Tuesday, January 26, 2010


I promised that this would not be the risk de jour blog but that I might use something topical to make a bigger point. Aurora is such an event.

No less than the nation states of France and Germany have suggested that, in response to the vulnerability exploited in Aurora, their citizens should not use Internet Explorer. Now never mind the fact this was a multi-element attack of which the IE vulnerability was only one part. Never mind that most IE7 and IE8 browsers are not vulnerable and that IE6 is seven years old. Never mind that the attack was aimed at a very small number of very high value targets. Never mind that many of the individual targets did not take the bait. Never mind that MS was promising an out-of-cycle patch. Never mind that if the attacker can get the target to take the first bait, i.e., the link in the e-mail message, the browser vulnerability is only nice, not necessary.

Nation states were giving security advice to all their citizens. And it was the wrong advice. The right advice was "don't take the bait."

One of the tests of the Principle of Proportionality is that if the remedy is worse than the problem, you are doing something wrong. Now for most of us, not using IE is not a big deal. But two whole countries? Who were not even on the original target list? And it was only marginally reducing what was already a vanishingly small risk for most of the citizens.

Now I admit, the governing class loves little as much as it likes fear. It just makes the rest of us so much easier to govern. "I am from the (French) government, and I am here to protect you from Chinese hackers. " The government should not be one's first choice for security advice. Indeed it isn't. Most of their citizens did nothing. Most waited for the MS update. Most are still not taking bait. Doing what the government suggested did not reduce the risk of most of those who are still taking bait.

Aurora is a classic case of security over reaction.

Monday, January 25, 2010

Exploiting the Rational Attacker

Attackers are often portrayed as irrational, fundamentally evil, or even demonic. They do what they do without regard to the damage that they may do. This is particularly true of amateurs doing mischief. They are simply unable to appreciate the value of public trust and confidence and the cost of the damage that they may do to it.

However, while one would not argue that rogue hackers understand that even they have an interest in an orderly world, one may argue that, at least collectively and across time and events, even they are rational. In the short run, they may underestimate the cost of attack and over-estimate the value of success, they may spend more than they gain. However, they will not do so over and over again. While an angry individual may deliberately spend more to damage another, than any psychic value to himself or even the cost of the remedy to his victim, there is some cost that will deter him, that he is unwilling or unable to pay.

Given two attacks to achieve a particular value of success, at least collectively, attackers will choose the cheaper of the two.

None of this is to suggest that the rogues are any better at estimating cost and value than any of the rest of us. They make their decisions in a "market" like the rest of us. However, within our tolerance for risk, our estimates of his cost of attack and value of success provide us with a guide for our spending on security. To the extent that we believe that his value of success is higher than his cost of attack, we should increase the cost of attack. We call that "security."

Saturday, January 23, 2010

The Principle of Proportionality

The principle used in the last blog, "Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment," is also known as Courtney's First Law.

Courtney's Second Law says, "Never spend more mitigating a risk than tolerating it will cost you." The Generally Accepted Information Security Practices refer to this principle as the Principle of Proportionality. The amount to be spent on mitigating a risk should be proportional to the risk. Whatever the effectiveness of a remedy, if its cost exceeds the risk it is time to stop.

At one level the principle is simply a restatement of good economics; a measure must be efficient. In order to be said to be efficient, a security measure must be cheaper than any of the alternatives, including that of doing nothing.

The application of the Principle of Proportionality protects us from irrational fear. It protects us from over-reacting. It protects us from responding to the last successful attack or the threat, or the vulnerability de jour.

One sure way to know that one has violated this principle is when the solution is worse than the problem one set out to solve. Can you say "transportation security."

This may be the most important principle of security. The consistent application of this principle is why we get paid the big bucks.

Thursday, January 21, 2010

The Principle is..........

Security is a space in which intuition does not serve us well.

Therefore, I have formed the habit over the decades of starting the answer to questions that are put me with the words, "The principle is…….."

Having stated the guiding principle for my answer, I go on to answer the question.

This procedure does not always lead me to a simple and correct answer but it has served very well to prevent me from giving erroneous answers.

For example, one of the questions frequently put to me is, "Is thus-and-so mechanism secure."

The temptation to answer this question yes or no is often so strong as to be almost irresistible.

However, in this case the principle is, "Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment."

Restating the principle reminds one that answering the question as asked invites one to say something foolish .

Monday, January 18, 2010

Welcome to "Thinking about Security"

This is the first entry in this blog, Thinking about Security.

A legitimate reaction would be, "Just what I need, one more blog about security." So, how is this blog different? Why should anyone care?

First, unlike most on this subject, this blog is not topical. While I may sometimes use a current report to illustrate an idea, this blog is not about what happened today. Indeed, in part, it is about "today not." It is not about the patch, attack, threat, or vulnerability of the day.

Rather, this blog is about a context and perspective in which to view and respond to the events of the day.
It is about:
  • Decision Making
  • Governance
  • Policy
  • Strategy
  • Priorities
  • Management System
  • Rules and Tools

It responds to my observation that security is a space in which intuition does not serve us well and in which rational thinking is difficult. There are many variables, some of which are un-identified. Even for the identified variables, the range of possible values, much less the exact or current value, may be unknown, or even unknowable. So, this blog will stress making hard decisions in the face of uncertainty.

The tools that we use to make these decisions include the language of risk assessment. We must keep these tools sharp and practice our skill in using them However, few security professionals, much less others, use the terms of this language (e.g., risk, threat, attack, vulnerability) in a consistent and mutually exclusive way. For example, when asked by a reporter to enumerate threats confronting the enterprise in the coming year, a famous security guru (in the literal sense of guru) quickly listed three vulnerabilities, novel, interesting (at least to the two of us) and totally irrelevant to the average enterprise.
So in this blog we will practice the use of these tools.

Because this is such a hard subject to talk about, your feeback will be necessary and welcome.