Showing posts with label Return On Investment.

Looking for a Cyber Security Project Investor?

October 04, 2021

Dear blog readers,

I've just received a direct acquisition proposal for a high-profile cyber security project and I need an investment partner who can work with me and make it happen.

Are you interested in working with me for this project? Drop me a line at dancho.danchev@hush.com


Sample project screenshots:

Stay tuned!


Cyber Security Project Investment Proposal - Cybertronics - VR for Hackers and Security Experts - Support me Today!

September 01, 2020
We started in 2019 thanks to our CEO, Dancho Danchev, who decided to launch a major product called Cybertronics - VR for Hackers and Security Experts, including the establishment of a direct partnership with Astalavista.box.sk, the original hackers' search engine circa 1994, where he is currently running a high-profile hacking and security project serving the needs of millions of loyal U.S.-based and international users following a successful re-launch of the Astalavista.box.sk project.

The primary Dark Web crowd-funding URL for this campaign is - http://lkzihepprlhxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/ where you can find the actual technical specifications for this project including the actual Bitcoin donation address.

Drop me a line at dancho.danchev@hush.com in case you're interested in a possible seed investment for this project or offering any sort of operational and financial support including to actually use my PayPal ID: dancho.danchev@hush.com for the purpose of this project.

Keywords: Hacker, Hacking, Security, Information Security, Computer Hacking, Network Security, Network Hacking, Virtual Reality, Virtual Reality Glasses, Virtual Reality Helmet, Bitcoin, Bitcoin Donation, Penetration Testing, Jabber, XMPP, Hacker Book, Hacking Book, Hacker Book Memoir, Hacking Book Memoir, End-to-End Encryption, SSL, DNSSEC, Cryptocurrency, Points Based Virtual Economy, Virtual Economy, Social Media, Social Media Network, Virtual Social Network, VR, VR Social Network, Oculus Rift, Leap Motion, Cryptohippie, CHAVPN, Closed-Communication Group, Ethernet Encryptor, OpenGPG, OpenPGP Smart Card, P2P Hosting, Distributed Hosting, Covert Channel, Deep Packet Inspection, Eavesdropping, Surveillance

Pitch
Welcome to the Wonderful World and the Future of Hacking and Information Security! Enter and Join Today the World's Largest and Most Popular VR-Based Hacker and Security Expert Social Network Platform Including the Initial Crowd-Funding Campaign For the Project!

Executive Summary
Led by CEO Dancho Danchev, Cybertronics is proud to present the general availability of a proprietary, never-before-released custom version of the World's Largest and Most Popular Virtual Reality Based Hacker and Security Expert Social Network Platform, empowering millions of active users on a monthly basis with access to the data, information and knowledge they need to learn, educate themselves, share their knowledge and learn from others in the World of Computer Hacking and Information Security.

Led and presented by Cybertronics, the project aims to present to the general public a versatile, multi-platform, Oculus Rift and Leap Motion compatible Virtual Reality application targeting millions of active users on their way to becoming hackers and learning from others in the World of Computer Hacking and Information Security.

Official Press Release:

"In 2020, we're proudly presenting the World's first and most popular and sophisticated Virtual Reality and Augmented Reality Network Platform for Hackers and Security Experts, connecting millions of users globally through the launch of a ubiquitous VR-based Social Media platform and the general availability of a ubiquitous XMPP-based, VR-based Virtual Keyboard and a sophisticated skills- and experience-based, location-aware Virtual Reality experience, successfully connecting millions of users globally on a Virtual Reality based landscape and empowering everyone with the necessary "know-how" and technical expertise to reach out to fellow colleagues and VIP members from the Hacker Community and the Security Industry, including the general availability of a ubiquitous cross-platform Desktop and Mobile Device application issuing "real-time" notifications and updates, possibly assisting in the actual improvement of the user's work-flow in both the "real" and Virtual Reality World, including actual project-, business-, personal-, skills- and experience-based "match-making" and Hacker and Security Community outreach.

The primary purpose of the VR application would be to connect, empower and facilitate a ubiquitous "real" World and Virtual World type of experience for sophisticated and novice Hackers and Security Experts, ultimately connecting international Hackers and Security Experts, including the actual integration and development of never-seen and never-released-before API-based innovative services and products ultimately built on top of the VR-based Social Media Platform.

Key Examples include:

- Built-in Ethical Penetration Testing API for research and testing purposes

- Built-in API-based Honeypot deployment further assisting the Security Industry through the ease of deployment

- Never-seen before Cluster of Activity Targeting Intelligence Analysts and Members of the U.S Intelligence Community through the general availability of an offensive and defensive Cyber Warfare Platform functionality allowing the successful Training including the development of actual Wargames Scenario type of offensive and defensive Cyber Warfare Cluster-based activity."

The Office:
Cybertronics CEO Dancho Danchev has been running a cyber security and cybercrime fighting research lab since 2006 in his place, and has successfully managed to position himself as one of the World's leading experts in the field of cybercrime fighting. In his lab he produces research on various cybercrime groups and persistently communicates and shares the "crown jewels" of his research with a vast network of U.S.-based researchers, members of the U.S. Intelligence Community and U.S. Law Enforcement.

Sample VR and Virtual Keyboard Concepts:

Project Status:

- Astalavista.box.sk, the original search engine for hackers circa 1994 and one of the World's most high-traffic Web sites for hackers and security experts, is the official partner of the Cybertronics - VR for Hackers and Security Experts project

- Several VR application developers have already expressed interest in working on the project and we have several other VR application developers waiting to join the team

- The majority of marketing and advertising will be done using industry-leading partnerships with leading hacker and security expert Web sites including actual community and security conference outreach including active social media advertising and outreach

To-Do List
Reach out to Custom Crypto-currency Developer to properly launch and introduce SecureCoin
Reach out to Tor Links Directory for a Possible Inclusion Including Banner Advertisement
Finish Working on the Project Semantics In Terms of Features and Innovative Design
Finish Working on the Project FAQ
Finish Working on the VR-Platform Manual Guide
Finish Working on the VR-Platform Tutorial Guide
Reach out to CD/DVD Labeling and Shipping Service Provider
Record Two-Hour Long Introduction to the Project and the Platform
Develop multi-platform multi VR-headset functionality and compatibility features
Develop a proper VR Application Platform Manual And Tutorial

Financials
$10,400 - Virtual Reality Application Development
$25,500 - Major Web Property Acquisition and Partnership to Acquire More Users and Spread the Word
$10,000 - Logistics Infrastructure for Shipping the CD/DVD Containing the Application
$3,000 - Printed E-book FAQ and Virtual Reality Application Manual Production
$20,000 - Infrastructure Management and Closed-Network Group Development
$15,000 - Custom "Points Based" and Democracy including Liquid-Based Cryptocurrency Development
$3,000 - Personal Printed Memoir Design and Development
$26,600 - Advertising and Marketing Including VR Application Promotion and Traffic Acquisition
$15,000 - Hacker and Security Community Outreach in terms of API Implementation including a Standardized and Custom Service and Solution Platform Integration Implementation
$30,000 - Acquire an Industry Leading VIP Team of Hackers Innovators and Application Developers and Pay Maintenance Fees for the VR Application
$30,000 - Research and Development in terms of the VR Application Including the Introduction of New Features and Acquisition of New Users

Key Features Summary
  • A ubiquitous End-to-End Encrypted Jabber-based OTR (Off-The-Record) Encrypted Chat Feature connecting millions of users globally
  • Clustered Skills and Experience-Based Opt-In Hacker and Security Expert Methodology in over 50 Categories, Including Security Bloggers, Hacktivists, Anarchists, Privacy Advocates, Censorship Researchers and Human Rights Advocates, including Blackhat and Gray Hat hackers, Security Industry Leaders and VIP Members
  • Self-Sufficient Eternal Virtual Cyber Economy including a "Points-Based" Economy and Cybertronics Branded Custom Democracy And Voting-Based Cryptocurrency ensuring the spread preservation and dissemination of Computer Hacking and Information Security Knowledge to millions of loyal users globally
  • Localization at its best including advanced geolocation on a per-country and on a per-city basis introducing local Hacker and Security Expert communities introducing local Hacker and Security Expert economies and social network driven communities
  • Future Global Hacker and Security Expert Network including mainstream local and global community announcements and featured events and products including service
  • End-to-end Encrypted Communications including Enhanced Personal Encryption and User Identification using PGP (Pretty Good Privacy) and Jabber OTR (Off-The-Record-Messaging) including Yubico-Based Two-Factor Authentication Extended Validation SSL and DNSSEC Support
  • Closed-Communication Group Network Preserving Key Privacy and Security Features of Modern Hacker and Security Expert Social Network Platform
  • P2P-Based Content Distribution and Hosting Including Censorship and Surveillance Resilience
  • Standardized Security Product and Security and Hacking Service Partner API Allowing Vendors and Commercial and Community-driven Hacking and Security Service Providers Easy Access to the Platform
  • Covert Communication Channel P2P Based Social Media Platform Making Deep Packet Inspection Including Possible Communication Surveillance and Eavesdropping on Member Communication Virtually Impossible
  • Client-to-Site Ethernet Encryptor Further Enhancing The Privacy and Security Features of the Platform Making it Impossible for Someone To Eavesdrop or Launch a Potential Surveillance Attack Campaign
  • OpenPGP Smart Card Enabled Web-Based On-the-Fly SSL Session Authentication Ensuring Maximum Security and Advanced Identity-Based Secure User Authentication
Sample Technical Specifications:

Introduction
Executive Summary
Project Semantics
VR-Based Interface
Hardware Specifications Soliciting
Platform and Social Network Migration
Import Facebook Contacts
Import Gmail Contacts
Import Steam Contacts
Invite Your Friends
Earn Points for Converted Friends
Claim VIP Status
High-Trafficked Web Site
Major Security Project
Major Hacking Project
Old-School Hacking Project
Old-School Security Project
Old-School Hacking Software Developer
Old-School Security Software Developer
Access and Permission-Based Social Network Control System
Geolocation Points
VIP Status
Content-Based “Points Economy”
Voting-Based
Comments-Based
Application-Specification
Profile Basic Introduction
Requirements
Valid Email
Valid Phone Number
Valid Second Phone Number
Valid and User-Generated Profile
Valid and User-Generated Web Site
Category-Based Inclusion
Tags-Based Inclusion
Distributed Search Engine Indexing
Voting-Based Access Permission Granting
Profile Basics Categorization
Real Name
Handle
Valid Email
Valid PGP Key
Skills-Based Opt-In
Category-Based Opt-in
Trial Access
Featured VIP Participants
Network Status Update
Network Status Headline and Messages
Future Internet GUI Interface
Purchase Subscription
Partner Ecosystem API Registration
Penetration Testing Services API
Ethical Phishing Testing API
Honeypot Installation Service API
CanaryTokens API
T-Pot API
Honeydrive API
Connectivity Requirements
Cisco Malware Connector
P2P-Based Data and Information Hosting and Dissemination
Central Server
Redundancy Planning and Contingency Planning
Clear-Net Access
CHAVPN Closed-Group Access

Marketing Concept

The platform ultimately targets users in the following Categories:

Hackers
Independent Security Researchers
Penetration Testers
Hacker Groups
Activists
Free Speech Writers
Privacy Advocates
Censorship Researchers
Exploit Writers
Malicious Software Debuggers
Hacktivists
Political Activists
Security Bloggers
Cybercrime Researchers
Malware Researchers
OSINT Analysts
Intelligence Analysts

Sample Personal Photo of CEO and Founder of this Project - Dancho Danchev - The World's Leading Expert in the Field of Cybercrime Research and Threat Intelligence Gathering:


Sample Web Traffic Statistics for the Official Partner and Actual Founder and CEO of this Project - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge:

The Technical Specifications

Executive Summary
Project Semantics
VR-Based Interface
Hardware Specifications Soliciting
Platform and Social Network Migration
Import Facebook Contacts
Import Gmail Contacts
Import Steam Contacts
Invite Your Friends
Earn Points for Converted Friends
Claim VIP Status
High-Trafficked Web Site
Major Security Project
Major Hacking Project
Old-School Hacking Project
Old-School Security Project
Old-School Hacking Software Developer
Old-School Security Software Developer
Access and Permission-Based Social Network Control System
Geolocation Points
VIP Status
Content-Based “Points Economy”
Voting-Based
Comments-Based
Application-Specification
Profile Basic Introduction
Requirements
Valid Email
Valid Phone Number
Valid Second Phone Number
Valid and User-Generated Profile
Valid and User-Generated Web Site
Category-Based Inclusion
Tags-Based Inclusion
Distributed Search Engine Indexing
Voting-Based Access Permission Granting
Profile Basics Categorization
Real Name
Handle
Valid Email
Valid PGP Key
Skills-Based Opt-In
Category-Based Opt-in
Trial Access
Featured VIP Participants
Network Status Update
Network Status Headline and Messages
Future Internet GUI Interface
Purchase Subscription
Partner Ecosystem API Registration
Penetration Testing Services API
Ethical Phishing Testing API
Honeypot Installation Service API
CanaryTokens API
T-Pot API
Honeydrive API
Connectivity Requirements
Cisco Malware Connector
P2P-Based Data and Information Hosting and Dissemination
Central Server
Redundancy Planning and Contingency Planning
Clear-Net Access
CHAVPN Closed-Group Access
E-Shop Merchandise
Home-Based PC
Virtual Reality Headset
Leap Motion
Augmented Reality Glasses
Multi-Platform Compatibility
Augmented Reality Compatible
Background Mode
Security Features
Country-Geolocation
City-Geolocation
Two-Factor Authentication
SSL Encryption
Yubico Two-Factor Authentication Key
PGP Key Encryption
Convert Current Users
Introduce New Users
Jabber-Based Instant Messenger
CHAVPN Closed-Network-Group
VPN Router
Client-Based LAS Server Closed-Network Group Communication
Clustering
Experience-Based
Skills-Based
Country-Based
City-Based
VIP-Status
Reputation-Based Clustering
Categories-Based Search
Upload and Convert Photo
Custom Avatars
Choose Background Music
Purchase Music
Manual Search
Recommended People
Recommended Groups
Recommended Organizations
Universal Jabber-Based Messenger
Marketing Concept
Two-Factor Based Authentication
Mobile-Phone
$100 Entry Fee
Payment Methods
Direct Download
Hardware Online Test
Long Tail
Commercialization and Monetization
Self-Branded Internal Crypto-Currency

Cross-Platform Compatibility:


Cross-Platform Support


CEO Dancho Danchev BIO:

Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering, having actively pioneered his own methodology for processing threat intelligence throughout the past decade, following a successful career as a hacker-enthusiast in the 90's leading to active community participation and contribution as a Member of WarIndustries, List Moderator at BlackCode Ravers, Contributor to Black Sun Research Facility (BSRF), List Moderator, Software Contributor (TDS-2 Trojan Information Database) at DiamondCS, Trojan Defense contributor to LockDownCorp, Contributor to HelpNetSecurity, Managing Director of Astalavista Security Group's Astalavista.com - The Underground, Security Consultant for Frame4 Security Systems, contributor to TechGenix's WindowSecurity.com, security blogger for ZDNet Zero Day and Threat Intelligence Analyst for Webroot, leading to a successful set of hundreds of high-quality analysis and research articles published at the industry's leading threat intelligence blogs - ZDNet's Zero Day, Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat Blog - with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld and H+Magazine; he is currently producing threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge.

With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol, the researcher continues to actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge, publishing a diverse set of hundreds of high-quality research analyses detailing the malicious and fraudulent activities of nation-state and malicious actors across the globe.

Sample Personal Photos of CEO Dancho Danchev:

Stay tuned!

Upcoming Security Project - Accepting Donations and Feedback!

May 30, 2019
Dear blog readers, I wanted to let everyone know that I've recently added a "Donate Today!" button, including a pop-up banner within my blog, with the idea of seeking your donations and feedback to raise the necessary capital for an upcoming Security Project.

How can you contribute, in case you're a long-time reader of this blog and want to see more high-quality Security and Cybercrime research? Consider making a modest $500 donation, which will better help me to scale the project and eventually launch it.

Feel free to approach me at dancho.danchev@hush.com

Stay tuned!

Consolidation, or Startups Popping out Like Mushrooms?

June 13, 2006
If technology is the enabler, and the hot commodity these days, spammers will definitely twist the concept of targeted marketing while taking advantage of them. Last week I mentioned the concepts of VoIP, WiFi and cell phone spam that are slowly starting to take place.

Gartner recently expressed a (pricey) opinion on the upcoming consolidation of spam vendors, while I feel they totally ignored the technological revolution of spamming to come -- IPSec is also said to be dead by 2008...

"The current glut of anti-spam vendors is about to end, analysts at Gartner said Wednesday. But enterprises shouldn’t stay on the sidelines until the shakeout is over. By the end of the year, Gartner predicted, the current roster of about 40 vendors in the enterprise anti-spam filtering market will shrink to fewer than 10. As consolidation accelerates and as anti-spam technology continues to rapidly change, most of today’s vendors will be "left by the wayside," said Maurene Caplan Grey, a research director with Gartner, and one of two analysts who authored a recently-released report on the state of the anti-spam market."

The consequence of cheap hardware, HR on demand, angel investors falling from the sky on a daily basis, and acquiring vendor-licensed IP, would result in start-ups popping up like mushrooms to cover the newly developed market segments, and some will stick it out long enough not to get acquired, given they realize they possess a core competency.

Sensor networks, spam traps, Bayesian filters, all are holding the front, while we're getting used to "an acceptable level of spam", not the lack of it. What's emerging for the time being is the next logical stage, that is localized spam in native languages, and believe it or not, it gets through the filters and impacts productivity, the major problem posed by spam.

SiteAdvisor -- I feel I'm almost acting as an evangelist of the idea -- recently responded to Scandoo's concept by wisely starting to take advantage of their growing database and providing the feature in email clients while protecting against phishing attacks. End users wouldn't consider insecure search by default in order to change their googling habits; they trust Google more than they would trust an extension, and they'd rather have to worry about Google abusing their click stream than about anything else. Anti-phishing toolbars are a buzz, and it's nice to see the way they're orbiting around it.

Be a mushroom, don't look for an umbrella from day one!

Going Deeper Underground

June 10, 2006
IT Security Goes Nuclear, at least that's what they say.

"Venture capitalists are predicting a "business boom below ground" as blue-chip companies turn to nuclear bunkers built at the height of the Cold War in the battle to protect sensitive electronic data. The latest private equity investor to move in on the area is Foresight Venture Partners, which has just taken a 20 per cent stake in The Bunker Secure Hosting."

But no matter how deep underground you are, you would still be providing an Internet connection, given you're a hosting company. That's an open network, compared to a closed one which is easier to control -- thick walls wouldn't matter when it comes to connectivity and insiders. It's logical for any data to be stated as secure in that type of environment, but an authorized/unauthorized "someone" will want to use and abuse it for sure.

VCs often exaggerate to develop a market sector they somehow envision as profitable in the long term; the real issue is that, while the idea is very marketable, you cannot base future trends on this fact only. They'd better invest in market segments such as portable security solutions, or risk management companies such as Vontu and Reconnex, which I covered in a previous post related to insider abuse.

There You Go With Your Financial Performance Transparency

June 10, 2006
Truly amazing, and the inevitable consequence of communication retention in the financial sector, but I feel it's the magnitude that resulted in Enron's entire email communication archive that seems to be available online right now.

"Search through more hundreds of thousands of email messages to and from 176 former Enron executives and employees from the power-trading operations in 2000-2002. For the first time, they are available to the public for free through the easy-to-use interface of the InBoxer Anti-Risk Appliance. Create a free account, and go to work. You can search for words, phrases, senders, recipients, and more."

The interesting part is how their ex-risk management provider is providing the data, in between fighting with the Monsters in Your Mailbox.

Brace Yourself - AOL to Enter Security Business

June 09, 2006
In the re-emergence of the Web, AOL got the attention it never imagined it would get, with Microsoft and Google fighting for a share of its modest but strategic amount of eyeballs. After being an exclusive part of Time Warner's balance sheet since its early acquisition, and with a $510M fine, a dial-up business that was profitable by the time telecoms started offering cable connections due to the years of infrastructure renovation, the thought-to-be-mature online advertising model is what saved it. Now, AOL is basically putting half its leg into the red hot security market and wisely playing it safe:

"AOL plans to expand into security services with the release of the Active Security Monitor, expected on Thursday. The program would also check to make sure Internet Explorer is properly configured to prevent security holes. "ASM determines a security score for your PC, and for all other PCs in your home network, by evaluating the status of all the major components needed for a robust system: Anti-Virus software, Anti-Spyware software, Firewall protection, Wireless Security, Operating System, Web Browser, Back up software and PC Optimization."

After the scoring, I presume it would "phone back home" and let AOL know what end users are mostly missing, then a solution provided by AOL, or a licensee would follow. Benchmarking against AOL's understanding of application based security is tricky, and I bet you already know the programs necessary to establish common sense security on your PC/network. Who's next to enter the security industry besides Microsoft and AOL, perhaps DoubleClick?

CNET has naturally reviewed the Active Security Monitor.

The Global Security Challenge - Bring Your Know-How

May 30, 2006
It's a public secret that the majority of innovative ideas come from either the academic environment, or plain simple entrepreneurial spirits. I find such annual competitions a valuable incentive for both sides to unleash the full power of their ideas, or commercialize them - consciously or subconsciously. SpaceShipOne is a case study on how elephants can't dance, or at least how they dance on high profit margins only.

Recently announced, The Global Security Challenge seeks "...to help young startups succeed in the security field. Take advantage of this unique opportunity to get your ideas in front of investors, media, and government and industry leaders." And most importantly:

"We seek to uncover the creative capabilities of innovators in universities and infant companies that apply to public security needs. This includes software, hardware or other industrial solutions that help (a) protect people, critical infrastructure, facilities and data/electronic systems against terrorist or other criminal attacks and natural disasters or (b) help governments, businesses and communities defend against, cope with or recover from such incidents. Examples of Technologies We Seek:
- Mesh Networks
- Data Storage and Recovery
- Detection/ Sensors
- Biometrics
- Search Software
- Cyber/Network Security
- Communications Interoperability & Reconstruction
- Biological/Chemical/Radiological Remediation
- Protective Equipment
- RFID, Asset Tracking & Container Security
- Biotechnology

I bet the revenues of Europe's top private security companies exceed the limit of having less than £10 million in annual revenues, so it's worth speculating on their participation. Do your homework, know your competitors better than they know themselves, work out your elevator pitch, and disrupt.

As far as acquisitions are concerned, SiteAdvisor is the first recently acquired startup that comes to my mind, with its $70M acquisition deal valuation. As it obviously goes beyond VC-type mentorship, to many this seemed an overhyped deal. There's no price for being a pioneer, but there is a price on acquiring the position -- a stairway to heaven. Right now, a vertical security market segment is slowly developing, and it is my humble opinion that the company's pioneering position is poised for success. Another alternative to SiteAdvisor's safe search function is the recently launched Scandoo.com, which actually integrates the results from Google and Yahoo -- I doubt users would change their search preferences that easily, though.

Who's next to get acquired, or hopefully funded?

Valuing Security and Prioritizing Your Expenditures

May 15, 2006
I often blog on various market trends related to information security and try to provide an in-depth coverage of emerging or current trends -- in between active comments. In previous posts "FBI's 2005 Computer Crime Survey - what's to consider?", "Spotting valuable investments in the information security market", "Why we cannot measure the real cost of cybercrime?", "Personal Data Security Breaches - 2000/2005" and, "To report, or not to report?" I emphasized on the following key points in respect to data security breaches and security investments :



- on the majority of occasions companies are taking an outdated approach towards security, that is still living in the perimeter based security solutions world


- companies and data brokers/aggregators are often reluctant to report security breaches even
when they have the legal obligation to due to the fact that, either the breach still hasn't been detected, or the lack of awareness on what is a breach worth reporting


- the flawed approaches towards quantifyingthe costs related to Cybercrime are resulting in overhyped statements in direct contradiction with security spending


- companies still believe in the myth that spending more on security, means better security, but that's not always the case


- given the flood of marketing and the never ending "media echo" effect, decision makers often find themselves living with current trends, not with the emerging ones, which is what they should pay attention to



It is often mistaken that the more you spend on security, the higher level of security would be achieved, whereas that's not always the case -- it's about prioritizing and finding the most suitable metrics model for your investment.



Here's an article describing exactly the same impression :



"Security breaches from computer viruses, spyware, hacker attacks and equipment theft are costing British business billions of pounds a year, according to a survey released Tuesday. The estimated loss of $18 billion (10 billion pounds) is 50 percent higher than the level calculated two years ago, according to the survey that consultancy PricewaterhouseCoopers conducted for the U.K. Department of Trade and Industry. The rise comes despite the fact that companies are increasing their spending on information security controls to an average 4 percent or 5 percent of their IT budget, compared with 3 percent in 2004."



That's pretty much the situation everywhere, companies are striving to apply metrics to security investments and this is where it all gets blur. Spending more on security might seems to be logical answer, but start from the fact that open networks, thus exposed to a great deal of uncontrollable external factors, undermine the majority of models so far. Bargaining with security, or "Getting paid for getting hacked" remains a daily practice whatsoever. Let's consider various social aspects concerning the participants.



A financial executive often wants to know more on :

- Do I get any return on my investment (ROI) ?
- What % of the risk is mitigated and what are your benchmarking methods?
- What may I lose if I don't invest, and where's the sweet spot?
- How much is enough?
- How do I use basic financial concepts such as diversification in the security world?
- How would productivity be influenced due to the lack of solutions, or even their actual use?



A security consultant on the other hand might be interested in -- How do I convince senior management in the benefits of having a honeyfarm in respect to mitigating the overall risk of having real systems breached into, without using Cyberterrorism as the basis of discussion?



These different schools of thought, positions, responsibilities and budget-allocation-hungry individuals constantly have trouble communicating with each other. And while you cannot, and perhaps even should not, try to educate your security workforce in the basics of finance, an understanding of both sides' point of view may change things -- what you don't see value in is often someone else's treasure.



Another recent article on the topic of justifying security expenditure, or rather of assigning value to it, made an impression on me:



"So we came up with Value Protection," Larson says. "You spend time and capital on security so that you don't allow the erosion of existing growth or prevent new growth from taking root. The number-one challenge for us is not the ability to deploy the next, greatest technology. That's there. What we need to do now is quantify the value to the business of deploying those technologies." "It adds value; we're very supportive of it," says Steve Schmitt, American Water's vice president of operations, of Larson's Value Protection metric. For a while, people were just trying to create reasonable security, Schmitt says, "but now you need something more—something that proves the value, and that's what Bruce developed. Plus, as a secondary benefit, it's getting us better visibility from business owners and partners on risks and better ways to mitigate the risks."



Good point on first estimating the usefulness of current technologies before applying the "latest" or "newest" ones. The rest comes down to the good old flaws in the ROSI model: how can you be sure that it will be the $75,000 virus outbreak that hits your organization, and not the $5,000 one? "Return On Security Investment (ROSI) – A Practical Quantitative Model" emphasized the pitfalls of blindly assigning the wrong value to a variable:



"The virus scanner appears to be worth the investment, but only because we’re assuming that the cost of a disaster is $25,000, that the scanner will catch 75% of the viruses and that the cost of the scanner is truly $25,000. In reality, none of these numbers are likely to be very accurate. What if three of the four viruses cost $5,000 in damages but one costs $85,000? The average cost is still $25,000. Which one of those four viruses is going to get past the scanner? If it’s a $5,000 one, the ROSI increases to nearly 300% – but if it’s the expensive one, the ROSI becomes negative!"
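The arithmetic behind the quoted passage, as an added example that is not code from the original post or from the ROSI paper it quotes. The scenario figures (four incidents averaging $25,000, three at $5,000 and one at $85,000, a $25,000 scanner catching 75%) are taken from the quote; the formula is the textbook ROSI = (loss prevented - cost of control) / cost of control. The example also generalizes slightly: it enumerates every combination of incidents the control might miss, and computes the single-incident cost above which the whole investment turns negative, which for these figures is exactly the $75,000 outbreak mentioned above.

```python
"""ROSI and its sensitivity to the per-incident cost assumption.

Added example, not code from the original post or from the ROSI paper it
quotes. Scenario figures come from the quoted passage: four virus incidents
a year averaging $25,000, a scanner costing $25,000 that catches 75% of them
(three of four). The formula is the standard ROSI:
    ROSI = (loss prevented - cost of control) / cost of control
"""
from itertools import combinations
from statistics import mean

# Constructed per-incident costs matching the paper's "three at $5,000, one at $85,000"
INCIDENT_COSTS = [5_000, 5_000, 5_000, 85_000]
CONTROL_COST = 25_000   # the scanner
CATCH_RATE = 0.75       # fraction of incidents the scanner stops


def rosi(loss_prevented, control_cost):
    """ROSI as a fraction: 2.0 means a 200% return on the control's cost."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (loss_prevented - control_cost) / control_cost


def rosi_from_averages(incidents_per_year, avg_cost, catch_rate, control_cost):
    """The headline figure: assumes every prevented incident costs the average."""
    prevented = incidents_per_year * avg_cost * catch_rate
    return rosi(prevented, control_cost)


def rosi_if_missed(incident_costs, missed_index, control_cost):
    """ROSI when the control stops every incident except the one at missed_index."""
    prevented = sum(c for i, c in enumerate(incident_costs) if i != missed_index)
    return rosi(prevented, control_cost)


def rosi_range(incident_costs, catch_rate, control_cost):
    """Worst and best ROSI over every combination of incidents the control might miss."""
    n = len(incident_costs)
    n_missed = round(n * (1 - catch_rate))
    outcomes = []
    for missed in combinations(range(n), n_missed):
        prevented = sum(c for i, c in enumerate(incident_costs) if i not in missed)
        outcomes.append(rosi(prevented, control_cost))
    return min(outcomes), max(outcomes)


def breakeven_missed_cost(incident_costs, control_cost):
    """Cost of a single missed incident above which ROSI turns negative."""
    return sum(incident_costs) - control_cost


if __name__ == "__main__":
    avg = mean(INCIDENT_COSTS)  # 25,000, the same average the paper uses
    print(f"average-based ROSI: {rosi_from_averages(4, avg, CATCH_RATE, CONTROL_COST):.0%}")
    print(f"miss a $5,000 one:  {rosi_if_missed(INCIDENT_COSTS, 0, CONTROL_COST):.0%}")
    print(f"miss the $85,000:   {rosi_if_missed(INCIDENT_COSTS, 3, CONTROL_COST):.0%}")
    lo, hi = rosi_range(INCIDENT_COSTS, CATCH_RATE, CONTROL_COST)
    print(f"range over all miss patterns: {lo:.0%} .. {hi:.0%}")
    print(f"ROSI goes negative if the missed incident costs more than "
          f"${breakeven_missed_cost(INCIDENT_COSTS, CONTROL_COST):,}")
```

The average-based figure (200%) hides a spread from -40% to 280% depending solely on which incident slips through; a decision made on the headline number alone is a decision made on the least informative of these outputs.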



Among the first things to keep in mind while developing a risk management plan are to identify the assets, identify the potential attackers, and find ways to measure the threat exposure and the current threatscape as well. In a publication I wrote three years ago, "Building and Implementing a Successful Information Security Policy", which as a matter of fact I still find a quality and in-depth read on the topic, I outlined some ideas on achieving the full effect of the above-mentioned practices -- it's also nice to come across it given in assignments and discussed in lectures. An excerpt on Risk Analysis:

"As in any other sensitive procedure, Risk Analysis and Risk Management play an essential role in the proper functionality of the process. Risk Analysis is the process of identifying the critical information assets of the company and their use and functionality -- an important (key) process that needs to be taken very seriously. Essentially, it is the very process of defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and most importantly, HOW you are going to protect it."



Identifying the threats -- some current threats worth keeping in mind:
- windows of opportunities/0day attacks
- lousy assets/vulnerability/patch management
- insecure end users' habits
- sneaky and sophisticated malicious software
- wireless/bluetooth information leakage
- removable media information leakage



How would you go about measuring the risk exposure and the risk mitigated factor?



Risk exposure and risk mitigated are both interesting and hard to quantify. Should we consider the whole population, given that we somehow manage to obtain fresh information on the current threats (through the use of an Early Warning System such as Symantec's DeepSight Analyzer, the Internet Storm Center, or iDefense's intelligence services, for instance)? Today, it is often based on:



- the number of workstations and network assets set against the historical occurrence of a particular security event on the network -- accounting for the effects of mobile agents on a company's specific infrastructure is sometimes hard
- the historical TCO data related to typical breaches/security events



Risk mitigated is often tackled by the use of best practices -- whether outdated or relevant is another matter. Cyber insurance and the current, sort of scientifically justified, ROSI model are everyday practice, but knowing the inner workings of your organization and today's constantly changing threatscape, and how (if) it affects you, is the key practice when prioritizing expenditure. You cannot, and should not, deal with all the insecurities facing your organization; instead, prioritize your security expenditure rather than just following the daily headlines and vendor-released, short-term-centered research.
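The exposure measurement described above (historical occurrence of security events against the asset population, plus historical per-event cost) carried through to the prioritization this paragraph asks for, as an added example that is not code from the original post. The incident log is constructed sample data whose threat names mirror the list earlier in the post; the per-asset rate (incidents per workstation per year) is my reading of the "workstations against historical occurrence" metric, and the ARO/SLE/ALE decomposition is the classic quantitative risk-analysis approach, not something the post itself spells out.

```python
"""Annualized exposure from historical incident data, ranked for prioritization.

Added example, not code from the original post. Derives, per threat, the
annual rate of occurrence (ARO), single loss expectancy (SLE) and annualized
loss expectancy (ALE = ARO * SLE) from a historical event log, then ranks the
threats so spending follows measured exposure rather than headlines.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Constructed sample history: (year, threat, cost in dollars). Not real figures.
INCIDENT_LOG = [
    (2003, "malware", 5_000),
    (2003, "malware", 85_000),
    (2003, "removable media leakage", 12_000),
    (2004, "malware", 5_000),
    (2004, "patch management", 30_000),
    (2005, "malware", 5_000),
    (2005, "wireless leakage", 20_000),
    (2005, "patch management", 30_000),
]
YEARS_OBSERVED = 3      # the log spans 2003-2005
WORKSTATIONS = 400      # constructed asset population


@dataclass
class Exposure:
    threat: str
    aro: float              # incidents per year
    sle: float              # mean cost per incident
    ale: float              # expected annual loss = aro * sle
    per_asset_rate: float   # incidents per workstation per year


def annualized_exposure(log, years, assets):
    """Group incidents by threat and return exposures sorted by ALE, highest first."""
    costs_by_threat = defaultdict(list)
    for _year, threat, cost in log:
        costs_by_threat[threat].append(cost)
    exposures = []
    for threat, costs in costs_by_threat.items():
        aro = len(costs) / years
        sle = mean(costs)
        exposures.append(Exposure(threat, aro, sle, aro * sle, aro / assets))
    return sorted(exposures, key=lambda e: e.ale, reverse=True)


def risk_mitigated(exposure, control_effectiveness):
    """Expected annual loss avoided by a control stopping that fraction of incidents."""
    return exposure.ale * control_effectiveness


def threats_covering(exposures, share=0.8):
    """Smallest top-ranked set of threats whose ALE reaches the given share of total ALE."""
    total = sum(e.ale for e in exposures)
    covered, chosen = 0.0, []
    for e in exposures:
        chosen.append(e.threat)
        covered += e.ale
        if covered >= share * total:
            break
    return chosen


if __name__ == "__main__":
    ranked = annualized_exposure(INCIDENT_LOG, YEARS_OBSERVED, WORKSTATIONS)
    for e in ranked:
        print(f"{e.threat:26} ARO={e.aro:.2f}/yr  SLE=${e.sle:,.0f}  "
              f"ALE=${e.ale:,.0f}  per-asset={e.per_asset_rate:.5f}")
    print("threats to fund first (80% of expected loss):", threats_covering(ranked))
    print(f"a 75%-effective control on {ranked[0].threat} is worth at most "
          f"${risk_mitigated(ranked[0], 0.75):,.0f} per year")
```

Note that the malware SLE here is again the $25,000 average over three cheap incidents and one expensive one; the ranking is only as good as the history it is fed, which is the point the post makes about fresh threat information.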



It's hard to quantify the value of intellectual property, just as it's hard to quantify TCO losses due to security breaches, and it's perhaps the perfect moment to mention the initiative I undertook at the beginning of this year -- a 50/50 security/financial cross-functional team tasked with coming up with a disruptive idea. More on the current status soon; still, thanks for the time and effort, folks! To sum up, a nice quote by the authors of the research I mentioned: "Most of the problems stem from the fact that security doesn’t directly create anything tangible – rather it prevents loss. A loss that’s prevented is a loss that you probably won’t know about."



The bottom line: are you making money out of having security -- that is, thinking business continuity, not contingency planning -- and should we keep trying to adapt financial concepts rather than rethinking them altogether?



Recommended reading/resources on the topic of justifying security expenditure:
Return on Information Security Investment
Risk - A Financial Overview
Calculated Risk - Guide to determining security ROI
The Return on Investment for Network Security
Analysis of Return on Investment for Information Security
Methodologies for Evaluating Information Security Investments
Risk Assessment for Security Economics - very informative slides
Economics and Security Resource page
Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm
PKI and Financial Return on Investment
Privacy Breach Impact Calculator
Guide to Selecting Information Technology Security Products