WEIS 2012

Last week I was at the Workshop on Economics and Information Security in Berlin. Excellent conference, as always. Ross Anderson liveblogged the event; see the comments for summaries of the talks.

On the second day, Ross and I debated -- well, discussed -- cybersecurity spending. At the first WEIS, he and I had a similar discussion: I argued that we weren't spending enough on cybersecurity, and he argued that we were spending too much. For this discussion, we reversed our positions.

Posted on July 2, 2012 at 6:20 AM • 11 Comments

Comments

Clive Robinson, July 2, 2012 8:14 AM

You were both right twice.

The simple fact is we spend way, way too much in the wrong areas and way, way too little in the right areas.

Until we get rational debate based on sound scientific measurement this will not change.

ChuckB, July 2, 2012 10:08 AM

Everyone is right, or everyone is wrong, or some combination all equally likely given the absence of data and the abundance of theories.

Brandioch Conner, July 2, 2012 11:53 AM

How about both sides being right? Too much spent on the wrong stuff and not enough spent on real computer security?

For example, still trying to use signatures to identify the "bad" software instead of using multiple checksums to make sure that the stuff that is there is what you intended to be there.

Anon, July 2, 2012 12:06 PM

The big unknown in the debate is the extent of IP theft of corporate secrets. I don't know if most corporate IP departments are capable of determining A) that they were hacked, B) who did it, and C) what they took and why. Further, since losing IP secrets looks bad to investors and hurts share prices, corporations have an incentive to do everything possible to prevent events from becoming public knowledge.

Curby, July 2, 2012 3:27 PM

That couldn't possibly have been Ross's strongest point, could it?

The cost of fighting spam involves a lot of fixed costs independent of the amount of spam received, especially for end users who will buy the same commercial solution whether they receive 700 or 1000 spam messages a day/month/etc.

Taking down a botnet that sends out 30% of the world's spam is great for everyone, but it will not result in a decrease of 30% in antispam spending. The mental leap to saving $300M is suspect, and weakens the argument.

The article seemed to have some issues with composition, so perhaps it misrepresented the original argument made.

Wzrd1, July 2, 2012 6:24 PM

I've listened to both sides of that discussion for ages. I've lived in environments where the expense and effort to protect was considered a bad investment. I've lived in excessively protected environments, such as the DoD.
In BOTH environments, I've watched compromise after compromise. Indeed, I watched the DoD pay over a billion dollars to clean up one massive compromise in the war theaters and another cleanup that was larger, but the expense remains classified.
Of note, my installation had no compromise during those events. Only singular machines infected by personnel transiting to/from the downrange locations.
We all had the same IDS systems and monitors. We all had the same OS running. We all had the same IPS system. We all had the same antivirus solution. We all had the same patch schedule.
Two areas we differed:
Compliance. Both with antivirus being operational and up to date and patch management. More importantly, when the Undersecretary of Defense ordered USB disabled, OURS was disabled. Theirs wasn't.
In short, compliance and due diligence. Attention to details. Maintaining proper baselines for the environment.
The additional sensors and software only added an additional layer of protection that was rarely needed when the above were observed.

It's not how much you spend to protect your investment and property, it's HOW you spend it, implement it and monitor it.
So, I tend to agree with BOTH sides, as most CIO types tend to purchase what the vendor "swears by", not necessarily what is needed. There is a dearth of scientifically studied, peer reviewed studies on the massive number of packages in use today and their effectiveness. There are plenty of whitepapers from vendors though, each of which declares their product the be all and end all of IP protection and security.

Clive Robinson, July 3, 2012 1:46 AM

@ Brandioch Conner,

"For example, still trying to use signatures to identify the "bad" software instead of using multiple checksums to make sure that the stuff that is there is what you intended to be there."

"Checksums" are a form of signature, sadly usually used on static binaries, not active code.

There is nothing wrong with signature analysis when you know what things should look like. Sadly we use it mainly to look for "known known" malware only. It would be way, way better to use it on the "known known" that is the running code. That is, as long as your executable always matches its signature, both in terms of memory location values and order of execution, then you have quite a high probability it's not had malware injected into it at the executable code level.

The downside of this is software developers need to develop their code to have strong signatures with little or no unpredictable variance. This is something they appear very reluctant to do currently.
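The allow-list idea the two commenters are circling (record what the known-good files look like, then flag anything that no longer matches, rather than hunting for known-bad patterns) is shown below as an added example; it is not code from the post or its commenters. It works on files on disk, not on code in memory, and builds a constructed temporary tree to baseline and then tamper with.

```python
import hashlib
import os
import tempfile

def file_digests(path):
    """Two independent digests per file: the 'multiple checksums' of the comment."""
    sha256 = hashlib.sha256()
    blake = hashlib.blake2b()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha256.update(chunk)
            blake.update(chunk)
    return (sha256.hexdigest(), blake.hexdigest())

def build_baseline(root):
    """Record digests of every file under root: the 'known known' allow-list."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digests(full)
    return baseline

def verify(root, baseline):
    """Compare the tree against the baseline; anything not on the list is reported."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}

def demo():
    """Constructed scenario: baseline a tree, then tamper with it and re-verify."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "app.bin"), "wb") as fh:
        fh.write(b"\x7fELF original program bytes")  # constructed stand-in for a binary
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("debug=0\n")
    baseline = build_baseline(root)
    clean = verify(root, baseline)  # untouched tree: nothing reported
    # Simulate tampering: one file patched, one deleted, one dropped in.
    with open(os.path.join(root, "app.bin"), "ab") as fh:
        fh.write(b" injected")
    os.remove(os.path.join(root, "config.ini"))
    with open(os.path.join(root, "extra.so"), "wb") as fh:
        fh.write(b"unknown library")
    return clean, verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```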

Clive Robinson, July 3, 2012 2:06 AM

@ Anon,

"The big unknown in the debate is the extent of IP theft of corporate secrets. I don't know if most corporate IP departments are capable of determining..."

This is actually all their own fault and is primarily to do with a failure in the "audit process".

For some reason many places will upgrade hardware etc for the latest OS or Apps but they won't upgrade the hardware to run the necessary audit functions.

Oddly some industries are required to run a high level of auditing but fail to do the job properly.

At least one place I know of records every single byte that comes in or goes out of their internal network as well as monitoring all traffic to various servers and which files by whom and at what time etc.

They have caught and fired a number of employees who were basically doing things they should not do for personal gain, as well as finding several types of malware that various AV vendors and equivalent failed to catch. Oh, and nearly all the stuff they use for this is open source. And the last time I spoke to them it ran at around 10% of resource capabilities, so it is actually not that significant a load when compared to many closed source offerings.

Clive Robinson, July 3, 2012 2:20 AM

@ Anon,

"The big unknown in the debate is the extent of IP theft of corporate secrets. I don't know if most corporate IP departments are capable of determining..."

Apart from the "who" this is actually all their own fault and is primarily to do with a failure in the "audit process" (usually none or insufficient).

For some reason many places will upgrade hardware etc for the latest OS or Apps but they won't upgrade the hardware to run the necessary audit functions.

Oddly some industries are required to run a high level of auditing but fail to do the job properly.

At least one place I know of records every single byte that comes in or goes out of their internal network as well as monitoring all traffic to various servers and which files by whom and at what time etc. (yes, they have a method of getting inside outbound SSH via a MiTM proxy).

They have caught and fired a number of employees who were basically doing the things they should not do for personal gain, as well as finding several types of malware and equivalent that many AV vendors of note failed to catch. Oh, and nearly all the stuff they use for this is open source. And the last time I spoke to them it ran at around 10% of resource capabilities, so it is actually not that significant a load when compared to many closed source AV offerings.

Currently they don't "instant patch" they mitigate, test the patch and if all ok then patch (which is what you should all be doing).

Peter Dowley, July 3, 2012 5:34 AM

On the topic of other WEIS sessions - Ross Anderson's liveblog comments on the WEIS talks are well worth a read (link in the original post above). I particularly enjoyed the items about "Why Nigerian scammers claim to be from Nigeria" and on Fake Pharma.

Bob Dobbs, July 3, 2012 1:49 PM

Since your current and past risk appetites and value perceptions vary, I would argue you're both correct, respectively.
