You know Dilbert, don't you? I find this cartoon a very good representation of what is going on in the emerging market for software vulnerabilities, and of course, its OTC trade practices -- total miscommunication and different needs and opinions. While different opinions and needs provoke quality discussion and I understand the point that everyone is witnessing that something huge is happening, "so why shouldn't I?", but at the bottom line, it's so obvious that there isn't any sort of mission or social welfare goal to be achieved, that everyone is commercializing what used to be the "information wants to be free" attitude.
Weren't software vulnerabilities supposed to turn into a commodity given the number of people capable and actually discovering them, where "windows of opportunities" get the highest priority as a con? That is, compared to commercializing vulnerability research, empowering researchers to the skies, and turning vulnerabilities into an IP, totally decentralizing the current sources of information, and fueling the growth of underground models, as it's obvious that for the time being vulnerabilities and their early acquirement seems to be where the $ is. What do you think?
Technorati tags :
Security, Vulnerabilities, 0day, 0bay, Dilbert
Friday, March 17, 2006
"Successful" communication
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Getting paid for getting hacked
In the middle of February, Time Magazine ran a great article on Cyberinsurance or "Shock Absorbers", and I feel this future trend deserves a couple of comments, from the article :
"As companies grow more dependent on the Internet to conduct business, they have been driving the growing demand for cyber insurance. Written premiums have climbed from $100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group. The need for cyberinsurance has only increased as hacker move away from general mischief to targeted crimes for profit. Insurers offer two basic types of cyber insurance: first-party coverage will help companies pay for recovery after an attack or even to pay the extortion for threatened attacks, while third-party coverage helps pay legal expenses if someone sues after a security breach. Demand for insurance is also driven by laws in over twenty states that require companies to notify consumers if a breach compromises their personal data. However, prevention is still the top priority for most companies, since loss of critical data to competitors would do damage beyond the payout of any policy."
Cyber insurance seems to be an exciting business with a lot of uncertainty compared to other industries with more detailed ROIs, as I feel the information security one is missing a reliable ROSI model. I once blogged about why we cannot measure the real cost of cybercrime, and commented the same issue with the "FBI's 2005 Computer Crime Survey - what's to consider?". Don't get me wrong, these are reliable sources for various market indicators, still the situation is, of course, even worse.
But how do you try to value security at the bottom line?
Bargaining with security, and negotiating its cost is projectable and easy to calculate, but whether security is actually in place or somehow improved, seems to be a second priority -- bad bargaining in the long-term, but marketable one in the short one.
Going back to the article, I hope there aren't any botnet herders reading this, especially the first-party coverage point. To a certain extend, that's a very pointless service, as it fuels the growth of DDoS extortion, as now it's the insurer having to pay for it, meaning there're a lot of revenue streams to be taken by the cybergang. While covering the expenses of extortion attempts is very marketable, it clearly highlights how immature the current state of the concept really is. Something else to consider, is that a lot of companies reasonably take advantage of MSSPs with the idea to forward risk/outsource their security to an experienced provider, and most importantly, budget with their security spending. And while the California's SB 1386 is important factor for growth of the service given the 20 states participating, with the number of stolen databases from both, commercial, educational and military organizations, insurers will start earning a lot of revenues that could have been perhaps spent in security R&D -- which I doubt they would spend them on, would they?
UPDATE:
The post has just appeared at Net-Security.org - "Getting paid for getting hacked", as well as LinuxSecurity.com - "Getting paid for getting hacked"
Related resources :
Cyber-Insurance Revisited
Economics and Security Resource Page
WEIS05 WorkShop on Economics and Information Security - papers and presentations
Valuing Security Products and Patches
The New Economics of Information Security
Safety at a Premium
Cyber Insurance and IT Security Investment Impact on Interdependent Risk
Valuing Security Products and Patches
Network Risks, Exposures and Solutions
Technorati tags :
Security, ROSI, Cyber Insurance, Economics
"As companies grow more dependent on the Internet to conduct business, they have been driving the growing demand for cyber insurance. Written premiums have climbed from $100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group. The need for cyberinsurance has only increased as hacker move away from general mischief to targeted crimes for profit. Insurers offer two basic types of cyber insurance: first-party coverage will help companies pay for recovery after an attack or even to pay the extortion for threatened attacks, while third-party coverage helps pay legal expenses if someone sues after a security breach. Demand for insurance is also driven by laws in over twenty states that require companies to notify consumers if a breach compromises their personal data. However, prevention is still the top priority for most companies, since loss of critical data to competitors would do damage beyond the payout of any policy."
Cyber insurance seems to be an exciting business with a lot of uncertainty compared to other industries with more detailed ROIs, as I feel the information security one is missing a reliable ROSI model. I once blogged about why we cannot measure the real cost of cybercrime, and commented the same issue with the "FBI's 2005 Computer Crime Survey - what's to consider?". Don't get me wrong, these are reliable sources for various market indicators, still the situation is, of course, even worse.
But how do you try to value security at the bottom line?
Bargaining with security, and negotiating its cost is projectable and easy to calculate, but whether security is actually in place or somehow improved, seems to be a second priority -- bad bargaining in the long-term, but marketable one in the short one.
Going back to the article, I hope there aren't any botnet herders reading this, especially the first-party coverage point. To a certain extend, that's a very pointless service, as it fuels the growth of DDoS extortion, as now it's the insurer having to pay for it, meaning there're a lot of revenue streams to be taken by the cybergang. While covering the expenses of extortion attempts is very marketable, it clearly highlights how immature the current state of the concept really is. Something else to consider, is that a lot of companies reasonably take advantage of MSSPs with the idea to forward risk/outsource their security to an experienced provider, and most importantly, budget with their security spending. And while the California's SB 1386 is important factor for growth of the service given the 20 states participating, with the number of stolen databases from both, commercial, educational and military organizations, insurers will start earning a lot of revenues that could have been perhaps spent in security R&D -- which I doubt they would spend them on, would they?
UPDATE:
The post has just appeared at Net-Security.org - "Getting paid for getting hacked", as well as LinuxSecurity.com - "Getting paid for getting hacked"
Related resources :
Cyber-Insurance Revisited
Economics and Security Resource Page
WEIS05 WorkShop on Economics and Information Security - papers and presentations
Valuing Security Products and Patches
The New Economics of Information Security
Safety at a Premium
Cyber Insurance and IT Security Investment Impact on Interdependent Risk
Valuing Security Products and Patches
Network Risks, Exposures and Solutions
Technorati tags :
Security, ROSI, Cyber Insurance, Economics
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Thursday, March 16, 2006
Old physical security threats still working
In "The Complete Windows Trojans Paper" that I released back in 2003 (you can also update yourself with some recent malware trends!) I briefly mentioned on the following possibility as far as physical security and malware was concerned :
"Another way of infecting while having physical access is the Auto-Starting CD function. You've probably noticed that when you place a CD in your CDROM, it automatically starts with some setup interface; here's an example of the Autorun.inf file that is placed on such CD's:
[autorun]open=setup.exeicon=setup.exe So you can imagine that while running the real setup program a trojan could be run VERY easily, and as most of you probably don't know about this CD function they will get infected and won't understand what happened and how it's been done. Yeah, I know it's convenient to have the setup.exe autostart but security is what really matters here, that's why you should turn off the Auto-Start functionality by doing the following: Start Button -> Settings -> Control Panel ->System -> Device Manager -> CDROM -> Properties -> Settings"
and another interesting point :
"I know of another story regarding this problem. It's about a Gaming Magazine that used to include a CD with free demo versions of the latest games in each new edition. The editors made a contest to find new talents and give the people programming games the chance to popularise their productions by sending them to the Editors. An attacker infected his game with a new and private trojan and sent it to the Magazine. In the next edition the "game" appeared on the CD and you can imagine the chaos that set in."
Things have greatly changed for the last three years, while it may seem that global malware outbreaks are the dominant trend, slow worms, 0day malware and any other "beneath the AVs radar" concepts seem to be the next pattern.
It's "great" to find out that age-old CD trick seems to be fully working, whereas I can't reckon someone was saying "Hello World" to WMF's back then! TechWorld wrote a great article two days ago titled "Workers duped by simple CD ruse", an excerpt :
"To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind. By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared. When a user ran the disc, the code on it prompted a browser window that opened a Web site, Chapman said. The site then tried to load an image from another Web site, Chapman said."
While we can argue how vulnerable to security theats and end user is these days, compared to physical security ones, there are lots of cases pointing out the targeted nature of attacks, and the simple diversification of attack methods from what is commontly accepted as current trend. My point is that if you believe the majority of threats are online based ones, someone will exploit this attitude of yours and target you physically.
And while I feel the overall state of physical security in respect to end users and their workstations has greatly improved with initiatives such as ensuring the host's integrity and IPSs, what you should consider taking care of is - who is capable of peeping behind your back and what effect may it have on any of your projects? 3M's Privacy Filters are a necessity these days, and an alternative to the obvious C.H.I.M.P. (monitor mirror). Be aware!
UPDATE - this post recently appeared at LinuxSecurity.com - Old physical security threats still working
More resources on physical security can also be found at :
19 Ways to Build Physical Security into a Data Center
Securing Physical Access and Environmental Services for Datacenters
CISSP Physical Security Exam Notes
Physical Security 101
SANS Reading Room's Physical Security section
Technorati tags :
Security, Physical Security, Workplace
"Another way of infecting while having physical access is the Auto-Starting CD function. You've probably noticed that when you place a CD in your CDROM, it automatically starts with some setup interface; here's an example of the Autorun.inf file that is placed on such CD's:
[autorun]open=setup.exeicon=setup.exe So you can imagine that while running the real setup program a trojan could be run VERY easily, and as most of you probably don't know about this CD function they will get infected and won't understand what happened and how it's been done. Yeah, I know it's convenient to have the setup.exe autostart but security is what really matters here, that's why you should turn off the Auto-Start functionality by doing the following: Start Button -> Settings -> Control Panel ->System -> Device Manager -> CDROM -> Properties -> Settings"
and another interesting point :
"I know of another story regarding this problem. It's about a Gaming Magazine that used to include a CD with free demo versions of the latest games in each new edition. The editors made a contest to find new talents and give the people programming games the chance to popularise their productions by sending them to the Editors. An attacker infected his game with a new and private trojan and sent it to the Magazine. In the next edition the "game" appeared on the CD and you can imagine the chaos that set in."
Things have greatly changed for the last three years, while it may seem that global malware outbreaks are the dominant trend, slow worms, 0day malware and any other "beneath the AVs radar" concepts seem to be the next pattern.
It's "great" to find out that age-old CD trick seems to be fully working, whereas I can't reckon someone was saying "Hello World" to WMF's back then! TechWorld wrote a great article two days ago titled "Workers duped by simple CD ruse", an excerpt :
"To office workers trudging to their cubicles, the promotion looked like a chance at sweet relief from the five-day-a-week grind. By simply running a free CD on their computers, they would have a chance to win a vacation. But the beguiling morning giveaway in London's financial district last month was more nefarious than it appeared. When a user ran the disc, the code on it prompted a browser window that opened a Web site, Chapman said. The site then tried to load an image from another Web site, Chapman said."
While we can argue how vulnerable to security theats and end user is these days, compared to physical security ones, there are lots of cases pointing out the targeted nature of attacks, and the simple diversification of attack methods from what is commontly accepted as current trend. My point is that if you believe the majority of threats are online based ones, someone will exploit this attitude of yours and target you physically.
And while I feel the overall state of physical security in respect to end users and their workstations has greatly improved with initiatives such as ensuring the host's integrity and IPSs, what you should consider taking care of is - who is capable of peeping behind your back and what effect may it have on any of your projects? 3M's Privacy Filters are a necessity these days, and an alternative to the obvious C.H.I.M.P. (monitor mirror). Be aware!
UPDATE - this post recently appeared at LinuxSecurity.com - Old physical security threats still working
More resources on physical security can also be found at :
19 Ways to Build Physical Security into a Data Center
Securing Physical Access and Environmental Services for Datacenters
CISSP Physical Security Exam Notes
Physical Security 101
SANS Reading Room's Physical Security section
Technorati tags :
Security, Physical Security, Workplace
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Wednesday, March 15, 2006
Security vs Privacy or what's left from it
My latest privacy related posts had to do with "The Future of Privacy = don't over-empower the watchers!" and "Data mining, terrorism and security" in respect to the the still active TIA and the hopes for the effectiveness out of data mining. While these are important topics I feel every decent citizen living in the 21st century should be aware of -- many still "think conspiracies" than real-life scenarios. At the bottom line, privacy violations for the sake of your security and civil liberties are a common event these days!
Today, I came across an article "Google must capitulate to DoJ, says judge" in relation to the DoJ's subpoena trying to get access to random sites and searches in order to justify its statement that anti-porn filters do not protect young children online.
The NYtimes is also a running a story on this. What I truly liked is US District Judge James Ware's comment that he was reluctant to give the Justice Department everything it wanted because of the "perception by the public that this is subject to government scrutiny" when they type search terms into Google.com, that's right, but you would be also right to conclude that such requests would turn into a habit given Google's data aggregation power. It's s a complex process to run the world's most popular search engine when everyone wants to take a bite from you, at least they have hell of motto to sort of guide them in future situations like this, but is it?
This time it's a misjudged online porn request that gets approved, next time, it would be Google against the terrorists, again, for the sake of your Security, one backed up by a little bit of glue as on the majority of occasions!
Technorati tags :
Privacy, Google, Search Engine
Today, I came across an article "Google must capitulate to DoJ, says judge" in relation to the DoJ's subpoena trying to get access to random sites and searches in order to justify its statement that anti-porn filters do not protect young children online.
The NYtimes is also a running a story on this. What I truly liked is US District Judge James Ware's comment that he was reluctant to give the Justice Department everything it wanted because of the "perception by the public that this is subject to government scrutiny" when they type search terms into Google.com, that's right, but you would be also right to conclude that such requests would turn into a habit given Google's data aggregation power. It's s a complex process to run the world's most popular search engine when everyone wants to take a bite from you, at least they have hell of motto to sort of guide them in future situations like this, but is it?
This time it's a misjudged online porn request that gets approved, next time, it would be Google against the terrorists, again, for the sake of your Security, one backed up by a little bit of glue as on the majority of occasions!
Technorati tags :
Privacy, Google, Search Engine
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Friday, March 10, 2006
DVD of the Weekend - The Immortals
The Lawnmower Man : Beyond Cyberspace was among the several other classic techno thrillers I was watching and mostly remembering pleasant times from the past. I actually got in touch with SFAM from the CyberpunkReview.com, and intend to contribute with another point of view to his initiative I highly recommend you to keep an eye on.
This weekend, I want to recommend you one of the best European film productions ever, namely Enki Bilal's adaptation of his Nikopol Trilogy - The Immortals.
Here's an excerpt from a review, and another one :
"New York City, year 2095. A floating pyramid has emerged in the skies above, inhabited by ancient Egyptian Gods. They have cast judgment down upon Horus, one of their own. Now he must find a human host body to inhabit, and search for a mate to continue his own life. Below, a beautiful young woman with blue hair, blue tears and a power even unknown to her, wanders the city in search of her identity. Reality in this world has a whole new meaning as bodies, voices and memories converge with Gods, mutants, extra-terrestrials and mortals."
The Matrix did shock, and set a new benchmark by combining Hollywood's passion for entertainment, and Japan's culture, still, European productions such as the 5th Element, and The Immortals, are on my hall of fame for effects and the stories themselves. Enjoy it!
Technorati tags :
Lone Gunmen, The Outher Limits, Lawnmower Man, Immortals, Enki Bilal, Nikopol Trilogy, Techno Thriller, Cyberpunk
This weekend, I want to recommend you one of the best European film productions ever, namely Enki Bilal's adaptation of his Nikopol Trilogy - The Immortals.
Here's an excerpt from a review, and another one :
"New York City, year 2095. A floating pyramid has emerged in the skies above, inhabited by ancient Egyptian Gods. They have cast judgment down upon Horus, one of their own. Now he must find a human host body to inhabit, and search for a mate to continue his own life. Below, a beautiful young woman with blue hair, blue tears and a power even unknown to her, wanders the city in search of her identity. Reality in this world has a whole new meaning as bodies, voices and memories converge with Gods, mutants, extra-terrestrials and mortals."
The Matrix did shock, and set a new benchmark by combining Hollywood's passion for entertainment, and Japan's culture, still, European productions such as the 5th Element, and The Immortals, are on my hall of fame for effects and the stories themselves. Enjoy it!
Technorati tags :
Lone Gunmen, The Outher Limits, Lawnmower Man, Immortals, Enki Bilal, Nikopol Trilogy, Techno Thriller, Cyberpunk
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)