Category Archives: Security

Breaches Down for Third Year

A quick look at the all time datalossdb.org chart of breaches tells you something is up with the data…or down.

At the past several conferences I have presented at, I explained why breaches are down while attacks of a certain type on a certain industry are up. But maybe I should start a series called ZOMG BREACHES DOWN 40% FROM 2008, given today’s bone-rattling story from the Washington Business Journal called “Computer security incidents reported by federal agencies increase 650%”:

Federal agencies reported more than 40,000 security incidents that placed sensitive information at risk during 2010 — a 650 percent increase compared to five years ago, according to a new report from the Government Accountability Office.

First of all, I think it’s fantastic that more incident reporting is happening and the GAO is on top of reporting progress to the public. But that doesn’t mean a reporter should just throw that number out unwashed and imply the incidents “placed sensitive information at risk”.

Such an implication will confuse readers, including me, because…second of all, their very next paragraph says incidents are a very, very broad area of concern, well beyond just the risk of disclosure.

…”security incidents” don’t always equate to an all-out breach. (According to US-CERT, they include successful and failed attempts to gain unauthorized access to a system or its data, unwanted disruption, unauthorized use of a system for the processing or storage of data, and changes to system hardware, firmware, or software characteristics without the owner’s knowledge.)

The big story is that the GAO is seeing the kind of curve in data that the datalossdb project saw right after 2004, the year following the California Breach Notification Law SB 1386. I could talk all day on what we have learned since then about breaches and reporting incidents since 2003. But let’s just say I am disgruntled to see in 2011 a reporter would toss out a headline grenade of 650% increase in incidents while ignoring that overall breaches (not incidents reported, breaches) are in decline.

Here’s a classic quote:

The four most prevalent types of security incidents reported to US-CERT during fiscal 2010 include the detection of malicious code, improper usage and unauthorized access, and detected anomalies that warrant further review.

I see that as three types of security incidents and an additional category of stuff not yet figured out. Imagine if the headline was instead reporting a 650% increase in stuff not yet figured out.

Update: I should have also mentioned my earlier post that California has taken a big step forward again with SB 24 and the push for a centralized breach data repository. This issue just came up again at the federal level and the emphasis is clearly on better oversight.

If you can read past the unsubstantiated barking by fearful politicians about “precedent in history for such a massive and sustained intelligence effort” (you obviously don’t have to know history to get elected), there are some actually good nuggets, like this advice from RSA:

Asked for suggestions on improving U.S. cybersecurity, [Art Coviello, executive chairman of RSA Security] called on Congress to pass a national data breach notification law, and he called on the U.S. government to share more information about cyberattacks with private companies. A quicker method of sharing information between the government and businesses is needed, he said, because in a large majority of successful cyberattacks, businesses don’t know they were breached until the U.S. Federal Bureau of Investigation or some other third party tells them.

A national breach notification law would help reduce much of the confusion about attack source and consequences; perhaps it would even allow us to better settle the debate over what constitutes a “sophisticated” attack. Speaking of RSA, see you all next week at the conference where I’ll discuss many of the above issues.

FOX News Gets Stuffed on Wall Street

The FOX reporter seems unprepared and hesitant in the following video posted by the New York Observer (a paper founded by a former investment banker).

He does a horrible job asking questions and lobs glacially-slow softballs to a man from the Occupy Wall Street protest. No surprise then who dominates the topic, but how well the protestor dominates it is a surprise. It looks so lopsided it’s like the whole thing was staged; maybe they kidnapped a FOX reporter and forced him into an awkward moment.

FOX starts by asking if protests in America are just a copy-cat movement, part of an international conspiracy:

Your colleague, she’d seen the protests in Greece and Europe and elsewhere. Did you guys take your cue from that? Are you hoping to cite certainly what was a lot of the tension, if not police activity. I know over the weekend there were over 100 arrests and you guys got things fired up. Are you taking your cues from the international movement and how do you want to see this? If you could have it in a perfect way, how would it be?

And then the protestor retorts with a cruise missile of logic that obliterates the reporter’s question from every angle:

It’s really difficult to answer questions leading to those conclusions. I’d say that we didn’t take our cue leading off of anybody really. It became a more spontaneous movement. As far as seeing this end, I wouldn’t like to see this end. I would like to see the conversation continue. This is what we should have been talking about in 2008 when the economy collapsed. We basically patched a hole on the tire and said let the car keep rolling. Unfortunately it’s fun to talk to the propaganda machine and the media, especially conservative media networks such as yourself, because we find that we can’t get conversations for the Department of Justice’s ongoing investigation of News Corporation, for which you are an employee. But we can certainly ask questions like, you know, why are the poor engaging in class warfare? After 30 years of having our living standards decrease while the wealthiest 1% have had it better than ever, I think it’s time for some, maybe, I don’t know, participation in our democracy that isn’t funded by news cameras and gentlemen such as yourself.

It would appear that FOX is no longer in the hen house.

Note: also interesting to see someone protesting Wall Street in a forage cap. Maybe it is a sign of interest returning to the People’s Party and the great bank bail-out of 1893.

Panic in 1893

Similar to the Panic of 1873, this panic was marked by the collapse of railroad overbuilding and shaky railroad financing, which set off a series of bank failures. Compounding market overbuilding and the railroad bubble was a run on the gold supply (relative to silver), because of the long-established American policy of bimetallism, which used both silver and gold metals at a fixed 16:1 rate for pegging the value of the US Dollar.

Has someone yet adapted the Wizard of Oz secret story to the modern context? What would we have today instead of Dorothy’s silver shoes (silver standard) and the Wizard’s yellow brick (gold standard) road?

USCG seizes squid boat after failed identity test

News from the waters near Alaska. A large fishing boat about 3,000 miles from the coast of Alaska was asked to identify itself and was unable to do so. It was seized by the US Coast Guard but not brought to shore because of a rat infestation.

The vessel Bangun Perkasa didn’t have a valid flag state registration, and Coast Guard spokeswoman Lt. Sara Francis said it was seized Sept. 7 as a stateless vessel for allegedly violating U.S. laws.

[…]

…crewmen were trying to dump the net when the Coast Guard boarded the ship about 2,600 miles southwest of Kodiak. The Coast Guard retrieved the net, and then found 30 tons of squid and 30 shark carcasses on board, she said.

Officials did not find proper documentation on board, however.

“No license or permits, and no records of their catch,” Francis said.

The Coast Guard also discovered rats on board.

30 tons of illegal squid! That’s just what they kept on board. Illegal giant drift nets kill huge numbers of fragile marine life so who knows what the true toll was. Whales and turtles are devastated by these boats.

Dumping 10 miles of net like a piece of garbage overboard also is an incredibly malicious maneuver. All that aside I find the most interesting part of this story in the failure to provide a valid certificate and then the failed authentication process.

The ship’s crew initially claimed Indonesia as their flag state.

“When we contacted Indonesia, they said, ‘Nope, not ours,’” Francis said. “They became flagless at that point, and that’s when we seized them.”

Although, in terms of analysis, I also find this part amusing:

“Given the catch they had, I would assume they were a squid boat.”

Not a rat boat?

Risk Lessons from the Startup Genome Project

The findings are in from a business analysis project that models itself after genome research.

The first finding:

Most successful startups pivot at least once. Startups that pivot once or twice raise 2.5x more money, have 3.6x better user growth, and are 52 percent less likely to scale prematurely than startups that pivot more than two times or not at all. A pivot is when a startup decides to change a major part of its business.

Pivot? Sounds fancy. If I read that correctly, a business that reacts to correct a mistake is more likely to be successful than one that does not correct its mistake. Likewise, a business that corrects fewer mistakes is going to be more successful than one with many mistakes. In other words, there is going to be at least one major mistake in a startup plan, which will have to be corrected, but there should not be too many, because the cost of correction is high.

Perhaps the same could be said of anything. Take rock climbing, for example. A climber that can react quickly to a mistake will climb 2.5x higher, have a 3.6x better time to the summit, and be 52 percent less likely to burn out prematurely than climbers that make more than two mistakes or do not react to their mistake.

The third finding:

The major reason for failure of startups is premature scaling. About 70 percent of our dataset showed up as premature scaling or inconsistency. One driving factor for inconsistency is too much capital, teams that are too large, bad team compositions, too little testing, etc. – pretty much everything a large company does, anticipating high certainty in their planning.

I smell a tautology. What is failure? Premature scaling. What is premature scaling? Failure. So you can avoid failure by avoiding failure, which is like avoiding scaling too soon because of course it is too soon. But seriously, this conclusion equates bad with failure. I suspect some might have reached the same conclusions without the study. You should not need a “Genome” project to state that a bad team will give bad results.

Based on the above findings the solution to startup failures should be obvious — simply reverse the statements. Have just the right amount of capital, teams that are sized just right, teams that are composed just right, testing that is just right…it is starting to feel like they could have called it the Startup Goldilocks Project.

Oh, and I think this qualifies for the most non-humble statement award:

It has been extremely humbling for us to be able to touch the lives of thousands of entrepreneurs living around the globe.

How is that humbling? It’s like saying “it is extremely humbling for us to achieve more than we expected and to be really successful”. New definition?

The whole project appears to be anything but modest. By their name they affiliate themselves with a scientific effort to “complete mapping and understanding of all the genes of human beings”. Yet the findings on risk that they have published seem far from attempting the same kinds of analysis.

Understanding the human genome will have an enormous impact on the ability to assess risks posed to individuals by exposure to toxic agents. Scientists know that genetic differences make some people more susceptible and others more resistant to such agents. Far more work must be done to determine the genetic basis of such variability.

In other words, will the Startup Genome Project explain the variability in startups that causes some to be more susceptible to risk — pressure by large companies? What external and internal factors cause one startup to grow before it is able to sustain itself but another startup to hold back?

They could assess, for example, whether it helps reduce pressure from large companies to expand if the startup founder has X amount of personal/family wealth and at least one attorney in the family. I use that example because they mention Bill Gates as a successful entrepreneur. It makes me wonder if they are collecting that kind of data and searching it for factors like those revealed by the WSJ about the very beginning of Microsoft:

The family support was one reason Mr. Gates decided to move Microsoft to Seattle, where he settled into a house not far from his parents. Mrs. Gates arranged to have a maid clean her son’s house, and made sure he had clean shirts for his big meetings. […] Mr. Gates Sr., drawing from his own experience as a lawyer guiding small companies, helped find Seattle businesspeople to serve on the Microsoft board. […] The father’s law firm would also end up representing Microsoft, which became the firm’s biggest client.

Clean shirts for his big meetings is the key phrase. Someone should decode it properly.

The Startup Genome Project, if it were directed at the human body, so far reads more like a study that concludes premature death is a leading cause of a short lifespan. It’s a new collection of information with some interesting synthesis, but it’s not exactly illuminating an unknown or unmapped world with clues to help us understand how to manage risk.