Infosecalypse Now


A number of links in the chain:
Mr. Walsh asks Why We Fight?
Which spurs Mr. Hoffman’s Nam flashback.
Bloginfosec says it’s safe to surf this beach, so it’s safe to surf this beach.
Meanwhile, Charlie squats in the bush, everyday getting stronger, and the BS piles up so fast, you need wings to stay above it.

Me? I’m an errand boy sent by grocery clerks to collect the bill.

Posted in Uncategorized | Tagged , , , | Leave a comment

With The AM Radio On


The imperial raftload of opinions on who really is the victim of credit card fraud, stemming from the Boston Globe article on the legislative reactions to the Stop and Shop Skimming Shenanigans, is centered around this quote as much as any:

“If this legislation passes, all retailers, all companies, and all
banks will know they’ll be responsible for absorbing every cost
associated with a data breach.”

Of course that quote doesn’t make a whole lot of sense once you parse it; it just seems to be pluralizing the victims in a bizarre twist on bystanderism, i.e., if we’re just going to sit around and watch the crime happen, let’s all be victims!

Most puzzling to me are the voices of the outraged merchants on the Slashdot thread, sounding too much like a hoodlum’s fence pleading ignorance to the cops on the legal state of goods in his possession. The merchants are no doubt getting the shaft in the current credit card fraud scheme. They may not have the financial resources and high-powered lobby of the banks and credit card outfits, but the merchants do have the capacity to do more to validate a transaction than to make sure the magnetic strip is functional. Are credit card transactions getting to the point where they need to be validated as vigorously as a personal check? Remember those?

I see a business opportunity here. Heck, I’m in love with the modern world and I’ll be out all night.


No Ethics, No Guild, No Credibility


An article in the hometown press on our great state’s efforts to protect its citizens from crooked locksmiths and security guards with misdemeanors.

Like many state licensing agencies, such as those watching over doctors, electricians and architects, the Private Security Bureau checks the criminal backgrounds of applicants. But unlike virtually every other such agency, the bureau doesn’t then evaluate whether applicants’ past behavior has any relevance to their current work, how long ago the crime occurred or whether they have tried to rehabilitate themselves. Instead, applicants with a record sullied by most crimes above a traffic ticket are automatically rejected.

The result: Locksmiths and other professions regulated by the Private Security Bureau must have cleaner legal backgrounds than child care workers.

I also thought about the numerous unlicensed, unmonitored quasi-professionals that serve the security of consumers, businesses and government in the electronic rather than physical realm. Configuring a server, or setting up a home PC may grant access as lucrative as whatever a locksmith or security guard may obtain. Who configured the server for the accounting firm who does your taxes? Is the guy from Geek Squad who just serviced your computer a part-time carder? (I tried to see if there are any ethical or background requirements to become a member of the Geek Squad, but my mind boggled at their Ranks and Titles page. It’s the Masons meets Homeland Security. I’d wager their pee is clear of non-approved substances, though.)

I’m not calling on the State of Texas to regulate this issue, but ethics and compliance with ethics don’t seem to be a priority for the ISC2 and the CISSP designation, a point made eloquently elsewhere. I have more thoughts on how the CISSP could be salvaged, but I’ll make them later.

photo by Monceau


Too important to be left to the generals


Interesting discussion on the secret language of security.

Which dovetails nicely into a panel discussion I saw yesterday. An assortment of CSOs and a Forrester analyst discussed the future of security. Essentially all the tech stuff is being outsourced, and the head of security is being molded into a Risk Officer. I can infer from this that the tech stuff (firewalls, antivirus, and the three-letter acronyms) can scale. But the risk cannot. Risk is the corporation’s own, to be honed, polished and cherished like a treasured logo that no one can quite figure out the meaning of. Risk is the new black, a point made elsewhere, and with more vigor.

One of the CSOs also mentioned that privacy will be shoved aside as a compliance thing, over with the lawyers. I stifled my desire to spring up and shout “HERESY!” for fear that it would awaken my CEU-seeking comrades from their deep and well-deserved slumber.


The Plural of Anecdote is Boring


Dark Reading has an article on identifying the insider threat, although it seems to be more focused on how to spot a bad employee. The article, which seems to be anecdote-based information from Rob Enderle and RSnake, lists the top ten warning signs that you may have a bad employee, or, as they term it, an “insider.”

Sure, the insider threat may be a subset of the bad employee, but these ten warning signs don’t seem to indicate anything else. The IP thief is not the same as the disgruntled vandal is not the same as the black market carder. The article conflates all these threats, and winds up with recommendations so broad as to be meaningless. For example:

  • Excessive absences

Well, this is bad employee behavior. But an employee who is about to leave is no less damaging a threat than an employee who has an ongoing scheme that requires constant maintenance. The classic anti-fraud control of requiring an employee to take vacation seems to run counter to the cited behavior. Is the dude taking extra sick days as dangerous as the dude who routinely funnels dozens of credit card numbers or SSNs to his buddy on CarderPlanet but keeps a low profile?

  • Unusual behavior / Office romance gone bad

Bad stuff, but is there really a high enough incident rate to justify it as a “red flag” for a potential bad guy? If not, this advice seems to confuse as much as clarify.

  • Employee is terminated / Employee resigns

I believe the employee would be participating in the “outsider threat” at that point.

The real meaty threats and the red flags associated with them are a bit more nuanced, and have been hashed out in the fraud investigation field for years. Computer crime is just crime. Vandals are vandals. The computer security industry seems to be genuinely befuddled when encountering a threat that doesn’t have an 8P8C modular connector jack.

Image from oronzo.


Bystanders and Heroes


From the Chronicle of Higher Ed comes this link to The Banality of Heroism. It’s worth reading, as are a couple of other articles that are part of the Greater Good, of which I was heretofore unaware.

Some basic questions in the article (co-authored by one of the researchers behind the Stanford Prison Experiment) can be applied to the corporate realm.

This article on the bystander syndrome is also worth reading. If resistance to the bystander syndrome can be learned, it should be part of training for every auditor.


Privacy raised to level of Terrorism, Drugs


This bit from my hometown paper, written by ace real estate appraiser David Lewis, uses privacy, identity theft and terrorism to support his objection to a law requiring disclosure of the amount of real estate transactions. In some ways,

The proposed law is also dangerous. This is the era of terrorism and identity theft. Even the individual investors who make $1 million or less on a property sale can become targets.

When these sales prices are reported, the information won’t become dusty trivia hidden away in the basement of a rural courthouse. The prices will be on the Internet, easily accessible from anywhere in the world. Texans will be exposed. Should the elderly widow have her real estate wealth advertised to crooks and con artists? If we lift the veil on real estate sales prices, we will open the door of opportunity to the criminal element who will misuse this information. These incidences may be rare, but even one tragic case is too many.

According to Mr. Lewis’ byline, he was a founding board member of the Harris County Appraisal District. Check out the website. I remember when they used to have sketches of the houses; they aren’t there anymore. According to the website disclaimer:

Texas law prevents us from displaying residential sketches on our website. You can see the sketch or get a copy at HCAD’s information center at 13013 NW Freeway.

Although hoisting his argument on the image of an elderly Texas widow being robbed of her ranch and then bombed by terrorists is naked fear mongering, there is some point to be made here. As Texas law has acknowledged, there is a different level of privacy between public records available on the Internet and public records you can only get by waltzing into an office and getting face to face with a human, J. J. Gittes style.


I don’t give a damn about my bad reputation


No. No. Not me.

I was meditating on reputation risk the other day, and behold, the Daily Dave belches forth the documents I sought. (I remembered something on Emergent Chaos on this topic, but hadn’t dug deep enough into their archives.)
The study I remembered, and cited by Adam Shostack, was “Is There a Cost to Privacy Breaches? An Event Study.”

The salient quote:

“[Privacy breach] impact is statistically significant and negative, although it is short-lived.”

Which is supported by anecdote (check out the TJX stock price).

So how do you convince your management to follow privacy principles? Appeal to the better angels of their nature? Start eavesdropping and pretexting them and see how they like it? (HP probably did as much good as the CDT, EFF or ACLU as far as advancing the privacy agenda in Congress).

I’m guessing the shift, as a result of the “privacy fatigue” and the “identity theft fatigue,” should be toward the high-risk transactions that expose the data’s subject to verifiable risks, not just the lost computer tape or missing laptop. But I need data to support that, dagnabit. Else:

An’ everyone can say what they wanna say, it never gets better anyway.


Stupid, powerless, uneducated.


Infoworld on a session at RSA: The Cybercrime Blame Game.
Although a conference center ballroom may not be conducive to rational discourse (see: US Political Party Conventions), this discussion appears a bit over the top:

  • More people complaining about identity theft does not necessarily mean there is more identity theft. I’m sure there was a dramatic increase in complaints about anthrax without a corresponding increase in anthrax attacks. (See the corresponding stat later in the article citing an 11.5% decrease in dollar losses due to identity theft.)
  • FTC Gorman is right: Calling people stupid doesn’t solve anything. I’ve never been a fan of Winkler’s ideas nor his rhetorical method.
  • The job of an ISP is to move packets, not to sit in loco parentis for everyone with a broadband connection. (Why was this applauded? Were all the NANOG guys still in Toronto?)
  • What makes an empowered consumer is not education, but power. Give the consumer the right and responsibility to take care of their own data. Not the credit bureau, federal law enforcement, the ISPs or Wal-Mart. The consumer. Build an infrastructure around that idea. The consumer isn’t stupid, he just doesn’t care and when he does care, he has no standing. Maybe the empowered consumer idea is just too European.


Safe Internet Day


I find few concepts as boring as “Safe Internet Day.” Except maybe “Is Open Source as Secure as Closed Source?” I mean good grief. If it weren’t for my incredibly uncomfortable shoes digging trenches into my Achilles tendon, I would have fallen asleep just thinking about writing the above sentence.

How about a pretty chart and a map with like scans and stuff on it?

Still pretty boring.

To hold off the stultification, I’ve decided to rename the blog. Also, there are other blogs out there about being alone, or cheese, or being alone with cheese, that I feel would dilute my burgeoning brand. And maybe not everyone gets the Omar reference.

So the new name will be:

Another Set of Teeth – from “Teeth” by the Mekons

What, no, not another set of teeth
each crisis bites, but not so deep.
What, no, not another set of teeth
And through the shadows we always creep.

I think “through the shadows we always creep” is part of the CISSP Code of Ethics, but I’d have to look it up.
