
Looking for a Cyber Security Project Investor?

October 04, 2021

Dear blog readers,

I've just received a direct acquisition proposal for a high-profile cyber security project and I need an investment partner who can work with me and make it happen.

Are you interested in working with me for this project? Drop me a line at dancho.danchev@hush.com

Sample project screenshots:

Stay tuned!


Cyber Security Project Investment Proposal - Cybertronics - VR for Hackers and Security Experts - Support me Today!

September 01, 2020
We started in 2019 thanks to our CEO Dancho Danchev, who decided to launch a major product called Cybertronics - VR for Hackers and Security Experts, including establishing a direct partnership with Astalavista.box.sk, the original hackers' search engine circa 1994, where he's currently running a high-profile hacking and security project serving the needs of millions of loyal U.S.-based and international users following a successful re-launch of the Astalavista.box.sk project.

The primary Dark Web crowd-funding URL for this campaign is - http://lkzihepprlhxtvbutjedoazbsqd4avmifhpjms3zuq7itceiu4qajwad.onion/ where you can find the actual technical specifications for this project including the actual Bitcoin donation address.

Drop me a line at dancho.danchev@hush.com in case you're interested in a possible seed investment for this project or offering any sort of operational and financial support including to actually use my PayPal ID: dancho.danchev@hush.com for the purpose of this project.

Keywords: Hacker, Hacking, Security, Information Security, Computer Hacking, Network Security, Network Hacking, Virtual Reality, Virtual Reality Glasses, Virtual Reality Helmet, Bitcoin, Bitcoin Donation, Penetration Testing, Jabber, XMPP, Hacker Book, Hacking Book, Hacker Book Memoir, Hacking Book Memoir, End-to-End Encryption, SSL, DNSSEC, Cryptocurrency, Points Based Virtual Economy, Virtual Economy, Social Media, Social Media Network, Virtual Social Network, VR, VR Social Network, Oculus Rift, Leap Motion, Cryptohippie, CHAVPN, Closed-Communication Group, Ethernet Encryptor, OpenGPG, OpenPGP Smart Card, P2P Hosting, Distributed Hosting, Covert Channel, Deep Packet Inspection, Eavesdropping, Surveillance

Pitch
Welcome to the Wonderful World and the Future of Hacking and Information Security! Enter and Join Today the World's Largest and Most Popular VR-Based Hacker and Security Expert Social Network Platform Including the Initial Crowd-Funding Campaign For the Project!

Executive Summary
Led by CEO Dancho Danchev, Cybertronics is proud to present the general availability of a proprietary, never-before-released custom version of the World's Largest and Most Popular Virtual Reality Based Hacker and Security Expert Social Network Platform, empowering millions of active users on a monthly basis with the necessary access to data, information and knowledge to help them learn, educate themselves, share their knowledge and learn from others in the World of Computer Hacking and Information Security.

Led and presented by Cybertronics, the project aims to present to the general public a versatile and multi-platform Oculus Rift and Leap Motion compatible Virtual Reality application targeting millions of active users on their way to becoming hackers and learning from others in the World of Computer Hacking and Information Security.

Official Press Release:

"In 2020, we're proudly presenting the World's first and most popular and sophisticated Virtual Reality and Augmented Reality Network Platform for Hackers and Security Experts, connecting millions of users globally through the launch of a ubiquitous VR-based Social Media platform and the general availability of a ubiquitous XMPP-based VR-based Virtual Keyboard and a sophisticated skills and experience including location-based and aware Virtual Reality experience successfully connecting millions of users globally on a Virtual Reality based landscape, empowering everyone with the necessary "know-how" and technical expertise to reach out to fellow colleagues and VIP members from the Hacker Community including the Security Industry, including the general availability of a ubiquitous cross-platform based Desktop and Mobile Device application issuing "real-time" notifications and updates, possibly assisting in the actual improvement of the user's work-flow in both the "real" and Virtual Reality World, including actual project and business including personal and skills and experience based "match-making" and Hacker and Security Community outreach.

The primary purpose of the VR application would be to connect, empower and facilitate a ubiquitous "real" World and Virtual World type of sophisticated and novice Hacker and Security Expert experience, ultimately connecting international Hackers and Security Experts, including the actual integration and development of never-seen and released-before API-based type of innovative services and products ultimately built on top of the VR-based Social Media Platform.

Key Examples include:

- Built-in Ethical Penetration Testing API for research and testing purposes

- Built-in API-based Honeypot deployment further assisting the Security Industry through the ease of deployment

- Never-seen before Cluster of Activity Targeting Intelligence Analysts and Members of the U.S Intelligence Community through the general availability of an offensive and defensive Cyber Warfare Platform functionality allowing the successful Training including the development of actual Wargames Scenario type of offensive and defensive Cyber Warfare Cluster-based activity."

The Office:
Cybertronics CEO Dancho Danchev has been running a cyber security and cybercrime fighting research lab since 2006 in his place and has successfully managed to position himself as one of the World's leading experts in the field of cybercrime fighting. In his lab he produces and researches various cybercrime groups and persistently communicates and shares the "crown jewels" of his research with a vast network of U.S.-based researchers, members of the U.S. Intelligence Community and U.S. Law Enforcement.

Sample VR and Virtual Keyboard Concepts:

Project Status:

- Astalavista.box.sk, the original search engine for hackers circa 1994 and one of the World's most visited Web sites for hackers and security experts, is the official partner of the Cybertronics - VR for Hackers and Security Experts project

- Several VR application developers have already expressed interest in working on the project and we have several other VR application developers waiting to join the team

- The majority of marketing and advertising will be done using industry-leading partnerships with leading hacker and security expert Web sites including actual community and security conference outreach including active social media advertising and outreach

To-Do List
Reach out to Custom Crypto-currency Developer to properly launch and introduce SecureCoin
Reach out to Tor Links Directory for a Possible Inclusion Including Banner Advertisement
Finish Working on the Project Semantics In Terms of Features and Innovative Design
Finish Working on the Project FAQ
Finish Working on the VR-Platform Manual Guide
Finish Working on the VR-Platform Tutorial Guide
Reach out to CD/DVD Labeling and Shipping Service Provider
Record Two-Hour Long Introduction to the Project and the Platform
Develop multi-platform multi VR-headset functionality and compatibility features
Develop a proper VR Application Platform Manual And Tutorial

Financials
$10,400 - Virtual Reality Application Development
$25,500 - Major Web Property Acquisition and Partnership to Acquire More Users and Spread the Word
$10,000 - Logistics Infrastructure for Shipping the CD/DVD Containing the Application
$3,000 - Printed E-book FAQ and Virtual Reality Application Manual Production
$20,000 - Infrastructure Management and Closed-Network Group Development
$15,000 - Custom "Points Based" and Democracy including Liquid-Based Cryptocurrency Development
$3,000 - Personal Printed Memoir Design and Development
$26,600 - Advertising and Marketing Including VR Application Promotion and Traffic Acquisition
$15,000 - Hacker and Security Community Outreach in terms of API Implementation including a Standardized and Custom Service and Solution Platform Integration Implementation
$30,000 - Acquire an Industry Leading VIP Team of Hackers Innovators and Application Developers and Pay Maintenance Fees for the VR Application
$30,000 - Research and Development in terms of the VR Application Including the Introduction of New Features and Acquisition of New Users

Key Features Summary
  • A ubiquitous End-to-End Encrypted Jabber-based OTR (Off-The-Record) Encrypted Chat Feature connecting millions of users globally
  • Clustered Skills and Experience-Based Opt-In Hacker and Security Expert Methodology in over 50 Categories Including Security Bloggers, Hacktivists, Anarchists, Privacy Advocates, Censorship Researchers and Human Rights Advocates, including Blackhat and Gray Hat hackers, Security Industry Leaders and VIP Members
  • Self-Sufficient Eternal Virtual Cyber Economy including a "Points-Based" Economy and Cybertronics Branded Custom Democracy And Voting-Based Cryptocurrency ensuring the spread preservation and dissemination of Computer Hacking and Information Security Knowledge to millions of loyal users globally
  • Localization at its best including advanced geolocation on a per-country and on a per-city basis introducing local Hacker and Security Expert communities introducing local Hacker and Security Expert economies and social network driven communities
  • Future Global Hacker and Security Expert Network including mainstream local and global community announcements and featured events and products including service
  • End-to-end Encrypted Communications including Enhanced Personal Encryption and User Identification using PGP (Pretty Good Privacy) and Jabber OTR (Off-The-Record-Messaging) including Yubico-Based Two-Factor Authentication Extended Validation SSL and DNSSEC Support
  • Closed-Communication Group Network Preserving Key Privacy and Security Features of Modern Hacker and Security Expert Social Network Platform
  • P2P-Based Content Distribution and Hosting Including Censorship and Surveillance Resilience
  • Standardized Security Product and Security and Hacking Service Partner API Allowing Vendors and Commercial and Community-driven Hacking and Security Service Providers Easy Access to the Platform
  • Covert Communication Channel P2P Based Social Media Platform Making Deep Packet Inspection Including Possible Communication Surveillance and Eavesdropping on Member Communication Virtually Impossible
  • Client-to-Site Ethernet Encryptor Further Enhancing The Privacy and Security Features of the Platform Making it Impossible for Someone To Eavesdrop or Launch a Potential Surveillance Attack Campaign
  • OpenPGP Smart Card Enabled Web-Based On-the-Fly SSL Session Authentication Ensuring Maximum Security and Advanced Identity-Based Secure User Authentication
Sample Technical Specifications:

Introduction
Executive Summary
Project Semantics
VR-Based Interface
Hardware Specifications Soliciting
Platform and Social Network Migration
Import Facebook Contacts
Import Gmail Contacts
Import Steam Contacts
Invite Your Friends
Earn Points for Converted Friends
Claim VIP Status
High-Trafficked Web Site
Major Security Project
Major Hacking Project
Old-School Hacking Project
Old-School Security Project
Old-School Hacking Software Developer
Old-School Security Software Developer
Access and Permission-Based Social Network Control System
Geolocation Points
VIP Status
Content-Based “Points Economy”
Voting-Based
Comments-Based
Application-Specification
Profile Basic Introduction
Requirements
Valid Email
Valid Phone Number
Valid Second Phone Number
Valid and User-Generated Profile
Valid and User-Generated Web Site
Category-Based Inclusion
Tags-Based Inclusion
Distributed Search Engine Indexing
Voting-Based Access Permission Granting
Profile Basics Categorization
Real Name
Handle
Valid Email
Valid PGP Key
Skills-Based Opt-In
Category-Based Opt-in
Trial Access
Featured VIP Participants
Network Status Update
Network Status Headline and Messages
Future Internet GUI Interface
Purchase Subscription
Partner Ecosystem API Registration
Penetration Testing Services API
Ethical Phishing Testing API
Honeypot Installation Service API
CanaryTokens API
T-Pot API
Honeydrive API
Connectivity Requirements
Cisco Malware Connector
P2P-Based Data and Information Hosting and Dissemination
Central Server
Redundancy Planning and Contingency Planning
Clear-Net Access
CHAVPN Closed-Group Access

Marketing Concept

The platform ultimately targets users in the following Categories:

Hackers
Independent Security Researchers
Penetration Testers
Hacker Groups
Activists
Free Speech Writers
Privacy Advocates
Censorship Researchers
Exploit Writers
Malicious Software Debuggers
Hacktivists
Political Activists
Security Bloggers
Cybercrime Researchers
Malware Researchers
OSINT Analysts
Intelligence Analysts

Sample Personal Photo of CEO and Founder of this Project - Dancho Danchev - The World's Leading Expert in the Field of Cybercrime Research and Threat Intelligence Gathering:

Sample Web Traffic Statistics for the Official Partner and Actual Founder and CEO of this Project - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge:

The Technical Specifications

Executive Summary
Project Semantics
VR-Based Interface
Hardware Specifications Soliciting
Platform and Social Network Migration
Import Facebook Contacts
Import Gmail Contacts
Import Steam Contacts
Invite Your Friends
Earn Points for Converted Friends
Claim VIP Status
High-Trafficked Web Site
Major Security Project
Major Hacking Project
Old-School Hacking Project
Old-School Security Project
Old-School Hacking Software Developer
Old-School Security Software Developer
Access and Permission-Based Social Network Control System
Geolocation Points
VIP Status
Content-Based “Points Economy”
Voting-Based
Comments-Based
Application-Specification
Profile Basic Introduction
Requirements
Valid Email
Valid Phone Number
Valid Second Phone Number
Valid and User-Generated Profile
Valid and User-Generated Web Site
Category-Based Inclusion
Tags-Based Inclusion
Distributed Search Engine Indexing
Voting-Based Access Permission Granting
Profile Basics Categorization
Real Name
Handle
Valid Email
Valid PGP Key
Skills-Based Opt-In
Category-Based Opt-in
Trial Access
Featured VIP Participants
Network Status Update
Network Status Headline and Messages
Future Internet GUI Interface
Purchase Subscription
Partner Ecosystem API Registration
Penetration Testing Services API
Ethical Phishing Testing API
Honeypot Installation Service API
CanaryTokens API
T-Pot API
Honeydrive API
Connectivity Requirements
Cisco Malware Connector
P2P-Based Data and Information Hosting and Dissemination
Central Server
Redundancy Planning and Contingency Planning
Clear-Net Access
CHAVPN Closed-Group Access
E-Shop Merchandise
Home-Based PC
Virtual Reality Headset
Leap Motion
Augmented Reality Glasses
Multi-Platform Compatibility
Augmented Reality Compatible
Background Mode
Security Features
Country-Geolocation
City-Geolocation
Two-Factor Authentication
SSL Encryption
Yubico Two-Factor Authentication Key
PGP Key Encryption
Convert Current Users
Introduce New Users
Jabber-Based Instant Messenger
CHAVPN Closed-Network-Group
VPN Router
Client-Based LAS Server Closed-Network Group Communication
Clustering
Experience-Based
Skills-Based
Country-Based
City-Based
VIP-Status
Reputation-Based Clustering
Categories-Based Search
Upload and Convert Photo
Custom Avatars
Choose Background Music
Purchase Music
Manual Search
Recommended People
Recommended Groups
Recommended Organizations
Universal Jabber-Based Messenger
Marketing Concept
Two-Factor Based Authentication
Mobile-Phone
$100 Entry Fee
Payment Methods
Direct Download
Hardware Online Test
Long Tail
Commercialization and Monetization
Self-Branded Internal Crypto-Currency

Cross-Platform Compatibility:

CEO Dancho Danchev BIO:

Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering, having actively pioneered his own methodology for processing threat intelligence throughout the past decade following a successful career as a hacker-enthusiast in the 90's, leading to active community participation and contribution as a Member of WarIndustries, List Moderator at BlackCode Ravers, Contributor to Black Sun Research Facility (BSRF), List Moderator and Software Contributor (TDS-2 Trojan Information Database) at DiamondCS, Trojan Defense contributor to LockDownCorp, Contributor to HelpNetSecurity, Managing Director of Astalavista Security Group's Astalavista.com - The Underground, Security Consultant for Frame4 Security Systems, contributor to TechGenix's WindowSecurity.com, security blogger for ZDNet Zero Day and Threat Intelligence Analyst for Webroot, leading to hundreds of high-quality analysis and research articles published at the industry's leading threat intelligence blogs - ZDNet's Zero Day, Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat Blog - with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld and H+Magazine, currently producing threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's Mind Streams of Information Security Knowledge.

With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol, the researcher continues to actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's Mind Streams of Information Security Knowledge - publishing a diverse set of hundreds of high-quality research analyses detailing the malicious and fraudulent activities of nation-state and malicious actors across the globe.

Sample Personal Photos of CEO Dancho Danchev:
Stay tuned!

Consolidation, or Startups Popping out Like Mushrooms?

June 13, 2006
If technology is the enabler, and the hot commodity these days, spammers will definitely twist the concept of targeted marketing while taking advantage of it. Last week I mentioned the concepts of VoIP, WiFi and cell phone spam that are slowly starting to take place.

Gartner recently expressed a (pricey) opinion on the upcoming consolidation of spam vendors, while I feel they totally ignored the technological revolution of spamming to come -- IPSec is also said to be dead by 2008.

"The current glut of anti-spam vendors is about to end, analysts at Gartner said Wednesday. But enterprises shouldn’t stay on the sidelines until the shakeout is over. By the end of the year, Gartner predicted, the current roster of about 40 vendors in the enterprise anti-spam filtering market will shrink to fewer than 10. As consolidation accelerates and as anti-spam technology continues to rapidly change, most of today’s vendors will be "left by the wayside," said Maurene Caplan Grey, a research director with Gartner, and one of two analysts who authored a recently-released report on the state of the anti-spam market."

The consequence of cheap hardware, HR on demand, angel investors falling from the sky on a daily basis, and acquiring vendor-licensed IP would be startups popping up like mushrooms to cover the newly developed market segments, and some will stick it out long enough not to get acquired, given they realize they possess a core competency.

Sensor networks, spam traps, Bayesian filters, all are holding the front, while we've been getting used to "an acceptable level of spam", not the lack of it. What's emerging for the time being is the next logical stage, localized spam in native languages, and believe it or not, it gets through the filters and impacts productivity, the major problem posed by spam.

SiteAdvisor -- I feel I'm almost acting as an evangelist of the idea -- recently responded to Scandoo's concept, by wisely starting to take advantage of their growing database, and provide the feature in email clients while protecting against phishing attacks. End users wouldn't consider insecure search by default in order to change their googling habits, they trust Google more than they would trust an extension, and they'd rather have to worry about Google abusing their click stream, compared to anything else. Anti-Phishing toolbars are a buzz, and it's nice to see the way they're orbiting around it.

Be a mushroom, don't look for an umbrella from day one!

Going Deeper Underground

June 10, 2006
IT Security Goes Nuclear, at least that's what they say.

"Venture capitalists are predicting a "business boom below ground" as blue-chip companies turn to nuclear bunkers built at the height of the Cold War in the battle to protect sensitive electronic data. The latest private equity investor to move in on the area is Foresight Venture Partners, which has just taken a 20 per cent stake in The Bunker Secure Hosting."

But no matter how deep underground you are, you would still be providing an Internet connection given you're a hosting company. That's an open network, compared to a closed one which is easier to control -- thick walls wouldn't matter when it comes to connectivity and insiders. It's logical for any data to be stated as secure in that type of environment, but an authorized/unauthorized "someone" will want to use and abuse it for sure.

VCs often exaggerate to develop a market sector they somehow envision as profitable in the long term; the real issue is that, while the idea is very marketable, you cannot base future trends on this fact only. They'd better invest in market segments such as portable security solutions, or risk management companies such as Vontu and Reconnex, which I covered in a previous post related to insider abuse.

Brace Yourself - AOL to Enter Security Business

June 09, 2006
In the re-emergence of the Web, AOL got the attention it never imagined it would get, with Microsoft and Google fighting for a share of its modest but strategic amount of eyeballs. After being an exclusive part of Time Warner's balance sheet since its early acquisition, and with a $510M fine and a dial-up business that was profitable by the time telecoms started offering cable connections, due to the years of infrastructure renovation, the thought-to-be-mature online advertising model is what saved it. Now, AOL is basically putting half its leg into the red hot security market and wisely playing it safe as:

"AOL plans to expand into security services with the release of the Active Security Monitor, expected on Thursday. The program would also check to make sure Internet Explorer is properly configured to prevent security holes. "ASM determines a security score for your PC, and for all other PCs in your home network, by evaluating the status of all the major components needed for a robust system: Anti-Virus software, Anti-Spyware software, Firewall protection, Wireless Security, Operating System, Web Browser, Back up software and PC Optimization.""

After the scoring, I presume it would "phone back home" and let AOL know what end users are mostly missing, then a solution provided by AOL, or a licensee would follow. Benchmarking against AOL's understanding of application based security is tricky, and I bet you already know the programs necessary to establish common sense security on your PC/network. Who's next to enter the security industry besides Microsoft and AOL, perhaps DoubleClick?

CNET has naturally reviewed the Active Security Monitor.

The Global Security Challenge - Bring Your Know-How

May 30, 2006
It's a public secret that the majority of innovative ideas come from either the academic environment, or plain simple entrepreneurial spirits. I find such annual competitions a valuable incentive for both sides to unleash the full power of their ideas, or commercialize them - consciously or subconsciously. SpaceShipOne is a case study on how elephants can't dance, or at least how they dance on high profit margins only.

Recently announced, The Global Security Challenge seeks "...to help young startups succeed in the security field. Take advantage of this unique opportunity to get your ideas in front of investors, media, and government and industry leaders." And most importantly:

"We seek to uncover the creative capabilities of innovators in universities and infant companies that apply to public security needs. This includes software, hardware or other industrial solutions that help (a) protect people, critical infrastructure, facilities and data/electronic systems against terrorist or other criminal attacks and natural disasters or (b) help governments, businesses and communities defend against, cope with or recover from such incidents. Examples of Technologies We Seek:
- Mesh Networks
- Data Storage and Recovery
- Detection/ Sensors
- Biometrics
- Search Software
- Cyber/Network Security
- Communications Interoperability & Reconstruction
- Biological/Chemical/Radiological Remediation
- Protective Equipment
- RFID, Asset Tracking & Container Security
- Biotechnology"

I bet the revenues of Europe's top private security companies exceed the entry limit of less than £10 million in annual revenue; it's worth speculating on their participation. Do your homework, know your competitors better than they know themselves, work out your elevator pitch, and disrupt.

As far as acquisitions are concerned, SiteAdvisor is the first recently acquired startup that comes to my mind, with its $70M acquisition deal valuation. As it obviously goes beyond VC-type mentorship, to many this seemed like an overhyped deal. There's no price for being a pioneer, but there is a price on acquiring the position -- a stairway to heaven. Right now, a vertical security market segment is slowly developing, and it is my humble opinion that the company's pioneering position is poised for success. Another alternative to SiteAdvisor's safe search function is the recently launched Scandoo.com, which actually integrates the results from Google and Yahoo -- I doubt users would that easily change their search preferences though.

Who's next to get acquired, or hopefully funded?

Valuing Security and Prioritizing Your Expenditures

May 15, 2006
I often blog on various market trends related to information security and try to provide in-depth coverage of emerging or current trends -- in between active comments. In previous posts "FBI's 2005 Computer Crime Survey - what's to consider?", "Spotting valuable investments in the information security market", "Why we cannot measure the real cost of cybercrime?", "Personal Data Security Breaches - 2000/2005" and "To report, or not to report?" I emphasized the following key points in respect to data security breaches and security investments:

- on the majority of occasions companies take an outdated approach towards security, still living in the perimeter-based security solutions world
- companies and data brokers/aggregators are often reluctant to report security breaches even when they have the legal obligation to, either because the breach still hasn't been detected or because of a lack of awareness of what constitutes a breach worth reporting
- the flawed approaches towards quantifying the costs related to cybercrime result in overhyped statements in direct contradiction with security spending
- companies still believe in the myth that spending more on security means better security, but that's not always the case
- given the flood of marketing and the never-ending "media echo" effect, decision makers often find themselves living with current trends, not with the emerging ones, which is what they should pay attention to

It is often mistaken that the more you spend on security, the higher level of security would be achieved, whereas that's not always the case -- it's about prioritizing and finding the most suitable metrics model for your investment.
Here's an article describing exactly the same impression:

"Security breaches from computer viruses, spyware, hacker attacks and equipment theft are costing British business billions of pounds a year, according to a survey released Tuesday. The estimated loss of $18 billion (10 billion pounds) is 50 percent higher than the level calculated two years ago, according to the survey that consultancy PricewaterhouseCoopers conducted for the U.K. Department of Trade and Industry. The rise comes despite the fact that companies are increasing their spending on information security controls to an average 4 percent or 5 percent of their IT budget, compared with 3 percent in 2004."
That's pretty much the situation everywhere: companies are striving to apply metrics to security investments, and this is where it all gets blurry. Spending more on security might seem to be the logical answer, but start from the fact that open networks, exposed to a great deal of uncontrollable external factors, undermine the majority of models so far. Bargaining with security, or "Getting paid for getting hacked", remains a daily practice whatsoever. Let's consider various social aspects concerning the participants.

A financial executive often wants to know more on:

- Do I get any return on my investment (ROI) ?
- What % of the risk is mitigated and what are your benchmarking methods?
- What may I lose if I don't invest, and where's the sweet spot?
- How much is enough?
- How do I use basic financial concepts such as diversification in the security world?
- How would productivity be influenced due to the lack of solutions, or even their actual use?
A security consultant, on the other hand, might be interested in: How do I convince senior management of the benefits of having a honeyfarm in respect to mitigating the overall risk of having real systems breached, without using cyberterrorism as the basis of discussion?

These different schools of thought, positions, responsibilities and budget-allocation hungry individuals constantly have trouble communicating with each other. And while you cannot, and perhaps even should not, try to educate your security workforce in the basics of finance, an understanding of both sides' point of view may change things -- what you don't see value in is often someone else's treasure.

Another recent article on the topic of justifying security expenditure, or rather assigning value to it, made an impression on me:

"So we came up with Value Protection," Larson says. "You spend time and capital on security so that you don't allow the erosion of existing growth or prevent new growth from taking root. The number-one challenge for us is not the ability to deploy the next, greatest technology. That's there. What we need to do now is quantify the value to the business of deploying those technologies." "It adds value; we're very supportive of it," says Steve Schmitt, American Water's vice president of operations, of Larson's Value Protection metric. For a while, people were just trying to create reasonable security, Schmitt says, "but now you need something more—something that proves the value, and that's what Bruce developed. Plus, as a secondary benefit, it's getting us better visibility from business owners and partners on risks and better ways to mitigate the risks."
Good point on first estimating the usefulness of current technologies before applying the "latest" or "newest" ones. The rest comes down to the good old flaws in the ROSI model: how would you be sure that it would be the $75,000 virus outbreak that hits your organization, and not the $5,000 one? "Return On Security Investment (ROSI) – A Practical Quantitative Model" emphasized the challenges of blindly assigning the wrong value to a variable:

"The virus scanner appears to be worth the investment, but only because we’re assuming that the cost of a disaster is $25,000, that the scanner will catch 75% of the viruses and that the cost of the scanner is truly $25,000. In reality, none of these numbers are likely to be very accurate. What if three of the four viruses cost $5,000 in damages but one costs $85,000? The average cost is still $25,000. Which one of those four viruses is going to get past the scanner? If it’s a $5,000 one, the ROSI increases to nearly 300% – but if it’s the expensive one, the ROSI becomes negative!"
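The arithmetic behind the quoted scenario, as an added worked example (mine, not code from the paper or from this blog): it applies the model's formula ROSI = (Risk Exposure × %Risk Mitigated − Solution Cost) / Solution Cost to the quoted figures ($25,000 average incident, 75% catch rate, $25,000 scanner). The paper's "three of the four viruses" implies four incidents a year, which is the only figure assumed here; the function names are my own.

```python
"""ROSI sensitivity check for the quoted virus-scanner scenario (added example)."""
from itertools import combinations
from statistics import mean

# Figures from the quoted paper; four incidents/year is implied by "three of the four".
AVERAGE_INCIDENT_COST = 25_000
CATCH_RATE = 0.75
SCANNER_COST = 25_000
INCIDENTS_PER_YEAR = 4


def rosi(risk_exposure, risk_mitigated, solution_cost):
    """ROSI = (Risk Exposure * %Risk Mitigated - Solution Cost) / Solution Cost.

    Returned as a ratio: 2.0 means 200%, -0.4 means -40%.
    """
    return (risk_exposure * risk_mitigated - solution_cost) / solution_cost


def rosi_from_averages(incident_costs, catch_rate, solution_cost):
    """The textbook calculation: risk exposure is the sum of the year's incidents
    (the annual loss expectancy) and the scanner is assumed to remove catch_rate of it."""
    return rosi(sum(incident_costs), catch_rate, solution_cost)


def rosi_per_outcome(incident_costs, caught_count, solution_cost):
    """The paper's objection: the scanner catches a *count* of viruses, not a share
    of dollars. Enumerate every way (n - caught_count) incidents could slip past and
    return {indices_missed: ROSI} for each outcome."""
    n = len(incident_costs)
    missed = n - caught_count
    outcomes = {}
    for missed_idx in combinations(range(n), missed):
        prevented = sum(c for i, c in enumerate(incident_costs) if i not in missed_idx)
        outcomes[missed_idx] = (prevented - solution_cost) / solution_cost
    return outcomes


def rosi_range(incident_costs, caught_count, solution_cost):
    """(worst, best, expected) ROSI over all outcomes; 'expected' assumes each
    incident is equally likely to be the one that gets through."""
    values = list(rosi_per_outcome(incident_costs, caught_count, solution_cost).values())
    return min(values), max(values), mean(values)


if __name__ == "__main__":
    uniform = [AVERAGE_INCIDENT_COST] * INCIDENTS_PER_YEAR
    skewed = [5_000, 5_000, 5_000, 85_000]  # same $25,000 average, different spread
    caught = int(CATCH_RATE * INCIDENTS_PER_YEAR)  # 3 of 4 viruses stopped

    print(f"averages only:        ROSI = {rosi_from_averages(uniform, CATCH_RATE, SCANNER_COST):.0%}")
    for missed, value in rosi_per_outcome(skewed, caught, SCANNER_COST).items():
        cost = skewed[missed[0]]
        print(f"missed the ${cost:,} virus:  ROSI = {value:.0%}")
    worst, best, expected = rosi_range(skewed, caught, SCANNER_COST)
    print(f"range {worst:.0%} .. {best:.0%}, expected {expected:.0%}")
```

Running it shows why the averaged figure is misleading rather than wrong: the expected ROSI over all outcomes is the same 200% the averages give, but a single year lands anywhere between -40% and 280% depending on which incident the scanner misses, and it is that variance, not the mean, that a budget decision should weigh.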



Among the first things to keep in mind while developing a risk management plan is to identify the assets, identify the potential attackers, and find ways to measure the threat exposure and the current threatscape as well. In a publication I wrote three years ago, "Building and Implementing a Successful Information Security Policy", which as a matter of fact I still find a quality and in-depth read on the topic, I outlined some ideas on achieving the full effect of the above-mentioned practices -- it's also nice to come across it given in assignments and discussed in lectures too. An excerpt on Risk Analysis:

"As in any other sensitive procedure, Risk Analysis and Risk Management play an essential role in the proper functionality of the process. Risk Analysis is the process of identifying the critical information assets of the company and their use and functionality -- an important (key) process that needs to be taken very seriously. Essentially, it is the very process of defining exactly WHAT you are trying to protect, from WHOM you are trying to protect it and most importantly, HOW you are going to protect it."



Identifying the threats, and some current threats worth keeping in mind:
- windows of opportunity/0day attacks
- lousy asset/vulnerability/patch management
- insecure end-user habits
- sneaky and sophisticated malicious software
- wireless/bluetooth information leakage
- removable media information leakage



How would you go about measuring risk exposure and the risk mitigated factor?



Risk exposure and risk mitigated are both interesting and hard to quantify. Should we consider the whole population, given that we somehow manage to obtain fresh information on the current threats (through the use of an Early Warning System such as Symantec's DeepSight Analyzer, the Internet Storm Center, or iDefense's Intelligence services, for instance)? Today, it is often based on:



- the number of workstations and network assets divided by the historical occurrence of a particular security event on the network -- the effects specific to a company's infrastructure, such as the use of mobile agents, are sometimes hard to account for
- the historical TCO data related to typical breaches/security events



Risk mitigated is often tackled by the use of best practices -- whether outdated or relevant is another matter. Cyber insurance and the current, sort of scientifically justified ROSI model are everyday practice, but knowing the inner workings of your organization and today's constantly changing threatscape, and how (and whether) it affects you, is a key practice while prioritizing expenditure. You cannot, and should not, deal with all the insecurities facing your organization; instead consider prioritizing your security expenditure rather than just following the daily headlines and vendor-released, short-term-centered research.



It's hard to quantify intellectual property's value, the way it's hard to quantify TCO losses due to security breaches, and it's perhaps the perfect moment to mention the initiative that I undertook at the beginning of this year -- a 50/50 security/financial cross-functional team working on coming up with a disruptive idea -- more on the current status soon; still, thanks for the time and efforts, folks! To sum up, a nice quote by the authors of the research I mentioned: "Most of the problems stem from the fact that security doesn’t directly create anything tangible – rather it prevents loss. A loss that’s prevented is a loss that you probably won’t know about."



At the bottom line, are you making money out of having security -- that is, thinking business continuity, not contingency planning -- and should we keep on trying to adapt financial concepts rather than rethinking them altogether?



Recommended reading/resources on the topic of justifying security expenditure:
Return on Information Security Investment
Risk - A Financial Overview
Calculated Risk - Guide to determining security ROI
The Return on Investment for Network Security
Analysis of Return on Investment for Information Security
Methodologies for Evaluating Information Security Investments
Risk Assessment for Security Economics - very informative slides
Economics and Security Resource page
Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm
PKI and Financial Return on Investment
Privacy Breach Impact Calculator
Guide to Selecting Information Technology Security Products

Insider fined $870

April 05, 2006
Insiders still remain an unresolved issue, where the biggest trade-off is the loss of productivity and of trust in the organizational culture. According to the Sydney Morning Herald:



"A court in Guangzhou, capital of the southern Chinese province of Guangdong, has upheld a lower court's guilty verdict against Yan Yifan for selling stolen passwords and virtual goods related to the online game "Da Xihua Xiyou." The court upheld a $870 US fine, arguing that victimized players had spent time, energy, and money to obtain the digital items Yan sold. Yan stole the players' information while an employee for NetEase.com, the company behind the game."



So, it's not just 0days, eBay/PayPal accounts, and spyware market entry positions for sale -- but virtual world goods as well.



While it's not a top espionage case, or one comparable to the recent arrest of "two men, identified as Lee and Chang, on charges of industrial espionage for downloading advanced mobile phone designs from employer Samsung for sale to a major telecommunications firm in Kazakhstan", insiders still represent a growing trend that, according to the FBI's most recent 2005 Computer Crime Survey, cost businesses $6,856,450.


Then again, failing to adequately quantify the costs may either fail to assess the situation, or twist the results based on unmaterialized but expected sales, as according to the company, "Samsung could have suffered losses of $1.3 billion US had the sale been completed." Trust is vital, and so is the confidence in Samsung's business case.




Getting paid for getting hacked

March 17, 2006
In the middle of February, Time Magazine ran a great article on cyber insurance, or "Shock Absorbers", and I feel this future trend deserves a couple of comments. From the article:



"As companies grow more dependent on the Internet to conduct business, they have been driving the growing demand for cyber insurance. Written premiums have climbed from $100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group. The need for cyberinsurance has only increased as hackers move away from general mischief to targeted crimes for profit. Insurers offer two basic types of cyber insurance: first-party coverage will help companies pay for recovery after an attack or even to pay the extortion for threatened attacks, while third-party coverage helps pay legal expenses if someone sues after a security breach. Demand for insurance is also driven by laws in over twenty states that require companies to notify consumers if a breach compromises their personal data. However, prevention is still the top priority for most companies, since loss of critical data to competitors would do damage beyond the payout of any policy."



Cyber insurance seems to be an exciting business with a lot of uncertainty compared to other industries with more detailed ROIs, as I feel the information security one is missing a reliable ROSI model. I once blogged about why we cannot measure the real cost of cybercrime, and commented on the same issue in "FBI's 2005 Computer Crime Survey - what's to consider?". Don't get me wrong, these are reliable sources for various market indicators; still, the situation is, of course, even worse.


But how do you try to value security at the bottom line?



Bargaining with security and negotiating its cost is projectable and easy to calculate, but whether security is actually in place or somehow improved seems to be a second priority -- a bad bargain in the long term, but a marketable one in the short term.



Going back to the article, I hope there aren't any botnet herders reading this, especially the first-party coverage point. To a certain extent, that's a very pointless service, as it fuels the growth of DDoS extortion: now it's the insurer having to pay for it, meaning there are a lot of revenue streams to be taken by the cybergang. While covering the expenses of extortion attempts is very marketable, it clearly highlights how immature the current state of the concept really is. Something else to consider is that a lot of companies reasonably take advantage of MSSPs with the idea of forwarding risk/outsourcing their security to an experienced provider and, most importantly, of budgeting their security spending. And while California's SB 1386 is an important factor for the growth of the service given the 20 states participating, with the number of databases stolen from commercial, educational and military organizations alike, insurers will start earning a lot of revenue that could perhaps have been spent on security R&D -- which I doubt they would spend it on, would they?



UPDATE:
The post has just appeared at Net-Security.org - "Getting paid for getting hacked", as well as LinuxSecurity.com - "Getting paid for getting hacked"



Related resources:

Cyber-Insurance Revisited
Economics and Security Resource Page
WEIS05 WorkShop on Economics and Information Security - papers and presentations
Valuing Security Products and Patches
The New Economics of Information Security
Safety at a Premium
Cyber Insurance and IT Security Investment Impact on Interdependent Risk
Network Risks, Exposures and Solutions




Why we cannot measure the real cost of cybercrime?

January 10, 2006
At the end of 2005, a rather contradictory statement was made, namely that the costs of cybercrime have surpassed those of drug smuggling. And while I feel it has been made in order to highlight the threats posed by today's cyber insecurities, I find it a bit of an unrealistic one.

Mainly because of:

- the lack of a centralized database and approach to keep track of, and measure, the costs of cyber crime
Centralization is useful sometimes, and so is standardization. My point is that it doesn't matter how many metrics I go through on a monthly basis; they all have had different approaches while gathering their data. Estimated or projected losses are a tricky thing, the way Donald Trump's valuation is largely based on his name brand. In this very same way, if we were to quantify the losses of a worldwide worm outbreak posed by direct attacks on the availability and integrity of networks and hosts, it would always be rather unrealistic, yet hopefully scientifically justified to a certain extent!

I feel it's about time the industry appoints a watchdog with an in-depth understanding of the concept. A watchdog that has the open source intelligence attitude, and the law enforcement backup to differentiate online identity theft from dumpster diving, and both soft and hard dollar losses out of an event.

- the flawed approaches towards counting the TCO costs
"We had our network hit by a worm attack, where 200 out of 1000 desktops got successfully infected, resulting in 4 hours of downtime of the 200 desktops, and with the department's $15 hourly rate it resulted in a direct loss of productivity." A rather common approach these days. What isn't included is the time the IT/Security department spent fixing the problem, the eventually increased infosec budget (given the department takes advantage of the momentum and asks for more), and the potential lawsuits that may follow from other companies whose systems have been attacked by any of the 200 infected ones. A security incident shouldn't be isolated when it comes to costs; yet it's the best approach to bring some accountability, though it's totally unrealistic. The butterfly effect has its word in both the real and the financial world.

- the hard-to-quantify intellectual property theft
Continuing my thoughts from the point above: counting the IT/Security department's associated costs, as well as the loss of productivity at the hourly rate, is easy, yet untrue, especially when there has been a theft of intellectual property. If we were to even estimate the potential dollar losses of intellectual property theft due to security breaches, it would surpass the U.S. budget deficit and reach the levels of a developing economy's GDP, I bet that! The current inability of the industry to successfully quantify the costs of intellectual property theft results in a mere estimation of the real costs of the cyber crime act. In this case, it's more complex than some want to believe.

- lack of disclosure enforcement
More and more states (U.S. only, painfully true, but the world is lagging behind) are adopting breach disclosure laws with the idea of preventing successful use of the information, seeking accountability from the organizations/enterprises, and, hopefully, resulting in clearer metrics on what exactly is going on in the wild. However, the lack of acceptance, and sometimes even the lack of awareness of being hacked, is resulting in a highly underestimated picture of the real state of cyber crime today. The more disclosure enforcement and actual awareness of the breaches, the better the metrics, the understanding of where the threats are going, and the accountability for the organizations themselves.

- surveys and metrics should always be subject to question
The way a research company gathers survey and metrics data should always be subject to question. Even the surveys and research of highly respected law enforcement agencies clearly indicate similarities, though when it comes to financial losses, every organization has a different measurement approach and understanding of the concept. That is why, in the majority of cases, they aren't even aware of the actual long-term, or soft dollar, losses directly posed by a single security breach. Evaluating assets and assigning dollar values to intellectual property is tricky, and it could either provide a more realistic picture of the actual losses, or overestimate them due to the company "falling in love" with the intellectual value of its breached information.

- companies fearing shame do not report the most relevant events today, online extortion or DDoS attacks
No company would publicly admit complying with online extortionists, and no matter how unprofessional it may sound, a LOT of companies pay not to have their reputation damaged, and it's not just public companies I'm talking about. How should a company react in such a situation: fight back, have its web site shut down resulting in direct $ losses outpacing the sum requested by the extortionists, or comply with the request, only to have to deal with the issue again later on? How much value would a company gain from fighting back, or from publicly stating that it has such a problem and is complying with it? What's more, should quantifying a successful DDoS attack on an e-shop also include the downtime effect for the ISP's customers, given they don't null route the site, of course? And who is counting all of these, and how far would their impact actually reach?

- the unmaterialized sales of people avoiding shopping online
A topic that is often neglected when it comes to e-commerce is the HUGE number of people who aren't interested in participating (though they have the ability to do so online), mainly because of the fear posed by cyber crime, of having their credit card data stolen, etc. The current revenues of e-commerce, in my point of view, are nothing compared to what they could be if the industry's leaders gently united in order to build awareness of their actions towards improving security. I also consider these people a cost due to cyber crime!

At the bottom line, drug addicts don't exist because of drugs, but because of the society, and it may be easier to execute phishing attacks than smuggle cocaine from Mexico to the U.S, but this is where the real $$$ truly is from my point of view - drugzZzZzZzZ...................:)
