Saturday, January 23, 2010

Thursday, January 21, 2010

Vital to Cyber Security in 2010 & Beyond: Mission Understanding & Mission Assurance



2009 had all the makings to be a banner year for cybersecurity: The need had been identified, guidance was promised, appointments were planned and mandates were discussed. Unfortunately, 2009 will be remembered as the year that wasn't, and the challenge facing us now is to make sure 2010 doesn't follow suit. Keith Rhodes, Cybersecurity: Make It Work This Year, Defense News, 1-11-10

Cybersecurity begins with disciplined, methodical risk analysis. Each business or agency needs a clear mission profile. Its decision-makers need a comprehensive analysis of their assets that includes an understanding of vulnerabilities and dependencies. First-hand, experiential mission knowledge helps ensure analytical accuracy. Keith Rhodes, Cybersecurity must start with mission assurance, Washington Technology, 1-15-10


By Richard Power


In his years with the U.S. General Accounting Office (GAO), later renamed the U.S. Government Accountability Office, Keith Rhodes was responsible for some very important assessments, the profound implications of which have yet to be adequately addressed. During his career in government, he served as the first director of the GAO's Center for Technology and Engineering. Currently, Rhodes is Senior Vice President and Chief Technology Officer (CTO) for QinetiQ North America's Mission Solutions Group. (QinetiQ is one of CyLab's corporate partners.)

Rhodes has written two compelling Op-Ed pieces on cyber security in 2010 and beyond.

His insights are invaluable.

Here are some excerpts, with links to the full texts.

In his Defense News Op-Ed, Rhodes outlines "four ways in which cyber defense can move forward," including three that many of us think we understand better than we actually do, "Education," "Communication," and "Partnerships," and a fourth that is rarely grokked thoroughly, "Mission Understanding."

Mission Understanding ... is the most important piece of the puzzle. Without knowing what needs to be done, we cannot know what needs to be protected. Mission understanding needs to be the fabric that cybersecurity is made out of. Information isn't protected just because it exists, it is protected because it is necessary to a mission. Keith Rhodes, Cybersecurity: Make It Work This Year, Defense News, 1-11-10

In his Washington Technology Op-Ed, Rhodes articulates the companion concept of "Mission Assurance" and its relationship to cyber security.

I would argue that cybersecurity cannot be understood, much less addressed, except as part of a larger mission assurance whole. You want cybersecurity because you want to be able to use information to get something done. And you want to protect that information because you want to prevent others from damaging your ability to get things done. So the point is really mission assurance; that’s the holistic context in which cybersecurity makes sense. Keith Rhodes, Cybersecurity must start with mission assurance, Washington Technology, 1-15-10

Wednesday, January 13, 2010

Read Alessandro Acquisti on Nudging Privacy (IEEE Security & Privacy), Hear Him Speak, 1/20/10, at National Academy of Science's Koshland Museum

Alessandro Acquisti on CNN, July, 2009


What is it that pushes us to seek fame by misconduct or publicity by sharing embarrassing information with strangers? How do we reconcile these desires with the apparent need for privacy that surveys keep finding so widespread among the American population? In short, what drives individuals to reveal, and to hide, information about themselves to and from others? ... decision-making and promising initial results. They might be able to reconcile the human need for publicity with our ostensible desire for privacy. Nudging Privacy, the Behavioral Economics of Personal Information, IEEE Security and Privacy, November-December 2009

Our cashless, information-sharing society has made identity theft easier and far more common than ever before. New research conducted by Alessandro Acquisti (Carnegie Mellon University) shows how thieves can accurately guess your Social Security number with a few easily obtainable facts. At this science café, Acquisti will have a conversation with the audience about his findings and their ideas for protecting privacy in an increasingly public world. The Dish: It's All in the Numbers - Privacy, Math, and Social Security, Koshland Science Museum Science Cafe, 1-20-10


CyLab researcher Alessandro Acquisti rocked the realms of privacy and security in 2009, with the release of his blockbuster paper on predicting Social Security numbers (co-authored with Ralph Gross, also of Carnegie Mellon).

If you don't remember the story, or happened to be taking core samples at the North Pole during that news cycle, see There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide and Not Just Yesterday's Headlines, But the Day After Tomorrow's As Well for a refresher.

News of the two researchers' revelations even made it through the overgrown thicket that insulates the halls of government from the outside world; see Significant Contribution of Carnegie Mellon Privacy Research Cited in Congressional Hearing.

Well, just to keep you current --

In the November-December 2009 issue of IEEE Security & Privacy, Acquisti published a paper entitled "Nudging Privacy, the Behavioral Economics of Personal Information."

Here is a brief excerpt, followed by a link to a .pdf of the full text:

The idea behind soft paternalism is to design systems so that they enhance (and sometimes influence) individual choice to increase individual and societal welfare. To do so, behavioral economists might even design systems to “nudge” individuals, sometimes exploiting the very fallacies and biases they uncover, turning them around in ways that don’t diminish users’ freedom but offer them the option of more informed choices. Hence, nudging privacy—that is, using soft paternalism to address and improve security and privacy decisions—might be an appealing concept for policy makers and technology designers. This concept goes beyond concurrent attempts at making our computer systems more “usable.” Alessandro Acquisti, IEEE Security and Privacy, November-December 2009

If you are in Washington, D.C. on January 20, 2010, you can join Alessandro Acquisti at the National Academy of Science's Koshland Science Museum's Science Cafe, from 6:30 p.m. to 8 p.m., for his talk on The Dish: It's All in the Numbers - Privacy, Math, and Social Security. This program will be held in collaboration with Proceedings of the National Academy of Sciences. Please RSVP to ksm@nas.org or call 202-334-1201, including number of guests.

-- Richard Power

Friday, January 8, 2010

Nicolas Christin: "... see if we can follow the money trail to figure out what are the best intervention practices to defeat online crime"


"More and more attacks are motivated by financial gain, so it makes sense to try to see if we can follow the money trail to figure out what are the best intervention practices to defeat online crime." -- Nicolas Christin, CyLab Chronicles, 2010


CyLab Chronicles is an ongoing feature of CyLab's online presence; it provides periodic interviews with CyLab researchers, and offers insights into vital issues and trends.

Here is a brief excerpt from the latest CyLab Chronicles, a Q&A with Nicolas Christin; a link to the full text follows:

CyLab Chronicles: Many security professionals are looking for answers to important questions, and know that some of those answers can be found in Economics, but most of them would probably find it difficult to get their minds around how mathematical models can be used to uncover them. Tell us about your research into this area. How can mathematical models be used to analyze security and privacy risks in organizations and prescribe mechanisms for mitigating such risks?

Nicolas Christin: Mathematical models are a useful abstraction that enables us to reason about security in organizations. Having a model of organizational security allows us to test different intervention scenarios on that model and predict which effects they would have on the overall security of the organization. Let me give you an example. Consider you manage a hospital. Obviously, you have to maintain the confidentiality of all of your patients' records. But if you treat a celebrity, for instance, there may be some perverse incentives for some of your staff to sell juicy bits of information to the tabloids. So, you want to put in place some sort of monitoring infrastructure to ensure people do not commit such violations, but at the same time, you cannot monitor everything and everybody, all the time -- it would simply be too expensive, not to mention probably detrimental to employee productivity. How to strike the right balance in practice is a very difficult problem. Now, if I can come up with a reasonable mathematical abstraction for the problem, I can probably show you which strategies are most likely to be effective, so in the end I can provide a formal justification of which policy makes most sense. Having a formal basis on which to reason is really indispensable to make the right decisions. Also, the beauty of mathematical models is that they tend to rid you of political or other considerations that may hamper your judgment. If your model is sound, and if your assumptions are valid, then the model tells you exactly what is going to happen. It can be a powerful predictive tool.
CyLab Chronicles: Q & A with Nicolas Christin (2010)
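The hospital example above, as an added worked model that is not Christin's own and is not taken from the interview: a toy expected-cost abstraction of the "how much to monitor" trade-off. The staff count, attempt rate, deterrence strength, detection probability and all cost figures are constructed assumptions, and the exponential deterrence curve is one plausible shape chosen for illustration. What the block shows is the workflow the answer describes: state the assumptions explicitly, evaluate each intervention scenario against the same model, and let the model rather than intuition pick the policy.

```python
"""Toy expected-cost model for the 'monitor how much?' trade-off.

Constructed illustration (not Christin's model): choose the fraction of
staff whose record access is audited so that audit cost plus the expected
loss from undetected leaks is minimised.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumptions:
    # Every value below is an assumed, constructed figure for illustration.
    staff: int = 200                       # employees with patient-record access
    base_attempt_rate: float = 0.02        # per-employee leak-attempt probability per period if never audited
    deterrence: float = 4.0                # how strongly perceived catch probability suppresses attempts
    catch_if_audited: float = 0.9          # probability an audited leak attempt is detected
    leak_loss: float = 250_000.0           # cost of one undetected leak (fines, reputation)
    audit_cost_per_employee: float = 1_500.0   # per-period cost of auditing one employee's access logs
    productivity_penalty: float = 400.0        # per-audited-employee productivity drag


def attempt_probability(audit_fraction: float, a: Assumptions) -> float:
    """Leak-attempt probability, falling exponentially with the perceived chance of being caught."""
    p_caught = audit_fraction * a.catch_if_audited
    return a.base_attempt_rate * math.exp(-a.deterrence * p_caught)


def expected_cost(audit_fraction: float, a: Assumptions) -> float:
    """Monitoring spend plus expected loss from leaks that are attempted and not caught."""
    p_caught = audit_fraction * a.catch_if_audited
    expected_undetected_leaks = a.staff * attempt_probability(audit_fraction, a) * (1 - p_caught)
    monitoring = audit_fraction * a.staff * (a.audit_cost_per_employee + a.productivity_penalty)
    return monitoring + expected_undetected_leaks * a.leak_loss


def best_audit_fraction(a: Assumptions, steps: int = 100) -> float:
    """Grid-search the audit fraction (0.0 .. 1.0) that minimises expected cost."""
    candidates = [i / steps for i in range(steps + 1)]
    return min(candidates, key=lambda f: expected_cost(f, a))


def compare_scenarios(scenarios: dict) -> dict:
    """Evaluate each named intervention scenario on the same model: name -> (best fraction, cost)."""
    results = {}
    for name, a in scenarios.items():
        f = best_audit_fraction(a)
        results[name] = (f, round(expected_cost(f, a)))
    return results


if __name__ == "__main__":
    scenarios = {
        "baseline": Assumptions(),
        # Intervention A: better detection tooling raises the catch rate per audit
        "better tooling": Assumptions(catch_if_audited=0.99),
        # Intervention B: automated log review makes each audit cheaper
        "cheaper audits": Assumptions(audit_cost_per_employee=600.0),
    }
    for name, (fraction, cost) in compare_scenarios(scenarios).items():
        print(f"{name:15s} audit {fraction:.0%} of staff, expected cost {cost:,}")
```

Changing one assumption and re-running is the point: the same code answers "what if we buy better tooling?" and "what if audits get cheaper?" without re-arguing the policy, and the assumptions being visible in one place is what lets someone challenge them.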

For an archive of all CyLab Chronicles, click here.

-- Richard Power

Tuesday, January 5, 2010

CSO Magazine: The Digital Trail of the Maltese Falcon - Private Investigations in the Information Age

Dashiell Hammett, author of the Maltese Falcon, The Thin Man and Continental Op


Psycholinguistics uses insights from the field of psychology to help gain a better understanding about the intent and state-of-mind of people through their communications. This is important because much of the law is focused on whether or not there was "intent" associated with the actions of individuals. Intent is a critical element that must be established in most litigation. Ed Stroz of Stroz Friedberg in CSO Magazine, 1-5-10

The Digital Trail of the Maltese Falcon: Private Investigations in the Information Age

By Richard Power


My latest piece for CSO Magazine is now available on-line. It features an interview with Ed Stroz of Stroz Friedberg. Stroz is a global leader in the field of corporate cyber security investigations, and his insights on this vital issue are invaluable.

Here is one of the seven questions I posed to him; follow the link below to read the rest of the interview:

Richard Power: The ways in which the shift from the Industrial Age to the Information Age has revolutionized different fields of expertise and endeavors related to risk, security, privacy, etc. is of great interest to us all; and few are as fascinating as what the Information Age has meant to the field of private investigations, both for the corporation and the individual. It is something that I have been tracking for almost two decades, and that you and I have been discussing throughout. So for our CSO readers, give us your overview of where the field of private investigations was, technically and professionally, when you went into it after your years with the FBI, and where it is today, technically and professionally?

Ed Stroz: Private investigations are more important than ever, both for their private party clients, and for the government. Investigative skill is needed to address areas where suspicions or allegations have been made, but they also are being used for additional due diligence and assurance in the wake of financial scandals like that of Bernard Madoff. But today, private investigation requires updated skills.

As recently as the early 1990s, expertise in computerized technology was viewed as a tactical skill set within private investigative services. Today computer expertise is part of the necessary knowledge base in crafting an investigative strategy. For example, if a client thinks they are being "bugged" at home or work you would be remiss if all you did was "sweep" the office for listening devices. Today's investigator should have an understanding of spyware and sniffer technologies to even decide how to approach that type of engagement.

Another major change is brought about by the legal and practical limitations on government investigations. While the government has tremendous technological resources and expertise, those resources cannot be brought to bear in every investigation. And, putting technological prowess aside, the government is often restricted in what it is allowed to possess or view.

For example, a recent court case in the Ninth Circuit limited the government's ability to examine a single computer device seized under search warrant because of the intermingled information contained within that device. In other words, the government agents may have had legitimate rights to see some of the contents in a given device, but maybe not all of it. In those situations, a safe way to proceed and honor the valid interests of government and the valid interests of private parties is to have a carefully structured procedural protocol executed by competent private investigators, complete with an audit trail. Those services will increasingly be provided by the private sector in my opinion.


Richard Power, The Digital Trail of the Maltese Falcon - Private Investigations in the Information Age, CSO Magazine, 1-5-10
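The "carefully structured procedural protocol ... complete with an audit trail" that Stroz describes for intermingled data, as an added example that is not part of the interview and is not Stroz Friedberg's own tooling: every request to examine an item in a seized image is checked against the authorised scope, the decision (granted or refused) is recorded either way, and the records are hash-chained so that any later alteration of the log is detectable. The evidence paths, file contents and scope patterns are constructed placeholders; a real examination would hash the forensic image and its artefacts rather than inline byte strings.

```python
"""Hash-chained audit trail for scope-limited review of a seized device image.

Constructed illustration: examiners may only view items matching the
authorised scope; out-of-scope requests are refused but still logged, and
each log entry commits to the previous one so tampering breaks the chain.
"""
import hashlib
import json
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed evidence manifest: path inside the image -> content bytes.
EVIDENCE = {
    "Users/jdoe/Documents/contracts/acme.docx": b"contract text (in scope)",
    "Users/jdoe/Documents/contracts/ledger.xlsx": b"ledger (in scope)",
    "Users/jdoe/Pictures/family/birthday.jpg": b"family photo (NOT in scope)",
    "Users/jdoe/Mail/personal/doctor.eml": b"medical email (NOT in scope)",
}

# Constructed scope: glob patterns the authorisation permits examiners to view.
WARRANT_SCOPE = ["Users/jdoe/Documents/contracts/*"]

GENESIS = "0" * 64  # previous-hash value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def in_scope(path: str, scope=WARRANT_SCOPE) -> bool:
    return any(fnmatch(path, pattern) for pattern in scope)


def append_entry(log: list, entry: dict) -> dict:
    """Append an entry whose hash covers its fields plus the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = dict(entry, prev_hash=prev)
    # Canonical JSON (sorted keys) so the hash is reproducible on verification
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def request_review(log: list, reviewer: str, path: str,
                   evidence=EVIDENCE, scope=WARRANT_SCOPE, now=None) -> str:
    """Decide whether `reviewer` may examine `path`; record the decision either way."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    if path not in evidence:
        decision, content_hash = "unknown-path", None
    elif in_scope(path, scope):
        # Granted: the content hash ties the log entry to exactly what was viewed
        decision, content_hash = "granted", sha256_hex(evidence[path])
    else:
        # Refused: no content hash is computed, so nothing about the item leaks into the log
        decision, content_hash = "refused-out-of-scope", None
    append_entry(log, {"ts": ts, "reviewer": reviewer, "path": path,
                       "decision": decision, "content_sha256": content_hash})
    return decision


def verify_chain(log: list) -> bool:
    """True if every entry's hash is intact and links to its predecessor."""
    prev = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    log = []
    for p in EVIDENCE:
        print(f"{request_review(log, 'examiner-1', p):22s} {p}")
    print("chain intact:", verify_chain(log))
    log[0]["decision"] = "refused-out-of-scope"   # simulate after-the-fact editing
    print("chain intact after edit:", verify_chain(log))
```

The log is the artefact both sides can inspect: it shows which items were opened and which were refused, without exposing the refused items' contents, and the chain lets a court or opposing counsel confirm the record was not rewritten after the fact.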