Heads Up!

10 11 2008

Well I haven’t posted anything here in quite a while, but I really do have a good excuse this time. Not the usual been busy with work, life, etc. Watch for a follow-up post in the near future discussing some of the stuff I have been busy working on. In the meantime, there are a couple of items I just wanted to throw up here to make everyone aware.

  1. This Thursday, November 13, is the Chicago OWASP meeting. Scott Stender from iSec Partners will be presenting on Concurrency Attacks in Web Applications, and Thomas Ptacek from Matasano Security will be talking about The Seven Deadly Features of Web Applications. You can find all the details on the where, when, and who here. I plan on attending and hope to see everyone there.
  2. The 8th Annual Workshop on Economics of Information Security recently put out their call for papers. Next year’s conference will be held at University College London. More details on the conference here and great resources on the topic of economics in information security can be found here.

Apologies for the link dumping. I will follow this up very soon with some more interesting news.

White List vs. Black List

17 06 2008

Jeremiah Grossman posted an entry on his blog yesterday about why most WAF’s are not currently implemented in blocking mode. To steal from Jeremiah who borrows from Dan Geer,

When you know nothing, permit-all is the only option. When you know something, default-permit is what you can and should do. When you know everything, default-deny becomes possible, and only then.”

I think both Jeremiah and Dr. Dan are right on with their analysis. In fact, I would take this a step further and say this is ultimately how developers end up deciding whether to use a black list or white list approach when doing things like input validation. If you cannot fully document and articulate EVERYTHING about your site(s), it becomes impossible to create a valid whitelist. While knowing and understanding the majority of your site allows you to create a fairly effective black list, and of course, if you know nothing about your site you must allow all and pray.

To read a much more in-depth explanation of how this plays out in security, check out Dr. Dan Geer’s book. He delves into one of this blog’s favorite topics, the economics of information security and the trade-offs associated with it. Happy Reading!

AddThis Social Bookmark Button

Two Places You Need To Be

18 04 2008

Register for both now. Hope to see you soon.

  1. The Front Range OWASP Conference
  2. The Workshop on the Economics of Information Security – 2008

AddThis Social Bookmark Button

More on Security Economics

12 03 2008

The European Network and Information Security Agency has released a study open for comment on the economic barriers to information Security found here.

To quote ENISA, The principal objectives of the report are:


  • To identify existing economic barriers for addressing Network and Information Security (NIS) issues in a single, open and competitive Internal Market for e-communication;
  • To assess these barriers’ potential impact on the smooth functioning of the Internal Market for e-communication;
  • To identify and analyse incentives (regulatory, non-regulatory, technical, educational, etc.) for lifting these barriers identified to cause distortion of the smooth functioning of the Internal Market for e-communication;
  • To provide a range of recommendations to relevant actors (decision-makers both at EU and national level, industry, academia, etc.) for policy options, possible follow-up actions and initiatives.

AddThis Social Bookmark Button

Luminary Economics?

14 12 2007

 There is a  good interview with Bruce Schneier over at the Freakonomics blog. I am just getting through it, but here are a couple of Q&A excerpts that I tend to get a lot and completely agree with the answer given:

“Q: So seriously, do you shop on Amazon, or anywhere else online for that matter?     

 A: Of course. I shop online all the time; it’s far easier than going to a store, or even calling a mail-order phone number, if I know exactly what I want.What you’re really asking me is about the security. No one steals credit card numbers one-by-one, by eavesdropping on the Internet connection. They’re all stolen in blocks of a million by hacking the back-end database. It doesn’t matter if you bought something over the Internet, by phone, by mail, or in person — you’re equally vulnerable.” 

I cannot stress this enough! It doesn’t matter whether your purchases are online or offline, in reality they’re all online. All of our transactions go through computer systems, are stored in large databases and are transmitted over networks. Look at the large security breaches in the news, many of them are ‘offline’ purchases. 

“Q: What was the one defining moment in your life that you knew you wanted to dedicate your life to computer security and cryptography?          

A: I don’t know. Security is primarily a way of looking at the world, and I’ve always looked at the world that way. As a child, I always noticed security systems — in retail stores, in banks, in office buildings — and how to defeat them. I remember accompanying my mother to the voting booth, and noticing ways to break the security. So it’s less of a defining moment and more of a slow process.”

 Security is a way of thinking. When interviewing candidates for information security roles, one of the things I look for beyond learned skills is how they think about problems. Specifically, a ‘security person’ thinks of different ways to break things. They think of ways to deconstruct the system and make it perform actions it was never intended to perform.

  AddThis Social Bookmark Button

WEIS Call for Papers – 2008

1 11 2007

The Workshop on the Economics of Information Security just opened up it’s call for papers for 2008. This year it will be held at Dartmouth College in New Hampshire.

I have written about this workshop in the past (here, here and here). The amount of quality content that comes out of this is incredible. As most readers of this blog know, information security is much greater than a technical issue. This workshop addresses many of those problems including the economic incentives of security and privacy, the various trade-offs individuals and groups must make to achieve a level of security, addressing negative externalities, the psychology of security and more.

If you have an interest in the driving factors of what makes many of our systems more or less secure, I would highly recommend this workshop. Last year’s workshop generated a tremendous amount of buzz about WabiSabiLabi. The online vulnerability marketplace for selling and purchasing vulnerabilities.

I would recommend reading Economics of Information Security as a great primer / introduction to the topics related to the workshop. You can find a link to it on the bookshelf of this site. It contains several papers that came directly from it. This is a great way to dig yourself out of some of the day to day technical details and start thinking about some of the more broad decision factors around security and privacy. While many of the papers come from academia, the information is a great way for those leading security programs in the private sector to understand the decision criteria that ultimately will fund or not fund their initiatives.

AddThis Social Bookmark Button

Recent Readings (and listenings)

6 08 2007

I recently finished two books (OK one of them was audio), The Long Tail: Why the Future of Business is Selling More by Chris Anderson and Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks by Michael Zalewski. While they are both very different, they were both good reads and very appropriate topics for this blog. I would recommend both to regular readers here.

Ever since I finished the long tail a couple of weeks ago, I had been meaning to post on it and what it means to information security. Well while I was busy with other things a couple of people went it did just that. Over the weekend Mark Curphey wrote a 2 part post which sums up the book and how it relates to our field at a high level. Part 1 is here and Part 2 is here. I encourage you to read his posts if you have an interest in the economics of information security.

Another area that came to mind while reading this book (sorry, listening to this book) was the ever present topic these days of compliance. Organizations today have a number of regulations and laws that they must comply with in a given industry or geographic region. Some of these requirements make economic sense for the business, others are their to control the negative externalities of security. After reading (argh! LISTENING) to The Long Tail, I spent some time wondering how could a set of tools, processes, etc. make compliance economically sound and a choice organizations would make regardless of outside requirements (laws, regulations, etc).

I would like to challenge readers of this post to come up with some new ideas that would make these requirements that traditionally go against the rules of risk management and make them more sound for YOUR organization. The key here is every organization is different. What may make economic sense within mine, makes little to no sense in yours. That’s what makes the “one size fits all” approach of several regulations difficult on most companies today.

Have an idea? Post it here in a comment or send me an email!

AddThis Social Bookmark Button


Get every new post delivered to your Inbox.

Join 28 other followers