Security Trade-Offs

An essay by an anonymous CSO. This is how it begins:

On any given day, we CSOs come to work facing a multitude of security risks. They range from a sophisticated hacker breaching the network to a common thug picking a lock on the loading dock and making off with company property. Each of these scenarios has a probability of occurring and a payout (in this case, a cost to the company) should it actually occur. To guard against these risks, we have a finite budget of resources in the way of time, personnel, money and equipment—poker chips, if you will.

If we're good gamblers, we put those chips where there is the highest probability of winning a high payout. In other words, we guard against risks that are most likely to occur and that, if they do occur, will cost the company the most money. We could always be better, but as CSOs, I think we're getting pretty good at this process. So lately I've been wondering—as I watch spending on national security continue to skyrocket, with diminishing marginal returns—why we as a nation can't apply this same logic to national security spending. If we did this, the war on terrorism would look a lot different. In fact, it might even be over.

The whole thing is worth reading.

Posted on April 22, 2005 at 12:32 PM • 20 Comments

Comments

CypherpunkApril 22, 2005 1:10 PM

Microsoft uses the DREAD model to rank threats for severity. This is for software but it could apply to physical threats as well. They recommend grading each threat on a 3 point scale for each category, and summing the results. This gives a crude but helpful measure to guide remediation efforts.

Damage potential: How great is the damage if the vulnerability is exploited?

Reproducibility: How easy is it to reproduce the attack?

Exploitability: How easy is it to launch an attack?

Affected users: As a rough percentage, how many users are affected?

Discoverability: How easy is it to find the vulnerability?

Israel TorresApril 22, 2005 1:23 PM

Regarding WOT: it obviously becomes difficult to gamble with millions of lives when it comes to unconventional tactics and then having to answer why such a gamble was made or not made. It then appears safer (as in effort applied) to place bets across a non-existent board (or even creating non-purposeful answers).

Israel Torres

Davi OttenheimerApril 22, 2005 1:49 PM

Hear hear! Excellent read.

Just a couple exceptions to jump out at me:

1) CSOs are not usually trained for preventative measures in the workplace. They talk a good game (because it's part of the job) but awareness and education are typically given far far less emphasis than the detective measures such as incident response teams, forensics, and such.

This parallels a shift that is sorely needed; a move away from the style and training of a more traditional (military/peace officer) security expert who thinks that the more attacks they stop the more successful they are. Instead of this "stop, who goes there" syle of leadership, we need more "how may I help you build trust" leadership.

2) The top "killers" listed are mainly health issues. With regard to my first point, we should think carefully about more preventative measures to reduce death as well as detective and corrective measures. I believe the cures are most often based on a simple change in habit or lifestyle, or perhaps even better testing and regulation of toxicity. We would be wise to stop thinking that everything is solved with a magic pill (pharmaceutical) or expensive and technologically savvy last-minute procedure (emergency response).

3) I know I sound like a broken record, but CSOs can actually be in an awkward position that prevents them from effectively guiding policy. Influence, yes; guiding, only with extreme caution. Take for example the top-ranking military experts (Graves, Powell, etc.) who warned not to create a market vacuum in post-war Iraq due to the risk of instability. They were not only pushed aside, but completely removed from their post by the US Administriation that instead sought zealous believers in their fanatical greed-doctrine -- Bush sought rich entrepreneurs who thought a vacuum was exactly the type of risk that would make THEM most successful, and therefore somehow benefit US security. Of course it has been a dismal failure, but the important point is that the security experts lost their position and any chance of effecting direct pressure on the leadership. In other words, urging caution and trying to explain and show another side to the "truth" (that the numbers related to safety and security do not add up) can actually just get you fired and replaced by a parrot. And that's probably why the article is written by Anonymous.

http://www.harpers.org/BaghdadYearZero.html

But I still think it's a great piece that makes for excellent reading. Thanks for posting, Bruce.

Jim DermittApril 22, 2005 2:04 PM

Just look at what is being spent on the fraud infested Internet. The whole thing is not much more than a global security mess. The mess is getting bigger! It seems like the first dotcom bust out wasn't a big enough lesson.

A new generation of visionaries and entrepreneurs has come of age on the internet since the dotcom bust. Remember that your dotcom stock isn't worth the paper it isn't printed on. I know, you guys have a new version of reality and big shacks in LA or Malibu, Bimmers and a membership at the new economy club. Capitalism creates security and people take risks. The internet isn't worth risking real dollars on in any serious way. The internet doesn't create security. You have virtual security, but real things tend to be protected from the internet and not by the internet. Look at virtual gambling and Las Vegas. Las Vegas has security, Las Vegas is real. People give their credit card numbers and personal information to offshore internet casinos. This seems like a security risk to me. People do it and people do all sorts of stuff online because they can. The government can't afford to gamble with security. The internet has a limited set of uses. People like to believe that it is more than it is and then they end up with problems that they can't solve using the internet. It is all that it is cracked up to be and more. It can't replace the library, thank goodness. Go trade some virtual stocks guys and talk about security and how everything is going to the internet as something new cracks apart in cyberspace. Create more links to fix your broken links and be sure to run more sucker bait ads for cheap meds and tech toy gadgets. Parts of the internet are still busted. The ads will help you find them.

Sponsored Links
DotBust
Find deals on DotBust
at dIsmay. Sign up & bid today! Aff
dIsmay.com

mark JohnsonApril 22, 2005 2:08 PM

@Davi
There is also the budget issue. "Here's your yearly (IT, security, infrastructure) budget. Make it last." So now you have X dollars. Spend too much on security and you'll be looking for a new job because you didn't have the money for the latest and greatest email system. Spend too little and the system gets hacked, and you're still out of a job. And if you spent nothing to prevent the one-chance-in-a-million attack that actually happens, well...

And this is all at my lowly level. I can't begin to imagine the responsibility faced by the DHS. It's easy to sit back and snipe at wasted funding. It's far more difficult to spend the funding in a way that everyone thinks is wise. Even if you got a 90% approval rating for the job you did, one deadly attack would be enough to cost you your job and secure your place in history as the person who failed to keep the barbarians outside the gate.

(Having said that, though, I still can't explain why George Tenet got one of the nation's highest honors on his way out the door.)

Jim DermittApril 22, 2005 5:26 PM

Here's a thought from an article at http://www.aviationtoday.com

"James May, the president and CEO of the Air Transport Association, says the Bush administration wants to turn the airline industry into a private tax collection service to fund a whole gamut of new security mandates. Because of the financial problems plaguing airlines, this is like asking airlines to “dig their own grave,��? according to May."

The high fuel costs, uncertain revenues and rising insurance costs should help kill a number of commercial U.S. airlines. This industry has plenty of graves left to dig. With the position some retirees are in, the government may have to pay for the graves when these folks die. There won't be much left to secure in a few years. The era of great airlines, making money is over with. The industry is a mess, the pensions are shot for the most part and it isn't an attractive job market for the future. If you are 20 years old starting out, this industry should be about the last thing you should go into. The government is trying to keep the whole thing going with security measures and police state tactics, but it is at the point of being a flying circus. Take everyones lighters and nail clippers, that will make the system robust again. The whole thing is a monumental waste of time and energy. I've just stopped paying attention to it. It's become pointless and profitless for the most part. Jack up the security fees guys. The high fuel cost will ground the fleet and everything will be safe, secure and quiet. Put big funeral homes in the airports and make aluminum caskets out of the scrap commercial jets. The rich can afford private jets, so they don't care either.

Davi OttenheimerApril 22, 2005 6:27 PM

@mark
Yes, you're right. The author of the article focuses on the budget issue and seems to suggest an approach that is commonly found in Quality Assurance (QA) models. It starts with the notion that in order to get the biggest bang for the buck, you need to rate and then prioritze where resources are best applied.

The problem with this approach is that it depends on people having a similar or at least compatible set of values. For example, in order to agree on the top ten risks, we need to have a common understanding on the value of assets, the number of vulnerabilities, and the level of threat.

In other words, when the author says "assume, first of all, that the ultimate goal of security is to prevent the loss of lives", he simply writes himself out of the picture of current events (and out of the Bush Administration). Clearly the War on Terror is not about saving lives; the Bush Administration is banking that by expending lives, and killing thousands, they can expand corporate influence over the public sector and prevent market regulation. They then hope that this will improve the quality of life by breeding rapid entrepreneurial growth, eventually making it possible for some to have a very high standard of living...ala Milton Friedman economics. I know it sounds harsh, but the people who look at the facts (including this article) all seem to arrive at the same place -- the Bush Administration does the opposite of what appears to be good for America.

Fundamentally, therefore, when the author states "We have expertise in knowing where the government should be putting its poker chips" s/he is actually saying "we respectfully disagree with the core values expressed by this government". That kind of difference of opinion makes it difficult, if not impossible, to suggest a minor change in priorities.

Jim DermittApril 23, 2005 3:51 PM

With security, always consider the source. I know the U.S. government does some strange stuff (who doesn't?), but they are still good at security. Sometimes it may get taken too far, like banning nail clippers or something. I guess there is a reason for doing this, but know knows?

I was looking over this short list. It seems to me that profit and security are going in two different directions. Google profits are swelling, the stock is gaining value and Google is number 2 on this scam list. Everybody likes to complain about the government wasting money, but nobody seems to be complaining about fraud, ID theft and Google hacking scams. I avoid using Google, when I can. You are a security expert Bruce, so what kind of threats does Google present? ID theft seems like the number one growing problem at this time. Is Google making this problem bigger while making money at it?
I don't like the trend, I'm seeing. Even if you don't use Google, it appears Google helps people use you. I consider this a national security issue. Any thoughts would be appreciated.

NEW YORK, April 21 /PRNewswire/ -- The National Cyber-Forensics & Training Alliance (NCFTA) has identified its top-five spam scams of March 2005.

The top five spam scams for March identified by the NCFTA include:

1. Pharming Attacks: Pharming is the redirecting of an individual's Web
request to another location. For example, if an individual with an
infected computer conducts online business with a specific bank, that
person will type the bank link into the address bar, but will be
redirected to a designated phishing site that looks very similar to
the authentic site but is, in fact, fraudulent. Because the
individual did not click on any obscure link, the site will appear to
be legitimate.

Pharming can also result from a hijacked Domain Name Server (DNS), an
Internet service that translates domain names into IP addresses.
When a hacker poisons a DNS, he or she changes the specific record
for a domain, sending individuals to a Web site very different from
the one they intended to access -- without their knowledge. Usually,
the hacker does this by posing as an official who has the authority
to change the destination of a domain name. DNS poisoning is also
possible via software vulnerability.

2. Google Hacking: NCFTA has identified a site advertising several
hundred instances of scammers using the Google search engine to
retrieve sensitive information from individuals. Using an explicit
search command, it is possible for scammers to find business resumes
that individuals have posted on the Web.
These documents often contain information such as Social Security numbers, family history,
dates of birth, home addresses, phone numbers, and education.
Individuals who unknowingly provide all this personal information are
very susceptible to identity theft. NCFTA is compiling information
about the hacking site to be turned over to law enforcement if
specific violations can be identified. NCFTA through The DMA also
has alerted the Federal Trade Commission to this scam.

3. FBI Virus/Spam Hoax: The NCFTA has assisted the FBI with its
investigation concerning a fraudulent e-mail hoax
http://www.ifccfbi.gov/strategy/wn050223.asp The FBI has become aware of spam e-mail fraudulently claiming to be from fbi.gov
accounts. The e-mail sounds official, even threatening, in tone, and
appears to be sent from the e-mail addresses of police@fbi.gov,
fbi@fbi.gov, officer@fbi.gov, and web@fbi.gov. The recipient is enticed to open an attachment that contains a W32.Sober.K@mm worm.
The actual text of the e-mail is shown below:

You have visited illegal Websites.

Dear Sir/Madam,

We have logged your IP address on more than 40 illegal Websites.
Important: Please answer our questions! The list of questions are
attached.

Yours faithfully, M. John Stellford

Federal Bureau of Investigation -- FBI --
935 Pennsylvania Avenue, NW, Room 2130
Washington, DC 20535
(202)324-3000

4. Phishing: Phishing attacks use spoofed e-mails and fake Web sites to
fool recipients into revealing personal information or to have a
Trojan/virus placed into their computer. By using trusted brands of
well-known companies such as financial institutions, online
retailers, ISPs, and credit card companies, phishers attempt to dupe
innocent consumers into revealing their personal information.
Phishing schemes are often delivered via spam e-mail.

5. Nigerian Scams: There are several variations of this scam that, at
its core, either informs the recipient that he/she is allegedly due a large sum of money or asks for their assistance with some form of
illegal money laundering. The recipient either will be asked to
provide money as "processing fees" or personal financial information
to facilitate the transaction. These scams, which were more abundant
last year, have reemerged in conjunction with the tsunami scams.

JimApril 24, 2005 7:29 AM

Exploitability: How easy is it to launch an attack?
Discoverability: How easy is it to find the vulnerability?

Fair enough questions.

Google this.
ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-"

Google makes finding passwords easy. This is a fairly simple Google hack. There are more sophisticated tools for cracking passwords, which I will not go into here.

Here is something to think about.
A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year. A malicious hacker attack could turn millions of PCs into spam zombies.
Once the hackers have broken into a system, they may cause a variety of
problems. You may have a problem and not know it yet. Google won't help you make the problem go away.

Stuart BermanApril 24, 2005 9:04 PM

This is the first significant error in the article: '[as]CSOs, I think we're getting pretty good at this process'. The evidence disputes this statement, companies have a very reactive approach to security and those of us who have had a look under the covers realize that good luck is often the greatest factor.

The rest of the article is equally misinformed.

@Davi
I like your "how may I help you build trust" concept - but your analysis of US policy is simply lame.

Davi OttenheimerApril 25, 2005 10:34 AM

@Stuart
My point exactly, many CSOs would love to be more proactive, but the fact is the budget and culture of the companies they work for rarely allow it.

I mean, just imagine people without a clue about security in senior executive positions wandering around saying "that is simply lame". Some might say it is not even worth responding to such nonsense, but alas, security is about doing the right thing. And sometimes you must press ahead with a different path when you run into a non-intelligent response that reveals a faith-based blinkered grasp on reality.

Also, you perhaps will be happy to note, if you actually read the news, that it is not my analysis of US policy.

Davi OttenheimerApril 25, 2005 11:33 AM

@Stuart
Sorry for the double post, but I thought this article might help clarify:
http://www.salon.com/tech/feature/2004/09/11/...

It's another look at the cost of the war, based on widely varying definitions of "security".

Again, I do not deserve the credit for the anaysis of US policy when there are many sources of non-partisan reports that reach the same basic conclusion. Incidentally, US policy is not necessarily the same as the Bush Administration agenda. Of course some Presidents believe in the Democratic process more than others...

Stuart BermanApril 25, 2005 12:35 PM

@Davi
I do indeed actually read the news but I don't base my positions on 'faith-based' or shallow pieces (the salon piece being a great example of both... you know... weeping over the billions we could have given the poor and secured our ports). Of course simple sound bites sell lots of ads and the abundance of uninformed opinion treated as analysis should be given equal weight with something actually reasoned, right?
I'll take the analysis of Fukuyama, Friedman, Lewis, Ajami, Tanter and Barnett anyday. You want to believe the likes of frauds like Michael Moore - go ahead.
Thomas Barnett, a non-partisan Dem says this:
The Bush administration has promulgated a raft of bold new rule sets for dealing with the twin dangers of failed states/rogue states and the transnational terrorists they enable. These are inevitably quite controversial changes, the biggest one being preemptive war.
... the creation of a Core-wide security order that recognizes the Global War on Terrorism as the means to a worthy end: making globalization truly global and ending the disconnectedness that spawns transnational terrorism.
Also:
Terrorism is but a tactic, not an enemy. Its complete eradication is a chimera. Our goal is to marginalize it as a weapon by delegitimizing its use, and we do that best not by preventing its occurrence completely, but by routinizing its effect to the point of rendering all such acts obviously futile.
From: http://www.newrulesets.com/journals/...

Your positive statements are worth consideration - CSOs need to look at the large strategic picture and find ways to 'build trust' and can not bathe in the excuse that they're not 'allowed' to be proactive because of budget or culture.

vladoApril 25, 2005 6:59 PM

The author's assumption was "that the ultimate goal of security is to prevent the loss of lives". The reality is that there are other goals that may be involved.

Davi OttenheimerApril 25, 2005 7:40 PM

@Stuart
A better retort, to be certain, but you still miss the mark. I'll take back my position (that the Bush Administration clearly defines "safety" and "security" in terms of economic gain and opportunity for their backers, not in terms of saving lives), but only because I am probably giving too much credit. They have cleared out the bank but not actually saved lives, so perhaps they are simply unfit to rule.

Don't get me wrong. I am not against humanitarian intervention or pre-emptive strikes when warranted. For example, it seems to me that Israel's bombing of the Osirak nuclear facility in Iraq in 1981 has been widely regarded as a wise pre-emptive strike for a country that wanted to ensure its safety.

So although you are correct that the Bush Administration sent in Bremer to "render terrorism useless", his policies actually did exactly the opposite by completely destabilizing and destroying the existing infrastructure and creating a complete vaccuum with little or no opportunities for stability -- a situation where violence clearly trumps entrepreneurship and professionalism. Experts warned against this.

Which might actually bring us full circle on this topic. CSOs should be enabled to perform risk analysis such that they can help their employer/owner (e.g. shareholders) avoid predictable disasters. Their warnings should be respected and documented.

What do I mean in terms of Iraq? Consider that Bush said he'd run the country as a CEO would. Well, it turns out that he's the type of CEO that would never allow a CSO to function properly:

(from the neoconservative Bush-backer Robert Kagan)
http://www.washingtonpost.com/wp-dyn/articles/...

"Bush himself is the great mystery in this mounting debacle. His commitment to stay the course in Iraq seems utterly genuine. Yet he continues to tolerate policymakers, military advisers and a dysfunctional policymaking apparatus that are making the achievement of his goals less and less likely. He does not seem to demand better answers, or any answers, from those who serve him. It's not even clear that he understands how bad the situation in Iraq is or how close he is to losing public support for the war, a support that once lost may be impossible to regain."

I submit that no CSO worth his/her salt could survive under that leadership, let alone try to argue risk or present the facts related to the safety and sanctity of human life.

http://www.washingtonmonthly.com/archives/...

"George Bush is genuinely committed to winning in Iraq. He just doesn't know how to do it and doesn't have the skills, experience, or personality to look beyond his own instincts in order to figure it out. America is about to pay a heavy price for that."

Davi OttenheimerApril 26, 2005 12:41 AM

And here's some more reading on why it is verboten to dissent with the Bush Administration:
http://www.time.com/time/magazine/article/...

White House spokesman Trent Duffy explained on Sunday that telecommunications experts who were found to support Kerry in 2004 were removed from the Inter-American Telecommunication Commission. He said "wanted people who would represent the Administration positively" rather than people who were experts in their field. "Only after the start of Bush's second term did a political litmus test emerge, industry sources say."

Again, it appears that if you want to participate in politics yet hold a position counter to the Bush Administration you should also expect to be dumped like yesterday's lettuce. So unless the CSOs in question were generous donors to the Bush campaign, or they are experts in disguise, they have little or no chance of positively influencing this Administration through traditional methods.

Davi OttenheimerApril 26, 2005 10:17 PM

Today's news, just to drive the point home:

The Geneva Convention of 1949 and the Hague Regulations of 1907 forbid pillage and forbid changing the constitution of an occupied country. Bush ran afowl of these international laws when he tried to privatize and sell-off the Iraqi oil after invasion.

Now, the World Bank under Wolfowitz will offer the new Iraq loans in return for privatized oil rights (in close tandem with American oil companies).

It again appears that the Bush Administation definition of "security" is high profit margins with the absence of market regulation. It really has little or nothing to do with human life, although I am certain they somehow believe that pillaging the villagers makes the village safer.

The Bush Administration is quickly making the US into a full-fledged "lootocracy":

http://www.namibian.com.na/Netstories/2000/May/...

AnonymousApril 27, 2005 12:58 AM

It seems that the major flaw in this article is the assumption that every day risk management can be extrapolated all the way out to mitigating risks involving national security. For example, a reasonable automobile insurance policy is significantly different from a reasonable policy for an oil tanker - if you're interested (or if you just need to get some sleep) search for "extreme value theory". But this is a finer point. Personally, I'd be happy to see /any/ amount of reason applied to (US) national security.

AnonymousApril 27, 2005 12:32 PM

One major difference between corporate information security and the war on terror is the public reaction/political component. In a corporate environment, you do have to play with internal politics in justifying various security measures, but you can *try* to get objective measures of threats and react to them. In the WOT, you are largely driven by public reaction. Have a an incident on the news, spend a lot of money to protect against it- even if that is not the best use of resources.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..