March 2011 Archives

You might be wondering how it is that we got to this point in industry evolution. It seems like very little has actually improved over the past decade+. Sure, there are a lot more products out there, but many seem to fall short on delivery (shocking, I'm sure), and the threats have only grown exponentially in number and skill. If you don't think you're pwnd or on the verge of being pwnd, well, I'm here to tell you that nothing could be further from the truth (FUD? maybe, but only if it's not true!).

There's a lot of history in this industry, despite the fact that we seem to keep reinventing ourselves every few years. The irony is that, the more things change, the more things stay the same. That being said, while I'm sure you all know these things, I think it bears covering some of the history, at least as I've seen it first-hand over the past 15+ years.

Subtitle: Why Evidence-Based Risk Management Is As Good As Good As It Can Get

"If you cannot measure it, you cannot improve it." (Lord Kelvin)

I go round-and-round on the whole "information risk" topic... I believed in it for a while, then I didn't, then I did, and so on and so forth. Mind you, I'm definitely not in the Donn Parker camp on things here. I'm also a big fan of FAIR and the work that Jack Jones has done over the years. That being said, I'm tired of the in-fighting between the different camps, in particular because these are truly petty squabbles that adds almost no real, practical value.

Where I'm really getting hung-up today is with Kelvin's notion that you can't improve something if you can't measure it. I suppose I'm perhaps putting words into his mouth a bit when I imply "empirically" and "quantitatively" in front of "measure," but if you look at a lot of the churn in info-risk circles, you'll see that much of it is around quantitative techniques. To boot, if you then look at Douglass Hubbard's How to Measure Anything, then you'll further see that there's an obsession with quantitative measurements, even if only through using ranges. There are, however, problems and limitations...

Let me just say up front: This is not a formal correlation as the result of a study, but rather an anecdotal correlation that occurred to me this week. The source discussion involved how people act on the east coast vs. the (upper) midwest where I grew up. However, the principle seems to apply very broadly.

Simply put, my hypothesis is: As communities grow in size, the values represented by that community will shift from being community-centric to being individually oriented. That is, at a certain tipping point a community will be large enough that people will stop taking into consideration the entire community, and will instead focus almost exclusively on their own, selfish needs.

I recently gave a firetalk at BSides Austin 2011 on the topic of "how not to suck at public speaking," which, ironically, flopped, and hard. There were a number of reasons the talk didn't succeed. First, the projector wouldn't handle 800x600 resolution, which was a bit of a problem since my Keynote preso deck was hard-set to 800x600 (as a side note: Keynote may be my design tool of choice, but it will *not* be my actual build tool of choice going forward - I'll be switching everything back to PowerPoint ASAP - it at least knows how to scale a preso to match screen resolution!). On a 1280x1024 display, 800x600 looked ridiculously small and unreadable. #FAIL Also, I hadn't had a chance to practice running through the deck enough, and so I didn't have my delivery timed out very well. To make matters worse, I was revved up and thus rushed through the slides. And, lastly, given the projector issues, it should also be unsurprising that the majority of my slides were simply not readable given both the size and some contrast issues.

So, rather than sit and cry about it for any (ok, much) longer, I thought I'd give it a shot at writing about this topic and see if I can't develop things better into a more humorous talk eventually. Or, maybe it'll just suffice as a blog entry for the foreseeable future.

If you're reading this message, then it means that my site migration has completed successfully!

What we're talking about here is "Governance, Risk, & Compliance" (GRC) as a discipline, not the product niche that seems to be the favorite catch-all for startups these days. Simply buying a license for IT UCF and throwing a UI on it does not a GRC product make, and it certainly does not address the overall discipline of GRC, which is fundamental to the successful management of organization and the risk contained therein. All organizations have a governance structure, but they're not universally integrating security and risk management practices into those structures. Moreover, compliance (aka "checkbox security") has taken far too prevalent of a roll in organizations today, rather than being a component of the overall governance and risk management strategies.

Please check out my post over on Gemini's Security Musings blog.

"Lessons from the Fukushima Nuclear Accident"
http://securitymusings.com/article/2591/lessons-from-fukushima

This is just a quick update to let you know that the upgrade portion of my "Upgrade+Migration" project has completed successfully (yay!). I'm going to let things simmer here for a couple days to make sure everything is good before I move on to the next phase. In the meantime, you can find me in Austin, TX, Fri-Sat (3/11-12) where I'll be helping run - and speaking at - Security B-Sides Austin 2011! Yeehaw! :)

Just a heads-up, if this blog suddenly disappears from your feed in the next couple weeks, please check back to make sure your RSS link is correct. Those following on SBN or Feedburner should be unaffected, and I expect those directly linked to my feed will be unaffected as well. Nonetheless, I thought I'd let y'all know... just in case!

Just an fyi, I'm migrating email to a new platform. If everything works properly, then there should be no impact to you (if you're emailing me). Come Monday most DNS records should have flushed. If for some reason you can't reach me via email, then please resort to an alternative communication method (TXT, Twitter, FB, IM, non-secureconsulting.net address).

Thanks!

The video of my OWASP AppSec DC 2010 talk, "The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform", is now available online. You can watch the video on Vimeo, and follow along with a sanitized version of the slides on SlideShare.

(Note: this is a somewhat incomplete thought.)
There's been a lot of talk of late about security metrics, but I'm increasingly inclined to think that we're shooting at the wrong elusive target. Why do we keep chasing after measuring relatively immeasurable things? Instead, I think we should be starting with the things that we can measure. After all, security is a feeling, not a tangible outcome, right?