Thursday, January 31, 2008

Risk Management: Denial, the strategy that isn't a strategy

One of the short courses I enjoy teaching is a basic back of the napkin risk assessment process. It gives people a bit of leverage as well as a better understanding of the risks involved in their projects, designs, and systems. One part of that training is to talk about risk management once risks have been identified.

Most security professionals will tell you that there are four basic methods of risk management:

  • Acceptance or retention - accepting the loss when it occurs. Self insurance is often used as the standard example of risk acceptance.
  • Avoidance - not performing the activity that creates the risk. If exposing your services to the outside world creates a risk, you can avoid it by not exposing them. This is often possible for some, but not all risks.
  • Transferral - insurance is an excellent example of risk transferral. A lower payment ensures that losses can be recouped, thus transferring the bulk of the risk to another organization.
  • Mitigation or reduction - taking action to reduce the risk. This is often paired with avoidance by avoiding as many risks as possible, then mitigating the remaining necessary risks.

There's a super secret fifth option that isn't really an option - but which is quite common. Every time I teach, someone asks about it, because it shows up in almost every organization at some level when assessing risk.


While it isn't a valid strategy, often management and staff will not want to face a problem, or admit that a risk exists. I've seen this happen with the most senior management in organizations and at every level down to entry level staff, and once it starts, it often becomes an organizational assumption. It usually isn't due to ignorance, but rather due to a simple blind spot - the risk just doesn't seem real or possible.

There is a possible win in instances of denial though - if you can crack through that carefully built armor and get someone to admit that there is a risk, the entire organization's attitude can quickly change. In one case, the most senior person on a team I worked with paused halfway through a risk assessment in which we had identified a risk that senior staffers were highly trusted with no internal checks.

The light had turned on.

She noted that if she herself decided to cause problems, the organization could face a significant risk. Once she admitted that she herself could be a risk, the rest of the team quickly chimed in with the risks and vulnerabilities that their positions faced. Denial had shifted to awareness, and that let us address their risks through valid risk management techniques - with the full support of management.

Denial. It isn't a valid risk management strategy, but it is real - develop a strategy to deal with it as part of your risk assessment process, and you'll reap the benefits.

Creative Commons licensed photo credit Flickr user shawnzlea

Tuesday, January 29, 2008

Cisco PIX EOL announcement

Cisco has announced that the PIX line will reach its end-of-sale date this year, and that support will continue through 2013. They're encouraging new buyers to purchase ASAs. If you're a PIX user, now is the time to get your hardware spares if you don't have them. From the Cisco site:

"On January 28, 2008, Cisco announced the end-of-sale and end-of life dates for Cisco PIX Security Appliances, software, accessories, and licenses. The last day for purchasing Cisco PIX Security Appliance platforms/bundles will be July 28, 2008 and the last day to purchase accessories and licenses will be January 27, 2009. It is important to note that Cisco will continue to support Cisco PIX Security Appliance customers through July 27, 2013."

Monday, January 28, 2008

Security as Economics: Making security worth it

A co-worker dropped a link to Kevin Soo Hoo's slide deck for "Economic Incentives & Metrics of Cybersecurity" my way a while ago, and it is worth pointing out to the community.

If you're an information security person who struggles to make security relevant, this is worth a read. Similarly, if you're an information security officer and you're working on a security program, you should definitely take a look. Why? Because it will remind you of why people will act to handle security, and why security can be an unpopular budget item. It also points to coming possibilities, pointing out that policy efforts have thus far avoided product liability and strict security regulation.

Kevin notes that the free market isn't enough, as pure public good suffers from a number of issues, and externalities affect non-participants in the market. In short, security takes a back seat because the public good isn't enough to make the market work, and security affects people who aren't actively in the game.

In addition, he points out that the Internet creates incentives that encourage behavior that doesn't help information security. We've all seen this - anonymity, or at least the perception of anonymity, as well as the ease of access and openness of the Internet create security risks. The incentives include the usefulness of interconnectedness, the fact that each person's individual security can affect the security of others, and the fallacies of behaviors such as operating system elitism - the traditional Linux and MacOS superiority complex, for example.

Take a look - putting security into an economics framework is a great way to step back from the exigencies of day to day security efforts to look at the big picture.

Top Five Ways to Protect Yourself From Identity Theft

Identity theft is big business these days. Between 10 and 15 million Americans were victims of fraud that stemmed from identity theft between mid-2005 and mid-2006. The average loss more than doubled as well, from $1408 to $3257. With numbers like that, more and more people are wondering how to keep their credit and their identity safe.

Fortunately, there are a number of simple things you can do to help protect both.

1. Review: Get a free Credit Report

Your credit report shows what credit you have - a who, what, and where of your financial standing. Simply reviewing your credit report three times a year using the free credit reports available through and checking for things that you don't recognize can help save you. Be careful, and use the official site.

When you receive your report, you will not receive your credit score. You don't need it to help protect your identity, so don't worry. Look for accounts that aren't familiar, addresses you don't recognize, and anything that you are not familiar with.

Since each of the credit agencies will give you at least one free credit report a year (and in some states, or other certain circumstances, more), you can check your credit report every four months. Think of this as preventative maintenance like changing the oil in your car, and set a reminder for yourself.

The credit agencies are:

2. Guard: Protect Your SSN

Your Social Security Number or SSN is used for many identification purposes. Everything from taxes to credit applications to health insurance relies on Social Security numbers, and that makes them one of the most frequently targeted pieces of personal information. You can help protect yours by only giving it when required - many forms request it, but do not require it.

A few tips:
  • Never write your social security number on a check
  • Don't provide your SSN over the phone unless you have dialed the company yourself, and you trust the company.
  • Don't carry your Social Security card unless you need it - most people can keep their Social Security card at home in a safe place, rather than in their wallet where it can be stolen along with credit cards and a driver's license or other personal data.

3. Dispose: Properly dispose of records, receipts, and credit applications.

Shred statements, receipts, credit card applications and checks, and any other records that you throw away. A diamond or crosscut shredder is always preferable to a strip cut shredder, but any shredding is better than throwing them away intact.

4. Monitor: Check your financial statements, and keep accounts up to date.

Monitor bills and other financial statements such as bank statements regularly. Check for charges you didn't make, or locations that are unfamiliar. In addition, make sure that all of your accounts are up to date, and that addresses and other contact information are current. This ensures that you receive your bills, replacement credit cards, and that the companies can contact you in the event of a problem.

5. Cleanup: Cancel old accounts, and remove yourself from mailing lists.

You can remove your name from the Direct Mail Association's Mail Preference Service at, which will help cut down on junk mail and credit offers. You can also opt to not receive pre-screened credit offers at

Canceling old accounts helps to ensure that credit cards aren't sent to old addresses, and keeps your unused cards from being abused without your knowledge. Not carrying extra cards can also help to make you safer if you do lose your wallet - you'll be less exposed, and you'll still have a card that you can use while you wait for replacements.

Simple maintenance can really help to protect your personal information and your credit. Make these steps a part of your everyday habits, and you can feel confident that you're taking the right steps to protect your identity!

Creative Commons licensed photo credit Flickr user shawnzlea

Wednesday, January 23, 2008

TrueCrypt for OS X is live

The TrueCrypt for OS X project is live and available as an alpha release - you can grab the first release on the site. Remember, this is an alpha, so treat it as a useful test, but it is a sign of good things to come.

Readers may recall that this is a community funded effort using, and that I had posted about this before in October and December.

Tuesday, January 22, 2008

ClamXav OS X antivirus - free protection for the proactive

Most Mac users don't worry about viruses - in fact, a lot of the time you'll hear statements like "Macs don't get viruses." As the popularity of OS X grows, and as more and more people buy Macs, they are becoming more attractive targets, and they're working side by side with PCs. That means files are exchanged, email is received, and a whole host of entry vectors open up. Macs also see use as file servers, mail servers, and in other capacities where they might not be at risk, but the clients connecting to them may be.

Those risks mean that antivirus software for the Mac is getting more attention now than it was a year ago.

Last year saw OS X viruses starting to get attention - viruses such as OSX.Leap.A brought attention to the fact that Macs weren't invulnerable bastions of security. While we still haven't seen a major OS X worm, antivirus for the Mac is looking more attractive.

If you'd like to cover your bases, but don't want to invest in a commercial product, ClamXav may be a great option for you. It is based on the ClamAV open source antivirus package that most Linux users are used to, and it has a GUI that makes it more attractive to most OS X users.

A small dose of preparedness can help, and I'll be using AV on my Mac. Is that a belt and suspenders approach to security? Not for much longer, I believe.

Monday, January 7, 2008

GIAC passes the 20K milestone...

On a recent trip to my SANS portal I noticed that the number of GIAC certified professionals had marched past the 20,000 mark. Congratulations to the folks at SANS and GIAC on this tremendous achievement. I can remember, just a few years ago, when I obtained the GCWN that it stood at slightly more than half that number.

So what makes for the doubling in size? Awesome training, and flourishing brand recognition. As with any program that strives to stay on top, the certifying body GIAC has also fortified their credential offerings by now boasting ISO/ANSI 17024 accreditation. Both of these achievements make for a bright outlook for these organizations.

Take the time to include SANS in your research for training opportunities in '08, whether it's for you or your staff. You are planning on training for '08, right?