Friday, July 21, 2006

Budget Allocation Myopia and Prioritizing Your Expenditures

Top management's empowerment - the dream of every CSO, or IT manager responsible for allocating the infosec budget and requesting future increases. The biggest downside of your current or future empowerment is how easy it is to get lost in a budget allocation myopia instead of actually prioritizing your expenditures. According to Gartner, security is all about the percentage of budget allocation:

"Organizations that have reached a high level of IT security practice maturity can safely reduce spending to between 3% and 4% of the IT budget by 2008, according to research firm Gartner Inc. By contrast, organizations that are inefficient or have historically underinvested in security may spend upwards of 8% of their IT budget on security. This means that many organizations will still be investing aggressively for the next few years. Rich Mogull, research vice president and conference chair of the Gartner IT Security Summit which starts in Sydney Tuesday, said that there are now solutions to most information security problems. It's just a matter of implementing the technology efficiently and effectively so resources can be focused on new threats," Mogull said. While information security has become a highly specialized branch of IT, commodity security functions are often being returned to IT operations. Organizations that are still impacted by everyday, routine threats must ramp up and become more mature in their approach."

I find this a wrong emphasis on higher spending as the cornerstone of "better security", and even if it were so, who's your benchmark at the bottom line? In a previous in-depth post on Valuing Security and Prioritizing Your Expenditures, I discussed the currently hard-to-implement ROSI (return on security investment) model, and pointed out the following key points on data security breaches and security investments:

- on the majority of occasions companies are taking an outdated approach towards security, one still living in the world of perimeter-based security solutions

- companies and data brokers/aggregators are often reluctant to report security breaches even when they have the legal obligation to, either because the breach still hasn't been detected, or because of a lack of awareness of what constitutes a breach worth reporting

- the flawed approaches towards quantifying the costs related to cybercrime result in overhyped statements that stand in direct contradiction with security spending

- companies still believe in the myth that spending more on security means better security, but that's not always the case

- given the flood of marketing and the never-ending "media echo" effect, decision makers often find themselves living with current trends rather than the emerging ones, which are what they should be paying attention to

There's also a rather simplistic explanation of the effect of industry convergence:

"Mogull also said that functional convergence in security products is occurring. For example, host firewalls, antivirus, antispam, and basic host intrusion prevention are combining into single, desktop agents. In the future, this will make security less complex, he said."

I wish the analyst had reached the stage of weighing the potential TCO increase against the beneficial diversification of appliances/products, a trade-off that naturally depends on one's perspective. Meanwhile, here's an article on how NOT to "sell security" to your CEO: CEOs tend to understand the basics of ROI, it's just the RO(S)I they want applied scientifically -- compliance is perhaps your best friend these days. It's not about the percentage of spending, but about what you're actually spending on, and when.

Go through a previous post on information security market trends to consider, and try to stay on top of security, not merely in line with it.

Thursday, July 20, 2006

Open Source North Korean IMINT Reloaded

Continuing the latest coverage on North Korea, and the Travel Without Moving series, yesterday I came across an ongoing initiative on Google-Earthing the North Korean military, pointing out that:

"In fact, there are several military and intelligence employees, some retired and some active, who turn the defense job into a hobby, helping to point out and explain foreign military curiosities at the very civilian level of Google Earth. One current imagery analyst explained that, though he never divulges classified information, he often ‘identifies naval vessels at’ bases that ordinary Google Earth explorers have stumbled upon. Also, maps from sites such as Globalsecurity.org are overlaid onto the framework of Google Earth. Like an army of ants, the nearly 550,000-strong Google Earth community has voraciously explored the North Korean military installations, including: Musadan-ri/No-Dong missile test site, Pipa Got naval base, Cho Do naval base"

Given the powerful driving force and the size of the Google Earth community, it could definitely save taxpayers' dollars, but high-resolution and timely imagery still remains the critical issue here. Open Source IMINT is gaining scale, and I'm sure someone's watching the trend as well.

Related resources and posts:
GEOINT
Reconnaissance
The "threat" by Google Earth has just vanished in the air
Suri Pluma - a satellite image processing tool and visualizer
Security quotes : a FSB (successor to the KGB) analyst on Google Earth

Satellite Reconnaissance of the Future (1998)
Military Reconnaissance Satellites (IMINT)
Military Intelligence Satellites
North Korea Sightseeing
Shedding light on North Korea (330+ placemarks)

Monday, July 17, 2006

Malware Search Engine

While it seems to take a publicly traded Internet filtering company to come up with quite some creativity, it always comes back to the community to break through the FUD and release a PoC Malware Search Engine.

The concept is great, excluding the dark web (content closed behind authentication, or protected by basic crawler-blocking approaches), but what bothers me, besides all the fuss, is that it's a signature-based approach taking advantage of Google's most recent crawl of the Web. 0day malware naturally remains undetected, while it's a great way to sum up the percentage of infections with known malware on different domains/hosts, provided you know what to look for and where. It's not the binary nature of malware that deserves emphasis, but today's malware being released under a GPL license, an issue I stated as a key factor for the future growth of malware at the beginning of 2006. I also came across an article pointing out the same problem:
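To make the limitation concrete, here is an added example (my own illustration, not code from the PoC search engine or from Google) of what a signature-based scan over a crawl index can and cannot tell you. The crawl, the signature names (Bot.Example.A, Dropper.Example.B) and the byte patterns are all constructed placeholders; the point is that the per-host "percentage infected with known malware" is easy to compute, while a repacked or otherwise unseen sample scores zero on every host.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

# Constructed signature database (hypothetical family names, harmless placeholder bytes).
# "MZ" stands in for the PE header prefix a real rule might anchor on.
PATTERN_SIGNATURES = {
    "Bot.Example.A": b"MZ\x90\x00EXAMPLE_BOT_A",
    "Dropper.Example.B": b"EXAMPLE_DROPPER_B_STAGE2",
}

# Constructed crawl snapshot: (url, bytes the crawler fetched). Anything behind
# authentication or a robots.txt block never makes it into this list at all.
CRAWL = [
    ("http://host-a.example/index.html", b"<html>hello</html>"),
    ("http://host-a.example/dl/setup.exe", b"MZ\x90\x00EXAMPLE_BOT_A\x00padding"),
    ("http://host-b.example/a.bin", b"EXAMPLE_DROPPER_B_STAGE2 payload"),
    ("http://host-b.example/b.bin", b"clean content"),
    # "0day" sample: same family as Bot.Example.A, but repacked so the pattern changed.
    ("http://host-c.example/new.exe", b"MZ\x90\x00EXAMPLE_B0T_A_V2"),
]

# Exact-hash signatures are even more brittle: a single changed byte misses.
HASH_SIGNATURES = {
    hashlib.sha256(b"MZ\x90\x00EXAMPLE_BOT_A\x00padding").hexdigest(): "Bot.Example.A",
}


def scan_object(data, patterns=PATTERN_SIGNATURES, hashes=HASH_SIGNATURES):
    """Return the sorted set of signature names that match this object."""
    hits = {name for name, pat in patterns.items() if pat in data}
    digest = hashlib.sha256(data).hexdigest()
    if digest in hashes:
        hits.add(hashes[digest])
    return sorted(hits)


def scan_crawl(crawl, patterns=PATTERN_SIGNATURES, hashes=HASH_SIGNATURES):
    """Per-host tallies: objects seen, objects matched, families matched."""
    stats = defaultdict(lambda: {"objects": 0, "matched": 0, "families": set()})
    for url, data in crawl:
        host = urlparse(url).netloc
        stats[host]["objects"] += 1
        hits = scan_object(data, patterns, hashes)
        if hits:
            stats[host]["matched"] += 1
            stats[host]["families"].update(hits)
    return dict(stats)


def infection_percentage(stats):
    """Share of crawled objects per host that matched a known signature."""
    return {h: round(100.0 * s["matched"] / s["objects"], 1) for h, s in stats.items()}


def unmatched_objects(crawl, patterns=PATTERN_SIGNATURES, hashes=HASH_SIGNATURES):
    """URLs the signature scan says nothing about; these need other analysis, not 'clean'."""
    return [url for url, data in crawl if not scan_object(data, patterns, hashes)]


if __name__ == "__main__":
    stats = scan_crawl(CRAWL)
    for host, pct in infection_percentage(stats).items():
        print(f"{host}: {pct}% of crawled objects matched {sorted(stats[host]['families'])}")
    print("no verdict for:", unmatched_objects(CRAWL))
```

Host-c's repacked sample lands in the "no verdict" list together with the genuinely clean pages, which is exactly the gap the post describes: a signature hit is evidence of known malware, but the absence of a hit is not evidence of a clean host.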

"Open tools and techniques have found favor among an unlikely community. Malware writers are using open-source ideas and tools to share malicious code, collaborate, and wreak online mayhem, the security firm McAfee said in a report issued Monday. Cyber criminals are making available source code with documentation so that it can be easily modified using popular open-source project management tools like Content Versioning System (CVS), thus giving malware creation a high degree of efficiency, said McAfee’s Global Threat Report for 2006."

Until I release a summary of what I've been coming across for quite a while -- tons of bot source codes available on the public Web, barely any binaries -- go through the previous posts on this diverse topic as well, to keep the discussion going.

UPDATE: eWeek has a nice article on the topic

Malware
Malware trends - Q1, 2006
What are botnet herds up to?
Why relying on virus signatures simply doesn't work anymore?
Skype to control botnets?!
The War against botnets and DDoS attacks
Master of the Infected Puppets
One bite only, at least so far!
Look who's gonna cash for evaluating the maliciousness of the Web
The anti virus industry's panacea - a virus recovery button
No Anti Virus Software, No E-banking For You
The Current State of Web Application Worms
Web Application Email Harvesting Worm
Unknowingly Becoming a Child Porn King
Real-Time PC Zombie Statistics
Malicious Web Crawling

Agobot configuration interface courtesy of Hakin9's "Robot Wars – How Botnets Work".

Sunday, July 16, 2006

Weaponizing Space and the Emerging Space Warfare Arms Race

Satellite jamming, hijacking, space SIGINT and space kill vehicles are just the tip of the iceberg in the ongoing weaponization of space. In previous posts "Who needs nuclear weapons anymore?", "EMP warfare - Electronic Domination in Reverse", and "Is a Space Warfare arms race really coming?" I expressed my opinion on the current and emerging efforts to install and experiment with space weapons, and mostly emphasized the major problem - the arms race fear itself. What's also worth mentioning is how the original anti-missile defense system, Star Wars, transformed from a defensive into an offensive tool for warfare. SFAM at CyberpunkReview.com made a good comment:

"Weaponizing space when there really isn't any competitor is a really bad idea. Truly though, the issue that obfuscates things is the US military's change from a threat-based acquisition system (where weapon systems were acquired to combat specific and verifiable threats) to a capability-based acquisition system is the problem. The switch to a capability-based system, being divorced from threats (since the Wall fell, most of the threats did as well), can find justification for new weapon systems even if there isn't a verifiable enemy or even a proven, irreplaceable need in warfare for the technology. Case in point - nobody is challenging the US for air supremacy, yet we have massively expensive acquisitions underway for the F-22 (which should have been killed in 1991) and the F-35 (Joint Strike Fighter)."

I just came across a great initiative aiming to act as a facilitator for debating the problem. SpaceDebate.org aims to:

"expand the debate on the weaponization of space through a collaborative wiki-like tool for structured debate on a topic. You can learn more by taking the quick tour, reading the about page, or browsing our frequently asked questions. You can also jump into the debate by browsing our argument list or one of the positions"

I feel there's a more serious problem we should be discussing at present than the world's superpowers waging wars in space, and it's called Near Earth Object Protection -- there's even a distributed client for tracking the hazard posed by NEOs. For instance, consider the following alternatives for combating the real threat in space - the universe itself:

"There’s been no shortage of ideas how to fend off unfriendly fire from the cosmos: laser beams, space tugboats, gravity tractor, and solar sails for example, as well as using powerful anti-NEO bombs, conventional as well as nuclear. Ailor, also Director of The Aerospace Corporation’s Center for Orbital and Reentry Debris Studies, told SPACE.com that creative ways to deflect Earth-harming NEOs are far from being exhausted. People have put a lot of concepts on the table over time, Ailor said. Now we’re beginning to try and develop an organized way of looking at those things and finding out which ones are really viable in the short-term, medium-term, and what technologies do we need to protect and develop for the long-term as well."

I've always thought the human race is an experiment by a super-intelligent race trying to figure out how long it's gonna take us to self-destroy our kind. In case you're interested in the current situation on space warfare, you can also go through the Space Security 2006 book (111 pages), and previous editions as well. An excerpt from the executive summary:

"A growing number of states, led by China, Russia, the US, and key European states, increasingly emphasize the use of space systems to support national security. Dependence on these systems has led several states to view space assets as critical national security infrastructure. US military space doctrine has also begun to focus on the need for “counterspace operations” to prevent adversaries from accessing space. Building on existing trends, in 2005 actors that included the EU, India, Israel, and Japan placed more emphasis on the national security applications of space. Israel and Japan introduced plans to boost surveillance capabilities from space. India’s Air Force urged the government to set up a Strategic Aerospace Command to better develop military space capabilities."

Don't look for enemies where there aren't any yet, but deal with the real space threat. Camouflage, Concealment, and Deception (CC&D) techniques table courtesy of FAS's "Threats to United States Space Capabilities".

Related resources:
Space
SPAWAR