The next time somebody tells you that location data and social media are an effective way to analyze things…
Try looking at my Facebook, Google, Foursquare etc. data for the day.
Do you really think GPS is special?
The ravings of a SANS/GIAC GSE (Compliance & Malware). For more information on my role as a presenter and commentator on IT Security, Digital Forensics, Statistics and Data Mining, e-mail me: "craigswright @ acm.org".
For too long information security has been risk-averse. What we actually need is a risk strategy that is based on business goals. Sometimes we will accept risk, at other times we will mitigate or avoid it, and in some instances we will stop the risk by not engaging in the activity at all. The part that seems to be hardest for many people to understand is that sometimes we have to accept risk. What becomes important here is being able to measure risk. Without adequate metrics and a means to quantify the value of the risk we are taking, we are guessing in the dark. That is the riskiest proposition.
Risk is not just about cyber attack. Even limiting risk to information technology, electronic attacks remain a small factor of risk. Hence, security is not just about stopping attackers but rather about maintaining an acceptable level of risk, which means an acceptable level of loss. Yes, loss. There are no absolutes, and spending too much on security can be more of a loss than suffering an attack.
When thinking about security risk we need to consider more than just cyber attack. In fact, there are many aspects of security that seem mundane and are commonly overlooked. These lie within the realm of management and governance and are far more critical than the latest product (i.e. toy), such as a new IPS.
Some of the most important but frequently overlooked risk factors of an organization related to information security include:
On top of this, third-party issues are frequently a major concern. Contractual problems, failure to deliver or live up to expectations, or even a markedly different approach to risk on the part of third parties are a major cause of concern.
So next time we start to think about risk as it relates to information security, we need to start thinking holistically. In this we really need to consider the entire environment. Hackers are not our sole risk; our biggest risk comes from not understanding our environment. Most importantly, we need to understand the business that we are seeking to protect and understand that sometimes it is necessary to accept risk and that sometimes it is necessary to walk away from a project.
One aspect of risk is how people respond to increased controls.
We have introduced many technologies that actually make our systems more secure. In fact, we are comparatively more secure from a technological perspective than we were 10 years back. What has happened is that we take more risks. As we make a more secure environment, people will do riskier things.
In the past, we've selected security personnel based on military experience and other highly selective aspects of risk. Having spent time in both environments, it took me many years to move from a military focus to where I am now. At the same time I believe I managed to understand both. Security implications in a military context are incredibly far removed from risk in business. This is one of the reasons we sit behind confidentiality and forget all the other aspects of security.
An example of this form of misapplied thinking is Marcus Ranum's "ultimately secure firewall".
The reality is that this is the ultimately insecure business firewall. This device does nothing for integrity and it completely destroys availability. There is some tongue-in-cheek in this post, but the fact of the matter is that it also reflects the general attitude of many security practitioners. They are not business enablers, but feel the need to determine the risk strategies of an organization rather than meeting the risk profile and budget they have been assigned.
This severe misalignment is one of the sources of increasing tension between different groups and departments within many organizations. For those of you who are upcoming security practitioners and professionals I would recommend actually spending some time learning about risk. It is a skill that is lacking within the information security community.
DoS vs DDoS
Along these lines, here are two personal anecdotes. The first is from here in Australia, around a decade ago. The company I started was providing intelligence to various government departments concerning cyber security. In one of these instances we were alerted to a planned DDoS attack against the Department of Treasury.
The aim was to mount an attack between Christmas and the new year when the majority of information technology personnel were away on vacation. Treasury saw this as a major concern and took steps to respond. Over the Christmas period they shut down major Internet connections on a number of systems and hence stopped any possible DDoS scenario. With the system disconnected there was no way to actually attack it. That at least was the argument.
The next scenario was similar, another DDoS. In this instance a major network player in the US had a client experiencing a DDoS. The senior architect at that organization did not forgo his lunch; he acted on the attack in a manner that allowed him to enjoy his lunch before returning, rather than de-escalating the attack. His response was to black-hole route the entire network of the client. So instead of having nearly no connectivity due to the DDoS, the client was taken off the Internet completely.
His explanation for this act was the same as that offered by Treasury.
It was explained to me that a DDoS was significantly worse than a DoS attack.
This is the flawed logic used by many in the security industry. In place of understanding and an outcomes-based solution, we look at cause and effect. Clients do not care whether they are attacked using distributed means or from a single server. They do not care if it's a botnet of 10,000 hosts or a router that has been compromised. What they care about is availability. In each case the "security professional", and I do use that term lightly, changed degraded service to no service. In fact, they significantly reduced availability.
This is the problem with security today. We have this flawed idea that nothing is better than an attack. What we need are risk professionals, not risk-averse, business-impeding personnel. A good security professional is a business enabler. It is our job to ensure the ongoing activities of the organization that we work for. This means accepting risk. It doesn't mean blind acceptance of everything, but understanding the risk and limiting loss to a level set by management. I will say that again: to a level set by management. It is not the place of the security professional to decide what the risk position of the organization will be.
Personally, I think risk professionals need some training in finance. This includes information security personnel. We need to understand the value of the systems and processes we're working with. We need to start to understand that the systems we value most may not be the ones that are most valuable to the organization.
Mostly, security people need to start to understand risk.
Charles Sturt University offers a unique IT Doctorate that is applied, flexible and industry relevant. However, studying for a Doctorate is a big commitment, so we are offering this short course so that you can get a feel for whether you are ready to take the plunge into a Doctorate.
Well. Nothing magnificent, but all of these (the skull shot glass, skull moneybox, picture hanger and Uni logo) are printed at home.
Why is manufacturing set to change? Well 3 color 3d printing is here as well.
So people, do not let your children work in factories. They have no future.
Yes, manufacturing is alive, but it is really in an old age home and starting to fade.
Lights out factories and assembly. Start programming or learn to assemble parts for others at home.
Career of the future, Ikea style assembler.
I've just finished reading a post on the CDFS mailing list concerning an article on forensics. This is the digital forensics list. The title of this post is "No Forensic Background? No Problem". It is a little rant of the type I have engaged in many times. There is some value in it. However, it is rather misguided in many ways. The author talks about how he obtained a certificate from the ACFEI after completing a 90-minute instruction video and a 100-question multiple choice test. The site provided him "an impressive-sounding credential that could help establish my qualifications to be an expert witness in criminal and civil trials."
Now this sounds terrible. Being able to become an expert witness at the drop of a hat. Yes and no. What matters is not a determination from a piece of paper that you are an expert witness. The general definition of an expert, in the forensic sense, is basically only that a person is an expert within a court of law if they possess a body of knowledge outside the ordinary experience of people. That's it. You can gain this knowledge through practical experience and/or formal study and training.
That does not mean you are an expert for all things. I have qualifications as a CCE (Certified Computer Examiner), various university degrees and more. I have testified in law courts as an expert and I even have a Masters in Law degree. However, this does not make me an expert in every single aspect of computing technology. I am not for instance an expert with regards to an Informix database. I am a registered Microsoft developer and write code for Windows phone 8. This does not make me an expert on Apple's iPhone. In fact I have not the foggiest idea about current Apple products. I actively avoid them. Being an expert in one area is different to being expert in another.
As strange as it may seem, the American College of Forensic Examiners is actually correct in saying this person could be "an expert witness in criminal and civil trials". In fact, legitimately so.
Let's read part of the piece, "This is how I -- a journalism graduate student with no background in forensics -- became certified as a "Forensic Consultant" by…".
Let's now analyze this. The individual is a journalism graduate student. This means the individual has an undergraduate degree.
Now an undergraduate degree is evidence of experience outside that of an ordinary person. As such, what matters is what you purport to be an expert in.
The court will decide whether the qualifications held by witness will suffice in any selected case. This will change based on the type of testimony that the expert has to give. Sometimes practical experience will be held to be more effective and a better qualification than a graduate degree from an educational institution or even research.
For instance, a person who has worked as a barkeeper in a dive of a bar for 40 years five nights a week watching people get intoxicated will be considered an expert on intoxication. In fact, it is likely that they will be held to have more expertise than a person who is a general practitioner physician with little experience with intoxication. The physician can have an M.D., the barkeeper no qualifications. It is a barkeeper who becomes the expert. And rightly so.
Saying they can be an expert is not the same as being an expert in a particular field.
The sole use of an expert in court is opinion evidence. A lay witness can only provide fact-based evidence on what they have personally experienced. This is what they have seen, smelled, felt, tasted etc. That is sense-based observation.
The difference with an expert is an allowance to offer an opinion based on specialized knowledge within the court. Experience using EnCase makes you a type of expert. Experience using C# makes you a type of expert.
Yes, there are issues of public perception. Primarily we need to move away from this idea that forensics is some sort of arcane science.
Today I had a Telstra tech come and lay cables. I needed another 6 pair for what I am seeking to do, which is to host multiple BDSL bonded Ethernet links with ADSL redundancy.
Yes, I like my Internet and the interim cable is just TOO slow.
With all the hype over NBN you would think I could just wait a few weeks and there we go.
That is the issue. NBN is long term. A FEW and by FEW I mean extremely few people will have this in the next three (3) years, but so few it does not make a difference.
So, I have a bill for $1,647.80. This is the install fee. Not cheap, but when you start to look at fibre lines at a cost of $4,000 for an install the economics are simple (if there is a point in the street and I do not have one requiring a 6 km install…).
That is, I can have a bonded copper connection NOW. This is not the slow 25mbps touted by the LNP or the vaporware of the Labor coalition, but is an Ethernet line tomorrow.
So, even though I am around 2km away from the exchange (too far for ADSL2) I am able to get a copper based connection that can handle up to 200mbps NOW.
Yes, 200mbps. Not 100mbps as the fibre guys have right now. No vapourware about what we can do by 2020, 200mbps NOW!
I will be limited below that speed as I do not want to pay for it all right now, but I have the option. More, I have dedicated bandwidth. Unlike all those poor saps on the NBN, my connection is a complete SLA set Ethernet line with a guaranteed symmetric rate. No congestion, no shared services.
Then we have to remember, government has never been a force for innovation. NBNco or RentSeeking inc?
So, my answer to all the politicized BS… Leave it all alone and get out of the business of business. Even the damn Liberal party, the ones meant to be supportive of deregulation are in on this. Again, why are we taking tax payer money to install a poor substitute for commercial options that can already occur.
The dire misunderstanding in NBN policy is one of economics. It's a misunderstanding of delayed gratification. When you spend later you earn interest. As such it is better to obtain something as you need it rather than building it now despite the cost. A real analysis of the economics will look at the options as they are now compared to future costings. Many aspects of the future are of course uncertain, but even taking only existing technologies into account it is simple to see that a forced install of fibre to all locations is a bad idea.
The choice of economic models is important. Variations in interest rates, CPI figures and even technology changes alter the outcomes in unpredictable manners. That stated all governments and all economic growth starts with the creation of models. In this case I have selected a simple model based on a few installation possibilities and a yearly 12% investment rate. This is not excessive and a decent fund manager should be able to earn more.
For the purposes of this model I have selected two bonded DSL options. The first is the installation of multiple pairs in northern Sydney. This is from a distance of just under 2 km from an exchange. That is a distance that is considered too far to install ADSL2+. The other option is an installation that was completed in rural Bagnoo. This involves laying copper cable to a property 5 km from an exchange. This involved the installation of multiple bonded pairs to gain 20mbps symmetric Internet access from a rural location where it was originally stated that only satellite would be available. Multiple pairs were of course needed to overcome the signal loss to an acceptable level. The cost of having this cable installed, including the bulldozers and trenching, was $2,350 give or take a few cents.
The side benefit of this exercise was that the flow on effect was for the Byabarra exchange to be upgraded. The end result of this upgrade was that the local school and small village could also then get ADSL2 services.
Different rural locations would have to be modelled differently, however Bagnoo is not significantly different to many small isolated properties.
In this model I have displayed the costs over time. The assumptions I made are based on a $4,000 cost to install fibre. The costs listed in this model include one that I have been quoted for an existing installation, the other being the cost of rural fibre I arranged to be installed. The choice of bonded copper was for this reason an economic decision.
Current bonded Ethernet solutions allow up to 200mbps speeds, although at a cost greater than is economical. If one currently needs this type of speed over a two-year period it becomes a better investment to install multiple fibre lines. That stated, where the total connectivity is between 60mbps and 100mbps dedicated to the Internet, many areas of Sydney are better served using bonded copper cable.
A table detailing the cost calculations over time is included below.
| Fibre | City BDSL | Rural BDSL | Rural fiber |
What we can see from this model is that the arguments that we need an installation in the future are flawed. If we simply installed the solutions people need now and invest the money saved we can fund the future installation of fibre at a reduced cost. In fact this also neglects the changes in technology. In this, we've ignored that an increase in mobile technologies using wireless technologies in development that offer over 1gbps are just around the corner and will be available commercially before the completion of the NBN. Even ignoring these however we can see that the NBN does not make commercial sense.
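The "spend later, earn interest" reasoning above can be made concrete with a small calculation. The following is an added illustration, not a reproduction of the post's own spreadsheet: it takes the three install figures the post states ($4,000 assumed for fibre, $1,647.80 for the city bonded DSL install, $2,350 for the rural bonded DSL install) and the post's 12% yearly investment rate, compounds the money saved by choosing copper now, and reports the year in which that invested saving alone would pay for the fibre install. The function names and the yearly compounding are my assumptions; the post does not say how its own table was computed.

```python
"""Opportunity-cost model for "install copper now, fibre later" (added example).

Inputs are the figures given in the post; compounding is assumed yearly.
"""

FIBRE_INSTALL = 4000.00       # post's assumed fibre install cost
CITY_BDSL_INSTALL = 1647.80   # post's quoted city bonded DSL install fee
RURAL_BDSL_INSTALL = 2350.00  # post's rural Bagnoo bonded DSL install cost
YEARLY_RATE = 0.12            # post's 12% yearly investment rate


def future_value(principal: float, rate: float, years: int) -> float:
    """Compound `principal` at `rate` per year for `years` years."""
    return principal * (1.0 + rate) ** years


def years_until_savings_cover(fibre_cost: float, alt_cost: float,
                              rate: float, max_years: int = 30):
    """Years of investing (fibre_cost - alt_cost) until the invested saving
    alone is at least fibre_cost. Returns 0 if the alternative is not cheaper,
    None if it never happens within max_years."""
    saved = fibre_cost - alt_cost
    if saved <= 0:
        return 0
    for year in range(1, max_years + 1):
        if future_value(saved, rate, year) >= fibre_cost:
            return year
    return None


def cost_over_time(fibre_cost: float, alt_cost: float, rate: float, years: int):
    """Year-by-year table: what each install's money would have grown to if
    invested instead, plus the compounded value of the saving from choosing
    the cheaper option. Each row is a dict so it can be printed or asserted on."""
    saved = fibre_cost - alt_cost
    return [
        {
            "year": y,
            "fibre_opportunity_cost": round(future_value(fibre_cost, rate, y), 2),
            "alt_opportunity_cost": round(future_value(alt_cost, rate, y), 2),
            "invested_saving": round(future_value(saved, rate, y), 2),
        }
        for y in range(years + 1)
    ]


if __name__ == "__main__":
    for label, alt in (("City BDSL", CITY_BDSL_INSTALL),
                       ("Rural BDSL", RURAL_BDSL_INSTALL)):
        n = years_until_savings_cover(FIBRE_INSTALL, alt, YEARLY_RATE)
        print(f"{label}: invested saving covers a ${FIBRE_INSTALL:,.0f} "
              f"fibre install after {n} years at {YEARLY_RATE:.0%}")
        for row in cost_over_time(FIBRE_INSTALL, alt, YEARLY_RATE, n):
            print(f"  year {row['year']:>2}: fibre {row['fibre_opportunity_cost']:>9,.2f}"
                  f"  alt {row['alt_opportunity_cost']:>9,.2f}"
                  f"  saving {row['invested_saving']:>9,.2f}")
```

Under these inputs the city saving of $2,352.20 grows past $4,000 in year 5 and the rural saving of $1,650 in year 8, which is the post's point: the money not spent on fibre today funds the fibre install later, before allowing for any drop in fibre install prices or newer technology.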
There are always limited funds. This is the hard side of economics. Every dollar we spend is a dollar we could've spent on something else. Every dollar wasted on the NBN is a dollar taken from health, defence, education and everything else we can think about.
Posted by Craig Wright at Wednesday, April 10, 2013
In Australia both sides of the political spectrum have weighed in with anticompetitive solutions. Right now we see two options, one from Labor and one from the Liberal party, for Australia's national broadband network or NBN. In both cases it involves government rolling out an already dated non-commercial network that has to be paid for by government.
Why you may ask?
Well, it's fairly simple. Neither party has faith in commercial offerings. Right now there are many technologies that can offer broadband better than the NBN is providing. These solutions are generally offered commercially, as a business is not covered under the same restraints as a home user. This of course means increased cost, as the business SLA or service-level agreement requires high levels of uptime and availability. Primarily, the SLA dictates dedicated bandwidth. This means that when you pay for an 80mbps symmetrical connection you get 80mbps directly to the Internet. The problem with many home user networks, including those offered by the NBN from either side of the political spectrum, is that you don't actually get dedicated bandwidth. You get a shared connection that is potentially very fast locally but which is actually limited.
This political game of putting all our eggs in one basket often comes from a misapplied and false notion of fairness. Political forces like to play games. This is one of them. The touted reasoning is that the NBN will create universal access for all Australians. The reality is that it will limit some, as others pay for an inefficient distribution to receive a limited service. Right now, there are better, less expensive and more expandable options available.
The problem comes in when we start looking at technology as a solution to all our issues. Then we start to require universal access to the same technology, even in rural areas. What we're not trying to do is offer fibre broadband. What we're trying to do is offer high-speed Internet access no matter how that is provisioned.
This means using different solutions for different regions. The NBN of course is a one-stop universal solution that costs more for everyone. Instead of offering best-of-breed solutions where they're needed, we force the same technology to be applied everywhere.
Fibre Internet has its place. In densely populated urban areas with the capability of running cable (as occurred time and time again in the Optus, Telstra, AAPT, etc. cable rollouts) fibre is a great option. In other areas, bonded copper solutions connected to fibre backbones can offer just as high-speed connectivity using direct Ethernet-based solutions rather than those found on ATM. In some cases there is actually less latency and overhead.
That said, it still comes down to the amount of dedicated bandwidth offered at the ISP.
In rural areas, wireless, VSAT, LTE and a plethora of other technologies can offer high-speed connections at a far lower cost than direct fibre connections. What we need to start doing is to stop assuming that there must be one option for all people universally.
Posted by Craig Wright at Tuesday, April 09, 2013
I've spent a little time learning a few skills that are outside the sphere of influence of many security people. This has led to some altered thinking on the value of messages. For some time I have been somewhat of a pariah and definitely a Cassandra. I know, in stating this I am of course biased, but the fact of the matter is that the true message of security is lost. The reality is that we concentrate on the wrong aspects in many cases. More, we avoid many emotional phrases that would help sell the message to the general public. What of course we need to do is to sell a concept based on reality, yet the reality remains far from that.
Any search on security in relation to health, for instance, will give you many pages covering the confidentiality of material that is actually far from confidential on a paper-based system. In fact, many paper-based systems are far more open than the lowest secured Internet connected system. This may seem an outlandish claim, but the fact of the matter is that between doctors, nurses, nutritionists, hospital administrators, exercise coordinators, cleaners, kitchen staff, and all variety of auditors and reviewers, even with paper-based records, hundreds of people can view medical records routinely.
The perceived difficulty in accessing paper-based medical records is the fallacy.
The truth of the matter is that paper-based records are the confidentiality chimera covering the reality that electronic records are actually more secure when privacy is the key concern.
But this is the rub.
Privacy is not always the key concern. When we talk about security we hear comments on privacy and confidentiality as if these are the be-all and end-all of security. They are not. This is more so when it comes to health data. In the case of health data what really matters are the other two aspects of security. That is, integrity and availability of data. Security is always a trade-off. The more we place into one aspect of security the less we gain in the other areas. That is, for the same economic investment any increase in confidentiality is likely to reduce the integrity and availability of the service.
Security is not only about confidentiality. To understand security we need to understand what we are actually providing. In healthcare what matters most is not protecting records but making them available to the right people. If we want to secure health data we need to reframe the question.
We should not be asking how do we stop people accessing my data, but rather we should ask how do we ensure that my data remains available only to those who need it. This is a move to ensure a system where we know that we need to make data available where it is needed. More than this, we need to make sure the data we are opening access to is correct. That is, the integrity of the data is beyond reproach.
Right now paper records are highly inaccurate. More than this, they are difficult for the end-user to correct. If an individual moves house, gets married, has a family, has an accident or any other number of the innumerable incidents occur, then those records are not updated.
To take a personal example, I rock climb. I've done many other things that lead to a potential stint in hospital. In fact I've had several. In this process of breaking bones and having bits of metal become part of me I've learnt that I cannot handle opiates. Morphine sent me around the bend; I went through that experience only once, when I had a foot facing 180° in the wrong direction, and never again. But it is as simple as codeine. Even the simple headache tablets have a severe adverse effect on me and I do not take them.
The records concerning my ankle reconstruction exist in a hospital 400 km away from where I live. The records concerning my adverse reaction to opiates are even further removed in many cases. How then would medical staff know not to inject me with morphine if I came into an emergency room unconscious?
The reality of the matter is that we need to concentrate on the best outcomes. These are often not the ones that are touted to us emotionally. This is what the aspect of FUD, or fear, uncertainty and doubt, is really about. Security is a risk-based approach, not an absolute. In seeking to secure any system what we really need to do is look at what we already have and then balance what we can achieve with the cost that will take.
In the case of the healthcare system the argument against electronic records is flawed. Big data has already done more to out your information than any amount of activity from hacker groups such as Anonymous could ever hope to achieve. The arguments against insurance companies knowing information about you are even more ludicrous. When you take out an insurance contract and fail to disclose, you have committed fraud. This is not just a statement of fact but of law. Material disclosure in insurance policies is a requirement and is legally essential in enacting that contract.
Whenever you withhold any information from the insurance company they have a right not only to not pay you but also to rescind prior payments with interest. You think you are protecting your privacy in protecting genetic data? The reality is that information from siblings, parents and your environment gives just as rich a source of data as many genetic profiles. Sometimes this information is actually richer in content and discloses more than the public information we feared to be breached and leaked. And the thing is, this information is publicly available in many cases. In other cases, insurance companies mine information that is proprietary to their own organization. Insurance companies happily take your money knowing that you have lied about the occasional cigarette.
When you add all the sources of information becoming available including social media, you have little privacy now. The reality is little brother has already eroded privacy beyond repair.
Security is not about absolutes
Security is a balancing act. Before we make emotional statements concerning privacy we need to weigh up the existing scenario. Not only is paper-based record keeping inefficient, it does little for confidentiality. Worse, it adds nothing to the availability or integrity of data.
Next time you look at an emotive article calling for additional protection for medical data and electronic health records, think about the alternatives. Ask whether this improves the integrity and availability of my health records. Ask whether the confidentiality of those records is any worse than it was before. If in fact the confidentiality of the records is not decreased, and remember that paper-based medical records are highly open to scrutiny, then any increase in the integrity and availability of those records is an increase in the security of your medical data.
We can never achieve a perfect result in anything, security is no different. We always need to balance the economic cost of providing a service against the risk faced. Most importantly however we need to remember that we cannot measure security as an absolute but have to compare it against the alternatives. In the case of medical records it is comparing obsolete paper-based systems with online systems. This does not mean that we should take no notice of user privacy. What it does mean is that we have to balance this and understand what the cost and benefits of any proposed system truly are.
Posted by Craig Wright at Tuesday, April 09, 2013