Why We Don’t Need An AntiSec Hunt

Opinion Piece: A business perspective on the #AntiSec movement from a libertarian and economic viewpoint touched by Asian “Tiger Culture”.

 

PayPal Chief Security Officer, Michael Barrett, has called on industry and government to track down and punish the individuals involved. 

"They can be found, and for the continued safety of the internet, we must identify them and have legitimate law enforcement processes appropriately punish them.”

Is the internet in enough danger to warrant the inquisition and witch hunt that will follow?  No.  If we reference The Ethics of Liberty by Murray N. Rothbard, we come to a very important passage:

The first point is that the emphasis in punishment must be not on paying one’s debt to "society," whatever that may mean, but in paying one’s "debt" to the victim. Certainly, the initial part of that debt is restitution. This works clearly in cases of theft. If A has stolen $15,000 from B, then the first, or initial, part of A’s punishment must be to restore that $15,000 to the hands of B (plus damages, judicial and police costs, and interest foregone).

If we approach the Internet as a society, it is not under any threat.  The users and companies that have a presence on the Internet may be victims of the AntiSec movement, but in Rothbard’s view each case would be handled on a case-by-case basis, preferably with no involvement from The State or society.

 

Proportionality in Punishment

Or where is my private utility?

 

The current system provides little public utility at the large expense of private utility.  Mr. Rothbard describes the issue well.

We must note that the emphasis of restitution-punishment is diametrically opposite to the current practice of punishment. What happens nowadays is the following absurdity: A steals $15,000 from B. The government tracks down, tries, and convicts A, all at the expense of B, as one of the numerous taxpayers victimized in this process. Then, the government, instead of forcing A to repay B or to work at forced labor until that debt is paid, forces B, the victim, to pay taxes to support the criminal in prison for ten or twenty years’ time. Where in the world is the justice here? The victim not only loses his money, but pays more money besides for the dubious thrill of catching, convicting, and then supporting the criminal; and the criminal is still enslaved, but not to the good purpose of recompensing his victim.

Suppose that, as in most cases, the thief has already spent the money. In that case, the first step of proper libertarian punishment is to force the thief to work, and to allocate the ensuing income to the victim until the victim has been repaid. The ideal situation, then, puts the criminal frankly into a state of enslavement to his victim, the criminal continuing in that condition of just slavery until he has redressed the grievance of the man he has wronged.

The criminal justice system and prison are public goods that are non-excludable, by virtue of the fact that anyone can go to prison in the US. Prison is rivalrous though. This is due to the fact that prison is first come, first served, which explains why prisons are overflowing with non-violent offenders while violent offenders are automatically let out with an ankle bracelet GPS unit. This can be traced back to the fact that it is easier for law enforcement to apprehend non-violent drug users and petty criminals than to don their SWAT gear and take on violent criminals. The People are not getting their money’s worth under the current system, and we should not be encouraging the justice system to allow violent criminals on the streets while non-violent criminals, petty thieves, and white collar criminals are incarcerated at an inefficient use of taxpayer funds.

This is important in arguing against hunting the AntiSec movement.  The cost of the witch hunt does not bring economic utility to anyone except the government, which can make the case for additional law enforcement and prosecution resources.  This decreases private utility and gives us a bloated bureaucracy that doesn’t help us as individuals.  But doesn’t ignoring AntiSec affect other stakeholders?  To call someone a stakeholder would mean that there is a mutual interest, and there is none.  We can refer to the other people involved as externalities, not stakeholders.  Remember, if someone commits a crime against your neighbor, you should not be paying for it.

In a libertarian community everybody takes care of themselves and resists being dragged into someone else’s business. This keeps costs low for those that have no incidents, and when properly applying moral hazard places third parties at risk which continues to keep an individual’s cost basis low.  When we extend the philosophical concepts of libertarianism to hunting down AntiSec there is little reason to fund such an effort. We as individuals have no private utility or incentive to provide support for someone that we are disinterested in, be it a corporation or a neighbor. Public utility is also inefficiently increased by taking private tax money and funding an unnecessary and undesirable growth of government to track down the offenders.

A Tax On Everyone

Some would say that the shift to restitution, away from incarceration is not the direction we want to take our society. The prison system in Georgia costs approximately $3 million per day to run. That is $3 million too much. Our new Governor has asked the legislature to find a legal mechanism to retroactively lower the sentences of the people in prison because there is not enough tax revenue to support the system. Counties and cities are shrinking their police and fire departments because there is not enough tax revenue coming in due to the housing crisis. Among all these problems Mr. Barrett wants to increase the size of the police state, which we can’t afford and increase the size of the prison system, which we are trying to actively shrink. 

 

Who Pays For That?

 

Are we not our brother’s keeper? Are we responsible for creating a cohesive society and upholding justice?  While there is some economic benefit to pooling resources and funding police, military, and social services, it is improper to conclude that we should be our brother’s keeper or that conventional views of society should continue to be encouraged.  All expenditures should first be approached from the private benefit perspective, and all contributions to the public good or public benefit must benefit all people at the same time.  If you are not a Citigroup stockholder or customer you have no private utility from funding law enforcement, the judicial system, or the prison system in dealing with cybercriminals or physical bank robbers.  Enabling the attitude that we as a society should chip in to maintain order and protect corporations from criminals has led to the corporate welfare state we live in and the proliferation of Too Big To Fail for any reason.

Who should pay for hunting down cybercriminals, or any criminal for that matter?  The direct stakeholders should be paying for it.  In the case of private corporations this will come from the cash flow that they derive from normally conducting business and from the equity that the stockholders (public or private) provide. Applying risk transference to an insurance company, along with moral hazard, can also provide funds.  Corporations have their own private security forces, both physical and infosec.  Rather than involving law enforcement and taxpayers who are not direct stakeholders, corporations should use their internal security resources to serve as detectives.

In the case of crimes that take place across state lines or international boundaries there is a solution available as well. These are not called FBI Agents.  They are called Private Investigators (PIs).  A PI has the same ability as the FBI to go to another company’s datacenter where an attack originated and ask for logs.  That company is free to refuse the PI access, and is free to bill the PI for the time involved; the PI will then pass the cost back to his client.  This provides private benefit for the company assisting the investigation, and if the PI adds a premium to his cost it provides him with benefit as well.  The FBI with a warrant cannot be refused.  This takes away from the value of the recipient of a warrant, and we should not be encouraging a system where an investigator gets a free ride.  This serves to devalue the time of the professionals being served a warrant to assist in an investigation that they are not stakeholders in.

The most law enforcement should be involved is to compel an offender, once found by the PI or corporate security, to appear in civil court to sit before a judge or arbiter who will rule on appropriate damages to the victim which can include indentured servitude until the debt is repaid.  The state’s expenses would be paid by the victim corporation and would be subject to reimbursement once the defendant is found to be at fault for the damages.  Would this approach make winning a case easy? Of course not, but again unless you are a direct stakeholder there is no reason to care one way or another because your private utility is still zero.  Supporting the current “throw everyone in prison on the planet” philosophy does not add to private utility.

What About The Other Victims?

 

In an infosec breach there may be other victims, such as individuals whose personal data has been stolen.  In a pure libertarian society bystanders have no incentive to get involved, and we can see that once again for the bystander there is zero private utility to be gained by helping someone that they do not have a personal stake in.  If there is no law enforcement witch hunt to help these victims, then what do they do?  Based on their contract with the corporation handling their data, they can sue both the corporation and the John Doe thief.  This approach allows the secondary victims to obtain compensation for their loss and inconvenience.  It also preserves private benefit for those who are not involved without depriving the victims of their right to restitution.

We Can’t Turn A Blind Eye To This, Can We?

 

“No one would suggest encouraging improved physical security in the real world by decriminalising breaking and entering and classifying it as a sport; why should the online world be any different?” he [Barrett] said.

Mr. Barrett is very late to the party with this statement.  The libertarian movement is for decriminalizing many things and doing away with the failed notion of every crime in society being a crime against the state.  The legalization movement is a prime example of where Mr. Barrett gets it wrong.  Marijuana use and prostitution are victimless crimes, but are categorized as crimes against the state.  The libertarian movement seeks to legalize these so-called crimes. Once they are no longer crimes, anyone involved in that activity is no longer a criminal, and thus we lower the crime rate.  In the case of a crime with a victim we can apply the same libertarian concepts to the relevant legislation.  This would require reengineering the criminal code to state that there are no crimes against the state except Treason.  Crimes against individuals or property can be handled in civil court with reparations paid to the victim.  Damage of state property would be treated just like individual property damage.  This can work and is working.  Many states are rolling back their criminal statutes because prison and a large police state are unaffordable.

 

Failure to Understand The Free Market

Or my employer has a monopoly and you can’t leave us.

Barrett is employed by a payments company that attempts to assert a monopoly on the market.  It can be clearly seen by his disagreement with people who believe AntiSec can force organizations to improve poor security practice.

The AntiSec movement had existed for around a decade and was loosely guided by a mission statement to reveal poor security practice and put an end to security exploit disclosure which it said gave ammunition to criminal ‘black hat’ hackers and put consumers in danger.

But that was a false philosophy, according to Barrett.

“While many of them claim to be defending the internet they love, in practice it would seem that they are only hastening its demise. A cynical interpretation would suggest that what most of them desire is actually their ‘fifteen minutes of fame’.”

He disagreed with some commentators who argued the AntiSec movement may be effective in its mission to force organisations to improve poor information security practice.

 

Failure can be a great educational tool, and it is one espoused by Comrade Deng Xiaoping of China.  It is very practical to force an organization to improve poor security practice, and from a free market and economic perspective it should be encouraged, even at the cost of the demise of an organization, the unemployment of all its employees, and the inconvenience of its customers.

[Image: Yin and Yang symbol]

In the Tao we represent opposites through the symbolism of Yin and Yang.  Good/Evil, Success/Failure, Light/Dark, etc. are all examples of opposites depicted by Yin and Yang.  This represents balance in the universe. These opposites are absolutes in relation to each other.  In terms of success and failure these absolutes manifest themselves in our daily lives.  For example, in commodities trading success or failure is absolute and is also a zero-sum game on a per transaction basis.  In order for you to buy a commodity, there must be someone else willing to sell it to you and take the opposite bet that the value of that asset will go down.  This is especially true if the seller is a short seller.  When you sell the stake in the commodity you are betting that it will not continue to rise, but if it does you lose out on the opportunity while the person you sold it to benefits.  To put it bluntly, the person opposite to your trade is experiencing absolute failure while you are experiencing absolute benefit.  In order for one party to succeed another party must be subject to failure.  Centuries of Asian wisdom cannot be wrong.

As business leaders we can apply the same principles to companies in the same absolute terms.  For example, if Bank of A has an infosec breach, its customers are free to do business with Bank of B or Bank of C instead.  Customers and stockholders of Bank of C have incentive to see Bank of A collapse due to the exodus of customers.  All other banks have incentive to see Bank of A fail because they can buy assets such as buildings or accounts receivable for cents on the dollar in bankruptcy court, in addition to its customers being up for grabs.  Stock traders who are short Bank of A shares or who hold Put options also want to see it completely collapse to maximize the value of their position.

There is nothing wrong with wanting to see an institution fail.  It is good business, and if we follow the Tao we know that in order for a small community bank to grow into a regional or national bank it must come at the expense of a larger bank.  In terms of biological organisms, the fit will survive while the unfit will perish.  The same holds true in business and commerce.  Our unwillingness to let go of Too Big To Fail continues to prop up weak institutions that keep making the same mistakes, while preventing smaller competitors that do it right from rising up to take their place.  The use of public funds to enable law enforcement and the current justice system does nothing but set private benefit on fire, and does nothing to place poorly run institutions in harm’s way to see if they can survive.  What about the interim harm that may come to Bank of A’s customers while it is failing?  We can classify that as an economic externality and therefore rate its overall impact at zero.  After all, if it is not taking away from your private benefit, why get involved by devoting resources to the so-called problem?

 

How Do We Turn Talk Into Action

To borrow more components from the Tao, we can implement Wu Wei.  The concept means “action without action”.  We can apply Wu Wei to the legislative and judicial process by promoting action by inhibiting the action of others.

Individuals can also take control of the runaway police state and the tax on the citizenry through the use of Jury Nullification. Georgia’s Constitution allows jurors to decide fact AND law. Jurors can put an end to the incarceration state by simply voting not guilty if it is a criminal case, which then leaves civil court as the only recourse. A juror can say that no crime was committed if a company had less than adequate security practices as viewed by the juror.  That is legal to do and it should be encouraged.

We should also spend time reviewing relevant upcoming legislation.  Any bill that introduces a new crime or increases the criminal penalty for an existing crime should be flagged. The State Representative or State Senator, along with the Governor, is notified that the bill, if it became law, would create more taxpayer harm than benefit.  Prison is a tax on law abiding citizens, and as law abiding citizens we should be doing everything we can to keep people out of prison through decriminalization and the promotion of restitution and rehabilitation rather than incarceration. This also means defunding law enforcement and the district attorney’s office as a means to that end.  With state and local budgets strained by the economy, nothing is off the chopping block. Now is the time to make our voices heard and take back our government by being involved politically, voting out politicians who steal from our private utility by growing the police state, and stopping every District Attorney in his tracks through jury nullification.

Vote! Be politically active and support libertarian leaning candidates at all levels of government.  Candidates who are willing to take the bold step of defunding the War on <insert noun here> and shrink the size of government in the name of freedom are the ones we should be supporting.

Mr. Barrett is wrong in his call for an AntiSec hunt.  Such activities strengthen the power of government, destroy private utility, contribute to our Prison Planet, keep small business under the thumb of mega-corporations, and weaken our sense of nationalism on the world stage by making us a nation of weaklings. He is wrong, not for the same reasons that pro-hacktivist supporters believe in, but the economic, libertarian, and Asian ethic points against his reasoning make him more wrong than right on the issue.

 

 

Resources

Carroll and Buchholtz, Business and Society: Ethics and Stakeholder Management, 7th ed.

Bade and Parkin, Foundations of Microeconomics, 4th ed.

Wikipedia

Rothbard, The Ethics of Liberty, Ch. 13, Punishment and Proportionality

 

Disclaimer: This is an opinion piece. Nothing should be construed as fact unless independently verified.  At time of writing your Dearest Leader does not hold long or short positions in his personal or business brokerage accounts with regard to any company mentioned in this article.  Long or short positions may be initiated in the future without notice.

Booz Allen Hamilton Short

 

Booz Allen Hamilton (BAH) delivered some bad news to the public Tuesday, confirming that they were the victim of an intrusion event. Once again we are presented with opportunity to make money from watching the bad news unfold.  There appears to be resistance around 20.  If BAH doesn’t move above this line in the next few days, it could be a good short opportunity.  This is not a liquid stock, but additional liquidity may move in on the news Wednesday.  Today’s candle does not look encouraging for a short though since the stock went up the entire day.  We’re keeping this on a watch list for a small but entertaining move to the downside.

 

[Chart: BAH daily price chart, 2011-07-13]

Security and Privacy are Dead and Nobody Cares

 

A casual observation of investor confidence after an infosec breach.

 

One of the issues that security and privacy professionals discuss with our clients is the potential loss of customer confidence if confidential information is compromised.  The responses to this concern vary across industry and business size. The controls implemented vary based on the information collected, the tolerance for risk, and the client’s ability to implement cost effective controls.  Since the downturn in the economy many companies have been scaling back expenditures on security controls and accepting more risk.  This involves taking a more compliance centric view, making expenditures only on technology and personnel to comply with the law or self-regulating industry standards, rather than a risk centric view.  When accepting more risk it is reasonable to assume that the probability of a security incident will increase and/or the impact and remediation will be more costly to clean up.  Does this present any concern for the public?

Several technology executives have implied that privacy is dead, get over it.  With the proliferation of social tools such as Facebook, Twitter, Foursquare, Gowalla, and Google Latitude, the general public has no problem letting their “friends” or the whole internet know where they are and what they are doing.  Many people, especially the younger generations, don’t see it as a big deal to broadcast that they aren’t home, or their most intimate and politically incorrect thoughts.  Granted, GenY is focusing more on buying experiences rather than material possessions, so the impact of burglary may be less for GenY, but that is another topic we may discuss in detail under a personal finance tag in the future.  The silent death of privacy across generations may also be foretelling the death of security from the viewpoint of the public.

As company executives accept more security risk, the consumer public has also been accepting more risk or relying on risk transference to protect themselves.  Combine apathy with risk transference and you have a big stiff cocktail of SNMP (Someone’s -Not Mine- Problem).  ATM skimmers are all over the news, and among the GenX and younger crowd there is relatively little concern when compared to older individuals. That is derived from a very small sample, so take it as you will.  Why no concern?  Most credit cards have zero liability for the consumer, and fraudulent charges can be corrected immediately along with a new credit card sent overnight.  To the consumer this is a minor irritation, and the only people suffering are those dirty Wall Street bankers everyone loves to hate.  Even debit card fraud is only slightly more irritating when dealing with small community banks and credit unions, which are likely to have the same consumer protections as credit cards.

Is the public suffering from apathy when companies experience a security breach?  Is security dead and the inconvenience of having information compromised something that we will just have to put up with going forward?  If we are not there yet we may be getting there soon.  When examining investor confidence of companies that have security incidents there appears to be very little concern, even for large security breaches.  When compared to the overall S&P 500 Index several of these companies rise and fall along with the Index.  This would indicate that any declines in share price are related to the Index itself falling.

In recent days EMC and SPX are up and down together.

[Chart: EMC vs. SPX, 2011-06-03]

 

Lockheed Martin experienced a large percent move relative to SPX, but the ups and downs do have some correlation.

[Chart: LMT vs. SPX, 2011-06-03]

L-3 Communications has moved with SPX very closely since news of the intrusion broke.

[Chart: LLL vs. SPX, 2011-06-03]

 

Sony has underperformed when compared to SPX, and their stock price has been affected by multiple intrusions and related news stories.

[Chart: SNE vs. SPX, 2011-06-03]

 

EMC declined in mid March after the breach.  The decline of about 10% was relatively small compared to what it could have been.  Three months later EMC is performing as if the breach and any long term issues are a distant memory.  EMC is currently trading in a range between 27 and 28.75.

[Chart: EMC, 2011-06-03]

 

Near the end of May Lockheed Martin announced that they had been the victims of a security breach.  Nothing unusual happened to the stock price and the declines can be correlated to losses in the general market. 

[Chart: LMT, 2011-06-03]

 

 

L-3 Communications has also been pulling back, but after a shooting star candle and confirmation the next day that could be expected.  We can assume that any loss in value is simply related to overall market corrections.

 

[Chart: LLL, 2011-06-03]

 

Sony may be the exception since they have lost a lot of value since March.  Sony is different than Lockheed or L-3.  They have been punished multiple times by various hacking groups and the news stories simply won’t go away.  The decline is about 30%.

[Chart: SNE, 2011-06-03]

 

Compare and contrast the charts above with this chart of BP after the Deepwater Horizon explosion. The stock declined almost 50% before beginning to recover and reached –30% after a week.

[Chart: BP, 2011-06-04]

 

There are differences between all of the companies which do not allow an apples-to-apples comparison.  Customers of Lockheed Martin can’t obtain a substitute from someone else as easily as Sony customers can.  BP is in the business of tangible goods, and an oil spill has a different impact in the minds of investors and the public than a data breach.

Conclusion:

Based on non-scientific, casual observations, a one-time news event has little effect on the stock price when compared to multiple news stories over a period of time.  This is important to the overall business ecosystem from several viewpoints:

  • Short sellers in the market may be able to take advantage of short term moves in price, but if the story fades from the news it would be best to cover and wait for more news.
  • Hacktivists wanting to teach a long term lesson to a company will need to hit them multiple times or release breadcrumbs of information over a period of time to keep the story in the news so it can wear on investor sentiment.
  • Consumers will need to accept that the impact to a company will be relatively minor if they mishandle private data one time. Wall Street will not severely punish the companies for poor data handling practices.
  • Security and Privacy professionals will need to give up on selling the idea that a one-time security breach will harm their client’s business.  Based on these stock charts there is little incentive to spend money on prevention.
  • Consumers are at the mercy of the companies they deal with and simply put up with the inconvenience. There is little evidence of a crippling or destroying exodus of customers or a change in consumer behavior.

 

 

Disclosure: We currently have no long or short positions mentioned in this post. We may have held positions in the past.

Improve Security & Privacy, and Protect Your Patrons by Reducing Security

 

 

The Seattle Times has an interesting story about the King County Library System removing their security cameras.  This is an excellent case study to illustrate that more security equipment does not always lead to better security.  The case stems from an incident where a patron was mugged in the parking lot.  The Des Moines Police asked to see the security footage from the cameras, but the library refused, presumably citing the need to protect their customers’ privacy.  The police obtained a court order to review the footage and eventually caught the suspect.  The police were not happy with the library’s cooperation.

The decision to remove the security cameras "hinders our ability to do police work," Collins (Des Moines PD Spokesperson) said.

The library made the decision to remove the security cameras to prevent similar incidents in the future.  Does removing the security cameras actually present a problem from a security professionals point of view?  We can perform an assessment of the situation to determine if the library is making a prudent decision.  Top management at the library has decided that the confidentiality of the library patrons outweighs any benefit that the security cameras provide.  Under a security management framework such as ISO 27001, top management determines the goals for an organization’s security program.  In this case library management is correct in making the decision to remove the security cameras since the security framework leaves all decisions to top management.

Under the ISO 27001 framework risk assessments must be conducted on a periodic basis.  To visually express top management’s decision we can use CIA in a risk matrix to illustrate their concerns.  The following examples are illustrative only.

 

Risk                                Confidentiality   Integrity   Availability
Customer Reading Choice Compromise  High              Low         Low
Vandals                             Low               Low         Low
Muggers                             Low               Low         Low

 

In this case management has decided that the risk of all of a patron’s reading choices being recorded by surveillance cameras is of greater concern than other things that may be seen by the cameras.  Based on the risks it would be logical to remove the cameras.  What about hindering the police in their line of work?  That should not be a concern of a security professional consulting on behalf of, or employed by, the library.  There are numerous reasons why this is true.  Management at the library has decided there are certain things that the police should not have access to.  This is no different than protecting the physical premises of a business or using logical access controls to prohibit viewing of specific files.  Who the outside threat is should not be a concern to the security professional under the ISO 27001 framework.

There are also financial reasons that weigh into the decision to remove the cameras.  In most businesses a compliance professional or paralegal will be fielding court orders for data.  A fulltime resource would cost a minimum of $30,000 a year.  Does spending that $30,000 a year bring $30,000 worth of value to the customer?  It does not bring benefit to the customer, but it does benefit the police.  Since the police are not part of the same organization, it makes very little sense to help them from a security professional’s or management accountant’s point of view.  If the video footage is that important to the police, they should provide the equipment and manpower to monitor it, or the library should invoice the police for their costs of maintaining the equipment.

If we take off our security hats for a moment and put on our management accounting hats we can see that helping law enforcement does not provide economic benefit to the organization.  Therefore in order to save $30,000 by not hiring a fulltime resource we would need to remove the reason for hiring a resource.  We now have a business reason to remove the cameras.

Critics may argue that the cameras are already paid for and removing them wastes taxpayer money.  Once again we will need to do a financial analysis to determine whether or not the cameras should stay.  Most camera systems today are linked into a DVR which is usually supported by an organization’s IT department.  For purposes of this illustration we will assume that the camera systems are basically computers.  Computers have a five year depreciation before they are scrapped and removed from an organization’s financial books.  How many companies keep computers more than five years?  From a practical and a financial standpoint we can assume that the camera system would be replaced every five years much like a computer would.

The library system has also stated that the cost of maintaining the camera system is $30,000 per year.  Presumably this is the cost of a maintenance contract.  By removing the cameras the library immediately starts saving $30,000 a year.  One way to express the loss of value is to take the current depreciated value of the cameras, subtract the value the library receives from selling the equipment, and subtract the $30,000 a year in maintenance savings.  If the cameras are very old and have little financial value, then it is possible that we will have a negative number, which means that the removal of the cameras provides an immediate payoff.  Without knowing the details of the original purchase, it is reasonable to assume that if the cameras are one or two years old we would obtain immediate ROI by removing the cameras, selling them, and then booking the savings from canceling the maintenance contract.  If the cost of a compliance professional or paralegal is factored in, it is possible the camera system could be scrapped in its first year of operation based on the savings that would occur in years two and beyond.  There is also the capital budget savings from not purchasing a new camera system every five years.

Security and privacy professionals should not assume that more is always better.  Additional equipment and processes can compromise the security and privacy of a client’s customers.  Top management determines which risks the organization faces and which it accepts.  It may be unconventional to treat law enforcement access as a security risk, but there is nothing wrong with that approach if the organization chooses to classify it as one.  Security and privacy professionals must also wear many different hats.  By taking unconventional approaches, and by involving other disciplines such as accounting and finance, security and privacy professionals can better serve their clients by protecting what those clients determine to be valuable.

Sony Continues To Get Punished

Sony shut down several of its Internet services in Canada, Thailand, and Indonesia today.  Sony stated that its Thai site was accessed to harvest customer information for phishing attacks, and Sony Music Entertainment was also infiltrated, leading to the theft of source code.  Organizations face many security challenges, but some organization and planning can alleviate some of the headaches caused by a breach.

One popular framework that can be used to develop a security program is ISO 27001.  It provides a management framework to guide organizations in making sure they have all the bases covered when it comes to security.  ISO 27001 is not only about technology: its Annex A also covers physical security and legal compliance, and it is widely regarded as a complete approach to managing an organization’s security program.

These sections are of importance in improving the security standing of an organization before and after a data breach.

A.10.6 Network security management – Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure

A.13.2 Management of information security incidents and improvements – Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.

Each section lists specific controls, such as defining network controls and incident handling procedures.  A little planning before an incident goes a long way toward making the cleanup, and the prevention of future intrusions, much easier to deal with.

When Anonymous Attacks Sony Go Short

Today we have a purely speculative idea based on past history.  Since Sony foolishly decided to litigate their customer base for modifying their own hardware they are now in the crosshairs of Anonymous.  Shortly after Anonymous turned their attention to Bank of America, there was a market pull back.

Now that Anonymous has turned its attention to Sony we might be able to play the same strategy, especially if Anonymous manages to interfere with any revenue generation.  A recent daily chart of Sony shows a descending triangle with a breakdown below support.  Today it continued below the double top of 3/14 and 3/15, and in after-hours trading Sony continued lower.

[Chart: SNE daily chart, 2011-04-06]

If Sony opens lower tomorrow we might have a short opportunity.  Hopefully as time goes on Anonymous will learn to coordinate its DDoS attacks against public companies with weak chart patterns at key support and resistance levels for maximum impact; a larger move is easier to get if the target is already resting at support.

Regardless of whether or not you support Anonymous, they do serve a purpose in the information security ecosystem.  As security professionals we can see how effective anti-DDoS hardware is by observing the results of Anonymous’ attacks.  As traders, we can take advantage of the news of those attacks and play the short side of the trade.  Charlie Sheen would call that bi-winning!

 

He who is prudent and lies in wait for an enemy who is not, will be victorious. – Sun Tzu

Green Energy Deployment Needs Resiliency Just Like Information Security

Christopher Mims has a great piece at Grist on the state of Germany’s photovoltaic (PV) system compared to Japan’s Fukushima nuclear complex.  We can skip over the math arguments that the PV system in Germany is 20% more efficient than Fukushima at the height of the day.  The point now is that Fukushima is producing ZERO watts of electricity.  The design of future green energy systems should incorporate concepts from information security.

Information security is built around the CIA triad:

  • Confidentiality – Is the data protected from unauthorized access?
  • Integrity – Has the data been tampered with?
  • Availability – Is the data available for people to use when they want it?

We will look at availability.  Information systems are typically protected by an uninterruptible power supply (UPS) with a battery backup.  If utility power is lost the batteries keep the servers running.  In most cases the UPS is backed by a diesel or natural gas generator that picks up the load once it starts, so the batteries only need to bridge the seconds between the outage and the generator coming up.  Where an interruption of service is a high-impact event, a company will deploy backup servers, along with the same resilient electrical resources, in a geographically separate area, in some cases across a continent or across the world.  The first objective is to prevent a total loss of the business from a geographically isolated event.  The second is to provide customers with a service that is available when they want to use it.  For example, a business in Japan may have located servers in another country.  If its datacenter were destroyed by the tsunami, the servers in the other country would take over automatically and customers would not notice, or would not immediately notice, that anything was wrong.
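To make the "take over automatically" step concrete, here is an added example (ours, not code from Mims’ piece or any vendor) of the client-side half of that design: a client that prefers its home site, falls through to the second site when the first fails, trips a breaker after repeated failures so it stops hammering a dead site, and fails back once the site answers again.  The site names, the `send` callable and the fake clock are assumptions so the example runs offline; in production `send` would be an HTTP or RPC call with a timeout and the clock would be `time.monotonic`.

```python
"""Client-side failover across geographically separate sites.

Added example for this post, not code from the Grist piece or any vendor.
Site names, the `send` callable and FakeClock are assumptions so the example
runs offline; in production `send` is a network call with a timeout.
"""
import time


class SiteDown(Exception):
    """Raised by `send` when a site does not answer (timeout, refused, 5xx...)."""


class FailoverClient:
    """Prefer the first listed site; fall through to the next on failure.

    After `failure_threshold` consecutive failures a site is skipped for
    `cooldown` seconds (a circuit breaker), then tried again; if it answers,
    traffic fails back to it automatically.
    """

    def __init__(self, sites, send, clock=time.monotonic,
                 failure_threshold=3, cooldown=60.0):
        self.sites = list(sites)                      # ordered by preference
        self.send = send                              # send(site, payload) -> response
        self.clock = clock
        self.failure_threshold = failure_threshold
        self.cooldown = cooldown
        self.failures = {s: 0 for s in self.sites}
        self.open_until = {s: 0.0 for s in self.sites}  # breaker open until this time

    def request(self, payload):
        """Return (site, response) from the first site that answers."""
        last_error = None
        for site in self.sites:
            if self.clock() < self.open_until[site]:
                continue                              # breaker open: skip without trying
            try:
                response = self.send(site, payload)
            except SiteDown as exc:
                last_error = exc
                self.failures[site] += 1
                if self.failures[site] >= self.failure_threshold:
                    self.open_until[site] = self.clock() + self.cooldown
                    self.failures[site] = 0
                continue
            self.failures[site] = 0                   # healthy answer resets the count
            return site, response
        raise SiteDown(f"every site failed; last error: {last_error}")


class FakeClock:
    """Controllable clock so the cooldown can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Tokyo is down; every request is still answered, by Frankfurt."""
    clock = FakeClock()
    state = {"tokyo_up": False}
    attempts = {"tokyo": 0, "frankfurt": 0}

    def send(site, payload):                          # stand-in for the real network call
        attempts[site] += 1
        if site == "tokyo" and not state["tokyo_up"]:
            raise SiteDown("tokyo: connection timed out")
        return f"{site} handled {payload}"

    client = FailoverClient(["tokyo", "frankfurt"], send, clock=clock,
                            failure_threshold=3, cooldown=60.0)
    served_by = [client.request(f"req{i}")[0] for i in range(5)]
    tokyo_attempts = attempts["tokyo"]                # 3: breaker tripped on the third failure
    state["tokyo_up"] = True                          # Tokyo recovers...
    during_cooldown = client.request("req5")[0]       # ...but is not retried until the cooldown ends
    clock.advance(61)
    after_cooldown = client.request("req6")[0]        # half-open probe succeeds: fail back to Tokyo
    return served_by, tokyo_attempts, during_cooldown, after_cooldown


if __name__ == "__main__":
    print(demo())
```

The customer-facing property is the first value `demo()` returns: five requests, five answers, none of them from the site that is down.  The breaker matters for the recovering site as much as for the client; without it, every request would keep opening a connection to a datacenter that is under water.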

Green energy needs the “A” principle of CIA in order to be useful.  Pundits on both the green energy side and fossil fuels side have advocated for a one size fits all solution.  Windmills, solar panels, and ocean power have not reached the efficiency levels to replace fossil fuels.  Fossil fuels are reliable, but are subject to supply chain disruption and competition for the resources themselves which results in higher prices for everyone concerned.

Green energy sources should initially supplement fossil fuels and should be used much like a hedging strategy in a stock portfolio.  If there is a disruption of the main power plant, the green alternatives can take up part of the slack while the main facility is being repaired.  As more green capacity is brought online it can be built in a decentralized manner.  This reduces the exposure that consumers face from the loss of a centralized power source.  Green energy is great, but if it is unusable due to a natural disaster the effort is wasted.

GMail Disruption Loses Thousands of Accounts

CNN is reporting that a disruption at Google may have caused the loss of 150,000 GMail accounts.  Google is working on restoring the email, but one user in the help forum asks, “What if the cloud fails”?

Most home users have been using “the cloud” since the 1990s, via Hotmail or through email hosted by their dial-up or broadband ISP.  Today users mostly rely on some kind of web mail for both business and personal communication.  As we have moved away from client applications we rely more and more on the service provider to ensure that we can access our data when we need it from a web browser.  For a small business owner or freelancer, loss of data can mean loss of revenue from downtime, if not the loss of the entire business.

One step that users can take is to consider using client applications again.  This may seem like a step backwards, until you need to access your data while the service provider is down.  GMail works with any client that speaks IMAP or POP, and mobile devices can sync with it through Exchange ActiveSync.

GMail support details how to configure IMAP in your email client.  Since IMAP synchronizes with the mailbox, the copy on the server can still be read through a web browser while a client such as Outlook or Thunderbird keeps a synchronized local copy.  One caveat: IMAP synchronizes deletions too, so a message removed on the server, or lost in a provider failure that the client then syncs, can vanish from the client as well; turn off automatic purging, or periodically export the local folders, if you want the copy to survive.  Used that way, IMAP is a cheap (free) form of insurance in the event that the email provider has a permanent failure.

Small business users may want to consider the benefits of using an email client to keep a copy of their email.  Hard drives can fail or experience a fire, flood, or other catastrophe in both the datacenter and in the home or office.  Keeping multiple copies of email in different locations is one way of protecting your business.
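As an added example (not from Google’s documentation or the CNN piece), here is the offline-copy idea in code: a script that pulls every message from an IMAP folder into a local Maildir and only ever reads from the server, so deletions upstream do not propagate to the archive the way they would to a synchronized client.  The `FakeIMAP` class and the sample messages are constructed stand-ins that answer in the same tuple shapes as Python’s `imaplib`, so the code runs without a network; `connect_gmail` shows the real connection and is not exercised here.

```python
"""One-way archive of an IMAP folder into a local Maildir.

Added example for this post, not code from Google or the post's author.
Only the standard library is used.  FakeIMAP and SAMPLE_MAIL are constructed
stand-ins (assumption) so the example runs with no network; connect_gmail
shows the real connection and is not exercised offline.
"""
import copy
import mailbox
import os
import tempfile


def archive_folder(conn, folder, maildir_path, seen_uids=None):
    """Copy every message in `folder` into the Maildir at `maildir_path`.

    `conn` is an imaplib.IMAP4_SSL (or anything answering the same way).
    `seen_uids` is the set of UIDs already archived; it is updated in place.
    The folder is opened read-only and messages are only fetched, never
    flagged or expunged, so a later deletion on the server does not reach
    the archive.  Returns the set of UIDs written in this run.
    """
    seen_uids = set() if seen_uids is None else seen_uids
    status, _ = conn.select(folder, readonly=True)
    if status != "OK":
        raise RuntimeError(f"cannot select folder {folder!r}")
    status, data = conn.uid("search", None, "ALL")
    if status != "OK":
        raise RuntimeError("UID SEARCH failed")
    md = mailbox.Maildir(maildir_path, create=True)
    written = set()
    for uid in data[0].split():                      # b"1 2 3" -> [b"1", b"2", b"3"]
        uid_s = uid.decode()
        if uid_s in seen_uids:
            continue
        status, parts = conn.uid("fetch", uid, "(RFC822)")
        if status != "OK" or not parts or not isinstance(parts[0], tuple):
            continue                                 # message vanished between SEARCH and FETCH
        raw = parts[0][1]                            # imaplib shape: [(b"1 (RFC822 {n}", b"<raw>"), b")"]
        md.add(raw)                                  # written under new/ with a unique filename
        written.add(uid_s)
        seen_uids.add(uid_s)
    return written


def connect_gmail(user, password):
    """Real connection (imap.gmail.com:993); requires IMAP enabled on the account."""
    import imaplib
    conn = imaplib.IMAP4_SSL("imap.gmail.com", 993)
    conn.login(user, password)
    return conn


SAMPLE_MAIL = {  # constructed sample data: folder -> {uid: raw RFC 822 bytes}
    "INBOX": {
        1: b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: invoice 17\r\n\r\nPlease pay by Friday.\r\n",
        2: b"From: carol@example.com\r\nTo: bob@example.com\r\nSubject: contract\r\n\r\nSigned copy attached.\r\n",
    }
}


class FakeIMAP:
    """Stand-in for imaplib.IMAP4_SSL that answers in imaplib's tuple shapes."""

    def __init__(self, folders):
        self.folders = folders
        self.current = None

    def select(self, mailbox_name="INBOX", readonly=False):
        if mailbox_name not in self.folders:
            return ("NO", [b"folder not found"])
        self.current = mailbox_name
        return ("OK", [str(len(self.folders[mailbox_name])).encode()])

    def uid(self, command, *args):
        box = self.folders[self.current]
        if command.lower() == "search":
            return ("OK", [b" ".join(str(u).encode() for u in sorted(box))])
        if command.lower() == "fetch":
            uid = int(args[0])
            if uid not in box:
                return ("OK", [None])                # imaplib's answer for a missing message
            raw = box[uid]
            return ("OK", [(f"{uid} (UID {uid} RFC822 {{{len(raw)}}}".encode(), raw), b")"])
        raise ValueError(f"unsupported command {command!r}")


def demo():
    """Two archive runs; the second sees one deletion and one new message upstream."""
    server = FakeIMAP(copy.deepcopy(SAMPLE_MAIL))
    archive = os.path.join(tempfile.mkdtemp(prefix="mail-archive-"), "bob")
    seen = set()
    first = archive_folder(server, "INBOX", archive, seen)
    del server.folders["INBOX"][1]                   # upstream deletion: must not touch the archive
    server.folders["INBOX"][3] = (b"From: dave@example.com\r\nTo: bob@example.com\r\n"
                                  b"Subject: new order\r\n\r\nTwo units please.\r\n")
    second = archive_folder(server, "INBOX", archive, seen)
    return first, second, len(mailbox.Maildir(archive))


if __name__ == "__main__":
    print(demo())   # ({'1', '2'}, {'3'}, 3)
```

Run it against a real account by replacing `FakeIMAP(...)` with `connect_gmail(user, password)` and persisting `seen` between runs (a one-line-per-UID text file is enough).  Note that IMAP UIDs are only stable within a folder while its UIDVALIDITY is unchanged; a serious tool records that value from the SELECT response and restarts the archive when it changes.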

Legalizing Retaliation is the Answer to Cyber Attacks

Ellen Messmer at Network World poses the controversial question of whether cyber retaliation is justified to thwart cyber attacks.  Most information security professionals will agree that it is illegal to counterattack, but should it be?  We are not asking about the ethics of cyber self-defense, but questioning current legislation.  The proposal is simply to legalize cyber self-defense and leave it up to the market to determine the best solution.  In the physical world you are allowed to defend yourself from an attacker.  Why not apply the same standard to the cyber world?

The Castle Doctrine is one such example of real-world defense.  Several states have implemented the Castle Doctrine as part of their legal code.

A Castle Doctrine (also known as a Castle Law or a Defense of Habitation Law) is an American legal doctrine claimed by advocates to arise from English Common Law that designates one’s place of residence (or, in some states, any place legally occupied, such as one’s car or place of work) as a place in which one enjoys protection from illegal trespassing and violent attack. It then goes on to give a person the legal right to use deadly force to defend that place (his/her "castle"), and/or any other innocent persons legally inside it, from violent attack or an intrusion which may lead to violent attack. In a legal context, therefore, use of deadly force which actually results in death may be defended as justifiable homicide under the Castle Doctrine.

A company or personal network could be treated like a castle under the law, just as a residence or business office is.  Self-defense under the Castle Doctrine also protects the defender from both criminal and civil liability, which means a person who uses a gun, kitchen knife, baseball bat, samurai sword, fire axe, etc. in defense of their castle cannot be charged with a crime, and the offender or their survivors are barred from filing a civil suit.  The Castle Doctrine also removes the duty to retreat from an intruder.  In the technology world we could take this to mean that an IT department does not have to tune firewalls, perimeter routers, and IPS to mitigate the attack before launching its own counterstrike.

Some may say that this does not apply directly to the Internet, where Company A’s servers may be hijacked and used to direct an attack against Company B.  In fact it translates almost perfectly.  In the physical world, if Person A coerces Person B into harming or killing Person C, Person C has the right under the Castle Doctrine to defend themselves against Person B.  The type of coercion applied is not relevant, since the imminent threat to Person C is Person B, not the manipulation by Person A.  In the network example the cybercriminal is Person A, the compromised system or botnet is Person B, and the defender is Person C.  Using the principles above it would be possible to create a cyber Castle Doctrine.

 

Sample Legislation to create a cyber Castle Doctrine

Immunity from prosecution; exception

A person or legal entity who uses computer force against an attacking computer system violating O.C.G.A. § 16-9-93 shall be immune from criminal prosecution.

No duty to retreat prior to use of force in self-defense

A person or legal entity has no duty to mitigate the actions of an attacking computer system prior to using computer force against an attacking computer system violating O.C.G.A. § 16-9-93.

Immunity from civil liability for threat or use of force in defending technology resources

A person or legal entity using computer force against an attacking computer system violating O.C.G.A. § 16-9-93 shall not be held liable to the person or legal entity against whom the use of force was justified, or to any person acting as an accomplice or assistant to such person, in any civil action brought as a result of the threat or use of such force.

 

The advantages of applying Castle Doctrine to cyberspace are much like those of physical space:

  • Reduces court and law enforcement costs
  • Applies individual responsibility for both perpetrator and defender
  • Fewer people in jail serving time reducing prison costs

 

Creating a Castle Doctrine for cyberspace has numerous advantages.  It effectively increases security by raising the stakes for companies and individuals who do not secure their systems.  In addition to facing downtime from a counterattack, the company risks further embarrassment in court when the defender produces security logs showing that it was defending against an attack from that company’s IP address.  Consumers could quickly see from such court records which companies are regularly compromised and turned into bot zombies, and could reasonably assume that if intruders control the systems, they probably control the customer information on those systems.  Even without court records, a company that is down from a defender’s counterattacks will not be able to process data for its customers and will eventually lose them to companies that consistently get security right.

Placing more responsibility on companies to keep their systems secure will also lead to growth in the cyber insurance market.  Most of the policies I have reviewed are very weak today, but by legalizing cyber self-defense we can create a market for different levels of coverage.  This benefits companies by allowing them to insure against downtime caused by intruders or by defenders.  It would also help financial companies such as Goldman Sachs create derivatives, similar to Credit Default Swaps and Collateralized Debt Obligations, for the cyber insurance industry.

The potential for downtime caused by a defender will also push retail and institutional investors toward companies that provide reasonable cyber security.  BP made decisions that increased risk.  It is not known how visible BP’s corner-cutting was, but Goldman Sachs sold 4.68 million shares of BP just before the Deepwater Horizon exploded.  Security should weigh just as heavily as safety with investors.  Goldman Sachs was correct to offload its BP holdings, just as it would be correct to offload shares of any company that allows its systems to be taken over by an intruder and then taken offline by a defender.

Legalizing cyber self-defense brings several good results.  The Internet should have its own Castle Doctrine and allow the private sector to find solutions to the problem of cyber security.  This frees up law enforcement resources and places responsibility where it belongs: back in the hands of the individual, or the individuals who work for a legal entity.

Security Pros Should Get Into The Cloud in 2011

ReadWriteWeb has a short but peppy write-up on 2011 resolutions for SMBs to get serious about security.  The standard AV/endpoint topics are discussed, along with the need to get serious about cloud computing.  In the recent Global Information Security Workforce Study by (ISC)2 and Frost & Sullivan, 73% of the (ISC)2 professionals surveyed said that new skills are needed to meet the demands of cloud computing.

Some security professionals may choose to fight the cloud by simply waving a hand and proclaiming that it is not secure.  In the SMB space not every company handles cardholder data subject to PCI DSS, and many do not handle PII that requires special treatment under the law.  The cloud makes sense for companies constrained by cash flow or capital budgeting.  For example, a company that runs an 8×5 IT shop may be able to have security and uptime monitored 24×7 by moving to a cloud solution, which would be cheaper than 24×7 local staff plus the capital expenditure for monitoring tools.  Saving money is good for any company: it leaves more for raises and bonuses, which everyone likes.

What should security professionals do to prepare for the cloud in 2011?

  • Learn about the cloud
    • Take at least one technical class about cloud computing technology
    • Take at least one business class that will help you with understanding ROI promised by the cloud
    • Collaborate with other security professionals regarding their experiences
  • Work with business leaders to embrace the cloud
    • Talk to your CFO or Controller about cost savings the cloud can bring
    • Concentrate on areas that make business sense. Not everything has to go in the cloud, nor should it
    • Illustrate the risks and benefits of moving to the cloud for those systems
    • The CEO should have the final say on any course of action; be a trusted advisor.

 

Security professionals should provide the expertise needed for the business to succeed.  Under ISO 27001 top management should determine and sign off on the acceptable amount of risk for the company.  At the end of the day this rests with the CEO or President, who is advised by the CISO, CFO, BizDev, and other leaders.