Jeff Walzer's List: Security

• Measuring ROI/RISO at www.cio.com - Jeff Walzer on 2008-03-22

• IT security executives must begin using more progressive risk management techniques if they ever hope to get ahead of data  breaches, malicious attacks and emerging compliance regulations.
• Most businesses are already collecting volumes of data that could be put to use in making more informed decisions about IT security and management, but they simply don't know how to put the information to work in a manner that will allow them to do so, according to the  expert.
• "CIOs are already collecting reams of data that could help with risk calculation in their logs, identity management systems, and intrusion prevention tools, but most of the time, it sits uncorrelated, uncompared, and unanalyzed," he said. "These  companies have a wealth of information that could help them calculate risk more effectively; as an industry, we need to talk  more about new data models, analytical tools, and what future standards need to look like. That's the type of thing that the  Data Governance Council believes in."
• Security today is an arms race handled on a weekly or daily basis, and most companies are so challenged by this process that  they don't even have the bandwidth to be strategic about risk calculation," he said. "That has to change, and we instead need  to hold people accountable who create the vulnerabilities; we will always have risk, but we need to start holding the average  employee more accountable, and for those assessing [via risk management and governance techniques], that's already happening."

2 more annotations...

• The reality of security is mathematical, based on the probability of different  risks and the effectiveness of different countermeasures.
• But security is also a feeling, based not on probabilities and mathematical  calculations, but on your psychological reactions to both risks and  countermeasures.
• Or, more generally, you can be secure even though you don't feel secure. And you  can feel secure even though you're not. The feeling and reality of security are  certainly related to each other, but they're just as certainly not the same as  each other.
• Four fields of research--two very closely related--can help illuminate this  issue. The first is behavioral economics, sometimes called behavioral finance.
• Behavioral economics looks at human biases--emotional, social, and  cognitive--and how they affect economic decisions. The second is the psychology  of decision-making, and more specifically bounded rationality, which examines  how we make decisions.
• Neither is directly related to security, but both look at the concept of risk:  behavioral economics more in relation to economic risk, and the psychology of  decision-making more generally in terms of security risks.
• There is also direct research into the psychology of risk.
• A fourth relevant field of research is neuroscience.
• Security is a trade-off.
• Security costs money, but it also costs in time, convenience, capabilities,  liberties, and so on.
• It makes no sense to just look at security in terms of effectiveness.
• in terms of effectiveness.  "Is this  effective against the threat?" is the wrong question to ask. You need to ask:  "Is it a good trade-off?"

• There are several specific aspects of the security trade-off that can go  wrong. For example:

   
   
  1. The severity of the risk.  
  2. The probability of the risk.  
  3. The magnitude of the costs.  
  4. How effective the countermeasure is at mitigating the risk.  
  5. How well disparate risks and costs can be compared.
• The more your perception diverges from reality in any of these five aspects, the  more your perceived trade-off won't match the actual trade-off.
• It's my contention that these irrational trade-offs can be explained by  psychology.
• Most of the time, when the perception of security doesn't match the reality of  security, it's because the perception of the risk doesn't match the reality of  the risk.
• These heuristics affect how we think about risks, how we evaluate the  probability of future events, how we consider costs, and how we make trade-offs.  We have ways of generating close-to-optimal answers quickly with limited  cognitive capabilities.
• The first, and most common, area that can cause the feeling of security to  diverge from the reality of security is the perception of risk. Security is a  trade-off, and if we get the severity of the risk wrong, we're going to get the  trade-off wrong.
• Traditional economics is based on something called "utility theory," which  predicts that people make trade-offs based on a straightforward calculation of  relative gains and losses.
• The authors of this study explained this difference by developing something  called "prospect theory." Unlike utility theory, prospect theory recognizes that  people have subjective values for gains and losses. In fact, humans have evolved  a pair of heuristics that they apply in these sorts of trade-offs. The first is  that a sure gain is better than a chance at a greater gain. ("A bird in the hand  is better than two in the bush.") And the second is that a sure loss is worse  than a chance at a greater loss.
• These two heuristics are so powerful that they can lead to logically  inconsistent results.
• People make very different trade-offs if something is presented as a gain than  if something is presented as a loss.
• Behavioral economists and psychologists call this a "framing effect": peoples'  choices are affected by how a trade-off is framed. Frame the choice as a gain,  and people will tend to be risk averse. But frame the choice as a loss, and  people will tend to be risk seeking.
• Another way of explaining these results is that people tend to attach a greater  value to changes closer to their current state than they do to changes further  away from their current state.
• people also value something more when it is considered as something that can be  lost, as opposed to when it is considered as a potential gain.
• This is called the "endowment effect,"
• Given that, prospect theory implies two things. First, it means that people are  going to trade off more for security that lets them keep something they've  become accustomed to--a lifestyle, a level of security, some functionality in a  product or service--than they were willing to risk to get it in the first place.  Second, when considering security gains, people are more likely to accept an  incremental gain than a chance at a larger gain; but when considering security  losses, they're more likely to risk a larger loss than accept the certainty of a  small one.
• We have other heuristics and biases about risks. One common one is called  "optimism bias": we tend to believe that we'll do better than most others  engaged in the same activity.

• The literature also discusses a "control bias," where people are more likely  to accept risks if they feel they have some control over them. To me, this is  simply a manifestation of the optimism bias, and not a separate bias.
• Another bias is the "affect heuristic," which basically says that an automatic  affective valuation--I've seen it called "the emotional core of an attitude"--is  the basis for many judgments and behaviors about it.

• With regard to security, the affect heuristic says that an overall good  feeling toward a situation leads to a lower risk perception, and an overall bad  feeling leads to a higher risk perception. This seems to explain why people tend  to underestimate risks for actions that also have some ancillary  benefit--smoking, skydiving, and such--but also has some weirder effects.
• Another bias is that we are especially tuned to risks involving people.
• The second area that can contribute to bad security trade-offs is probability.  If we get the probability wrong, we get the trade-off wrong.
• Generally, we as a species are not very good at dealing with large numbers.
• Additionally, there are heuristics associated with probabilities. These aren't  specific to risk, but contribute to bad evaluations of risk. And it turns out  that our brains' ability to quickly assess probability runs into all sorts of  problems.
• The "availability heuristic" is very broad, and goes a long way toward  explaining how people deal with risk and trade-offs. Basically, the availability  heuristic means that people "assess the frequency of a class or the probability  of an event by the ease with which instances or occurrences can be brought to  mind." ²⁸ In other words, in any  decision-making process, easily remembered (available) data are given greater  weight than hard-to-remember data.
• In general, the availability heuristic is a good mental shortcut.
• But like all heuristics, there are areas where the heuristic breaks down and  leads to biases.
• The moral here is that people will be persuaded more by a vivid, personal story  than they will by bland statistics and facts, possibly solely due to the fact  that they remember vivid arguments better.
• More generally, this kind of thing is related to something called "probability  neglect": the tendency of people to ignore probabilities in instances where  there is a high emotional content.
• The availability heuristic also explains hindsight bias. Events that have  actually occurred are, almost by definition, easier to imagine than events that  have not, so people retroactively overestimate the probability of those events.

• The best way I've seen this all described is by Scott Plous:

   

  In very general terms: (1) the more available an event is,  the more frequent or probable it will seem; (2) the more vivid a piece of  information is, the more easily recalled and convincing it will be; and (3) the  more salient something is, the more likely it will be to appear  causal.³⁷
• "Representativeness" is a heuristic by which we assume the probability that an  example belongs to a particular class is based on how well that example  represents the class. On the face of it, this seems like a reasonable heuristic.  But it can lead to erroneous results if you're not careful.
• As the researchers explain: "As the amount of detail in a scenario increases,  its probability can only decrease steadily, but its representativeness and hence  its apparent likelihood may increase. The reliance on representativeness, we  believe, is a primary reason for the unwarranted appeal of detailed scenarios  and the illusory sense of insight that such constructions often provide."⁴¹
• Mental accounting is the process by which people categorize different  costs.⁴⁵  People don't simply think of costs as costs; it's much more complicated than  that.
• "Time discounting" is the term used to describe the human tendency to discount  future costs and benefits. It makes economic sense; a cost paid in a year is not  the same as a cost paid today, because that money could be invested and earn  interest during the year. Similarly, a benefit accrued in a year is worth less  than a benefit accrued today.

44 more annotations...

• fewer businesses are utilizing a strategy that approaches IT risk as a stand-alone skill set or initiative
• "IT risk doesn't necessarily equate to security risk. That's a big shift, and the key takeaway is that organizations are getting  more mature around the portfolio of risks they have to manage,"
• "In the past, people looked at one area as discrete, but now they're addressing the four pillars of compliance,  security, risk, and performance availability as part of a balanced strategy."
• Increasing interdependence on IT systems shared between business partners has elevated availability and performance concerns  above security issues -- and businesses are more worried about causing a bottleneck in their global supply chain then they  are looking to thwart attacks, the expert contends.
• "Part of the problem  is that people only do assessments on a bi-annual basis, or they might inventory their assets sporadically; that gap is what  often leads to exposure in availability, security, compliance, or performance." All the individual projects involved need  to be managed on an ongoing basis, he said.
• "The area where most people need to focus on is classifying their data, what it's used for, and what its sensitivity may be,"  said Kapuria. "Rather than just throwing technology at their problems, companies need to assess, and then apply the appropriate  availability, security, and compliance requirements."

4 more annotations...

• however, the Web Application Firewalls?  Talk about products with a poor  track record.  Also let’s think about what Web Application Firewalls are  good at, signature-based protections.  So, yeah, they’ll help with XSS and  SQL Injection, although I’ll go to the grave saying they don’t prevent the  issues entirely, but they have absolutely no capability to find a huge number of  very serious security flaws, such as (off the top of my head and in no specific  order):

   
   
  1. Authentication issues  
  2. Authorization issues  
  3. Arbitrary File Upload/Download  
  4. Cross-Site Request Forgery  
  5. Improper Error Handling  
  6. Flawed Business Logic

• so, too, can IT officials thwart breaches by customizing security plans for  individual employees in every zone of their companies
• The lessons we learn from craps pits and blackjack tables reveal that it's never  wise to entrust your business's most valuable or vulnerable assets to a single  employee. Instead, compartmentalize access whenever possible, and never hesitate  to look over employees' shoulders
• "People are the weakest link in security. They always have been, and you will  never change that," Schneier says. "But the reality is that you've got to deal  with people, and people are going to make mistakes."
• The people problem continues to grow, since it is now harder to differentiate  between internal and external threats. "The difference between an insider and an  outsider is no longer clear," says Anderson, who cautions corporations to be  aware of the ways that contractors, outsourcers, vendors, partner companies and  suppliers could gain access to sensitive corporate data -- either by accident or  by design.

2 more annotations...

• encrypting card numbers on point-of-sale devices is "the most significant  action" that retailers can take to stop attacks such as the one that hit  Hannaford, said Gartner Inc. analyst Avivah Litan.
• But that doesn't necessarily mean that the new security measures will make  Hannaford -- or other companies that follow its lead -- immune to future  attacks.
• Huguelet said that the planned end-to-end encryption of card data also sounds  good -- on paper. But to make the data hacker-proof, he added, it would have to  be encrypted from the PIN entry devices in stores to the systems of the  payment-processing firm that authorizes card transactions.

1 more annotation...

• The strategy of threat prediction suffers from two major flaws. First, it  assumes predictability in a field that is full of surprises.
• New attacks are not designed in a vacuum; they are designed explicitly to  sidestep our expectations.
• Second, threat prediction causes tunnel vision. It pushes us to focus on attacks  rather than assets, on the “bad” rather than the “valuable.”
• This plays right into the hands of attackers, as tunnel vision narrows our  defenses thereby making them easier to bypass. Rather than trying to predict  threats, we should focus on general security preparedness.
• Rather, secure companies are those that minimize both the incidence of  successful attacks and then further minimize the impact of those few breaches.
• But most companies put a lot less emphasis on preparedness that they do on  specific threats.
• We have seen this in our research year after year, where we find very few  companies with specific, well designed and well drilled incident-response  policies.

5 more annotations...

• Associated risks include:

   

  -- Data loss through unmonitored and/or unauthorized file transfers

   

  -- Compliance violations, both with internal policies and external  regulations

   

  -- Business exposure from malware propagation or application vulnerability  exploits

   

  -- Operational cost increases due to higher bandwidth consumption and added  IT expense

   

  -- Lost productivity from excessive use of personal applications

• Surprisingly, the answer has more to do with management methodology than  security technology.
• it’s not necessarily that a product failed. It’s not necessarily that an  individual failed. It’s that the process failed. There was no end-to-end  workflow and nobody understood where the break points were in the process.
• If you don’t know it and if you can’t see it, you can’t manage it.

1 more annotation...

• Organizations today must protect sensitive data by first identifying where this  data is, then determining who can access it.
• Data discovery or content inventorying is the first step organizations must take  to determine what content exists where.
• Data-at-rest discovery tools can solve this problem by scanning the network to  discover machines and then go on to crawl the content on these machines. The  analysis of content is sophisticated in that pre-defined compliance templates  can be used as well as hundreds of other content classifications.

1 more annotation...