From Rothman, an article at CSOnline discusses Moody’s infosec risk rating service.

I personally dig this quote:

The idea for such an at-a-glance rating is appealing to risk executives such as Andre Gold, head of security and risk management for ING’s U.S. Financial Services business… Last year Gold oversaw reviews of 176 new technology vendors; his team visited sites as far away as South Africa to conduct security assessments. “It’s a service that we must do, but I think it’s a non-value-add service,” he says.

A non-value-add service? To quote Michael Scott, that’s what she said.

photo from Dwight K. Schrute.


Now That’s a Complaint…..

From Concurring Opinions (and elsewhere), a paper by Chris Hoofnagle, “Measuring Identity Theft at Top Banks.” Hoofnagle is asking the question: How does a consumer or regulator measure the incidence of identity theft at a financial institution? In an attempt to answer, Hoofnagle took the number of identity theft complaints collected by the FTC and matched them against the institutions named in the complaints, with the intent of coming up with a score that consumers could use to judge how well an institution protects identity.

Call me crazy if I’m wrong, but Mr. Hoofnagle seems to be pushing the data well beyond its utility. Is a complaint to the FTC via a web form a reliable indicator of the fraud controls at an institution? In my past experience as an investigator, I handled many cases of identity theft. I’d estimate that at least half, if not two thirds, of the allegations of “identity theft” were not, in fact, identity theft. A suspicious charge on a bill, a bad skiptrace, or even a breach disclosure notice could result in a complaint of “identity theft.” Crime statistics based on prosecutions of actual criminals may provide an underreported, but more reliable, measure.

Hoofnagle mentions that he believes the number of FTC complaints may be low, due to historic underreporting of identity theft to criminal authorities. Again, according to my experience, which may be non-representative, I’d say that people will fill out a web form that belongs to the FTC sooner than they’d call the police. The FTC is more analogous to the Better Business Bureau than law enforcement.

I was going to write something about my frustration with the publicity that the FTC complaint statistics were receiving. Complaints are easy to count and a handy metric. But I don’t think that they mean much without some evaluation of the validity of the complaint. That is, what is interesting is hard to find out.

Right before I read Hoofnagle’s paper, I read this post from the Microsoft Security Development Lifecycle blog. The author makes the following statement regarding using vulnerability counts as a measure of software security:

“Measuring security is a real challenge, and while we may debate the merits of vulnerability counts, right now it’s the only concrete metric we have.”

I guess I’m saying that the only concrete metric one has may still be misleading, inaccurate, or irrelevant. Concrete isn’t synonymous with valid. I may have issues with “metrics,” but I love Metric. Need less, use less, we’re asking for too much I guess, cause all we get is…


Fillings


Dental countdown:

4. Juicy stuff from re: The Auditors on SocGen.

Latest news out of France has Finance Minister Christine Lagarde’s report saying that in addition to controls being lax (duh!), someone who understood the controls should never have been able to become a trader.

With all due respect to Ms. Lagarde, this is ridiculous. Just look at their annual report. They’ve got “controls” up the wazoo… This is a lame, puppy-dog excuse. It’s the management, stupid!

Schweet.

3. On the local front, an unhappy IT laborer hacks into his boss’s e-mail and sends naughty messages.

The affidavit says that Das told Southerland he was holding the Web site hostage until he received his paycheck. Though Southerland said that checks weren’t being dispersed until the following week, Das hacked into Southerland’s e-mail account and sent e-mails to Southerland’s clients and family defaming the company, according to the affidavit.

One of the hostage servers was a database for a site called Rotten Neighbors, where you can be a neighborhood fussbudget without putting on your slippers and yelling at the cars passing your driveway. Such an operation may not provide the gruntle-rich environment that would supply the last-paycheck patience that is in such short supply nowadays.

2. And if we learned anything from SocGen, we learned that misbehaving employees are not always motivated by greed, as local community radio station KOOP learned recently when it was arsonized. Like French bankers, they were SHOCKED that a buzz-kill playlist would lead to wanton destruction of assets.

1. From toohotfortnr, this article identifies scooters as weapons of insurgency. Have we learned nothing?


He begged me to follow but legions of sorrow defied me

I may not be sure what my point is. Black Swans with trading accounts? The letter U and the numeral Two? Or that it actually does take two ringy-dingys. I only know that the following illustrates it in the most vivid fashion possible.


Data Privacy Day


To appropriately observe Data Privacy Day, I will not ask you how it is hanging.
That is strictly a matter between you and whatever hangs off you.

Photo of sloth having its privacy violated from sfPhotocraft.


Segregation of Obscurity


From the Forbes account of the Societe Generale billion-dollar fraud:

“It’s Nick Leeson, the story is exactly the same,” said Celent’s Pierron. “We have a trader who trades futures, or derivatives, who hides his losses by using weaknesses in the risk-management system.” He said that as long as traders had knowledge of back-office operations, the risks of abuse would always be there.

A spokesperson for Societe Generale said that there would be thorough reviews of internal controls, but noted that this particular case of fraud was “very, very sophisticated.”

So, segregate controls, but keep them obscure.


I got some groceries, some peanut butter


From the maddeningly brilliant book on the Naples System, Gomorrah, a description of security during the Secondigliano War between the Spanish and Di Lauro clans:

I would ride my Vespa through this pall of tension. In Secondigliano I’d be frisked at least ten times a day. If I’d had so much as a Swiss Army knife on me, they would have made me swallow it. First the police would stop me, then the carabinieri, sometimes the financial police as well, and then the Di Lauro and Spanish sentinels. All with the same simple authority, the same mechanical gestures and identical phrases. The law enforcement officers would look at my driver’s license, then search me, while the sentinels would search me first, then ask lots of questions, listening for the slightest accent, scanning for lies. During the heat of the conflict the sentinels searched everyone, poked their heads into every car, cataloging your face, checking if you were armed. The motorini would arrive first, piercing your very soul, then the motorcycles, and finally the cars on your tail.

I was struck by the difference in approaches to the basic “airport security problem” between those who were obliged to obey the rule of law and those who knew that an error in their judgment would likely mean their own death.

Foto of the arrest of Cosimo Di Lauro from La Repubblica.


White Knuckles


This looks interesting in the context of cultural cognition of risk. Entertaining legal wonking on the issue at Concurring Opinions and Volokh.

Amazing the lack of agreement as to when “Yee haw!” becomes “Holy Crap!” while behind the wheel.

Photo courtesy Marie Rose Ferron / Flickr


Die Doing Something You Love

“To die doing something you love.”
I encountered variations of this phrase three times Saturday.

1. In Chris Jonnum’s biography of the Haydens, the on-track death of flat-tracker Will Davis. Davis was a hero of Nick Hayden’s. Mourning his death, Nick said that there is no tragedy if you die doing something you love. Nick did run his next road racing victory lap backwards in Davis’ honor.

2. On the DVD of The Race to Dakar, Andy Caldecott died doing the thing he loved, as described by Charley Boorman. No one will be permitted to die this way this year, since ASO has cancelled the Dakar race due to threats of terrorism. (You can die doing what you love, not what Al Qaeda loves.)

3. Andy Olmsted states in his posthumous blog post that he died doing the job he loved.

If you love your job, you can accept any level of risk.


Confusion In My Eyes That Says It All


I figured I’d wait until after my paternity leave was over before I started thinking seriously about words like “control” and “compliance,” but I felt the need to say something after reading Bejtlich’s post “Controls are Not the Solution to Our Problem.”

He illustrates his point by citing an example of a control and identifying the ways it fails to be fully effective. The control may not work, and it could be superfluous. His alternative approach is a system of assessments, tests and monitoring coupled with a rigorous set of metrics.

If someone describes an asset as “secure,” “safe” or “reliable,” my job as an auditor is to ask the question “How do you know?” The answer is a control. Bejtlich’s “field-assessed” approach is another set of controls, mostly detective rather than preventive. What happens when his approach is codified into a government procedure or a vendor contract? A security practitioner with a preventive approach could grouse about how these pen tests and honeynets don’t address the security needs in his shop (due to the scale of operations or the type and level of risk).

Tossing out controls is also simply not an option. Effective or not, compliance keeps you out of jail. I don’t always feel that a 55 mph limit is a necessary control to prevent accidents on some roads, but that doesn’t mean I am not breaking the law when I speed.

I’m not as big a proponent of metrics as a control solution as he is, but I’ll leave that for another post.
