Saturday, September 29, 2007

Three Prereviews

I am fairly excited by several new books which arrived at my door last week. The first is Security Data Visualization by Greg Conti. I was pleased to see a book on visualization, but also a book on visualization in color! I expect to learn quite a bit from this book and hope to apply some of the lessons to my own work. The next book is End-to-End Network Security: Defense-in-Depth by Omar Santos. This book seems like a Cisco-centric approach to defending a network, but I decided to take a look when I noticed sections on forensics, visibility, and telemetry. The author includes several diagrams which show how to get information from a variety of devices in a manner similar to NSM. I hope to be able to operationalize this information as well. The last new book is LAN Switch Security: What Hackers Know About Your Switches by Eric Vyncke and Christopher Paggen. This book looks really interesting. It is probably going to be my favorite of these three. I don't spend much time in my classes talking about layer 2 defenses, so it is cool to see a modern book just about that topic. I believe most enterprises do little with layer 2 security, so perhaps this book can improve that situation.

Cyberinsurance in IT Security Management

One more thought before I retire this evening. I really enjoyed reading Cyberinsurance in IT Security Management by Walter S. Baer and Andrew Parkinson. Here are my favorite excerpts.

IT security has traditionally referred to technical protective measures such as firewalls, authentication systems, and antivirus software to counter such attacks, and mitigation measures such as backup hardware and software systems to reduce losses should a security breach occur. In a networked IT environment, however, the economic incentives to invest in protective security measures can be perverse. My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others.

In economic terms, the private benefits of investment are less than the social benefits, making networked IT security a public good — and susceptible to the free-rider problem. As a consequence, private individuals and organizations won’t invest sufficiently in IT security to provide an optimal (or even adequate) level of societal protection.

In other areas, such as fire protection, insurance has helped align private incentives with the overall public good. A building owner must have fire insurance to obtain a mortgage or a commercial business license. Obtaining insurance requires that the building meet local fire codes and underwriting standards, which can involve visits from local government and insurance company inspectors. Insurance investigators also follow up on serious incidents and claims, both to learn what went wrong and to guard against possible insurance abuses such as arson or fraud. Insurance companies often sponsor research, offer training, and develop best-practice standards for fire prevention and mitigation.

Most important, insurers offer lower premiums to building owners who keep their facilities clean, install sprinklers, test their control systems regularly, and take other protective measures. Fire insurance markets thus involve not only underwriters, agents, and clients, but also code writers, inspectors, and vendors of products and services for fire prevention and protection. Although government remains involved, well-functioning markets for fire insurance keep the responsibility for and cost of preventive and protective measures largely within the private sector.

That is so compelling. Unfortunately, the cyberinsurance market is currently small:

[B]usinesses now generally buy stand-alone, specialized policies to cover cyberrisks. According to Betterley Risk Consultants surveys, the annual gross premium revenue for cyberinsurance policies has grown from less than US$100 million in 2002 to US$300 to 350 million by mid 2006. These estimates, which are based on confidential survey responses from companies offering cyberinsurance, are nearly an order of magnitude below earlier projections made by market researchers and industry groups such as the Insurance Information Institute.

But Betterley, like many other industry experts, believes that cyberinsurance will be one of the fastest growing segments of the property and casualty market over the next several years. With only 25 percent of respondents to the most recent Computer Security Institute/US Federal Bureau of Investigation Computer Crime and Security survey reporting that, “their organizations use external insurance to help manage cybersecurity risks,” the market has plenty of room for growth.

So what are the problems?

The reported 25 percent cyberinsurance adoption rate appears low to many observers, given well-publicized increases in IT security breaches and greater regulatory pressures to deal with them. Although we could partially attribute the slow uptake to how long it takes organizations to acknowledge new security risks and budget for them, several other factors seem to be of particular concern for cyberinsurance. They include problems of asymmetric information, interdependent and correlated risks, and inadequate reinsurance capacity...

Insurance companies feel the effect of asymmetric information both before and after a customer signs an insurance contract. They face the adverse selection problem—that is, a customer who has a higher risk of incurring a loss (through risky behaviors or other—perhaps innate—factors) will find insurance at a given premium more attractive than a lower-risk customer. If the insurer can’t differentiate between them—and offer differentiated premiums—it won’t be able to sustain a profitable business.

Of course, to some extent, insurance companies can differentiate between risk types; sophisticated models can predict risk for traditional property/casualty insurance, and health insurance providers try to identify risk factors through questionnaires and medical examinations. Insurers can also apply these mechanisms to cyberinsurance: they can undertake rigorous security assessments, examining in-depth IT deployment and security processes.

Although such methods can reduce the asymmetric information between insurer and policyholder, they can never completely eliminate it. Particularly in the information security field, because risk depends on many factors, including technical and human factors and their interaction, surveys can’t perfectly quantify risk, and premium differentiation will be imperfect.

The second impact of asymmetric information occurs after an insurance contract has been signed. Insured parties can take (hidden) actions that increase or decrease the risk of claiming (for example, in the case of car insurance, driving carelessly, not wearing a seatbelt, or failing to properly maintain the car), but the insurer can’t observe the insured’s actions perfectly. Under full insurance, an individual has little incentive to undertake precautionary measures because any loss is fully compensated—a problem economists term moral hazard.

Insurers may be able to mitigate certain actions through partial insurance (so making a claim carries a monetary or convenience cost) and clauses in the insurance contract—for example, policyholders must usually meet a set standard of care, and fraudulent or other criminal actions (such as arson) are prohibited. However, many actions remain unobservable, and it’s difficult to prove that a client didn’t meet a due standard of care.

Cyberinsurers could administer surveys at regular intervals and link coverage to a certain minimum standard of security. Although this might be feasible from a technical standpoint, human factors are often the weakest link in the chain and possibly unobservable, so the moral hazard problem might not be completely alleviated, implying that the purchase of cyberinsurance could in fact reduce efforts on information security. Nevertheless, purchasers also have incentives to increase effort—that is, to invest in security to obtain insurance or reduce premiums—that would outweigh moral hazard effects in a viable and well-functioning market.

The problem of asymmetric information is common to all insurance markets; however, most markets function adequately given the range of tactics used by insurance companies to overcome these information asymmetries. Many of these remedies have developed over time in response to experience and result in the well-functioning insurance markets we see today.

This gives me some hope. The article continues:

[G]overnment actions to spur development of the cyberinsurance market could include assigning liability for IT security breaches, mandating incident reporting, mandating cyberinsurance or financial responsibility, or facilitating reinsurance by indemnifying catastrophic losses. Clarifying liability law to assign liability “to the party that can do the best job of managing risk” would make good economic sense, but it seems a political nonstarter in the US—and the problem’s global nature would require a global response.

Similarly, government regulations that mandate reporting of cyberincidents (similar to that required for civil aviation incidents and contagious disease exposures) appear to have little political support. Probably more plausible in the short run would be contractual requirements that government contractors carry cyberliability insurance on projects highly dependent on IT security...

Jane Winn of the University of Washington School of Law has proposed a self-regulatory strategy, based on voluntary disclosures of compliance with security standards and enforcement through existing trade practices law, as a politically more viable alternative than new government regulation. Such a strategy would require increased public awareness of cybersecurity (with possible roles for government) as well as public demand that organizations disclose whether they comply with technical standards or industry best practices.

Disclosures would be monitored for compliance by their customers and competitors; and in the case of deceptive advertising, the US Federal Trade Commission could take enforcement action under existing regulation. This strategy could spur cyberinsurance adoption, which would indicate that the organization has passed a security audit or otherwise met underwriters’ security standards.

Perhaps the most important role for government would be to facilitate a full and deep cyberreinsurance market, as the UK and US have done for reinsurance of losses due to acts of terrorism.


What a great article. I recommend reading it.

Security Staff as Ultimate Insurance

I'm continuing to cite the Fifth Annual Global State of Information Security:

Speaking of striking back, the 2007 security survey shows a remarkable (some might say troubling) trend.

The IT department wants to control security again.

In the first year of collaboration on this survey, CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company's security group reported to IT. Those companies also spent more on security.

The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project — which might slow down the project and add to its cost — he's got a serious conflict of interest. In the 2003 survey, one CISO said that conflict "is just too much to overcome. Having the CISO report to IT, it's a death blow."


Ouch. CIO continues:

What's going on here? Johnson has one theory: "Security seems to be following a trajectory similar to the quality movement 20 or 30 years ago, only with security it's happening much faster. During the quality movement, everyone created VPs of quality. They got CEO reporting status. But then in 10 years the position was gone or it was buried."

In the case of the quality movement, Johnson says, that may have been partly because quality became ingrained, a corporate value, and it didn't need a separate executive. But the evidence in the survey suggests that security is neither ingrained nor valued. It's not even clear companies know where to put security, which would explain the "gobs of dotted line" reporting structures.

That brings us to another theory: organizational politics. What if separating security from IT were creating checks on software development (not a bad thing, from a security standpoint)? What if all this security awareness the survey has indicated actually exposed the typical IT department's insecure practices?

One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.

Interesting. The article finishes with these thoughts:

[M]aybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. "I continually see security people put in the position of fall guy," says Woerner of TD Ameritrade. "Maybe some of that separation was, subconsciously, creating a group to take the hit."

This leads me to the title of my post. What if security staff is the ultimate insurance -- for the CIO? In other words, what if the CIO performs "security theater," creating a CISO position and staff, but doesn't give the CISO the authority or resources to properly defend the enterprise? If no breaches (seem) to occur, then the CIO looks like a hero for keeping security spending low. If a breach does occur (and is discovered), the CIO blames the CISO. The CISO is fired and the CIO keeps his/her job -- at least for now. I don't see a CIO executing this strategy more than once successfully.

What do you think?

Friday, September 28, 2007

Visibility, Visibility, Visibility

CIO Magazine's Fifth Annual Global State of Information Security features an image of a happy, tie-wearing corporate security person laying bricks to make a wall, while a dark-clad intruder with a crowbar violates the laws of physics by lifting up another section of the wall like it was made of fabric. That's a very apt reference to Soccer Goal Security, and I plan to discuss security physics in a future post. Right now I'd like to feature a few choice excerpts from the story:

Awareness of the problematic nature of information security is approaching an all-time high. Out of every IT dollar spent, 15 cents goes to security. Security staff is being hired at an increasing rate. Surprisingly, however, enterprise security isn't improving...

Are you feeling the disquiet that comes from knowing there's no reason why your company can't be the next TJX? The angst of knowing that these modern plagues — these spam e-mails, these bots, these rootkits — will keep coming at you no matter how much time and money you spend trying to stop them? The chill that comes from knowing how much you don't know...

You're undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them...

"That next level of maturity has not been reached," says Mark Lobel, a principal with PWC's advisory services. "We have the technology but still don't have our hands around what's important and what we should be monitoring and protecting."

Not everyone has shifted from "somewhat blissful ignorance" to "largely depressing knowledge" yet, but they'll get there eventually.

Five years ago, 36 percent of respondents to the "Global State of Information Security" survey reported that they had suffered zero security incidents. This year, that number was down to 22 percent.

Does this mean there are more incidents? We don't think so. We believe it simply means that more companies are aware of the incidents that they've always suffered but into which, until recently, they had no visibility. Those once inexplicable network outages are now known to be security incidents. Perhaps a spam outbreak wasn't considered a security incident before, but now that it can deliver malware, it is. Awareness is higher, and that's because companies have spent the past five years building an infrastructure that creates visibility into their security posture.


That's right -- visibility. I love it.

This year marks the first time "employees" beat out "hackers" as the most likely source of a security incident. Executives in the security field, with the most visibility into incidents, were even more likely to name employees as the source.

Have employees suddenly turned more malicious? Are inside jobs suddenly more fashionable and productive than they used to be? Probably not. Most security experts will tell you that the insider threat is relatively constant and is usually bigger than its victims suspect. None of us wants to think we've hired an untrustworthy person.

This spike in assigning the blame for breaches and attacks to employees is probably more like the dip in companies that report zero incidents — a reflection of awareness, of managers' ability to recognize what was always there but what they couldn't previously determine.


I'd agree with that. I would also blame misreporting surfing pr0n sites and the like as "security incidents." CIO continues:

But here's an odd paradox: Despite the massive buildup of people, process and technology during the past five years, and fewer people reporting zero incidents, 40 percent of respondents didn't know how many incidents they've suffered, up from 29 percent last year.

The rate of "Don't know" for the type of incident and the primary method used to attack also spiked.

It doesn't bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn't have a clue as to what was going on in their own enterprises. But when close to a third of CSOs and CISOs, who presumably should have the most insight into security incidents, said they don't know how many incidents they've suffered or how these incidents occurred, that's even worse...

The truth is, systems, processes, tools, hardware and software, and even knowledge and understanding only get you so far. As [Ron] Woerner puts it, "When you gain visibility, you see that you can't see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There's so much out there, it's overwhelming."

Woerner and others believe that the security discipline has so far been skewed toward technology—firewalls, ID management, intrusion detection—instead of risk analysis and proactive intelligence gathering.

Check this out, too. Someone recognizes the nature of Attacker 3.0:

Furthermore, even a cursory look at security trends demonstrates that adversaries, be they disgruntled employees or hackers, have far more sophisticated tools than the ones that have been put in place to stop them. Antiforensics. Mass distribution of malware through compromised websites. Botnets. Keyloggers. Companies may have spent the past five years building up their security infrastructure, but so have the bad guys. Awareness includes a new level of understanding of how little you know about how the bad guys operate. As arms races go, the bad guys are way ahead.

So what can we do about this? Say it isn't so:

What can be done about all this? Be strategic. Security investment must shift from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy.

Information and security executives should, for example, be putting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir dollars into industry information sharing. "Collaboration is key," says Woerner. They should invest in security research and technical staff that can capture and dissect malware, and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y should troll cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet underground for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latest trends and leads.
(emphasis added)

I would add that it's only appropriate to turn to advanced sources when you have the security basics in place. It's no use trying to learn how to defend against attacker 2.0 or 3.0 if you can't handle 1.0.

There's more to say about this survey, but I'll save the rest for a second post because the nature of it is so different from this one.

Excerpts from Ross Anderson / Tyler Moore Paper

I got a chance to read a new paper by one of my three wise men (Ross Anderson) and his colleague (Tyler Moore): Information Security Economics - and Beyond. The following are my favorite sections.

Over the last few years, people have realised that security failure is caused by bad incentives at least as often as by bad design. Systems are particularly prone to failure when the person guarding them does not suffer the full cost of failure...

[R]isks cannot be managed better until they can be measured better. Most users cannot tell good security from bad, so developers are not compensated for efforts to strengthen their code. Some evaluation schemes are so badly managed that ‘approved’ products are less secure than random ones. Insurance is also problematic; the local and global correlations exhibited by different attack types largely determine what sort of insurance markets are feasible. Cyber-risk markets are thus generally uncompetitive, underdeveloped or specialised...

One of the observations that sparked interest in information security economics came from banking. In the USA, banks are generally liable for the costs of card fraud; when a customer disputes a transaction, the bank must either show she is trying to cheat it, or refund her money. In the UK, the banks had a much easier ride: they generally got away with claiming that their systems were ‘secure’, and telling customers who complained that they must be mistaken or lying. “Lucky bankers,” one might think; yet UK banks spent more on security and suffered more fraud. This may have been what economists call a moral-hazard effect: UK bank staff knew that customer complaints would not be taken seriously, so they became lazy and careless, leading to an epidemic of fraud.

In 1997, Ayres and Levitt analysed the Lojack car-theft prevention system and found that once a threshold of car owners in a city had installed it, auto theft plummeted, as the stolen car trade became too hazardous. This is a classic example of an externality, a side-effect of an economic transaction that may have positive or negative effects on third parties. Camp and Wolfram built on this in 2000 to analyze information security vulnerabilities as negative externalities, like air pollution: someone who connects an insecure PC to the Internet does not face the full economic costs of that, any more than someone burning a coal fire. They proposed trading vulnerability credits in the same way as carbon credits...

Asymmetric information plays a large role in information security. Moore showed that we can classify many problems as hidden-information or hidden-action problems. The classic case of hidden information is the ‘market for lemons'. Akerlof won a Nobel prize for the following simple yet profound insight: suppose that there are 100 used cars for sale in a town: 50 well-maintained cars worth $2000 each, and 50 ‘lemons’ worth $1000. The sellers know which is which, but the buyers don’t. What is the market price of a used car? You might think $1500; but at that price no good cars will be offered for sale. So the market price will be close to $1000.

Hidden information, about product quality, is one reason poor security products predominate. When users can’t tell good from bad, they might as well buy a cheap antivirus product for $10 as a better one for $20, and we may expect a race to the bottom on price.

Hidden-action problems arise when two parties wish to transact, but one party’s unobservable actions can impact the outcome. The classic example is insurance, where a policyholder may behave recklessly without the insurance company observing this...

[W]hy do so many vulnerabilities exist in the first place? A useful analogy might come from considering large software project failures: it has been known for years that perhaps 30% of large development projects fail, and this figure does not seem to change despite improvements in tools and training: people just built much bigger disasters nowadays than they did in the 1970s. This suggests that project failure is not fundamentally about technical risk but about the surrounding socio-economic factors (a point to which we will return later).

Similarly, when considering security, software writers have better tools and training than ten years ago, and are capable of creating more secure software, yet the economics of the software industry provide them with little incentive to do so.

In many markets, the attitude of ‘ship it Tuesday and get it right by version 3’ is perfectly rational behaviour. Many software markets have dominant firms thanks to the combination of high fixed and low marginal costs, network externalities and client lock-in noted above, so winning market races is all-important. In such races, competitors must appeal to complementers, such as application developers, for whom security gets in the way; and security tends to be a lemons market anyway. So platform vendors start off with too little security, and such as they provide tends to be designed so that the compliance costs are dumped on the end users. Once a dominant position has been established, the vendor may add more security than is needed, but engineered in such a way as to maximise customer lock-in.

In some cases, security is even worse than a lemons market: even the vendor does not know how secure its software is. So buyers have no reason to pay more for protection, and vendors are disinclined to invest in it.

How can this be tackled? Economics has suggested two novel approaches to software security metrics: vulnerability markets and insurance...

Several variations on vulnerability markets have been proposed. Bohme has argued that software derivatives might be better. Contracts for software would be issued in pairs: the first pays a fixed value if no vulnerability is found in a program by a specific date, and the second pays another value if one is found. If these contracts can be traded, then their price should reflect the consensus on software quality. Software vendors, software company investors, and insurance companies could use such derivatives to hedge risks. A third possibility, due to Ozment, is to design a vulnerability market as an auction...

An alternative approach is insurance. Underwriters often use expert assessors to look at a client firm’s IT infrastructure and management; this provides data to both the insured and the insurer. Over the long run, insurers learn to value risks more accurately. Right now, however, the cyber-insurance market is both underdeveloped and underutilised. One reason, according to Bohme and Kataria, is the interdependence of risk, which takes both local and global forms. Firms’ IT infrastructure is connected to other entities – so their efforts may be undermined by failures elsewhere.

Cyber-attacks often exploit a vulnerability in a program used by many firms. Interdependence can make some cyber-risks unattractive to insurers – particularly those risks that are globally rather than locally correlated, such as worm and virus attacks, and systemic risks such as Y2K.

Many writers have called for software risks to be transferred to the vendors; but if this were the law, it is unlikely that Microsoft would be able to buy insurance. So far, vendors have succeeded in dumping most software risks; but this outcome is also far from being socially optimal. Even at the level of customer firms, correlated risk makes firms under-invest in both security technology and cyber-insurance. Cyber-insurance markets may in any case lack the volume and liquidity to become efficient.
(emphasis added)

If you made it this far, here's my small contribution to this paper: what about breach derivatives? To paraphrase the paper, contracts for companies would be issued in pairs: the first pays a fixed value if no breach is reported by a company by a specific date, and the second pays another value if one is reported. If these contracts can be traded, then their price should reflect the consensus on company security.

I understand the incentives for companies to stay quiet about breaches, but this market could encourage people to report. I imagine it could also encourage intruders to compromise a company intentionally, as the authors mention:

One criticism of all market-based approaches is that they might increase the number of identified vulnerabilities by motivating more people to search for flaws.

What do you think?

Microsoft's Anemone Project

While flying to Los Angeles this week I read a great paper by Microsoft and Michigan researchers: Reclaiming Network-wide Visibility Using Ubiquitous Endsystem Monitors. From the Abstract:

Network-centric tools like NetFlow and security systems like IDSes provide essential data about the availability, reliability, and security of network devices and applications. However, the increased use of encryption and tunnelling has reduced the visibility of monitoring applications into packet headers and payloads (e.g. 93% of traffic on our enterprise network is IPSec encapsulated). The result is the inability to collect the required information using network-only measurements.

To regain the lost visibility we propose that measurement systems must themselves apply the end-to-end principle: only endsystems can correctly attach semantics to traffic they send and receive. We present such an end-to-end monitoring platform that ubiquitously records per-flow data and then we show that this approach is feasible and practical using data from our enterprise network.


This is cool. How does it work?

Each endsystem in a network runs a small daemon that uses spare disk capacity to log network activity. Each desktop, laptop and server stores summaries of all network traffic it sends or receives. A network operator or management application can query some or all endsystems, asking questions about the availability, reachability, and performance of network resources and servers throughout the organization...

Ubiquitous network monitoring using endsystems is fundamentally different from other edge-based monitoring: the goal is to passively record summaries of every flow on the network rather than to collect availability and performance statistics or actively probe the network...

It also provides a far more detailed view of traffic because endsystems can associate network activity with host context such as the application and user that sent a packet. This approach restores much of the lost visibility and enables new applications such as network auditing, better data centre management, capacity planning, network forensics, and anomaly detection.

Using real data from an enterprise network we present preliminary results showing that instrumenting, collecting, and querying data from endsystems in a large network is both feasible and practical.


How practical?

For example, our own enterprise network contains approximately 300,000 endsystems and 2,500 routers. While it is possible to construct an endsystem monitor in an academic or ISP network there are significant additional deployment challenges that must be addressed. Thus, we focus on deployment in enterprise and government networks that have control over software and a critical need for better network visibility...

Even under ideal circumstances there will inevitably be endsystems that simply cannot easily be instrumented, such as printers and other hardware running embedded software. Thus, a key factor in the success of this approach is obtaining good visibility without requiring instrumentation of all endsystems in a network. Even if complete instrumentation were possible, deployment becomes significantly more likely where incremental benefit can be observed...

[I]nstrumenting just 1% of endsystems was enough to monitor 99.999% bytes on the network. This 1% is dominated by servers of various types (e.g. backup, file, email, proxies), common in such networks.


Wow -- in other words, just pick the right systems to instrument and you end up capturing a LOT of traffic.

How heavy is the load?

To evaluate the per-endsystem CPU overhead we constructed a prototype flow capture system using the ETW event system [Event Tracing for Windows]. ETW is a low overhead event posting infrastructure built into the Windows OS, and so a straightforward usage where an event is posted per-packet introduces overhead proportional to the number of packets per second processed by an endsystem.

We computed observed packets per second over all hosts, and the peak was approximately 18,000 packets per second and the mean just 35 packets per second. At this rate of events, published figures for ETW [Magpie] suggest an overhead of no more than a few percent on a reasonably provisioned server...

[F]or a 1 second export period there are periods of high traffic volume requiring a large number of records be written out. However, if the export timer is set at 300 seconds, the worst case disk bandwidth required is ≃4.5 MB in 300 seconds, an average rate of 12 kBps.

The maximum storage required by a single machine for an entire week of records is ≃1.5 GB, and the average storage just ≃64 kB. Given the capacity and cost of modern hard disks, these results indicate very low resource overhead.


This is great. I emailed the authors to see if they have an implementation I could test. The home for this work appears to be the Microsoft Anemone Project.
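To make the mechanics above concrete, here is an added example of the endsystem side of that design: a small Python flow recorder that turns a per-packet event stream into one summary record per flow per export window, keeps the host context (process and user) a network tap cannot see, and answers the kind of "who talked to this server" query the paper describes. This is my own illustration, not code from the paper or from the Anemone project; the event fields, the 300-second export timer as a window boundary, and the sample packet stream are all assumptions.

```python
"""Endsystem flow recorder in the spirit of the Anemone design.

Added example, not code from the paper or from the Anemone project.
Assumptions (not from the paper): a per-packet event carries the host
context (process name, user) the paper says only an endsystem can attach,
and completed flow summaries are flushed to disk on a fixed export timer.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

EXPORT_SECS = 300  # the 300-second export period discussed in the paper


@dataclass(frozen=True)
class FlowKey:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    process: str  # host context a network tap cannot see
    user: str


@dataclass
class FlowRecord:
    first_seen: float
    last_seen: float
    packets: int
    bytes: int


class FlowRecorder:
    """Turns a per-packet event stream into per-flow summaries per export window."""

    def __init__(self, export_secs: int = EXPORT_SECS):
        self.export_secs = export_secs
        self._window_start = None  # start time of the currently open export window
        self._active: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[Tuple[float, FlowKey, FlowRecord]] = []

    def on_packet(self, ts, proto, src, sport, dst, dport, nbytes, process, user):
        if self._window_start is None:
            self._window_start = ts - (ts % self.export_secs)
        # Close every window that ended before this packet arrived.
        while ts >= self._window_start + self.export_secs:
            self._flush()
            self._window_start += self.export_secs
        key = FlowKey(proto, src, sport, dst, dport, process, user)
        rec = self._active.get(key)
        if rec is None:
            self._active[key] = FlowRecord(ts, ts, 1, nbytes)
        else:
            rec.last_seen = ts
            rec.packets += 1
            rec.bytes += nbytes

    def _flush(self):
        # One record per flow per window is what would be written to local disk.
        for key, rec in self._active.items():
            self.exported.append((self._window_start, key, rec))
        self._active = {}

    def finish(self):
        self._flush()
        return self.exported


def summarize(packets, export_secs: int = EXPORT_SECS):
    """Feed a chronological packet event list through the recorder."""
    recorder = FlowRecorder(export_secs)
    for pkt in packets:
        recorder.on_packet(*pkt)
    return recorder.finish()


def query(records, dst=None, dport=None):
    """Operator query: which (host, process, user) talked to dst:dport?"""
    hits = set()
    for _, key, _rec in records:
        if (dst is None or key.dst == dst) and (dport is None or key.dport == dport):
            hits.add((key.src, key.process, key.user))
    return sorted(hits)


# Constructed sample event stream (not real traffic): one busy SMB session,
# one DNS lookup, then a second short SMB session in a later export window.
SAMPLE_PACKETS = (
    [(1000.0 + i * 0.1, "tcp", "10.0.0.5", 51000, "10.0.0.20", 445, 1400,
      "explorer.exe", "alice") for i in range(500)]
    + [(1050.0, "udp", "10.0.0.5", 53000, "10.0.0.2", 53, 80, "svchost.exe", "SYSTEM")]
    + [(1400.0 + i, "tcp", "10.0.0.5", 51001, "10.0.0.20", 445, 1400,
        "explorer.exe", "alice") for i in range(3)]
)

if __name__ == "__main__":
    records = summarize(SAMPLE_PACKETS)
    print(f"{len(SAMPLE_PACKETS)} packet events -> {len(records)} flow records")
    for window, key, rec in records:
        print(window, key.src, key.process, key.user, "->",
              f"{key.dst}:{key.dport}", rec.packets, "pkts", rec.bytes, "bytes")
    print("talked to 10.0.0.20:445:", query(records, "10.0.0.20", 445))
```

The point of the example is the ratio: 504 packet events collapse into three flow records, which is why the paper can budget disk in kilobytes per window, and the process and user columns are what make the records more useful than a NetFlow export from a router.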

Be the Caveman

I just read a great story by InformationWeek's Sharon Gaudin titled Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services:

Convicted hacker Robert Moore, who is set to go to federal prison this week, says breaking into 15 telecommunications companies and hundreds of businesses worldwide was incredibly easy because simple IT mistakes left gaping technical holes.

Moore, 23, of Spokane, Wash., pleaded guilty to conspiracy to commit computer fraud and is slated to begin his two-year sentence on Thursday for his part in a scheme to steal voice over IP services and sell them through a separate company. While prosecutors call co-conspirator Edwin Pena the mastermind of the operation, Moore acted as the hacker, admittedly scanning and breaking into telecom companies and other corporations around the world.

"It's so easy. It's so easy a caveman can do it," Moore told InformationWeek, laughing. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."
(emphasis added)

So easy a caveman can do it? Just what happened here?

The government identified more than 15 VoIP service providers that were hacked into, adding that Moore scanned more than 6 million computers just between June and October of 2005. AT&T reported to the court that Moore ran 6 million scans on its network alone...

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.

"I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore. "You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box...

He explained that he would first scan the network looking mainly for the Cisco and Quintum boxes. If he found them, he would then scan to see what models they were and then he would scan again, this time for vulnerabilities, like default passwords or unpatched bugs in old Cisco IOS boxes. If he didn't find default passwords or easily exploitable bugs, he'd run brute-force or dictionary attacks to try to break the passwords.


So, we have massively widespread scanning, discovery of routers, and attempted logins. No kidding this is caveman-fu.

And Moore didn't just focus on telecoms. He said he scanned "anybody" -- businesses, agencies and individual users. "I know I scanned a lot of people," he said. "Schools. People. Companies. Anybody. I probably hit millions of normal [users], too."

Moore said it would have been easy for IT and security managers to detect him in their companies' systems ... if they'd been looking. The problem was that, generally, no one was paying attention.

"If they were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion detection system set up, they could have easily seen that these weren't their calls."
(emphasis added)

Didn't someone tell Robert Moore that "IDS is dead?" Apparently all of these victim companies heard it, and turned off their visibility mechanisms.

My advice? Be the caveman. Perform adversary simulation. This is the simplest possible way to pretend you are a bad guy and get realistic, actionable results.

  1. Identify all of your external IP addresses.

  2. Scan them.

  3. Try to log into remote administration services you find in Step 2.

  4. Report your findings to device owners when you gain access.


How difficult is that? This methodology is nowhere near effective against targeted threats who want to compromise you specifically, but it would work against this opportunistic threat.
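The four steps above, as an added example that is not part of the original post and not anything from the article or from Moore: a Python helper that parses the grepable output of your own nmap scan of the addresses from step 1, tries a short list of default credentials against the remote administration services it finds, and formats the findings for the device owners. The port list, the credential list, the sample scan output and the stand-in login function are all assumptions; a real run replaces the stand-in with an SSH or telnet client and only ever points at systems you are authorized to test.

```python
"""Helper for the four caveman steps: parse your own external scan, try
default credentials on the admin services it exposes, and report.

Added example, not code from the article, from Moore, or from any product.
Assumptions: step 1 produced a list of external addresses you own and are
authorized to test; step 2 was run as
    nmap -p 22,23,80,443,8080 -oG scan.gnmap -iL external_ips.txt
and this script parses that grepable output; step 3 login attempts go
through a caller-supplied callable, so a real run plugs in an SSH or
telnet client while the offline demo below uses a stand-in.
"""
import re
from collections import namedtuple

ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 8080: "http-alt"}

# Illustrative defaults in the spirit of the ones Moore quoted; a real run
# would load the vendor defaults for the device types step 2 identified.
DEFAULT_CREDS = [("admin", "admin"), ("cisco", "cisco"), ("admin", ""), ("root", "root")]

Service = namedtuple("Service", "ip port name")

# nmap -oG line: "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<svc>///, ...\tIgnored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*?)(?:\s+Ignored State|$)")


def parse_gnmap(text):
    """Step 2 output -> list of open services on ports treated as remote administration."""
    found = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment line, or a host with no port entries
        ip, ports = m.group(1), m.group(2)
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 2 or not fields[0].isdigit():
                continue
            port, state = int(fields[0]), fields[1]
            if state == "open" and port in ADMIN_PORTS:
                found.append(Service(ip, port, ADMIN_PORTS[port]))
    return found


def try_default_creds(services, attempt_login, creds=DEFAULT_CREDS):
    """Step 3: try each default pair against each service; first success per service wins.
    attempt_login(service, user, password) -> bool is supplied by the caller."""
    hits = []
    for svc in services:
        for user, password in creds:
            if attempt_login(svc, user, password):
                hits.append((svc, user, password))
                break
    return hits


def report(hits):
    """Step 4: one finding per line, ready to send to the device owner."""
    return [f"{svc.ip}:{svc.port}/{svc.name} accepts default credential {user!r}/{password!r}"
            for svc, user, password in hits]


# Constructed sample of nmap grepable output; not a real scan.
SAMPLE_GNMAP = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/closed/tcp//http///\tIgnored State: filtered (2)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///
Host: 192.0.2.12 ()\tStatus: Down
"""


def simulated_login(svc, user, password):
    """Stand-in for a real SSH/telnet login so the pipeline runs offline:
    pretends only the telnet service on 192.0.2.10 still has cisco/cisco."""
    return svc.ip == "192.0.2.10" and svc.port == 23 and (user, password) == ("cisco", "cisco")


def run_simulation(gnmap_text=SAMPLE_GNMAP, attempt_login=simulated_login):
    """Steps 2 through 4 end to end; returns the report lines."""
    services = parse_gnmap(gnmap_text)
    return report(try_default_creds(services, attempt_login))


if __name__ == "__main__":
    for line in run_simulation():
        print(line)
```

Two design points worth noting. The login attempt is injected rather than hard-wired so the same logic drives a dry run, a telnet client, or an SSH library without changes, and so you can rate-limit or log every attempt in one place. And the loop stops at the first working pair per service: the goal is to confirm the default is still set and tell the owner, not to exhaustively guess, which is what distinguishes this from the brute-force phase Moore described.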

PS: If I hear one more time that "scanning is too dangerous for our network" I will officially Lose It. Scanning of external systems happens 24x7. If you really don't want an authorized party to scan your external network, try setting up a passive detection system like PADS and wait for a bad guy to ignore the fragility of your systems and scan them for you. Gather his results passively and then act on them.