I have had friends and family in town over the last eight days. Some of them wanted the ‘Arizona Experience’, so we did the usual: Sedona, Pinnacle Peak Steak House, Cave Creek, a Cardinals game, and a few other local attractions. Part of the tour was the big Crossroads Gun Show out at the fairgrounds. It was the first time I had been to such a show in 9 or 10 years. Speaking with merchants, listening to their sales pitches, and overhearing discussions around the fairgrounds, everything was centered on security. Personal security. Family security. Home security. Security when they travel. They talk about preparedness and they are planning for many possibilities: everything from burglars to Armageddon. Some events they plan for have small statistical probability, while others border on the fantastic. Still, the attendees were there to do more than just speculate and engage in idle talk – they train, plan, meet with peers, and prepare for they threats they perceive.

I don’t want this to devolve into a whole gun control discussion, and I am not labeling any group – that is not my point. What you view as a threat, and to what lengths you are willing to go, provides an illuminating contrast between data security and physical security. Each discussion I engaged in had a very personal aspect to it. I don’t know any data security professionals that honestly sit up at night thinking about how to prepare for new threats or what might happen. For them, it’s a job. Some research late into the night and hack to learn, but it’s not the same thing. As data security professionals, short of a handful of people in capture the flag tournaments at Black Hat, the same level of dedication is not there. Then again, generally no one dies if your firewall fails.

For each of the dozen or so individuals I spoke with, their actions were an odd blend of intellect and paranoia. How much planning was a product of their imagination and resources. Are they any more secure than other segments of the population? Do their cars get stolen any less, or are their homes any safer? I have no idea. But on one level I admired them for their sharing of knowledge amongst peers. For thinking about how they might be vulnerable, planning how to address the vulnerabilities, and training for a response. On the other hand I just could not get out of my head that the risk model is out of whack. The ultimate risk may be greater, but you just cannot throw probability out the window. Perhaps with personal safety it is easier to get excited about security, as opposed to the more abstract concepts of personal privacy or security of electronic funds. Regardless, the experience was eye opening.

On a totally different subject, we notice we have been getting some great comments from readers lately. We really appreciate this! The comments are diverse and enlightening, and often contribute just as much to the community as the original posts. We make a point of listing those who contribute to white paper development and highlighting interesting comments from week to week, but we have been looking for a more concrete way of acknowledging these external contributors for a while know. To show our appreciation, Rich, myself and the rest of the Securosis team have decided that we are giving a $25 donation to Hackers for Charity (HFC) in the name of whoever drops the best comment each week. Make sure you check out the “Blog Comment of the Week”!

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

• Chris explains What is Google Voice? over at Macworld.
• David Mortman on Data Not Assertions over at the New School.
• Rich was part of the Black Hat Virtual Event.
• Rich was quoted on Bit.ly in The Tech Herald.
• Rich on the Network Security Podcast.
• Adrian in Information Security Magazine’s December issue on Basic Database Security.
• While not directly Securosis related, the RSA Security Blogger’s Meetup is on.

Favorite Securosis Posts

• Rich: David Mortman’s Changing the Game? post is now up to 37 comments. I’m voting for the entire thread, not just the original post.
• Adrian: Meier’s DNS Resolvers and You post.
• Mort: Rich’s post on Possibility is not Probability.
• Meier: In Violent Agreement.

Other Securosis Posts

• Verizon 2009 DBIR Supplement
• Security Controls vs. Outcomes
• Class Action Against Express Scripts Dismissed

Project Quant for Databases:

• Project Quant: Database Security Planning, Part 2 (part 4 overall)
• Project Quant: Database Security Planning (part 3 overall)

Favorite Outside Posts

• Rich: This isn’t my “favorite” post, but it’s probably the single most important thing you need to read on the Internet this week. Eric Schmidt, Google’s CEO, says you only need to worry about privacy if you’re doing something bad. I guess when they say, “Do no evil” they’re talking to us… with an “or else!” at the end.
• Adrian: Spire Security: Should we change passwords every 90 days?
• Chris: WPA Cracker: $17 or $34 to check a sniffed WPA(2) password against Moxie’s list. It’s a steal!

Top News and Posts

• Hackers in the cloud! And not the ones on planes.
• Facebook Changes Privacy UI (and maybe reduces privacy).
• The Totally Awesome Frequent Flier/US Mint Loophole Put this in the category of “things I wish I had thought of”.
• Ending the PCI Blame Game
• Mike Bailey puts XSS into perspective.
• Amrit’s totally snarky (yet amusing) holiday gift guide

Blog Comment of the Week

We are going to do something a little different this week … both because we had so many excellent comments, and because we are launching the Hackers for Charity contributions. This week we have three winners!

1. Chris Hayes in response to Mortman asking for a FAIR analysis in comments on Changing The Game ?

@Mortman. Interesting request. A FAIR analysis can be used to demonstrate variance in resistance strength (formerly referred to as “control strength”). A FAIR analysis is usually done for a unique scenario. For example, password frequency change for an Internet facing app – where access to a small amount of confidential information is possible. A system password policy that requires complexity, lock-out, password frequency changes, is going to have a lot higher resistance strength then a system password policy that requires no complexity, no lockout, and no frequency of password changes. Staying in the context of FAIR, resistance strength and threat capability are both used to determine vulnerability that when combined with threat event frequency result in loss event frequency.

I have performed password frequency related risk assessments for a business unit wanting to accommodate some of its “constituents” to change password frequency from a value that was below 60 days to a value greater then three times the previous value. The key factors were that there were other controls present (lockout, number of records accessible, etc..) The “risk” associated with extending the frequency out as far as they did was more then acceptable to the business, seen as a competitive advantage, and has stood up to scrutiny.

If you are looking for an actual FAIR analysis, I am willing to collaborate with you to ensure we have a reasonable scenario. In my opinion, performing a FAIR analysis on a problem statement that is very broad – like, “what is the risk associated with world hunger”) – is problematic.

2. Russell Thomas in response to Possibility is not Privacy:

@Ben

“This whole “possibility is not probability” phrase is pure nonsense because at their root they all deal with chance. Relying on colloquialisms to make your point is folly here.”

I think you are mistaken. There is a well developed philosophical literature on the distinction between possibility and probability, and also their relation. “Possibility” is part of modal logic, which is reasoning about “necessity”, “possibility”, “actuality”, etc. For a quick overview, see the Stanford Encyclopedia of Philosophy: http://plato.stanford.edu/entries/logic-modal/ and http://plato.stanford.edu/entries/possible-objects/ . For a thorough treatment that relates the two, see: “Reasoning About Uncertainty” by Joseph Y. Halpern.

For something to be possible, the logical prerequisites for it must be actual. E.g. for macro objects to be possible, their prerequisites must first exist (atoms + forces to hold atoms together).

It’s a truism that you can’t estimate the probability of some event if you cannot first establish it’s possibility. Furthermore, many probability methods depend on you ability to enumerate all of the possibilities (“mutually exclusive and collectively exhaustive”). You don’t get there by probability analysis alone.

“On the flip side, it is sheer lunacy in certain planning cycles (e.g. BCP/DRP) to ignore high-impact low-frequency events like natural disasters, so be careful how you phrase it.”

Yes, yes! In addition to having the skills and capability to estimate risk, we need to know when and how to use that information. Any decisions that have a long time-horizon must include estimates of high impact/low frequency events.

3. DS in response to In Violent Agreement:

One former employer was firmly convinced that their customers didn’t have security as a high priority, because they were talking to the wrong people in the organization. So I told them who to talk to, and what kinds of questions to ask to better elucidate the customers needs. Suddenly it became clear that there was a need that was just unnoticed.

There is some irony here, as I’d say if security was indeed an important need, you wouldn’t have had to go looking for proponents; it would have been part of the customer’s purchasing decision.

And to Rich, cost shifting is just another example of an external forcing factor, i.e., if there are no costly incidents, security won’t have this lever, and therefore it is still about the receptiveness of the audience, not the “business language” used by the messenger.

Congratulations! We will contribute $25.00 to HFC in each of your names.