The Falcon's View

Here's an interesting dilemma... how does one go about estimating losses in the public sector? NIST RMF side-steps this problem by advising people to assume the worst-case scenario for their estimates, but this leads to all sorts of problems (if everything is "critical," then how do you prioritize?). Given my background with FAIR, I've thought that perhaps it could show me a better way through this question... however, it's a bit of a pickle!

First, a quick primer on FAIR and loss estimates: In estimating losses, FAIR splits the estimate between direct losses to the primary stakeholder and losses triggered by secondary stakeholders. Losses are then estimated (using calibrated ranges and confidence statements) in 6 categories: Productivity, Response, Replacement, Competitive Advantage, Fines & Judgments, and Reputation. In most cases, the first 3-4 categories tend to be primary losses, while the last 2-3 tend to be secondary losses.

However, let's now turn this around to the public sector. Assuming that they're the primary stakeholder, and that the public and other entities are the secondary stakeholders, can we produce a reasonable loss estimate? First off, let's think about those 6 categories... we can immediately remove the last 3 (CompAdv, F&J, and Rep) as not applying. The government doesn't seem to fine itself, and there's really not much you can do if they're compromised. After all, so long as you're within the borders of the US, you're subject to the US Government. It's not like you can physically stay put and opt out to a different government. This just leaves us Productivity, Response, and Replacement. Leaving "government productivity" jokes aside, it's pretty clear that any loss estimates here should be fairly low, and thus not necessarily meaningful or compelling. So, perhaps this is a failed approach...

What then would be a better approach? One notion floated is to flip the stakeholders. What if you were to first estimate the loss to the public as the primary stakeholder, and then considered other costs (such as to the government itself) as the secondary stakeholder losses? That is perhaps a lot more interesting, since there may be some reasonable arguments that the compromise of certain datasets will have a sizable negative impact on the public (especially when viewed as a whole - so each individual loss rolled up to a large aggregate). Suffice to say, this line of thinking certainly opens the door to a more compelling analysis, and it's definitely worth exploring further...

What do you think?

This is an incomplete thought...

Using an analogy to healthcare or epidemiology is certainly not a new thing. Some circles have been talking about this idea for quite a while. In fact, one need only think about malware being referred to as "viruses" to get an immediate connection. It's also fairly similar to the ecological analogy that some have posed in the past, particularly as it relates to application security.

That said, I noticed this week at Secure360 that many risk management people were now talking about the analogy to epidemiology, not only as it relates to evidence-based medicine and evidence-based risk management, but also as an overarching concept.

I've not had adequate time to fully parse through this notion, but intuitively I rather like the concept. It seems to map fairly cleanly to many security and risk management problems, and it certainly aligns very well with the imperative for business survivability. Whether it will continue to hold-up to other practices remains to be seen, but for a starting point we could do much worse. It also provides a very good case of where compliance regimes can be beneficial (think of all the places where checklists are relied upon to ensure patient safety and wellbeing).

Once this idea has had some time to percolate, I'll try to loop back and write more about it...

This past Monday we held the very first Society of Information Risk Analysts Conference (SIRAcon). The event was hosted in the same venue, and in coordination with, the Secure360 conference. For a first-time conference, this was a really remarkable event. We had about 35 attendees, all of whom were very engaged in the conversation. Overall, we could not have asked for a much better event.

Personally, my favorite part of the conference was the "risk practitioners' panel" that I helped organized (I know that sounds a bit ego-centric, but it was a lot of fun!). It was great to have such a range of talented, experienced risk management professionals talk about their experiences, challenges they've encountered, and how they see the future unfolding.

Given the success of this inaugural event, I think it's safe to say that there will be another. It's obviously way too early to say when and where it will be, but it'll definitely happen. We hope that you'll be able to join us next time!

The topic of "cybersecurity" is once again very hot in Washington, DC. Unfortunately, this means it's in the domain and purview of politicians, which should make any self-respecting professional wince. After all, it's not often that politicians get regulations "just right"... one need only look at recent failures like No Child Left Educated (er, Behind, I suppose) to see just how bad things can get when politicians cross the line from legislating toward outcomes vs. legislating very specific practices. The electricity sector provides another ready example, though a bit more complex, insomuch as the detailed NERC Critical Infrastructure Protection (CIP) requirements have overwhelmed organizations that have displayed an underwhelming since of urgency or competency around the topic of cybersecurity.

The point to this mild rant is simply this: the more deeply politicians seem to get involved with cybersecurity, the worse things seem to get. And, lest we be led astray, we should not forget that, aside from the Education sector, civilian agencies in the federal government are perhaps the worst offenders when it comes to failing to implement reasonably solid cybersecurity. There are a few reasons why I think this is the case.

Spring has sprung, and the next concentrated round of travel is nearly upon me. On the off-chance that we've never met, and you'd like a chance, then here are your best bets in the coming weeks. Also, if anybody would be interested in chatting about GRC (and, specifically the LockPath solution), then please drop me a note and I'll work to set something up!

Many problems in infosec trace back to human activities, and are consequently reflective of larger societal issues, which have been often represented by the "fast food nation" and "age of ignorance" notions. Sadly, these characterizations are true, as we see now played out with the BYOD movement, so-called "consumerization" of IT, and difficulties keeping control of data.

What got the wheels turning for me was an article I read back in March on The New York Review of Books blog titled "Age of Ignorance". In the article, they pointedly lament what seems to be a rush toward idiocracy and away from a more golden time where intelligence, academia, and open-ended R&D were considered positives. In fact, tying this back into the security meme of my blog, they marvel at even the most fundamental failing of our current society to even know our own basic histories, pinned largely on extremism on both ends of the political spectrum, and representing a very 1984-like reality.

I had the recent good fortune of having Andy Updegrove's The Alexandria Project: A Tale of Treachery and Technology suggested to me as a book that I might enjoy. It's a techno-thriller set in modern times, complete with a solid infosec storyline that doesn't even mention APT once. :)

The story starts out set in Washington, DC, where we follow perennial slacker security uber-genius Frank Adversego, currently stumbling through a job at the Library of Congress (LoC), thanks in large part to his former mentor tossing him a lifeline. All of a sudden, things start going very bad, first at the LoC, and then elsewhere, and all fingers point toward Frank. Spin in some not-so-friend inter-department uncooperation between the Bureau and the Company, a little bit of international intrigue, and the threat of nuclear war, and you have a fun techno-thriller.

Overall, the techies in the crowd will enjoy this book, even though it manages not to get down in the weeds. Non-techies will likely still enjoy the pace and story, as well as a couple patient explanations of the more technical topics as delivered to Frank's daughter Marla. In the end, this story has a little bit of everything in it, and it even has a couple friends twists and turns that will keep you a bit off-balance.

The book is only $2.99 for Kindle, so hurry up and check it out! In doing so, you'll be helping promote an up-n-coming author from our own infosec ranks, with the promise of more to come!

Here's my question of the day: Is it possible to prevent detailed technical security standards from devolving into a compliance regime (or does it even matter)?

In thinking about this question a bit today (while reading-up on NIST RMF), I started thinking about how this notion fits into risk management approaches. Specifically, in looking at RMF, it appears that rather than achieving a true risk management program, NIST has essentially created a very heavy, bureaucratic compliance regime. Now, I don't think this was even remotely their intent, but rather wonder if it's really just an inevitable outcome from how we as an industry have historically approached information/IT/infosec risk management.

Hey all you risky people - good news! Registration is now open for SIRAcon 2012 - the inaugural conference from the Society of Information Risk Analysts (SIRA). The event will be May 7th, 2012, in St. Paul, MN, ahead of the annual Secure360 conference.

For full details, please check out the event page at www.societyinforisk.org/siracon.

Tickets are now on-sale at siracon.eventbrite.com. The cost is $119, though there is a $20 discount for SIRA members (it's currently free to join, so ping us if you need the code!). Lunch, snacks and refreshments will be provided by the facility and are included in the price of admission.

There is also a special student "cover the cost of food" discount available (please email me for details). Speakers and volunteers are free - if they want to be - OR they can pay the "cover the cost of food" discounted price in order to help SIRAcon achieve it's objective of breaking even. :)

Here are a some of the titles from the confirmed talks:
   * Rolling with Resistance: Because Risk Management Isn't Just About Being Right
   * Organizing Risk Management Programs, or, What I Learned from the Secret Service and the Aviation Industry
   * The Base Rate Fallacy: How Fourfold Tables can help in Information Security
   * OpenPERT: Modeling Expert Opinion
   * Risk Management Practitioners Panel

We hope to see you in St. Paul this May! :)

Here we reach the end of my brain dump on last week's RSA 2012 (see my two previous posts here and here). These are mostly odds & ends - nothing overly well formulated. So, please, forgive the randomness.