Spire Security Viewpoint

Top Ten Web Security Risks

Some commentary on my new blog at www.spiresecurity.com.

November 16, 2009

Best Practices for creating Best Practices

Need some advice on creating best practices? Read about them on my new blog here. Enjoy!

October 18, 2009

Should you swap out Windows for security?

Brian Krebs at Security Fix does excellent research into breaches, but I cringed when I saw his advice to "business owners" about how to protect themselves from cybercriminals:

"The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online."

In my opinion, this is horrible advice, especially to small and midsized businesses. Here are some reasons why:

(continued on my new blog site at www.spiresecurity.com - let me know what you think of the pending redesign.)

October 16, 2009

Information Systems Security Association

I am off to the Information Systems Security Association (ISSA) annual meeting this weekend where I'll be taking over as Director of Operations, a volunteer position. I would be interested in hearing your thoughts about the organization - things it does well, where it could get better, etc.

Comment here or send me an email.

September 17, 2009

The Question of Low Priced PCI Assessments

Branden Williams at Verisign (who has a great security blog, especially for its coverage of PCI issues) posts about an interview with Bob Carr of Heartland Payment Systems. The gist of the interview: don't hire the low-cost bidder. Branden's final comments:

Of course, this attitude requires foresight. Which would you rather do: ask for more money today, or ask for a TON more money tomorrow because you had a breach? Most would pick the former, but their actions paint a different picture.

I think this question makes an assumption that higher prices lead to better PCI audits (which are supposed to lead to lower likelihood of breach). It is worth keeping in mind that the "unwanted outcome" for PCI is a negative audit that rescinds the ability to process credit cards.

The PCI auditor decision can be framed the same way we perform any risk assessment: compare the difference in cost between providers to the anticipated difference in value at risk. So it might be "worth it" to use a low-cost provider if its cost savings over another, preferred provider are greater than the anticipated increase in risk.

September 15, 2009

Whenever I read a post like this...

Bruce Schneier posts on how he signs guest registers using somebody else's name:

Since I read that, whenever I see a tourist attraction with a guest register, I do the same thing. I sign "Robert J. Sawyer, Toronto, ON" -- because you never know when he'll need an alibi.

This type of thing goes on all the time among friends - it is juvenile humor at its finest. But it makes me (mildly) uncomfortable to read something like this. I guess I can't understand how someone who respects privacy so much could violate someone else's so easily.

I believe the core issues of privacy revolve around loss of control and misperception. This has both.

I find it even more interesting to consider the outcome of exercises like this on a broader scale - let's say many people start doing this many times... assuming there are also many who value authenticity, it only increases the demand for a national ID program.

September 14, 2009

Implied Value of Life

When I wrote about implied value a while back, I was thinking about this story I had seen in the New York Times. In it, economist Stan Smith used an implied value calculation to estimate the value of life experience, which he calls "hedonic damages":

THERE is economic damage from a wrongful death: the value of a person's lost work life.

Then there is the loss of life's experience - the daily satisfaction of living. Presumably, says the Chicago economist Stan V. Smith, people cherish life itself much more than their work.

"We value our being far more than we value our doing," he said. So why give the loss of work a dollar value but not the loss of daily experience?

Mr. Smith has tried. He coined the term "hedonic damages" for lives and experiences lost.

"As economists, we can't say there's a limit to the value of life," he said. "But there may be an average value that juries can consider."

That average, Mr. Smith figures, is around $4 million.

Mr. Smith says that people unknowingly set a value on their own lives by what they are willing to pay to reduce their everyday risk of death.

Say a certain home safety feature costs $50. If research shows that for every 100,000 of those devices in use, one life is saved, then the implied value of that life is $5 million:

100,000 devices x $50 = $5,000,000 to save 1 life

The more people are willing to pay for safety features, the more they are implicitly valuing their lives. Mr. Smith has calculated value-of-life figures for numerous purchases, based on their costs and how much they reduce the risk of death.

PURCHASED ITEMS AND IMPLIED VALUE OF ONE LIFE:

Automotive air bags: $598,463
Smoke detectors: $628,618
Auto safety features: $4,198,517
Top-grade tires: $6,031,019

The examples above show a large variance in how people implicitly value their life. It can only make sense if the value of life is higher than every one of the implied values. If the value is lower in some cases, then people may be making poor decisions.

September 10, 2009

Why won't anyone define what "failure" and "hopeless" mean?

It is easy for security folks to get into a funk. We exhibit huge levels of confirmation bias, driven by the publicity around "how bad things are," and ignore the boring but far more common case of things [on the Internet] being "good." So folks end up saying the Internet is failing, all is hopeless, etc.

But try asking how security professionals define failure and you can't get a straight answer. That is primarily because they haven't thought about it, and the notion of failure reverts to some anecdote about the latest compromise or vulnerability.

This topic comes up pretty frequently (it came up today on a mailing list I'm on). It sure would help frame the discussion to define things a bit better.

September 09, 2009

The Scarecrow Knows Compliance... sort of

A line from Michael Connelly's (excellent) book "The Scarecrow":

"...Mr. McGinnis would design and build a facility with the highest level of security in order to meet compliance demands for hosting HIPPA, SOCKS, and S-A-S Seventy.

I'd learned my lesson [referring to an earlier gaffe not knowing what dark fiber was]. This time I just nodded as if I knew exactly what she was talking about."

Sounds like that might have been what Connelly did, too. ;-)

September 09, 2009

ROI, ROSI and Cost-Benefit of CCTV

There is a good discussion over at Schneier on Security about the value of London's surveillance cameras. It is useful to recognize the value proposition of detective measures - we don't expect to prevent malicious actions, we expect to increase the likelihood that the bad guys will get caught.

The value proposition of detective controls can be a bit trickier than it seems. From a Return on Security Investment (ROSI) perspective, the overall goal is to increase the costs associated with crimes and therefore:

  1. Reduce the number of incidents that occur through a deterrent effect;
  2. Increase the likelihood that bad guys will be identified;
  3. Contribute to the body of evidence available for a crime; and
  4. Shorten the time span of active investigation.

From a Return on Investment (ROI) perspective, the cameras may be much less expensive than alternative measures being considered (or replaced) for crime fighting.

Regardless of what side you are on, this is the right discussion to be having.

August 31, 2009
