Results tagged “innovation”

Anton Chuvakin and I were having a fun debate a couple weeks ago about whether incremental improvements are worthwhile in infosec, or if it's really necessary to "jump to the next curve" (phrase origin: Guy Kawasaki's "Art of Innovation," watch his TedX) in order to make meaningful gains in security practices. Anton even went so far as to write about it a little over a week ago (sorry for the delayed response - work travel). As promised, I feel it's important to counter his arguments a bit.

RSA 2011: (dis)Innovation Sandbox

Maybe I don't understand the meaning of the word "innovation." Every year I walk through RSA's "Innovation Sandbox," and every year I reach the same conclusion: if this is "innovation," then no wonder we're so far behind the opposition! This year's assortment of vendors was no better than the previous years, with a couple exceptions.

Legal Defensibility Doctrine

In August 2009 I wrote about "Defensibility and Recoverability", in which I started developing the notion of using a legal basis for building a defensible position. I later expanded on this notion in the post "Creating Epic Fail Conditions: PCI and Best Practices", along with touching on it in a few other places. More recently, I used the idea of "legal defensibility" in the article "Architecting Adequacy: When Good Enough Really Is" in the March 2010 issue of The ISSA Journal (I'll post an ungated copy of the article when I get a chance). I also floated the idea at the ABA InfoSec Committee meeting during RSA, where the response was very positive, including getting some air time on a couple panels in the LAW track at RSA.

So, that's a brief background, but what is it, really? What is "legal defensibility" and why do I think it amounts to a new doctrine for the infosec community as a whole? More importantly, how can this new notion be used to successfully promote security initiatives, and why should you take it as a legitimate new argument and approach?

Where has all the innovation gone? I was very much looking forward to talking to the startup vendors selected as finalists for this year's Innovation Sandbox at RSA. After last year, I suppose I should have set my expectations a little lower, although realistically it would have been impossible to set them low enough to avoid some level of disappointment. Because, quite honestly, I was quite disappointed.

Of the 9 finalists, 6 had "cloud" point solutions, largely targeted to the hypervisor, with one that did some funky inline crypto stuff that made me wonder. 2 finalists had "new" authentication approaches, which were sort of interesting, but they didn't solve the larger problems with authentication. The 9th finalist was also potentially interesting in that they provided a nice visualization dashboard for risk management, but the biggest downside was that all data had to be independently entered. There was no integration with any GRC products, and so while it looked pretty, it wasn't overly sensible. So, yes, I was a wee bit disappointed.

I grow increasingly impatient over the entrenched status quo. Throughout all the blah-blah from vendors, analysts, consultants, etc., there is very little new - let alone hopeful - news to look forward to. Why? Because the old school mindset fails time and time again. Why? Because the objectives are all wrong. Forget about risk - there's almost no point in trying to manage it right now (for a number of reasons, as if organizations are really managing info risk right now anyway). If you want to survive, then you must establish a (legally) defensible position and then focus on recoverability, since it's not if but when bad things will happen.

Fear not... despite the semi-angst-like nature of my opening paragraph, not all hope is lost. In fact, honestly, there's reason to be very hopeful, if only we can get mainstream thinking to shift away from the failed old ways. Old ways such as relying on "best practices" (aka "mediocrity") and checklists (*cough*PCI*cough*). You cannot simply look for a list of known bad things (*ahem*AVIDSIPSFWACLDLP*ahem*) and then hope that everything will be ok. Instead, you absolutely, positively MUST build a program that is flexible (see my Sept. '09 ISSA Journal article "Elasticity: Will your organization bend or break?"), that seeks to achieve a (legally) defensible position, and that optimizes recoverability for its environment (see "Defensibility and Recoverability").

Do You Need a Security Department?

(There's been some confusion about my post here. I'm not saying you "can't" set up a security department. I'm questioning whether you "should" set one up. I wonder if we've not created major problems for ourselves by taking too much direct ownership over the years, effectively creating a "nanny state" where the front-line folks aren't actually expected to act responsibly.)

I had an interesting discussion with my boss today, and I think it warrants further exploration. To give a little background, I'm the head of security for a mid-size tech firm. My role is new, meaning there haven't been any "formal" security practices in the past. Note that this does not mean they've not been doing security "stuff" - just that there hasn't been anything formal around it.

One of my challenges in this position has been to determine how best to set up a formal security program. This is a well-established company, with a variety of obligations and requirements, and that is running on a tight staff. There are not spare people to go around, which means that getting much of anything done is an uphill battle.

When I was studying Physics in college, one of the more common tricks was to take a problem with weird units and use various conversions to get the equation into something with units you knew how to handle. For a basic understanding of this treatment, consider a story problem where you're told that you need to travel X kilometers at a constant rate of Y miles-per-hour in a straight line: how many seconds will it take you to get there? Convert mph to kph, then kph to kps, and voila! you can pull the answer out of your hat with basic arithmetic.

Information security oftentimes has this same general quality about it. Think of the whole cloud security scene as a primary example. Yes, it is absolutely new technology representing new challenges. However, that being said, it's also using a lot of old technologies, and there are known good ways to solve many of the "new" problems presented. Fundamentally, it all devolves back to the traditional C-I-A model (as much as people might hate that). What I find most interesting, though, is how often the elephant in the room seems to be ignored.

PCI Is a Distraction (proof!)

I don't care what anybody on the pro-PCI side of the argument says, PCI is absolutely a distraction. How do I know? Because I've just realized that I've been completely distracted by it in my new/current position. For those who don't know me too well, I'm currently the Director of Security & Compliance for a small-ish tech firm in Phoenix, AZ. This position was newly created, and the first task handed to me on the way in the door was to get a suitable PCI remediation plan in place for our merchants (yes, we have 4).

When I started this job back in February, I immediately tackled the remediation plan project, and along the way concluded that it really needed to be framed as part of an overall security roadmap. So, I delved into the massive amount of details that is PCI DSS, as well as overloading my brain thinking about the bazillion things that are components of a full-fledged security program. The result? Complete paralysis from the sheer volume of work required across the board. "How in the world are we going to get this done? We don't even have a budget or staff right now!"

A Realistic Case for Regulations

Mark Curphy had an interesting post last week titled "The Future : Regulation is Futile – Market Forces Will Prevail" with which I take a bit of an issue. In particular, I question his premise, that market forces are able to prevail in this day and age. I would counter that there are no real market forces any more, at least not in the US. Just the opposite, corporate interests have so pervaded life and politics that there is no objectivity and no free market. The US has entered into a prolonged period of protectionism (look at the post-9/11 landscape... look at the current treatment of borders...). Protectionism reduces the number of true level-set competitors in a field, effectively creating monopolies or oligopolies (*ahem* Big 3 anybody?), with the net effect being a reduction in competition, options, and, overall, quality. From the perspective of security and civil liberties, protectionism and an overt focus on corporate interests is a disservice to consumers.

Interestingly, the only place where Mark really tackles the notion of regulations and their role is in this bit:

Super Crunching – Regulations will not work. “You can’t regulate the problem away”. Market forces drive economic change and when the cost of security becomes something everyone considers, people will act on Fact and not FUD. In order to get to a place where people can make informed decisions; you know like “what’s the real likelihood that this XSS will actually get exploited or show up in the media” or “How many security bugs per KLOC is an acceptable ratio” we need to be able to perform detailed analytics. This means data warehousing and mathematical analysis. The reason an insurance actuary can provide a price for me to drive a Ferrari is that there is empirical data to show that a rich middle aged man who goes out and buys a Red Ferrari is more likely to wrap it around a pole (showing off to his blonde bimbo mistress) within a few months than a middle income guy who chooses to drive an Aston Martin DB5 and just loves cars. Market forces (insurance) will drive change. Market forces require empirical data to provide a framework in which to trade.

This quote is a bit of fantasy, for several reasons.

The New School of Privacy

It's 2009 and time for a new notion of privacy... the first decade of the century is quickly coming to a close... the advances in technology over the past 15 years (or more, really) have been astounding... in my lifetime computers have gone from being something only used in special businesses and academia, to being a novelty, to being mainstream, to being a fully integrated part of life. Along with this evolution in technology has come an evolution in the amount and types of data available on us. Some of that data is generated by 3rd party sources, but today much of it is also generated directly by us.

Bruce Schneier had a post up recently highlighting an essay by Marc Rotenberg over on HuffingtonPost.com (full article here). The essay is originally from November 9, 2007, and so may seem a bit dated if you read through it. Moreover, "security" in this context is more about "national security," but some of his points are quite apropos. I like this early quote from his piece:

"First, the privacy laws in the United States came about in response to new technologies. Far from accepting the view that innovation invariably erodes privacy, the United States has an excellent record for creating the legal rules that limit intrusive and unjustified invasions into private life."

The tenet of his article is that too much privacy has been sacrificed in the name of "national security". I would argue that it's much worse than that: we are sacrificing privacy in lieu of corporate interests and at the (in)discretion of our friends, colleagues, and acquaintances.

We had an excellent discussion on this very topic at the annual ABA InfoSec Committee meeting last month. One of the speakers talked about how privacy now means different things to different generations. Traditionally, privacy has been about preventing intrusions - about keeping what's behind closed doors to oneself. In this traditional view, as long as you did something in private (within reason), then it was nobody else's business. One could argue that the 4th Amendment is structured precisely toward this right to privacy.

However, with the advent of social networking technologies (the BBS, public web forums, Instant Messaging, Wikis, MySpace, Facebook, Twitter, and so on), there has been a fundamental shift in how data is made available. Generationally, there is a corresponding shift in thinking about privacy of that data. No longer is privacy viewed as a war against intrusion. The data is there, plain to see, oftentimes more available than is likely sensible. In this new context, privacy becomes a matter of access control and authorized use. Platforms like Facebook and Twitter allow you to control (if you choose) who can see your data ("access control"). With this control of access then comes the notion of authorized use.

To give a concrete example, let's look at Facebook. In the privacy settings you can control who can see what you write, post, etc. One of the options is "friends only". Say you've chosen "friends only" for all of your content. You now post some sort of missive disparaging a co-worker, or your boss, or your employer. You know what I'm talking about - one of those "gosh my boss is a jackass" quips that you only intend for friends' ears. Now say that one of your friends is also a co-worker, and they for whatever reason make a comment to your boss about your quip. Perhaps it's an innocuous comment, like "hey, are you giving [friend] a hard time?", but no matter how you look at it, that data leaks out beyond your intended audience. In essence, the implied authorized use was violated.

Consider this, then, to be the new school of privacy: Privacy is the control and authorized use of personal information. Privacy is not about intrusion, but rather a social contract with those around you; a contract where what you say is intended to stay with those around you and not to wander any further without explicit approval. Pursuing and supporting this notion, of course, introduces a couple interesting challenges.

Culture Shift

First and foremost, there is a fundamental challenge in the current culture. While 20-somethings and younger may natively adhere to this new school of privacy, they are not generally supported by older generations. In essence, what we're talking about is ingraining a philosophy of discretion into everyone's core being. This seems to be a problem that even the 20-somethings have encountered brutally in getting punished at school or fired from jobs for their social network missives.

Unfortunately, as is true with most cultural issues, this one cannot be solved quickly. Just as older generations still have funny ideas about information technology, so will they be equally challenged to learn to trust that everyone around them will be discreet (ironic given the swingers of the Baby Boomer generation, but anyway). At its most fundamental level, our culture must shift away from the paparazzi mindset, where nobody has any privacy in public, to a mindset that your life is inherently private unless you explicitly authorize the contrary.

What is particularly interesting is that some cultures already have this kind of value, in varying forms. In India, for example, you do not just take pictures of people, even if they're out in public. In Germany, you own all of your data, and you can require companies to remove all traces of it (even from backups). In France, you'd be unsurprised to see a couple making out on a street-corner, while in Amsterdam you wouldn't be surprised by someone using a pissoir. In Ancient Rome, toilets were holes lined up next to each other with no dividers.

The point here, belabored in excruciating terms, is that cultural norms have changed over time, and it is time for another shift. In this age we need to revert to a healthier practice and perspective in which we all have our sphere of privacy, regardless of where we are or what we're doing. Just because we open our mouths, or put fingers to keyboard (30 years ago I would have said "pen to paper";), does not mean that we intend a public audience. Just because we buy a certain brand of shoe or a certain type of fruit does not mean that we intend for that information to be tracked.

Legal Support

Perhaps one of the greatest challenges today facing the new school of privacy is that of legal support - or the lack thereof. In this regard, we have a true generational problem. Our elected politicians have very little vested interest in protecting the privacy of individual citizens when compared to corporate interests, even when SCOTUS judges learn first-hand how easy it is to aggregate a full profile. We are still expected to trust government and corporations, despite having that trust betrayed on a repeatable basis. Moreover, these politicians still live under the old school concept of preventing intrusion. They do not fully understand or appreciate that the data is now out there, everywhere; that our only viable way forward is to construct protections around the individual asserting control and authority over data about them.

Moreover, these protections need to extend beyond basic constructs. It is imperative that aggregate data developed by 3rd parties be part of the equation. If the shopping habits tracked by my supermarket loyalty card are so useful, then why has one of the local major supermarkets dropped it? Why has Wal-Mart never used them? Perhaps it's because there are better ways to accomplish the same goal without violating the privacy of individuals by collecting their data without need or true authorization.

This shift will require much heavy lifting. It's my expectation that it will, in fact, take at least a generation to move in this direction. However, it is an important and necessary change, and one that must come to be if we are to regain some control over our lives.

Final Thoughts

The new school of privacy is about shifting away from traditional values pegged against preventing intrusion to new values pegged against access control and authorization. To facilitate this shift, it will be necessary to improve the underlying legal framework, shifting the power back to the individual. At the same time, cultural values must shift toward a unified principle of discretion. It's time to get out of the paparazzi mindset and start focusing on what we put into our social networks, how we control that information, and how we express our authorization for its use.

Remote Key Copying - Eep! :)

Thanks to Kottke for pointing this out...

"House keys left out on table + telephoto lens at a distance of 200 feet + SNEAKEY key duplication software = perfect working copies of your keys. Eep. The system also works with crappy cellphone camera photos."

So, this means from a physical security perspective, it's probably best not to leave your keys sitting in plain sight - especially if they are keys to anything remotely valuable!

Also noted by Schneier last week here.

Death and Renewal

I love Fall. It's my favorite time of year. The weather has that wonderful chilly bite to it, the humidity generally drops away, and then there's the foliage! This Fall, here in Northern Virginia, has been the best of the best. We've never seen colors like these in the last 5 years, and friends who've lived here much longer say they don't ever recall a Fall like this, either. So, suffice to say, I'm rather pleased with the outside world.

Fall, however, is about more than just pretty colors. It's also about the cycle of life. In the grand scheme of things we typically associate Fall with the dying throes of life, Winter with the period after death, Spring with the emergence of new life, and Summer with the peak of living. Putting aside the somewhat morbid aspects of this life cycle, I have to wonder how many organizations apply similar thinking to themselves? How many decisions have - or should have - a life cycle? I would think pretty much everything should be evaluated accordingly, but it doesn't always seem to be the case.

The Value of Dissension

"The important thing is not to stop questioning. Curiosity has its own reason for existing."
- Albert Einstein

There seems to be a fallacy in American politics and corporate life these days that conformity and blind acceptance of the prevailing BS perspective is the apex of social evolution. Nothing could (or should) be farther from the truth. The fact of the matter is that conformity and the oppression of dissent is a fundamental threat to the very foundations of this society. It undermines creativity and innovation, causing an erosion not only in social values but also in the ability to solve problems.

"Weakness of attitude becomes weakness of character."
- Albert Einstein

The prevailing problem, as I see it today, is that the powers that be believe their way is the only way, and that anybody who dares question that way is in fact threatening the basis of their existence. One need only look at the examples of oppression at the RNC in St. Paul earlier this month, or to the classrooms that are oppressed by the No Child Left Behind (NCLB) Act. Taking NCLB as a prime example, we find that students and teachers are now almost solely focused on preparing for a single high-stakes test, to the degree that all "education" is rote memorization, with little or no time spent on extension.

Extension of learned concepts and facts is a vital component to being educated. It's not enough to know that 1+1=2, but to then be able to extend this to knowing that 1+2=3 and beyond. It's also the ability to see that 1+x=2 means that x=1, and then to be able to expand that to other topics, like multiplication, such that when you go shopping you can look at a package of 100, 250, and 500 napkins and calculate out the per-napkin cost to see which package is in fact the better deal (yes, I know, many grocery stores put this on the label now).

Coach Your Way to Better Security

As noted earlier, I've recently read James Flaherty's excellent book Coaching: Evoking Excellence in Others. My original purpose in reading this book was to help generate content for an internal training course I'm developing on savvy skills for consultants (I also read Ron Fry's Ask the Right Questions Hire the Best People for the same project). However, as I began reading this work, it occurred to me that what Flaherty describes is really a philosophical shift that has great applicability to the information security profession. In particular, this line jumped out at me: "...command-and-control organizations cannot bring about the conditions and competencies necessary to successfully meet the challenges holistically. For the most part, organizations know this and have attempted to reorganize themselves using the principles of total quality management and reengineering." (p2) Put in a security context, what he's saying is that all these top-down initiatives may be good and fine, but they only serve to reinforce the self-defeating practice of a command-and-control management structure, disincentivizing people to step up and act responsibly.

Within information security, perhaps the number one place where we see this sort of situation is in policy enforcement. Most organizations today have policies, but how well are they enforced? If they are enforced, is it through a heavy-handed approach, or because everyone is onboard? From a psychological perspective, the bottom line - as always - is that people will only change either because they want to or because of a trauma. Unfortunately, as Flaherty notes, simply providing stimuli (pain or reward) is not generally enough incentive on either account.

Resist Strictly Incremental Changes

"IT consolidation is a major undertaking that can require escalating upfront capital costs to achieve long-term cost savings. It can also take between six months and two years to execute. As such, these investments often face senior executive — if not board-level — scrutiny. A business case built or vetted by a major consultancy has a better chance of approval due to higher perceived credibility of the methodologies and rigor behind the business cases built by these firms." (Source: James Staten, principal analyst, Forrester Research)

One of the more common sights in enterprises is to see an incremental approach to addressing big problems. From an engineering perspective, this is fine, and really quite a good problem solving tactic. However, when it comes to making meaningful change from a security perspective, I have come to seriously question the utility of incremental changes.

Killing Security, Piece by Piece

Ok, not really, but it's kind of a catchy headline, right? For anyone that caught the RSA Conference (either live or in archive), then you probably picked up on the theme that I've been riding for a few months now: this industry is stagnated and dying. In their keynote, IBM even went so far as to say that the industry has no future. While I think that this is a gross mischaracterization of the situation, it is an interesting stance for a product company to take. RSA Pres Art C said similar things during his keynote, too, but then proceeded to talk about how RSA products would be the solution to the problem (what was the problem again?). Anyway... this week has seen a full surge in this death knell for the industry, though now in the form of dismantling it, piece by piece.

"Insanity: doing the same thing over and over again and expecting different results."
- Albert Einstein

If you've watched the Matrix trilogy of movies, then you might recall one of the themes from the movie. In the second installment, Neo meets the Architect, who tells him that the current Matrix was not the first, but was in fact a later revision. The problem, it seems, was that the original version was too perfect (a perfectly balanced equation), which could not be accepted by the human mind, and which then led to the entire system collapsing. The solution was to create an unbalanced equation, and then a method for managing the remainder as necessary.

In the security industry, we've reached a point where the equation is balanced, at least as far as the business is concerned, and bad things are starting to happen. Over the past 15 years, technology has been able to evolve to match most threats, but the simple truth is that we're still not winning the battle. Businesses are still not properly incentivized to invest more into security countermeasures, but instead do the minimum necessary to keep their shareholders from sacking the lot. Ladies and gentlemen, I submit to you that it is now time to unbalance the equation.

You can lead a horse to water, but you can't make it drink.

As I've recently noted, the information security industry seems to be stagnated. We've come a long way from the old days of "security==firewall" - and yet, it strikes me that we still aren't really getting all that much done. As a consultant, it can be very frustrating to realize one's own mortality; we aren't able to play Superman in all situations. When we succeed in moving a mole hill cum mountain, we're hailed as heroes. When we get something done, our invoices/salaries get paid. Surely there must be more.

Someone recently asked on a mailing list what people thought of the impact of PCI DSS on software security (the current v1.1 of the standard has requirements to follow OWASP practices in secure coding). In thinking about the effectiveness of PCI, I concluded that it, like SOX, has reached a point of equilibrium as ineffectual. Businesses still seem to universally fail to grasp the value of most security practices, and thus resist the up-front costs required to undertake a truly transformational program.

PlayPumps: Kids+Well=Good

This is perhaps one of the most innovative solutions I've seen in recent times. PlayPumps combines a merry-go-round with a water well and filtration system to produce clean water for rural African communities without requiring electricity or expensive diesel engines.

Hat tip to Guy Kawasaki.

Awesome. It's so obvious, and yet so brilliant. There's tons of free code out there to set up such a tool, too.

How to Harvest Passwords

Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

Hat tip to guru Bruce Schneier for the find.

Creative Commons License
This blog is licensed under a Creative Commons License.