jump to navigation

Who’s Risk Is It Anyway? June 6, 2016

Posted by wastedspacer in IT Security, Notable Incidents, Risk, Social State, Spam, SPIM and other annoyances, Technologies.
Tags: , , , , , ,
add a comment

Nolan GouldHuman beings as a species are generally terrible at rationally assessing risk. This is particularly apparent when we consider basic everyday risks as well as common threats and risk from an IT security standpoint.

All thanks to the media, blogs, viral videos and security services the general public substantially overestimate the likelihood of spectacular, headline-worthy catastrophes.  At the same time completely ignoring many extreme dangers posed by common, everyday activities.

A prime example of this irrationality is a fear of flying. Fueled by news reports citing terrorism, bomb-threats, near misses as well as mysterious or even spectacular plane crashes. Other perceived threat vectors come from government agencies with a stated vested interest in keeping us safe (and of course themselves funded). Consequently, airport security screening services further amplify this level of latent terror for the misinformed traveler.

The end-result, we in the US put up with paying(as of 2015) another $7 Billion in taxes and even more added to the cost an airline ticket for the illusion of feeling safe. As the former FBI assistant director when asked about an effective method to fund anti-terrorism he put it thus: “Keep Fear Alive”. The FBI can’t even explain their success metrics around the perceived “war on terrorism”. The only real measurement we appear to fall back on is when the security fails! The only answer seems to be: we need to spend more!

Tragically, this appears to be a similar rhetoric that the terrorists themselves use to measure how effective their terrorism is on their intended target populations. The more perceived threats and the larger the anti-terror agencies become the more apparent they are as they broadcast the potential threats posed by future terrorism! Aside from the actual heinous terrorist attacks, the terrorist organization perhaps measures their success by how much additional chaos, media coverage, public inconvenience, fear and growth in anti-terror security services their actions are catalysts for.

Shocking airborne terrorist attacks such as 9/11 understandably leave the vast majority of our world population with a “never again” security-at-all-costs attitude.  Although the total number of people ever wounded or killed by terrorism on air travel is many orders of magnitude less than the number of victims by “ordinary” dangers driving to and from the airport.  Consider events such as having a blow-out or hitting a (deer, cow, dog, pothole) or being hit by (distracted driver, truck, road debris) when driving to the airport, all of these have serious or even lethal consequences to 1000s of travelers every year.

From a pure risk/value/mitigation assessment seems like an absurd disparity we could dramatically reduce the overall risk simply paying a little more money to fix potholes. Our collective thinking is habituated and skewed by sheer terror, amplified by sensational media coverage, augmented by continual terrorist rhetoric and supplemented by security agency threat alerts. As a result the perceived terror risks are far more salient and likely than reality. Consequently we are collectively convinced that it is worth standing up and funding entire government security agencies to combat the potential threats!

OLYMPUS DIGITAL CAMERA

Keeping “Little Jimmy” safe!

As a general rule most individuals underestimate the risks for which there is a perceived benefit to the individual. The intended achievement of a laudable goal (or simply what’s in it for me) often creates tunnel vision where many risks are ignored or at least not adequately considered in context. Consider first-time parents of a small child they need to start taking to kindergarten. They logically purchase a very large SUV, perhaps a Chevy Suburban so that “little Jimmy” can be safe. What they understandably fail to consider is the consequences when the brakes fail on the Suburban. A smaller vehicle would simply bounce off the curb, the airbags would deploy and perhaps some minor injuries. With the height and gross tonnage of the Suburban however, it bounces over the curb and through the wall into the classroom killing six of little Jimmy’s classmates!

car-into-maternity-bvm-school

At least “Little Jimmy” was safe!

A less contentious example is the inevitable project management by dashboard method where NOT delivering on-time and on-budget are the only perceived risks. This conversely leads to the introduction of greater or imaginary risks for activities that have no perceived upside. The perfect IT security solution is a prime example where the pinnacle of success can be measured by “nothing bad happened today”!

We tend to mostly ignore or underestimate the less controllable risks in IT security. For example consider how easily can anyone in our organization get phished, scammed or inadvertently disclose sensitive information? We have awareness training for that but how easily or accurately can it be measured?  A number of security solution providers have a large marketing budget supporting products they can sell you to manage areas, functions and individuals you already have a degree of control over. But what happens when the actual threat is the password that’s shared with a spouse then used and inadvertently disclosed outside the organization? How can their solution address that?

The bottom line is that assessing risk can only be a general guide and not absolute. Perhaps risk assessment is more akin to Heisenburg’s Uncertainty Principle. A thorough unbiased quantitative risk assessment can certainly give a bottom-line risk score but as soon as it is observed and the results consumed by you, me or anyone else, each score will probably be different.

 

Advertisements

Serious Security Threat or Marketing Ploy? – WSJ “Night Dragon” February 10, 2011

Posted by wastedspacer in 1, Global Industry, IT Security, Notable Incidents, Political Issues, Rants, Spam, SPIM and other annoyances, Technologies.
1 comment so far

According to a report from the Wall Street Journal – on “Night Dragon” attacks:
Oil Firms Hit by Hackers From China, Report Says

How convenient for something like this to turn up the week before RSA! Seemed like an important headline and I suspect some additional news coverage could have been imminent given there was even a scrolling ticker about this on a couple of the local TV News channels this morning. Unfortunately for whoever thought this was a perfect time to disclose they got usurped by the Egypt breaking news alerts!

The McAfee PDF report is an interesting enough study however, there appears to be a number of shortcomings in the analysis, far too much circumstantial intelligence and many disclaimers of actual allegations. Furthermore “Night Dragon” is merely McAfee’s selected report moniker for their particular identification of a threat-bundle. Symantec, Microsoft, Trend, Sophos may select the same individual threats but call them different names and may not pull them together into a creative study such as McAfee sponsored. A couple of virus definitions are highlighted identifying known threats several months ago from May and August 2010.

I’m always skeptical when a security products company does a periodic security driven “the sky is falling” in-depth analysis. There may indeed be some bread crumbs of significance, my main concern is that it could just be another thinly disguised “wag the dog” company visibility increase exercise.

My more cynical side suggests that perhaps this is an effective security company marketing strategy that undertakes a “scientific” study around high-visibility targets, periodically wave a headline comprised of: (insert enemy state here) hackers attack (insert newsworthy Western iconic industry here) Gigabytes of data and trade secrets stolen. Then add some vague traffic analysis to show the volume, where it’s going and who’s allegedly controlling it, who knows, maybe some US bank or oil company outpost had been leveraged and was being unwittingly used as a Chinese/Ukrainian managed BitTorrent host for illegal videos? Or is it really corporate sensitive bidding information and active well log data? Without concrete proof in-stream or at the endpoint, any possible botnet C&C and network findings results would show pretty much the same data stream which could allow any security company to allege such a finding without actual proof.

We (or at least corporate executives as the target of this info when escalated to the lofty heights of a WSJ article) certainly appear to fall for it every time and then demand answers around what their internal security experts intend to do about it? Of course in the shadow of “cry wolf” warnings , once in a while there really are dire and present issues that require immediate remedial action so those security experts always have to remain vigilant but circumspect.

Perhaps if we (and apparently the WSJ) are really concerned about threats from “Chinese Hackers”, we should also address the oil industry “best-practice” of off-shoring to low-cost-geographies and perhaps consider that hiring an increasing number of our Western petroleum engineers and geologists from Chinese universities may pose a more insidious threat in the potential espionage space over the long term? We certainly should take security integrity and sustainability in mind when chasing the almighty short-term efficiency and cost savings fuelled drive to top ratings supporting the investors on Wall Street itself.

On a positive side, the WSJ article cited the attack vectors were typically via Microsoft vulnerabilities so companies that take an aggressive stance towards rapidly applying patches to help obviate threats. McAfee and Sophos share threat signatures so in this particular case where the detection was spearheaded by McAfee, at least, customers of these companies may enjoy a slightly better level of immediate protection and thus should benefit from any behind-the-scenes patching that McAfee had put in place to mitigate these threats. I just cant help wonder when Symantec, then Trend, then Kaspersky will see this approach as a “winning” strategy and start spinning their own versions perhaps “Soup Dragon” or “Nuts Dragon” analysis variations?

This seems like an ideal opportunity for security personnel to put in place better detection systems beyond IDS/IPS. Perhaps including honey-pots to at least be in a position to identify the liklihood of actual inside-the-perimeter threat activity. Furthermore, they will be able to consistently state whether they are being actively targeted over time and how frequently. Those metrics could be easily accumulated and used to not only track down current threats but also provide a current state report to executives when these kinds of issues are raised by the media.

In the meantime it’s ok to cry “wolf” (or depending on your security company’s naming convention: “loup”, “mac tíre”, “भेड़िया”, “الذئب”, “lupo”, “úlfur”), CVE goes a little way towards individual definitions but would help if anti-malware security companies got together and agreed upon a common name or at least resolution for a collection of threats from a suspected single source.

What next? – Twitter Spam Stalking June 23, 2009

Posted by wastedspacer in Spam, SPIM and other annoyances.
Tags: , ,
add a comment

A disturbing trend, that it would appear that many Twitter users have experienced, is a significant increase in the number of fake followers who simply have what equates to a spam page and a link! Simply blocking the site is the obvious solution but the numbers have suddenly taken a noticeable increase forcing me to block followers on a regular basis.

The most recent ones were attempts to get the reader to click on what appears to be typical spam Porn, Advance Fee Fraud and Pharmaceutical links. Wondering what steps that Twitter is taking to alleviate this? It certainly appears that this has been emerging for some time and perhaps the more prolific Twitterers have been the initial target but it seems to have trickled down to the rest of us 😦

http://nakedpr.com/2008/06/17/social-media-spam-and-the-death-of-twitter/