Really Lousy Use of Security Lexicon (on: Nessus 3.0 Released)
(Sorry for the following soapbox, but I'm really tired of the profession using terms interchangeably)
"Common Vulnerability Scoring System (CVSS) that can be used to express the criticality of a discovered vulnerability or threat."
1.) Outside of a box infected by a Worm, how can it find a threat?
Does it actually track down the human or natural threats?
2.) How does it find "vulnerabilities"? Does it understand the capabilities of the threat source? Make an intuitive judgement on how skilled the attacker is? How does it measure the strengths of surrounding controls that mitigate the vulnerability?
3.) How does it measure criticality? It instinctively knows that the IIS vuln. on the intranet blog is less critical than the same IIS vuln. on an e-commerce app?
Perhaps what they mean is that the scanner finds weaknesses, and that the CVSS really makes an educated guess as to the *level of effort* it would require to exploit that weakness by what is in their mind the average attacker.
Oh, well, at least they aren't claiming to find "risk".
irony.
Must have been the Mac he used in school.
Get it? Only graphic designers and schools use Apple computers?
I missed the memo, when did /. become digg/reddit?
Or is it just that /. has become the new, oldmedia?
I could probably make a long post refuting all sorts of dogmatic blame statements made in this thread from one side of the political spectrum or the other with various forms of mildly informative evidence. Fact is there is plenty of blame to go around.
Models - That didn't account for data reliability (the frequentist/objectivist problem)
"Risk Management" - Modern approaches to risk management are naive in their requirements of what creates "risk" and what risk factors are most important to measure.
Decision Makers & Traders - The models weren't non-informative, but decision makers who decided to accept risk are motivated by short-term results, and didn't really seek information about the CDOs.
Regulators - Cox & the SEC allowed "creative" risk taking. Greenspan screwed up. Congress screwed up.
Consumers - Being duped by the "there is no bubble" nonsense spouted by mortgage givers.
Like all significant events, there is rarely one "big" cause, there are many causes (long-tail events are driven by multiple factors, not simple causes). And we simply don't have enough information to create wisdom concerning the situation at this point. Anyone who is dogmatic about a specific "why" is simply a fool.
I'm sorry, but in that very brief article linked, I saw absolutely ZERO analysis concerning frequency.
YAY! There's an exploit and toolkit. The existence of which is, in some sense, a useful piece of prior information for establishing the probability that there MIGHT BE an increase in frequency in the future - but it's quite a leap to have a freakin' /. link to a corporate article that uses hyperbole in claiming that there is some State of Nature or State of Knowledge that points to .pdf attacks being "On the rise".
"with all their known and potential security holes"
Yeah. That's just complete trolling. If it wasn't meant to be, it shows an amazing naiveté regarding Information Security, Vulnerability Research and the economics of Information Risk. Every platform has many "known and potential security holes". This, of course, is not a direct correlation with information risk, and I'd hesitate to even ascribe significant meaning to any vulnerability reports on any phone platform, regardless of Operating System without a significant change in the current threat landscape.
When I've seen Fortune XXX companies deal with a similar issue, it's rarely been that Company XXX "doesn't care about security" - almost always it's been that the Information Security Department doesn't understand the fundamental question "are we secure enough" within the context of the risk tolerance of the organization. When security is ignored, it's usually because we don't use "risk" in a way that is useful to the rest of the business.
So I'd first get a proper definition of risk. I'd start with:
(probable frequency x probable magnitude of loss)
Risk must be a probability issue, and it needs to be expressed as a derived value (how frequently something bad will happen, and how much it will most likely hurt). I recommend using FAIR (see the Open Group website) as a means to derive risk. FAIR was developed by a Fortune 100 CISO who had a similar problem.
It is a Bayesian Network for risk expression, which results in the best probability outcome that your prior information will allow, but more importantly it will help you work with auditors and the data owners to identify any dispute about the amount of risk the organization has by working through the composite factors involved. FAIR also provides KPIs for discrete risk issues.
Next, you need to expend whatever political capital is involved and get some flavor of Risk Tolerance/Appetite from the C-Suite. A 15-minute meeting with the CFO with the right questions prepared ahead of time should suffice. Join ISACA and find someone who is all hyped up on COSO. The COSO evangelist will likely help you develop the right questions for the price of a nice lunch. There are good things and things that suck about COSO, but you can use the "Internal Environment" and "Objective Setting" functions of COSO to develop a risk tolerance.
Finally, you need to stop thinking about security in terms of IP addresses, and think in terms of the business processes they support. Businesses, outside of Information Security Departments, usually couldn't give a rats@ss about what a scanner says about an IP address. They want to know the risk (FAIR, above) around the business process that makes them money.
Let me also suggest that if you're already feeling commoditized there, the business isn't going to care about "compliance" either. Hitting them over the head constantly with a large GLBA/HIPAA/PCI/SOX/Whatever hammer might get you some budget, but it's not going to get you credibility.
I'd also work with your CISO to get the company to change the name of your group to Information Risk Management to better reflect your value to the company. You may also want to join the SecurityCatalyst.com website (smart people there) and subscribe to the RSS feed of the Security Bloggers Network on Feedburner.
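The comment above defines risk as (probable frequency x probable magnitude of loss) and insists it be a derived, probabilistic value expressed per business process rather than per scanner finding. The block below is an added worked example of that derivation; it is not code from the page, from the commenter, or from the FAIR standard (it keeps only FAIR's top-level split into loss event frequency and loss magnitude and does not reproduce FAIR's full taxonomy). It also picks up the point made in the earlier CVSS comment: the same IIS weakness on an intranet blog and on an e-commerce application is one scanner finding but two very different risks. Every scenario number, the risk tolerance figure and the scenario names are constructed assumptions.

```python
# Added example (not from the page, the commenter, or the FAIR standard):
# deriving risk as probable frequency x probable magnitude of loss by Monte
# Carlo simulation, then expressing it against a stated risk tolerance.
from __future__ import annotations

import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One loss scenario for a business process, with calibrated estimates.

    Loss event frequency (events per year) is a min / most likely / max triple;
    per-event loss magnitude is a 10th and 90th percentile pair modelled as
    lognormal. All values used below are constructed for illustration.
    """
    name: str
    lef_min: float
    lef_mode: float
    lef_max: float
    mag_p10: float
    mag_p90: float


Z_90 = 1.2815515655446004  # standard normal quantile for the 90th percentile


def lognormal_params(p10: float, p90: float) -> tuple[float, float]:
    """Convert a 10th/90th percentile pair into lognormal (mu, sigma)."""
    mu = (math.log(p10) + math.log(p90)) / 2.0
    sigma = (math.log(p90) - math.log(p10)) / (2.0 * Z_90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson count (Knuth's method; fine for the small annual rates here)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 1) -> list[float]:
    """Simulate independent years: draw a rate from the frequency estimate, a
    Poisson number of loss events at that rate, and a lognormal loss per event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.mag_p10, s.mag_p90)
    losses = []
    for _ in range(years):
        rate = rng.triangular(s.lef_min, s.lef_max, s.lef_mode)
        events = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def analytic_expected_annual_loss(s: Scenario) -> float:
    """Closed form E[frequency] * E[magnitude]; a sanity check on the simulation."""
    mu, sigma = lognormal_params(s.mag_p10, s.mag_p90)
    mean_rate = (s.lef_min + s.lef_mode + s.lef_max) / 3.0
    return mean_rate * math.exp(mu + sigma * sigma / 2.0)


def summarize(losses: list[float], tolerance: float) -> dict:
    """Express risk in business terms: expected annual loss, a 90th-percentile
    bad year, and the probability that a year exceeds the stated tolerance."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "expected_annual_loss": mean(ordered),
        "p90_annual_loss": ordered[int(0.9 * n)],
        "p_exceeds_tolerance": sum(1 for x in ordered if x > tolerance) / n,
    }


# Constructed scenarios: the same web-server weakness on an intranet blog and on
# the revenue-earning e-commerce application. Same scanner finding, different risk.
INTRANET_BLOG = Scenario("IIS weakness on intranet blog", 0.02, 0.1, 0.5, 2_000, 40_000)
ECOMMERCE_APP = Scenario("IIS weakness on e-commerce app", 0.5, 2.0, 6.0, 20_000, 500_000)
RISK_TOLERANCE = 1_000_000  # hypothetical annual loss the CFO is unwilling to exceed


def compare(tolerance: float = RISK_TOLERANCE) -> dict:
    """Risk summary per scenario, keyed by scenario name."""
    return {s.name: summarize(simulate_annual_losses(s), tolerance)
            for s in (INTRANET_BLOG, ECOMMERCE_APP)}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name}:")
        for key, value in stats.items():
            print(f"  {key:>22}: {value:,.3f}")
```

The design point is that nothing in the output is a scanner severity: the inputs are calibrated frequency and magnitude estimates for a business process, and the outputs (expected annual loss, a bad-year figure, and the chance of blowing through the tolerance agreed with the CFO) are the numbers a line-of-business owner can actually argue about. Swapping in a different frequency decomposition or magnitude distribution changes the helpers, not the shape of the answer.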
We will only be free of nonsense like this study when the mainstream realizes that vulnerability is not the same as risk.
Cue: Rob Halford:
I'm Your Turbo Linux!
I think Linus may want to think hard about creating a distinction there.
``...the subjectivist states his judgments, whereas the objectivist sweeps them under the carpet by calling assumptions knowledge, and he basks in the glorious objectivity of science.'' - I.J. Good
"These documents are excellent for true security engineers"
No. They're not. And for *true* risk managers, they're a joke and a waste of time.
The standard, while a nice list of controls, has only a slight chance of helping those who cannot/will not manage their risk. In the meantime it is nothing but another layer of wasteful bureaucracy (redundant?) for those who do a good job of managing their risk.
But we can all rest easy knowing that some vendor has spent $5 per IP to get a "hackersafe" badge to throw up on his website.
I guess that's not the publicity they were looking for....
Too bad
"crappy OSX update"...
Yeah, because all those OS X security updates revolve around Apple UI vulnerabilities.
Seriously, your statement:
"I see Linux, Unix, and Opensolaris as the future of the server market. Same for desktops, except X Opensolaris/polaris etc. for desktops."
Is just wonderful. Your prognostication concerning the server market is obviously the result of many hours spent in the corporate environment, where Windows server is losing footing every day.
And your desktop views? Fantastic. I hope you are right, because if any UNIX does win over the corporate desktop, it'll be Apple's OS X.
Finally, I'm SO all down with patent anarchism! Maybe if we vote in Ralph Nader in 2008, he'll appoint Stallman as head of the patent office! That'll show'em!
"Apple has a very narrow focus and their core market is creative professionals."
That is SO 1993!
Nice Troll...
It very well could be an ARM chip for an upcoming ipod upgrade - video ipod, whatever...
To the best of my ability to recall...
in 96-97, SCO and HP and Intel were all joined in happy hands developing what was going to become Itanium.
HP and SCO were going to merge their flavors of UNIX, as well - a move that fell apart (rumor has it) when SCO showed up to the table with something like 1/10th of the developers HP did.
Remember that it takes a while for Monterey-like deals to be created from a BizDev standpoint, maybe as much as 6-12 months - so it's likely that Monterey came about as a response from SCO's viewpoint as a substitute for the aborted HP collab. (A quick google for Monterey will turn up all sorts of anti-HP language circa 1998). IBM had nothing to lose, AIX was already a poor performer - heck up until 2000 or so the largest Sun reseller was IBM (one of the smartest things IBM did was embrace Linux).
And knowing SCO circa 1998 - I really doubt they thought of Linux as much more of a fad... a predominant source of income at that point being support contracts and services (NT 4 was the major threat to platform migration away from SCO at the time).
Considering the original engineering and marketing Cobalt staff were all ex-Apple....
They were ex-Quadra/Pippin/Newton, etc. guys who left pre-Steve Jobs.
Section 404 talks about protecting the "integrity" of financial data.
Read from that what you will.
Oh, and NSA/NIST is a better methodology, anyway.
One thing this book doesn't do a good job of is explaining the deficiencies in current risk assessment methodologies, be it OCTAVE, NIST, whatever....
the numerical data presented is crap.
Too many times some CISSP (either in-house or outsourced) who sees possibility and confuses it with probability sticks his finger in the air and declares that there's "high" risk today. There's no common taxonomy among Infosec professionals, there's no common rating system, and there's not enough data to drive probability analysis.
Subsequently, run off with your Risk Assessment data to line of business management outside of IT, and they're laughing at infosec - and the credit card processing system remains a Tandem machine, the assembly line remains on the same segment as the rest of the network and the contingency plans remain "pen and paper".
Don't get me wrong, the methodology in OCTAVE (and this book) is fine. Great place to start. But Infosec itself will remain in its infancy until there's a probabilistic means to express risk outside of IT.
So in the meantime, you can run and do OCTAVE or NSA/NIST all you want, your CFO is still going to rely on the morons in the PWC/E&Y/DT&T infosec practice because they have some perceived authority to express risk (and they're getting their quantification the same place you are, from their behinds).
Because I've about had it.
I had the full agreement of the person on the other end. But that's an interesting point.
what about recording a video chat?
With the latest release.
use Wiretap. Worked like a charm, creates a nice .aiff file.