Are You an Acqui-Hire?

There has been some criticism of Yahoo’s acqui-hire strategy. There are those who believe that it clearly sends the wrong message to existing staff: rather than work for a meager salary, one should simply quit and join the acqui-hire bandwagon. Yes, that is clearly the advice that staff should follow, for the right reasons.

Contingent workers are becoming the norm in the US. It is estimated that 50% of the workforce will be contingent workers by 2020. The trend is toward fewer full-time employees, with most workers self-employed and juggling multiple clients to fill a week. Workers have little to lose by going out on their own and potentially a lot to gain. Will everyone win the lottery by selling their company? Of course not, but we should look at business ownership for what it is.

When a startup is acqui-hired, assets other than the people are transferred. These assets could be servers and patents, among other things. The buyer is getting a complete company as part of the deal. The technology may be integrated into the buyer’s offerings or it may simply be shut down. In the latter case it is clear that the acqui-hire was purely for the talent and not the technology; however, the assets still have value and can remain on the buyer’s balance sheet, continuing to add value.

A commodity small business such as bookkeeping or project management is less likely to have patents, lots of source code, and tons of servers. That does not diminish the value of what it has to offer. The value of the owner’s investment is different, but not less. Most small businesses will not have an early exit strategy. Instead they become lifestyle businesses that will sustain the founder for many years.

When starting a small business, the founder must consider what the exit strategy (if any) will be. A business is a form of investment in terms of time and capital. Since a business is an investment, we can compare it to the various types of financial investments to illustrate the different value propositions for one’s time.

  • Employee – employees can be seen as investment-grade bonds. Investment-grade such as high rated corporate or certain government bonds are considered a safe investment for the long-term. They tend to pay very little interest, but it is unlikely that the investor will lose their capital. Working at a traditional day job is a low risk opportunity because the employee has little to no capital invested in the business.
  • Commodity Business Owner – this class of worker represents the next and most common step in entrepreneurship. They can be seen as high yield bonds. High yield bonds do pay more, but they have a higher probability of losing money. This represents the higher professional rate that a commodity business owner can charge. The downside is there is volatility risk such as lack of steady work that the Employee (investment grade bond) does not face. There is also the possibility that the investment in the high yield bonds could be worth less than the initial investment. This would occur where the business fails and is worth cents on the dollar in liquidation when the owner shuts down.
  • Acqui-Hire Business Owner – the acqui-hire business owner invests time and energy with the expectation that the company’s valuation will increase and that it will be sold in the future. The acqui-hire is like an equity investment. The value is based on the appreciation of the asset and the expectation that someone will pay more in the future than the previous investor did.

Most entrepreneurs will set out to be the commodity business owner. While it does not have the safety and routine of being an employee, it does have the potential to be a medium to long term investment in one’s time and energy. In the world of bonds this is referred to as the hunt for yield. All things being equal, an investor will sell a bond and replace it in a portfolio with a bond that pays a higher yield. A commodity business owner will replace lower paying customers with higher-paying customers. It does lack the excitement of being an acqui-hire, which is the equivalent of seeing a stock portfolio double, triple, or more. On the other hand it can be the best of both worlds in terms of having an easy to manage investment strategy.

Entertainment Industry Wants Rootkits, Ransomware, and More

In an interesting piece at Boing Boing, the entertainment industry wants a piece of the APT action.  The report from the Commission on the Theft of American Intellectual Property, coincidentally copyright 2013 by The National Bureau of Asian Research, proposes taking rights management software to the next level.  Not only could one restrict who can open certain files, but one could scan the hard drive to determine whether there is additional IP that has not been paid for.  Beyond that, it would legalize locking ALL the files on the computer, much like ransomware, until someone could verify that the law was not being broken.

The real prize is in Chapter 13, page 81:

Recommendation:
Reconcile necessary changes in the law with a changing technical environment.
When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

The entertainment industry is opening up an extremely large can of worms.  First, let us suppose that they manage to lobby to have only the entertainment industry exempt from prosecution in these instances.  Our favorite article at Forbes suggests that 50% of the workforce will be freelancers or entrepreneurs by 2020.  Not much thought is needed to see how this sort of lobbying could be used against the industry that created it.  If 50% of the workforce works for one-person corporations, it is very easy to create an offshore subsidiary as a separate legal entity with separate bank accounts for the purposes of “entertainment licensing”.

Such nonsense as invading common citizens’ hard drives would be stopped by mutually assured destruction.  All of these offshore subsidiaries could start contracting Hacking as a Service (HaaS) from other offshore companies to install ransomware in these mega-corporations as part of intellectual property enforcement.  If the subsidiary collecting royalties is offshore along with the HaaS provider, it becomes very difficult for the entertainment industry to do anything but pay a licensing fee.

As traders we can follow these patterns and attempt to capitalize on 10-20% moves by short selling the companies that get shut down.  History has shown that having intruders in your network does not affect stock value to a large degree; however, adding such companies to a watch list for ease of reference does not hurt.

While the entertainment industry is proposing outrageous solutions to a problem they have, it is still possible for other professionals to make money if these solutions become law.  These professions stand to benefit:

  • Lawyers, because no matter what happens, lawyers always win.
  • Infosec professionals, both on the offense and defense side
  • Management Consultants who may setup subsidiary companies for the purpose of launching both legal (see Lawyers above) and virtual attacks
  • SMBs who may manage to obtain licensing fees for their “one off” ebook or song being on the wrong network at the wrong time
  • Day Traders who can capitalize on a single day news event where a company’s operating capability is shut down.

The measures proposed by the entertainment industry may never pass.  The industry should hope so.  In less than 5 minutes we have devised a way to create offshore companies bent on collecting licensing fees for misappropriated intellectual property, in a manner that may be in full compliance with the law, and untouchable depending on which country they are located in.  The entertainment industry should understand that this is possible and relatively easy to set up with today’s technology.

The Connection Between Employee Retention And Security

Security professionals are regularly told that security should align with the business need.  In most cases security professionals take alignment to mean meeting other business units halfway or compromising on an issue.  Another way to align with the business is to solve a non-security problem for another department in a way that has a beneficial outcome for security.

Cross training and personnel rotations can enhance your security program in addition to helping you meet some of the guidelines in ISO 27001/27002.  Gaining support for personnel rotations for the sake of security alone is normally a difficult thing to win from management.  What if it were possible to show that there is business value in personnel rotations?

A recent WSJ article on big data reveals some interesting points about workers in certain industries that we should consider.

The bank gathered data on turnover, promotions, job changes and external pay to create a statistical model predicting why workers quit. Though the bank had used frequent pay raises to keep staff, the results showed that raising pay across the board by 10% might only shave a half point off the turnover rate.

Workers felt dissatisfied, not underpaid. More rapid job changes, even without promotions or corresponding rises in pay, made it much more likely that high-performing employees would stay, Mr. Nalbantian says.

Rather than sell personnel rotations to executives as a security benefit, we should partner with Human Resources to create a personnel rotation program that is designed to reduce turnover (thereby reducing the risk from disgruntled employees and the risk that comes with onboarding new ones) and increase job satisfaction.  If HR gets executive support, then security benefits.  It is also an opportunity to work closely with HR in designing the program.  Any opportunity to take a break from APT, Cloud, DLP, and other BS Bingo phrases to establish better relationships with the business leadership could be a welcome change.

Personnel rotations by themselves have the benefit of potentially surfacing fraud or wrongdoing, provided proper observation and inspection are part of the program: the person rotating in reviews the work of the person rotating out, which is the same reason mandatory vacations and segregation of duties are used as fraud controls.  The added benefit of personnel rotations is that staff are now cross trained.  That puts certain chapters of the business continuity plan ahead of schedule, such as the pandemic readiness portion: the complication of cross training personnel for a pandemic has already been taken care of.

These are some of the benefits of working with another part of the organization to help them help us.  HR can be a powerful ally in leading change.  Giving them encouragement and support can lead to positive security changes and to recognition for a security team that goes out of its way to help another department look good.

Court of Justice Of The European Union Rules On Used Software Sales

In a recent judgment, the Court of Justice of the European Union has ruled that the author of software cannot prevent the resale of that software on the used market.  The case involves UsedSoft, which sells used software licenses; consumers of these licenses then download the software from the creator’s website.  Oracle ($ORCL) had sought to block this practice.  The court ruled that a copyright holder who sells a copy in the EU, under a license granting an unlimited period of use in return for a fee, exhausts the right to oppose the resale of that copy.  The ruling applies both to physical copies and to downloaded copies of the software.  It also nullifies any language in the license agreement forbidding the purchaser to resell the software.  Because corrections and updates delivered under a maintenance agreement form part of the copy that was sold, the second acquirer may download the version as updated at the time of resale, even if the maintenance agreement itself ran for a limited period.  Two caveats matter in practice: the seller must make their own copy unusable at the time of resale, and a block of licenses bought together cannot be split up and resold in part.

This has some interesting business implications in the EU.  Companies can now buy used software at a fraction of the cost of going to the creator.  UsedSoft is only selling the license.  Malware should not be an issue since the license holder is entitled to download the most recent version from the software vendor’s own website rather than from the reseller; a used-license purchase should still be followed by a normal vendor download with checksum or signature verification, the same as any other install.  This ruling can benefit companies of all sizes that have an office in the EU.  Open Source solutions are useful in some circumstances, but an ERP system will most likely be a commercial purchase due to capabilities and workforce experience with a particular platform.  Another interesting implication is for multinational companies to consider running their IT operation out of their European subsidiaries.  Since a legal entity in the EU would be making the purchases of used licenses, they would fall under the coverage of this ruling.  Offices outside the EU could “outsource” their IT needs to the European subsidiary.  The accountants and attorneys would need to determine the best structure for that business.  It is unlikely that a company would open a European subsidiary for the sole purpose of taking advantage of used software licensing; however, if a European office is in your company’s future, software may be much cheaper in Europe.

From an investment perspective, this may be somewhat disruptive and will push companies toward a SaaS model if revenues from new boxed/downloaded software begin to decline.  If legislation in other countries allows for this, it could be very bad for traditional software sales.  Entrepreneurs should take note if there is legislation in your country that has a possibility of passing.  Setting up a used software business could be quite lucrative, as the used CD/DVD business was, but in this case electronic distribution is covered as well, so it should have even better longevity.

Preparing For The Next AMZN Cloud Outage

Amazon ($AMZN) made headlines over the weekend with the regional failure of AWS.  We won’t go deep into the details of what happened or who was affected since that has been covered by many other outlets.  In general, an incident caused loss of service in a particular region.  Service providers hosted there were not able to deliver to their customers during the outage.  While it is sexy to call it a cloud failure, the same end result could have occurred with any single-site implementation.  Hosting in your own data center, using the co-lo facility downtown, or an unfortunate GoDaddy location could equally cause your net presence to disappear.

Business leaders should evaluate what needs to be improved or changed in terms of resiliency.  Decisions will need to be made based upon the size of your business and what your concerns are.  A nano cap company (sub $50M market cap) will most likely have different requirements than a Large Cap global enterprise.  Rather than reinvent the wheel, you can make use of frameworks to organize your activities.  There are many out there, but today we will focus on ISO 27001 and ISO 22301.

Business continuity is a component of ISO 27001 (it is one of the control areas in Annex A), while ISO 22301 addresses business continuity as a whole.  Section 4.2.1(d) of ISO 27001:2005 requires that you identify the assets within the in-scope portion of the business and the owners of those assets, the threats to the assets, the vulnerabilities that might be exploited by those threats, and the impacts on confidentiality, integrity and availability.

Conducting a risk assessment in its most rudimentary form is a good exercise for any business of any size.  The information that you put together as part of the risk assessment can be useful in other areas as well, such as obtaining the right insurance coverage at the right price.  Fire or flood could impact your data center or it could impact manufacturing and logistics.  Knowing this up front, you can take action to mitigate those risks or accept those risks.

Not everything needs to be corrected or addressed in some way, but having a running checklist of issues can be a good road map.  A pizza restaurant with an online shopping cart may not care if the cloud provider of their online order application goes down.  There’s always telephone, fax, and walk-in that will keep the business running.   Cash flow, CapEx, OpEx, and other business drivers will influence the need for availability.  Not every business will need multiple data centers if they are self-hosting, or multiple availability zones in the cloud.  One caveat for those that do: a regional outage takes every availability zone in that region down together, so surviving the kind of failure discussed here means a second region (or a second provider), not just a second zone.

Scanlon Plans for Opportunity and Success

This week we continue our previous piece on HR Keywords for Growing Your Infosec Skills and Career.  In our previous installment we examined some training and knowledge-cultivating terms for increasing the value of a team or oneself.  This week we will focus on another aspect of creating opportunity in your career, the Scanlon Plan.

Scanlon Plans are gain sharing programs where employees are rewarded for cost savings.  This can be anything from informally placing ideas into a suggestion box to company-wide assigned areas for cost reduction or efficiency improvement on a recurring basis.  If your company does not have a Scanlon Plan, then this is a great opportunity to bring it to the attention of the executives in your organization.  Who doesn’t want to hear about improved efficiencies, reduction in waste, and better margins?  With a properly designed Scanlon Plan employees can receive financial rewards for making the organization more efficient.  Who doesn’t want extra money?

How does this relate to Information Security or anything else?  Do we really want to cut costs in our own area?  Companies that implement Scanlon Plans as a suggestion box are looking for any way to save costs.  This does not necessarily apply to your department, but to the company as a whole.  This can be an opportunity for Infosec personnel to help other departments find ways of cutting costs.  Working with other departments may be an “extra-curricular” activity in the eyes of some supervisors; however, the importance of supporting the business should factor into middle management’s support for these programs.

Proactively working with other managers provides the opportunity to understand the business more, which will help Infosec personnel understand what is important to the business, and what needs to be protected.  For example, working with manufacturing to reduce waste by implementing a recycling program can reduce costs which frees up capital for other purposes, such as information protection.  Some of the scrap from the manufacturing process could be sold to a recycler, reducing the overall operating costs of the manufacturing operation. These savings are not only of interest to the manufacturing department, but it could be helping the goals of the Corporate Social Responsibility (CSR) department or program if one exists. This provides recognition from management, but can also help with improving security.

Another example: suppose you find something unrelated to Infosec that allows the VP of Operations to save money.  That’s great!  What if the Infosec professional approaches the VP and offers to help implement the changes that will save the money?  In exchange for becoming the project manager and seeing the changes through to completion, the VP agrees to spend part of the savings on additional security measures.  The VP of Operations gets a bonus for reducing their budget, the Infosec professional receives a bonus for a cost-reducing idea, and security was improved in the process.  A little barter was used in this scenario, but several end goals were accomplished.

This approach is a transition from employee to stakeholder.  It offers opportunity for Infosec professionals to grow into GRC roles over time by helping the organization with its efficiency.  Inefficient business processes are one Risk in GRC.  By promoting process improvement and efficiency Infosec professionals go from the department that always says, “No!” to true stakeholders in the business.  This gets us a seat at the executive table because we are involved in the business and we can demonstrate value by using our creativity to solve business problems.  That alone can be a career changer or career booster.

Further Reading:

Scanlon Leadership Network

Human Resource Management 12th ed.  Mondy

The Hartford to Offer Data Breach Insurance

Good news for small firms.  The Hartford (NYSE: HIG) is now offering data breach insurance targeting small business.  Insurance is a good control to invest in to supplement other information security controls, or as the main control if your business is very small.  Keep in mind that a policy transfers the financial impact, not the breach itself: read the exclusions and any minimum-control conditions (encryption, patching, notification deadlines) closely, since failing them may limit or void coverage.  Some E&O policies may also have riders that cover data breaches.  If you own a business you should review all your policies to be sure that your coverage objectives are met.

Relying on insurance is a form of risk transference.  The policy holder is transferring some of the risk in the form of impact costs to another party.  This can be useful and could potentially save a small business from severe financial damage if it has to absorb the costs of investigating a breach or cover the cost of credit monitoring for its customers. 

In trading terms, buying a put is the equivalent of buying insurance.  The purchaser pays a premium for the right to sell the underlying at the strike price, which may be well above the market price when disaster strikes.  An unexpected oil spill or embezzling scandal is the equivalent of intruders or dumpster divers getting their hands on your customers’ data.

There’s a very small range in HIG.  There is support around 16, so this could be played different ways.  Shorting the stock with a stop above the trend line is one option.  The Oct 18/16 bear put spread is going for .69 and has a max profit of 1.31 ($131 per contract).  Since front-month IV is higher than November’s, a put calendar may be an alternative if you want to play the descending triangle pattern.  The 16 Oct/Nov put calendar is going for .47.  There is a possibility the stock could drop to 12 if the descending triangle follows through.

Why We Don’t Need An AntiSec Hunt

Opinion Piece: A business perspective on the #AntiSec movement from a libertarian and economic viewpoint touched by Asian “Tiger Culture”.

PayPal Chief Security Officer, Michael Barrett, has called on industry and government to track down and punish the individuals involved. 

“They can be found, and for the continued safety of the internet, we must identify them and have legitimate law enforcement processes appropriately punish them.”

Is the internet in such danger as to warrant the inquisition and witch hunt that will follow?  No.  If we reference The Ethics of Liberty by Murray N. Rothbard we come to a very important passage:

The first point is that the emphasis in punishment must be not on paying one’s debt to "society," whatever that may mean, but in paying one’s "debt" to the victim. Certainly, the initial part of that debt is restitution. This works clearly in cases of theft. If A has stolen $15,000 from B, then the first, or initial, part of A’s punishment must be to restore that $15,000 to the hands of B (plus damages, judicial and police costs, and interest foregone).

If we approach the Internet as a society, it is not under any threat.  The users and companies that have a presence on the Internet may be victims of the AntiSec movement, but in Rothbard’s view each case would be handled individually between victim and offender, preferably with no involvement from The State or society.

Proportionality in Punishment

Or where is my private utility?

The current system provides little public utility at the large expense of private utility.  Mr. Rothbard describes the issue well.

We must note that the emphasis of restitution-punishment is diametrically opposite to the current practice of punishment. What happens nowadays is the following absurdity: A steals $15,000 from B. The government tracks down, tries, and convicts A, all at the expense of B, as one of the numerous taxpayers victimized in this process. Then, the government, instead of forcing A to repay B or to work at forced labor until that debt is paid, forces B, the victim, to pay taxes to support the criminal in prison for ten or twenty years’ time. Where in the world is the justice here? The victim not only loses his money, but pays more money besides for the dubious thrill of catching, convicting, and then supporting the criminal; and the criminal is still enslaved, but not to the good purpose of recompensing his victim.

Suppose that, as in most cases, the thief has already spent the money. In that case, the first step of proper libertarian punishment is to force the thief to work, and to allocate the ensuing income to the victim until the victim has been repaid. The ideal situation, then, puts the criminal frankly into a state of enslavement to his victim, the criminal continuing in that condition of just slavery until he has redressed the grievance of the man he has wronged.

The criminal justice system and prison are public goods that are non-excludable, by virtue of the fact that anyone can go to prison in the US. Prison is rivalrous, though. This is because prison is first come, first served, which explains why prisons are overflowing with non-violent offenders while violent offenders are let out with an ankle bracelet GPS unit. This can be traced back to the fact that it is easier for law enforcement to apprehend non-violent drug users and petty criminals than to don their SWAT gear and take on violent criminals. The People are not getting their money’s worth under the current system, and we should not be encouraging a justice system that allows violent criminals on the streets while non-violent criminals, petty thieves, and white collar criminals are incarcerated through the inefficient use of taxpayer funds.

This is important in arguing against hunting the AntiSec movement.  The cost of the witch hunt does not bring economic utility to anyone except the government, which can make the case for additional law enforcement and prosecution resources.  This decreases private utility and gives us a bloated bureaucracy that doesn’t help us as individuals.  But doesn’t ignoring AntiSec affect other stakeholders?  To call someone a stakeholder would mean that there is a mutual interest, and there is none.  We can refer to the other people involved as externalities, not stakeholders.  Remember, if someone commits a crime against your neighbor, you should not be paying for it.

In a libertarian community everybody takes care of themselves and resists being dragged into someone else’s business. This keeps costs low for those that have no incidents, and, when moral hazard is properly applied, places third parties at risk, which continues to keep an individual’s cost basis low.  When we extend the philosophical concepts of libertarianism to hunting down AntiSec there is little reason to fund such an effort. We as individuals have no private utility or incentive to support someone we are disinterested in, be it a corporation or a neighbor. Public utility is also inefficiently increased by taking private tax money and funding an unnecessary and undesirable growth of government to track down the offenders.

A Tax On Everyone

Some would say that the shift to restitution, away from incarceration is not the direction we want to take our society. The prison system in Georgia costs approximately $3 million per day to run. That is $3 million too much. Our new Governor has asked the legislature to find a legal mechanism to retroactively lower the sentences of the people in prison because there is not enough tax revenue to support the system. Counties and cities are shrinking their police and fire departments because there is not enough tax revenue coming in due to the housing crisis. Among all these problems Mr. Barrett wants to increase the size of the police state, which we can’t afford and increase the size of the prison system, which we are trying to actively shrink. 

Who Pays For That?

Are we not our brother’s keeper? Are we responsible for creating a cohesive society and upholding justice?  While there is some economic benefit to pooling resources and funding police, military, and social services, it is improper to conclude that we should be our brother’s keeper or that conventional views of society should continue to be encouraged.  All expenditures should first be approached from the private benefit perspective, and all contributions to the public good or public benefit must benefit all people at the same time.  If you are not a Citigroup stockholder or customer you have no private utility from funding law enforcement, the judicial system, or the prison system in dealing with cybercriminals or physical bank robbers.  Enabling the attitude that we as a society should chip in to maintain order and protect corporations from criminals has led to the corporate welfare state we live in and the proliferation of Too Big To Fail for any reason.

Who should pay for hunting down cybercriminals, or any criminal for that matter?  The direct stakeholders should.  In the case of private corporations this will come from the cash flow that they derive from normally conducting business and from the equity that the stockholders (public or private) provide. Transferring risk to an insurance company, along with moral hazard, can also provide funds.  Corporations have their own private security forces, both physical and infosec.  Rather than involving law enforcement and taxpayers who are not direct stakeholders, corporations should use their internal security resources to serve as detectives.

In the case of crimes that take place across state lines or international boundaries there is a solution available as well. These are not called FBI Agents.  They are called Private Investigators (PIs).  A PI has the same ability as the FBI to go to another company’s datacenter where an attack originated and ask for logs.  That company is free to refuse the PI access, and free to bill the PI for the time involved, which the PI will then pass back to the client.  This provides private benefit for the company assisting the investigation, and if the PI adds a premium to the cost it provides the PI with benefit as well.  The FBI with a warrant cannot be refused.  This takes value away from the recipient of a warrant, and we should not be encouraging a system where an investigator gets a free ride.  It devalues the time of the professionals being served a warrant to assist in an investigation that they are not stakeholders in.

The most law enforcement should be involved is to compel an offender, once found by the PI or corporate security, to appear in civil court before a judge or arbiter who will rule on appropriate damages to the victim, which can include indentured servitude until the debt is repaid.  The state’s expenses would be paid by the victim corporation and would be subject to reimbursement once the defendant is found liable for the damages.  Would this approach make winning a case easy? Of course not, but again, unless you are a direct stakeholder there is no reason to care one way or another because your private utility is still zero.  Supporting the current “throw everyone on the planet in prison” philosophy does not add to private utility.

What About The Other Victims?

 

In an infosec breach there may be other victims such as individuals whose personal data has been stolen.  In a pure libertarian society bystanders have no incentive to get involved and we can see that once again for the bystander there is zero private utility to be gained by helping someone that they do not have a personal stake in.  If there is no law enforcement witch hunt to help these victims then what do they do?  Based on their contract with the corporation handling their data, they can sue both the corporation and the Jon Doe thief.  This approach allows the secondary victims to obtain compensation for their loss and inconvenience.  It also preserves private benefit to those who are not involved without depriving the victims of their right to restitution.

We Can’t Turn A Blind Eye To This, Can We?

“No one would suggest encouraging improved physical security in the real world by decriminalising breaking and entering and classifying it as a sport; why should the online world be any different?” he [Barrett] said.

Mr. Barrett is very late to the party with this statement.  The libertarian movement is for decriminalizing many things and doing away with the failed notion that every crime in society is a crime against the state.  The legalization movement is a prime example of where Mr. Barrett gets it wrong.  Marijuana use and prostitution are victimless crimes, but are categorized as crimes against the state.  The libertarian movement seeks to legalize these so-called crimes.  Once they are no longer crimes, anyone involved in that activity is no longer a criminal, and thus we lower the crime rate.  In the case of a crime with a victim we can apply the same libertarian concepts to the relevant legislation.  This would require reengineering the criminal code to state that there are no crimes against the state except treason.  Crimes against individuals or property can be handled in civil court with reparations paid to the victim.  Damage to state property would be treated just like damage to individual property.  This can work and is working: many states are rolling back their criminal statutes because prison and a large police state are unaffordable.

Failure to Understand The Free Market

Or my employer has a monopoly and you can’t leave us.

Barrett is employed by a payments company that attempts to assert a monopoly on its market.  This can be seen clearly in his disagreement with people who believe AntiSec can force organizations to improve poor security practice.

The AntiSec movement had existed for around a decade and was loosely guided by a mission statement to reveal poor security practice and put an end to security exploit disclosure which it said gave ammunition to criminal ‘black hat’ hackers and put consumers in danger.

But that was a false philosophy, according to Barrett.

“While many of them claim to be defending the internet they love, in practice it would seem that they are only hastening its demise. A cynical interpretation would suggest that what most of them desire is actually their ‘fifteen minutes of fame’.”

He disagreed with some commentators who argued the AntiSec movement may be effective in its mission to force organisations to improve poor information security practice.

 

Failure can be a great educational tool, a view also espoused by Comrade Deng Xiaoping of China.  It is very practical to force an organization to improve poor security practice, and from a free-market and economic perspective it should be encouraged, even at the cost of the demise of the organization, the unemployment of all its employees, and the inconvenience of its customers.


In the Tao we represent opposites through the symbolism of Yin and Yang.  Good/Evil, Success/Failure, Light/Dark, etc. are all examples of opposites depicted by Yin and Yang.  This represents balance in the universe.  These opposites are absolutes in relation to each other.  In terms of success and failure these absolutes manifest themselves in our daily lives.  For example, in commodities trading success or failure is absolute and is also a zero-sum game on a per-transaction basis.  In order for you to buy a commodity, there must be someone else willing to sell it to you and take the opposite bet that the value of that asset will go down.  This is especially true if the seller is a short seller.  When you sell your stake in the commodity you are betting that it will not continue to rise, but if it does you lose out on the opportunity while the person you sold it to benefits.  To put it bluntly, the person opposite your trade is experiencing absolute failure while you are experiencing absolute benefit.  In order for one party to succeed another party must be subject to failure.  Centuries of Asian wisdom cannot be wrong.

As business leaders we can apply the same principles to companies in the same absolute terms.  For example, if Bank of A has an infosec breach, its customers are free to do business with Bank of B or Bank of C instead.  Customers and stockholders of Bank of B and Bank of C have an incentive to see Bank of A collapse due to the exodus of customers.  All other banks have an incentive to see Bank of A fail because they can buy assets such as buildings or accounts receivable for cents on the dollar in bankruptcy court, in addition to its customers being up for grabs.  Stock traders who are short Bank of A shares or who hold put options also want to see it completely collapse to maximize the value of their position.

There is nothing wrong with wanting to see an institution fail.  It is good business, and if we follow the Tao we know that in order for a small community bank to grow into a regional or national bank it must come at the expense of a larger bank.  In terms of biological organisms, the fit will survive while the unfit will perish.  The same holds true in business and commerce.  Our unwillingness to let go of Too Big To Fail continues to prop up weak institutions that keep making the same mistakes, while preventing smaller competitors that do it right from rising up to take their place.  The use of public funds to enable law enforcement and the current justice system does nothing but set private benefit on fire, and does nothing to place poorly run institutions in harm’s way to see if they can survive.  What about the interim harm that may come to Bank of A’s customers while it is failing?  We can classify that as an economic externality and therefore rate its overall impact at zero.  After all, if it is not taking away from your private benefit, why get involved by devoting resources to the so-called problem?

How Do We Turn Talk Into Action?

To borrow more from the Tao, we can implement Wu Wei.  The concept means “action without action”.  We can apply Wu Wei to the legislative and judicial process by promoting action through inhibiting the action of others.

Individuals can also take control of the runaway police state and the tax on the citizenry through the use of jury nullification. Georgia’s Constitution allows jurors to decide fact AND law. Jurors can put an end to the incarceration state by simply voting not guilty in a criminal case, which then leaves civil court as the only recourse. A juror can say that no crime was committed if a company had less than adequate security practices as viewed by the juror.  That is legal to do, and it should be encouraged.

We should also spend time reviewing relevant upcoming legislation.  Any bill that introduces a new crime or increases the criminal penalty for an existing crime should be flagged. The State Representative or State Senator, along with the Governor, is notified that the bill, if it became law, would create more taxpayer harm than benefit.  Prison is a tax on law-abiding citizens, and as law-abiding citizens we should be doing everything we can to keep people out of prison through decriminalization and the promotion of restitution and rehabilitation rather than incarceration. This also means defunding law enforcement and the district attorney’s office as a means to that end.  With state and local budgets strained by the economy, nothing is off the chopping block. Now is the time to make our voices heard and take back our government by being involved politically, voting out politicians who steal from our private utility by growing the police state, and stopping every District Attorney in his tracks through jury nullification.

Vote! Be politically active and support libertarian-leaning candidates at all levels of government.  Candidates who are willing to take the bold step of defunding the War on <insert noun here> and shrinking the size of government in the name of freedom are the ones we should be supporting.

Mr. Barrett is wrong in calling for an AntiSec hunt.  Such activities strengthen the power of government, destroy private utility, contribute to our Prison Planet, keep small business under the thumb of mega-corporations, and weaken our sense of nationalism on the world stage by making us a nation of weaklings. He is wrong, not for the same reasons that pro-hacktivist supporters believe, but because the economic, libertarian, and Asian ethical points against his reasoning make him more wrong than right on the issue.

Resources

Carroll, A. B. and Buchholtz, A. K., Business and Society: Ethics and Stakeholder Management, 7th ed.

Bade, R. and Parkin, M., Foundations of Microeconomics, 4th ed.

Wikipedia

Rothbard, M. N., The Ethics of Liberty, Ch. 13, “Punishment and Proportionality”

 

Disclaimer: This is an opinion piece. Nothing should be construed as fact unless independently verified.  At time of writing your Dearest Leader does not hold long or short positions in his personal or business brokerage accounts with regard to any company mentioned in this article.  Long or short positions may be initiated in the future without notice.

Improve Security & Privacy, and Protect Your Patrons by Reducing Security

The Seattle Times has an interesting story about the King County Library System removing its security cameras.  This is an excellent case study to illustrate that more security equipment does not always lead to better security.  The case stems from an incident in which a patron was mugged in the parking lot.  The Des Moines Police asked to see the footage from the cameras, but the library refused, presumably citing the need to protect its patrons’ privacy.  The police obtained a court order to review the footage and eventually caught the suspect.  The police were not happy with the library’s level of cooperation.

The decision to remove the security cameras "hinders our ability to do police work," Collins (Des Moines PD Spokesperson) said.

The library made the decision to remove the security cameras to avoid a repeat of this kind of dispute in the future.  Does removing the security cameras actually present a problem from a security professional’s point of view?  We can assess the situation to determine whether the library is making a prudent decision.  Top management at the library has decided that the confidentiality of library patrons outweighs any benefit the security cameras provide.  Under a security management framework such as ISO 27001, top management sets the objectives of an organization’s security program and defines the criteria for accepting risk.  In this case library management is correct, under the framework, to make the decision, since the framework leaves the risk acceptance decision to top management.

Under the ISO 27001 framework risk assessments must be conducted on a periodic basis.  To visually express top management’s decision we can rate each risk against confidentiality, integrity and availability (CIA) in a risk matrix.  The following examples are illustrative only.

Risk                                 Confidentiality   Integrity   Availability
Customer reading choice compromise   High              Low         Low
Vandals                              Low               Low         Low
Muggers                              Low               Low         Low

In this case management has decided that the risk of all of a patron’s reading choices being recorded by surveillance cameras is of greater concern than anything else the cameras may capture.  Based on the risks it would be logical to remove the cameras.  What about hindering the police in their line of work?  That should not be a concern of a security professional consulting on behalf of or employed by the library.  There are several reasons why this is true.  Management at the library has decided there are certain things the police should not have access to.  This is no different from protecting the physical premises of a business or using logical access controls to prohibit viewing of specific files.  Who the outside threat is should not be a concern to the security professional under the ISO 27001 framework.

There are also financial reasons that weigh into the decision to remove the cameras.  In most businesses a compliance professional or paralegal fields court orders for data.  A full-time resource would cost a minimum of $30,000 a year.  Does spending that $30,000 a year bring $30,000 worth of value to the customer?  It does not bring benefit to the customer, but it does benefit the police.  Since the police are not part of the same organization it makes very little sense to help them from a security professional’s or management accountant’s point of view.  If the video footage is that important to the police they should provide the equipment and manpower to monitor it, or the library should invoice the police for its costs of maintaining the equipment.

If we take off our security hats for a moment and put on our management accounting hats we can see that helping law enforcement does not provide economic benefit to the organization.  Therefore, in order to save $30,000 by not hiring a full-time resource, we need to remove the reason for hiring that resource.  We now have a business reason to remove the cameras.

Critics may argue that the cameras are already paid for and removing them wastes taxpayer money.  Once again we need a financial analysis to determine whether or not the cameras should stay.  Most camera systems today are linked to a DVR, which is usually supported by an organization’s IT department.  For purposes of this illustration we will assume that the camera system is basically a computer.  Computers are depreciated over five years before they are scrapped and removed from an organization’s books.  How many companies keep computers for more than five years?  From a practical and a financial standpoint we can assume the camera system would be replaced every five years, much like a computer.

The library system has also stated that the cost of maintaining the camera system is $30,000 per year.  Presumably this is the cost of a maintenance contract.  By removing the cameras the library immediately starts saving $30,000 a year.  One way to express the loss of value is to take the current depreciated (book) value of the cameras, subtract what the library receives from selling the equipment, and subtract the $30,000 a year in maintenance savings.  If the cameras are old and have little book value, it is possible that we will get a negative number, which means that removing the cameras provides an immediate payoff.  Without knowing the details of the original purchase, it is reasonable to assume that if the cameras are one or two years old we would obtain immediate ROI by removing the cameras, selling them, and then booking the savings from canceling the maintenance contract.  If the cost of a compliance professional or paralegal is factored in, it is possible the camera system could be scrapped in its first year of operation based on the savings that would occur in years two and beyond.  There is also the capital budget saving from not purchasing a new camera system every five years.
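The keep-versus-remove arithmetic above, worked as a small model.  This is an added example and not code from the original post: the $30,000/year maintenance contract and the $30,000/year full-time compliance resource are the post’s figures, while the purchase price, age, five-year straight-line depreciation and 25% resale fraction are assumptions chosen for illustration.  It also counts the replacement purchases avoided over a planning horizon, which the post mentions but does not quantify.

```python
"""Keep-vs-remove arithmetic for a camera system (added example).

Only two numbers come from the post: the $30,000/year maintenance
contract and the $30,000/year full-time compliance resource.  Everything
else (purchase price, age, resale fraction) is an assumption.
"""
from dataclasses import dataclass


@dataclass
class CameraSystem:
    purchase_price: float                 # assumed original purchase cost
    age_years: int                        # years already in service
    useful_life: int = 5                  # five-year life, as for computers
    salvage_fraction: float = 0.25        # assumed resale price / book value
    annual_maintenance: float = 30_000.0  # maintenance contract (from the post)
    annual_compliance: float = 30_000.0   # compliance resource (from the post)

    def book_value(self) -> float:
        """Straight-line depreciated value still on the books today."""
        remaining = max(self.useful_life - self.age_years, 0)
        return self.purchase_price * remaining / self.useful_life

    def resale_value(self) -> float:
        """Assumed proceeds from selling the equipment second-hand."""
        return self.book_value() * self.salvage_fraction

    def annual_savings(self, include_compliance: bool = False) -> float:
        """Recurring cash saved for each year the cameras are gone."""
        savings = self.annual_maintenance
        if include_compliance:
            savings += self.annual_compliance
        return savings

    def loss_of_value(self, years: int, include_compliance: bool = False) -> float:
        """The post's expression: book value, minus resale proceeds, minus the
        savings accumulated over `years`.  Negative means removal has paid off."""
        return (self.book_value() - self.resale_value()
                - self.annual_savings(include_compliance) * years)

    def payback_year(self, include_compliance: bool = False) -> int:
        """First year (0 = at removal) in which loss_of_value() is no longer positive."""
        if self.annual_savings(include_compliance) <= 0:
            raise ValueError("no recurring savings: removal never pays back")
        year = 0
        while self.loss_of_value(year, include_compliance) > 0:
            year += 1
        return year

    def replacements_avoided(self, horizon_years: int) -> int:
        """End-of-life replacements that fall inside the horizon, i.e. how many
        times the capital budget would be hit if the cameras stayed."""
        end_age = self.age_years + horizon_years
        return end_age // self.useful_life - self.age_years // self.useful_life

    def capex_avoided(self, horizon_years: int) -> float:
        """Replacement purchases avoided over the horizon (same price assumed)."""
        return self.replacements_avoided(horizon_years) * self.purchase_price


if __name__ == "__main__":
    two_year_old = CameraSystem(purchase_price=100_000, age_years=2)  # assumed
    for include in (False, True):
        label = "maintenance + compliance" if include else "maintenance only"
        print(f"{label}: book={two_year_old.book_value():,.0f} "
              f"resale={two_year_old.resale_value():,.0f} "
              f"payback in year {two_year_old.payback_year(include)}")
    print("replacements avoided over 10 years:",
          two_year_old.replacements_avoided(10),
          "capex avoided:", f"{two_year_old.capex_avoided(10):,.0f}")
```

With the assumed two-year-old $100,000 system, maintenance savings alone pay back the remaining book value in year two; counting the compliance resource as well brings payback into year one, which is the scenario the paragraph describes.  A fully depreciated system returns a payback year of 0, the “negative number” case.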

Security and privacy professionals should not assume that more is always better.  Introducing additional equipment and processes can compromise the security and privacy of a client’s customers.  Top management at the organization determines what risks face that organization.  While it may be unconventional to treat law enforcement as a security risk, there is nothing wrong with that approach if the organization chooses to classify it as one.  Security and privacy professionals must also wear many different hats.  By taking unconventional approaches to security and privacy, and by involving other disciplines such as accounting and finance, security and privacy professionals can better serve their clients by protecting what their clients determine to be valuable.

Security Pros Should Get Into The Cloud in 2011

ReadWriteWeb has a short but peppy write-up on 2011 resolutions for SMBs to get serious about security.  The standard AV/endpoint topics are discussed, as well as the need to get serious about cloud computing.  In a recent Global Information Security Workforce Study by (ISC)2 and Frost & Sullivan, 73% of the (ISC)2 professionals surveyed said that new skills are needed to meet the demands of the cloud computing space.

Some security professionals may choose to fight the cloud by simply waving a hand and proclaiming that it is not secure.  In the SMB space not every company handles PCI data, and many do not handle PII that requires special treatment under the law.  The cloud makes sense for companies constrained by cash flow or capital budgeting.  For example, a company that operates an 8×5 IT shop may be able to have security and uptime monitored 24×7 by moving to a cloud solution.  This would be cheaper than 24×7 local staff plus the additional capital expenditure for monitoring tools.  Saving money is a good thing for any company; it leaves more money for raises and bonuses, which everyone likes.

What should security professionals do to prepare for the cloud in 2011?

  • Learn about the cloud
    • Take at least one technical class about cloud computing technology
    • Take at least one business class that will help you with understanding ROI promised by the cloud
    • Collaborate with other security professionals regarding their experiences
  • Work with business leaders to embrace the cloud
    • Talk to your CFO or Controller about cost savings the cloud can bring
    • Concentrate on areas that make business sense. Not everything has to go in the cloud, nor should it
    • Illustrate the risks and benefits of moving to the cloud for those systems
    • The CEO should have the final say on any course of action; be a trusted advisor.

 

Security professionals should provide the expertise the business needs to succeed.  Under ISO 27001 top management should determine and sign off on the acceptable amount of risk for the company.  At the end of the day this rests with the CEO or President, who is advised by the CISO, CFO, BizDev, and other leaders.