or a processor) and the retailer is then given a heads up that they&#039;re the common point of purchase. Are you disputing that? Typically, when someone asks for more proof, it&#039;s usually because they disagree with one or more points. Are you?]]></description>
		<content:encoded><![CDATA[<p>Thanks for the note linking to this story, but I wanted to try and better articulate what that piece was trying to say. As a practical matter, there is no contradiction between the fact that retailers have gotten better at security compared with five years ago (If you remember what things were like with the major retailers about five years ago, it would have been hard for them to have NOT gotten better) and the fact that breaches haven&#8217;t sharply reduced.<br />
Consider a neighborhood burglary ring. In a hypothetical community, five years ago was a time when neighbors left their doors unlocked all day, deadbolts were all-but-nonexistent and people regularly and publicly discussed when they&#8217;d be out of the house and for how long. Today, this hypothetical community locks their doors, keeps their mouth shut and uses high-security deadbolts. Is the security in that neighborhood much better? Sure. Can you tell me from that the burglary rate in that neighborhood has dropped? Not at all. There are many high-crime neighborhoods that routinely lock and deadbolt and they still have lots of burglaries.<br />
What would more likely happen in that community is the thieves would do an ROI calculation. How valuable are the contents of those houses? If they&#8217;re storing lots of expensive pharmaceutical products, gold bars, unopened boxes of high-end electronics and trash bags overflowing with millions of dollars&#8217; worth of unmarked bills, the thieves will figure out ways around those deadbolts.<br />
In retail today, the payment card data&#8211;and, to a lesser extent, CRM data&#8211;is worth a huge amount to cyber thieves. Therefore, there&#8217;s no contradiction between pointing out that retailers are much more secure but that the thieves are having to work harder to get at the stored goodies.<br />
You also raised this point: &#8220;I have a hard time understanding how Schuman can be so sure when he offers essentially zero evidence for his assertions.&#8221; There&#8217;s nothing especially mysterious about the points raised. Are you disputing any of them?<br />
Just working off of your summary of the story. I&#8217;ll try and explain each element and why I saw no need for further proof (but I&#8217;ll be happy to offer more privately, if you&#8217;d like).<br />
1) &#8220;Media outlets are less interested in data breaches and therefore not publicizing them as frequently.&#8221;<br />
We scan tons of media outlets every day as we try and track security issues closely. We have simply seen a marked reduction in how often those stories are covered. There&#8217;s nothing surprising there. Data breaches were much more newsworthy a year or two ago. Now the typical small breach is a yawner. Searches on Google, Yahoo, Bing and others will make this abundantly clear.<br />
2) &#8220;Retailers, banks, and hospitals (etc) are getting better at hiding breaches.&#8221; In talking with retailer and bank IT managers daily, they have learned a lot from the TJX and related breaches and have poured more resources into this. Do you dispute that?<br />
3) &#8220;Lawyers are getting better at skirting disclosure laws.&#8221;<br />
As more state disclosure laws&#8211;often contradictory&#8211;get passed, companies are understanding what the exemptions are. The &#8220;law enforcement is investigating&#8221; exemption is probably the most popular. Again, have you seen that lawyers are getting worse at this? The disclosure laws are relatively new and they clearly are getting better as they learn them.<br />
4) &#8220;Even if the number of breaches are lower, there are (or may be) larger numbers of cards/records being compromised.&#8221;<br />
As Visa and other card brands crack down and are getting better at detecting fraudulent activity early, the cyber thieves need to target larger numbers of cards during any one heist. It&#8217;s the only way that they can emerge with enough valid names to make a strong profit.<br />
5) &#8220;Retailers (et.al. I assume) don’t know about some breaches and therefore can’t report them.&#8221; As we&#8217;ve reported many times, the major breaches are generally discovered first by the card brands and the U.S. Secret Service (or a processor) and the retailer is then given a heads up that they&#8217;re the common point of purchase. Are you disputing that? Typically, when someone asks for more proof, it&#8217;s usually because they disagree with one or more points. Are you?</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Lindstrom&#8217;s Razor is not about security spending by Pete</title>
		<link>http://spiresecurity.com/?p=1052&#038;cpage=1#comment-944</link>
		<dc:creator>Pete</dc:creator>
		<pubDate>Mon, 26 Oct 2009 03:41:41 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1052#comment-944</guid>
		<description><![CDATA[@Russell -

I think you are making this too complicated. I stipulate that there are big question marks about value and made a handful of points in this arena in my previous post here: http://spiresecurity.com/?p=1046. But these are non-market goods and value is determined by the stakeholders&#039; willingness to pay. There are many reasons that value can change over time and vary from person to person, but at the time a decision to buy is being made I am hard-pressed to believe that any stakeholder a moment after having made a major purchase would say it wasn&#039;t worth it. This is the rule of thumb.

Thanks,

Pete]]></description>
		<content:encoded><![CDATA[<p>@Russell -</p>
<p>I think you are making this too complicated. I stipulate that there are big question marks about value and made a handful of points in this arena in my previous post here: <a href="http://spiresecurity.com/?p=1046" rel="nofollow">http://spiresecurity.com/?p=1046</a>. But these are non-market goods and value is determined by the stakeholders&#8217; willingness to pay. There are many reasons that value can change over time and vary from person to person, but at the time a decision to buy is being made I am hard-pressed to believe that any stakeholder a moment after having made a major purchase would say it wasn&#8217;t worth it. This is the rule of thumb.</p>
<p>Thanks,</p>
<p>Pete</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Lindstrom&#8217;s Razor is not about security spending by Russell Thomas</title>
		<link>http://spiresecurity.com/?p=1052&#038;cpage=1#comment-941</link>
		<dc:creator>Russell Thomas</dc:creator>
		<pubDate>Sat, 24 Oct 2009 05:45:56 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1052#comment-941</guid>
		<description><![CDATA[Ah... thanks for the clarification.

So &quot;Lindstrom&#039;s Razor&quot; is just a rule of thumb to estimate the MINIMUM value of a digital asset, is it?

If so, then I don&#039;t support even this simple rule.  It may seem dumb to invest more in an asset than it&#039;s worth, but plenty of people who have studied IT carefully (in an enterprise context) believe it happens all the time.  (I&#039;m thinking of Nicholas Carr and Paul Strassman, as the most vocal proponents of this view.)

Going back to the 1960s, Peter Drucker observed that cost streams are only loosely related to revenue streams, and that unless there was active management and discipline (a.k.a. metrics, learning), costs tend to increase due to wasteful or misdirected activities -- the same way that committees spawn yet more committees.

So it is with IT systems and digital assets of various kinds.  Systems and complexity tend to spawn yet more systems and complexity, without any necessary connection to the drivers of business value.  How much this happens and where it shows up all depends on the nature of the organization, its relationships with customers, competitors, and other market forces, etc.  Without much &quot;selective pressure&quot; from outside forces, IT systems can bloat all out of proportion and yield negative returns in aggregate and even on average.

I&#039;m all in favor of good rules of thumb, but I don&#039;t think that &quot;spending on an asset&quot; is a good rule of thumb for a minimum asset value.

Thanks for the debate!

Russell Cameron Thomas]]></description>
		<content:encoded><![CDATA[<p>Ah&#8230; thanks for the clarification.</p>
<p>So &#8220;Lindstrom&#8217;s Razor&#8221; is just a rule of thumb to estimate the MINIMUM value of a digital asset, is it?</p>
<p>If so, then I don&#8217;t support even this simple rule.  It may seem dumb to invest more in an asset than it&#8217;s worth, but plenty of people who have studied IT carefully (in an enterprise context) believe it happens all the time.  (I&#8217;m thinking of Nicholas Carr and Paul Strassman, as the most vocal proponents of this view.)</p>
<p>Going back to the 1960s, Peter Drucker observed that cost streams are only loosely related to revenue streams, and that unless there was active management and discipline (a.k.a. metrics, learning), costs tend to increase due to wasteful or misdirected activities &#8212; the same way that committees spawn yet more committees.</p>
<p>So it is with IT systems and digital assets of various kinds.  Systems and complexity tend to spawn yet more systems and complexity, without any necessary connection to the drivers of business value.  How much this happens and where it shows up all depends on the nature of the organization, its relationships with customers, competitors, and other market forces, etc.  Without much &#8220;selective pressure&#8221; from outside forces, IT systems can bloat all out of proportion and yield negative returns in aggregate and even on average.</p>
<p>I&#8217;m all in favor of good rules of thumb, but I don&#8217;t think that &#8220;spending on an asset&#8221; is a good rule of thumb for a minimum asset value.</p>
<p>Thanks for the debate!</p>
<p>Russell Cameron Thomas</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on What is &#8220;Lindstrom&#8217;s Razor&#8221;? by On the value of &#8216;digital asset value&#8217; for security decisions &#171; The New School of Information Security</title>
		<link>http://spiresecurity.com/?p=1046&#038;cpage=1#comment-940</link>
		<dc:creator>On the value of &#8216;digital asset value&#8217; for security decisions &#171; The New School of Information Security</dc:creator>
		<pubDate>Fri, 23 Oct 2009 23:45:34 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/?p=1046#comment-940</guid>
		<description><![CDATA[[...] etc.)&#8221; .  This came to light as I read the commentary on other blogs by Andrew Jacquith, Pete Lindstrom, Matthew Rosenquist, and Gunnar Peterson.  (I&#8217;m also anticipating Alex Hutton&#8217;s [...]]]></description>
		<content:encoded><![CDATA[<p>[...] etc.)&#8221; .  This came to light as I read the commentary on other blogs by Andrew Jacquith, Pete Lindstrom, Matthew Rosenquist, and Gunnar Peterson.  (I&#8217;m also anticipating Alex Hutton&#8217;s [...]</p>
]]></content:encoded>
	</item>
</channel>
</rss>
