III. Exposure-Impact

Rugged is —

  1. Knowing the exposure possibilities (internal or external)
  2. Examining various impact levels
  3. Identifying sensitivity levels
  4. Establishing trust levels
  5. Reducing exposure level

Exposure is the degree of physical or logical (digital) access to people, information or computer systems.

NEW CONCEPTS:

  • Universality: One concept emerging from the revolution of the last 10 years is Universality and Immediacy: we are able to connect to 1,999,999,999 other people virtually instantly. They can connect to us, to our computer, to our data without us knowing it. This has never before in the history of humanity been possible. We simply don’t know how to deal with the scope of access and communication this vast or …
  • Immediacy: …that fast. Communication is virtually instantaneous and can be addictive. Online relationships can develop to startling intensity within days or weeks. Huge amounts of information can be stolen in fractions of a second.
  • Anonymity — sitting alone behind a computer screen does not provide the face-to-face feedback of reading body language, tonal inflection or facial expressions that temper or change face-to-face communication. This has led to email “flaming”, brutal “cyber bullying”, an explosion of sexual exploitation, and other abuses that were not as intense or widespread pre-Internet. Offenders need never come face to face with the victims they exploit. It is much easier to commit an offense or crime without personal contact.

Attack Surface — is an old military term. Shields and armor were used in ancient times to reduce the amount of body surface exposed to enemy swords. The attack surface of a house is the number of easy ways a thief can gain entrance. In software development, attack surface is related to the amount of running code, privilege, and anonymous code paths; the Microsoft Attack Surface Analyzer can be used to evaluate code. On a network, the attack surface is open ports, running services, interfaces, exposure to SQL attacks and more. For people it is the quantity of people with access and the number that fall prey to social engineering schemes. One way to reduce the attack surface is to limit the number of people with access. Another way is restricting the ability to write or change files in a folder. A third way is encrypting data in a folder so that nobody but the person with the encryption key can decrypt it to read it. The more we restrict what we have to protect, and apply the protection as close to the data as possible, the safer it will be.

Impact — along with estimating the attack surface or likelihood of an event, a good understanding of what the consequences of the event occurring would be is needed.

Effect of Underestimation of Impact in Japanese Nuclear Power Plant

Online relationships — Most parents are not yet aware of the extreme importance and impact social media have on their children. If early Web 2.0 was about e-commerce, it is now all about exposure to online relationships and communication through new media like Facebook, Twitter, Flickr and others. Parents and those who did not grow up with new media should learn enough to understand what their children are doing online. Would a parent give a child keys to a car without lessons? Yet most allow children unrestricted Internet access without understanding the extent of exposure to cyberbullying by their peers, pedophiles, online fraud or identity thieves. Parents can ask children for help as an excuse for engaging in conversation with them; give them a chance to show off how much they know and what they can do. Social norms for digital communication have not yet been established and disseminated throughout the population. There is no Emily Post of Internet Etiquette! Parents and teachers don’t have their own experience to draw from to teach positive and safe digital communication behavior. It’s all just too new! So we have to find existing practices we are already familiar with and expand them to the Internet.

Internet safety should not be totally alien. It helps to build on concepts of safety that we already have and expand them to the new digital frontier. A good practical and immediately useful analogy for these principles can be found in ISECOM’s Home Security Vacation Guide.

Exposure: Internal/External — Traditionally, the focus of protecting computers has been on external threats. However, with the advance of infiltration techniques, the ease of using phishing and other browser-based techniques to get inside a protected network means we cannot rely as much as previously thought on perimeter protection from external threats. Still, in most organizations as well as homes, the greater threat is internal. Those with the most access to the data on a computer are the greatest threat to it! To best protect against either internal or external threats, the best solution is to protect exactly what has to be protected: data and information.

Sensitivity — Ideally, the best solution would be to identify the most important, sensitive, irreplaceable (or too time consuming to replace) data and only spend money on protecting that small percentage of data. At least one major university does that. It has few perimeter defenses, since the purpose of a university is the exchange of knowledge, information and data. However, it also has top secret government research and the same PII data all businesses have, which it is obligated to protect. That university has developed sophisticated algorithms that closely monitor the traffic patterns on its network. The algorithms sense anomalous patterns, which over time have been matched with various types of intrusions or malicious activity. Staff can then go directly to the compromised computer and deal with the problem. Feel free to explore the pros and cons of this approach by commenting below. Obviously, this isn’t an option for home computers or small businesses, but it is an interesting idea and a good illustration of having to know exactly what data you have to protect and where it is, either at rest on a hard drive somewhere or in digital transit to an appropriate person or computer.
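The monitoring idea just described, as an added example that is not from the original post or the university in question: constructed per-host hourly traffic summaries (fictional host names and byte counts) are compared against each host's own baseline, and a host whose outbound volume or spread of destination ports jumps far above its norm is flagged with a category, the way the paragraph says anomalies get matched to kinds of malicious activity.

```python
from statistics import mean, pstdev

# Constructed sample data (not real traffic): for each host, the last four
# hourly summaries as (bytes_out, distinct_destination_ports).
BASELINE = {
    "lab-pc-01": [(1_200_000, 6), (1_050_000, 5), (1_400_000, 7), (900_000, 6)],
    "lab-pc-02": [(300_000, 4), (280_000, 3), (350_000, 4), (310_000, 5)],
    "fileserver": [(9_000_000, 3), (8_500_000, 3), (9_800_000, 4), (9_100_000, 3)],
}
# The hour being examined, same shape.
CURRENT_HOUR = {
    "lab-pc-01": (1_300_000, 6),     # in line with its own history
    "lab-pc-02": (4_800_000, 4),     # ~15x its usual outbound volume
    "fileserver": (9_200_000, 180),  # normal volume, but talking to 180 ports
}

def zscore(value, history):
    """Standard deviations by which `value` exceeds this host's own history."""
    sd = pstdev(history)
    # A flat history has sd == 0; treat any value as non-anomalous rather than divide by zero.
    return (value - mean(history)) / sd if sd else 0.0

def classify(host, observed, baseline=BASELINE, threshold=3.0):
    """Label one host's current hour against its baseline.

    The labels are the plain-language categories an analyst would map the
    pattern to; the numbers behind them are the two z-scores.
    """
    bytes_hist = [b for b, _ in baseline[host]]
    ports_hist = [p for _, p in baseline[host]]
    volume_up = zscore(observed[0], bytes_hist) > threshold
    ports_up = zscore(observed[1], ports_hist) > threshold
    if volume_up and ports_up:
        return "anomalous: volume and port spread both elevated"
    if ports_up:
        return "anomalous: many new destination ports (scan-like)"
    if volume_up:
        return "anomalous: outbound volume spike (possible bulk transfer)"
    return "normal"

def find_anomalies(current=CURRENT_HOUR, baseline=BASELINE):
    """Return {host: label} so the compromised machine can be located directly."""
    return {host: classify(host, obs, baseline) for host, obs in current.items()}

if __name__ == "__main__":
    for host, verdict in find_anomalies().items():
        print(f"{host:12} {verdict}")
```

A real deployment would build the baseline from weeks of data and per-hour-of-day profiles; the per-host comparison is the part that matters, because a file server's normal hour is a workstation's anomaly.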

Trust — One of the biggest problems, either in real life (physical) or on a computer system (logical), is deciding whom to trust. There are no good relationships in either without trust. In relationships as in computer security, the goal is to make the right information available to the right person at the right time. With people, we learn to associate a person’s name with their face and come to trust that we know who that person is. That’s fine for the few hundred people we have in a social circle. But when there are 1000 people in a moderately sized business, that becomes a problem of a different magnitude. With 2 billion people on the Internet it becomes an enormous problem. Either at home or at work, each individual should have his or her own account, especially on a shared computer, and use a password that only that one person knows. Those accounts should only have “user” access, not “administrative” access. Limiting accounts to “user” access is an extra layer of security that prevents much malware (malicious software) from being installed.

According to the Internet Crime Complaint Center (IC3) 2010 annual report, Identity Theft was the #1 crime nationwide in 2010, even surpassing drug trafficking, because people’s unsecured PII provides an easy target (attack surface).

Exposure in the Cloud — numerous large companies outsource maintenance of customer email lists to outsiders. The Epsilon breach in April 2011 exposed the email lists of hundreds of companies’ email subscribers. The prevalent corporate attitude seems to be that consumers don’t care if their information is breached. Until consumers start caring, and contacting legislators, personal data will continue to be exposed without consequence. This is an example of when risk management doesn’t work — when nobody is accountable.

The Open Security Foundation is made up of employees and volunteers who search for data breaches, current and past. They also use Freedom of Information Act (FOIA) requests to states, requesting the breach documents states receive (this varies by state, dependent on state legislation).

Several companies publish annual reports summarizing the recent trends they’ve seen. The 2011 Verizon Data Breach Investigations Report, prepared by the Verizon risk team from their own data and data from US Secret Service investigations, is one of the largest and most interesting. It’s about 74 pages long and well worth reading.


37 Responses to III. Exposure-Impact

  1. GTM says:

    Covers the gamut of exposure….

  2. Mr. D says:

    As a security professional, the “cloud” bothers me. We have enough trouble trying to secure our relatively small network and now we will push vital services to a “cloud?”

    Clouds may bring needed rain, but they also spawn hurricanes and tornadoes.

    • Longshot9 says:

      Agreed. I’d add to that the simple problem of whom do you call when something breaks. Who is responsible within the cloud?

  3. michael says:

    The discussion on sensitivity was good. But a new section titled impact should be created for an appropriate discussion on the impact if a threat happens to leverage one of your exposures (vulnerabilities).

  4. Always Learning says:

    Dumpster diving is another way in which you are exposed. Especially if you do not shred important documents. Also, remember to secure your home wireless network!

    • Elastic Man says:

      Dumpsters are too dirty/require too much effort. Easier for them to grab your mail right out of the mailbox! Might as well add a locking mailbox to your wish list.

  5. Jose H says:

    I’m beginning to understand the need for additional security for home pc’s also, but the cost is getting out of hand, especially with the economy as it is.
    Does anyone know of free downloads that can help?

    • Lydia says:

      Many free programs are offered on other pages of this website for exactly the reason you mentioned. Also, numerous people in the comments have offered their suggestions for free programs.

  6. Brenda Sue Pickering says:

    I see the point that it is much easier to commit an offense or crime without personal contact.

  7. IT Guy says:

    As a parent this something near and dear to me. The threat is unrealized by younger people and if the internet is going to be a social gathering place we as parents need to ensure their safety with ours.

  8. colston says:

    Cloud computing sounds great but the security indications as well as ownership and liability make it seem very far away….anyone not running a firewall on their personal system really needs to get in the loop here.

  9. Evolution thru growth says:

    Being a good parent includes teaching our children that we must not mix human interactions and put those expectations on business matters. Unfortunately our social structure has changed to encourage the social media to replace the human interaction, this may be the most difficult transition to impart to our children, nothing personal, it is all just about business…

  10. Chris says:

    I would be very concerned that reducing your external protection and relying instead on algorithms to find suspected intrusions would lead to more loss of data, not less. At what point do the algorithms fail to detect hacking activity done via what might appear as normal activity? Wasn’t it just mentioned that China uses the slow and methodical approach walking in on the backs of others so their activity looks like regular usage?

  11. Charlie says:

    The solutions / suggestions for security described in these pages, especially for the average user securing their personal cloud or home data, are too much work for the average user to likely implement. If we as individuals need to do that much to secure ourselves, I fear for the future.

  12. Terry says:

    DBIRs are very insightful and the results of a dedicated force on behalf of security.
    The reports have to have a lot better exposure in terms of outreach to the public at large via the traditional media. Awareness and the degree of worrisome feeling these reports leave on the larger public conscience can help put a real face on the seriousness of cyber security.

  13. CWJ says:

    Trust is one of the scary parts for parents and for most of the rest of us, not scary enough. The way a lot of malware infestations occur is that adults, and children, just blindly trust. Trust that a web site we know and visit regularly, really understands what advertisements are up and running. Trust that an email sent by a friend or co-worker will not contain a link, picture, .pdf or executable file that puts some type of malware onto our PC whether at home or at work. Trust…I’m not implying that users shouldn’t trust. We should just take off the rose colored glasses and be aware of the questionable element on the web. Did that request for assistance from your friend stranded in Africa, really come from them? Did the co-worker who has never told a joke or sent you anything even remotely funny suddenly grow a sense of humor by sending you an email with the subject line: “Hilarious, check this out?”

  14. Arctic says:

    Again good info…………but, while it may not be PC (no pun intended), we really need to turn on our common sense “software” when we enter the digital world. I’m new to facebook and a lot of friends were telling me horror stories of why “not to”……… after listening to them I am on facebook! Number 1 Rule: If you can’t say anything nice about someone….etc.

  15. Bob Brown says:

    Very interesting stuff

  16. ash says:

    I have to say I have been very surprised at how much I did NOT know.

  17. leewelch32 says:

    assessing exposure impact and risk management, cost benefit ratios, etc. all key subjects

  18. OctalMan says:

    At the same time that we hear we should reduce our attack surface, there are DOI initiatives to open access wider. Policies have not kept up with changes for Windows 7 and 2008. Users are caught in the middle between being denied any access at all, and being allowed too much access. We need to iteratively refine policies. The cost of not doing so is extremely high.

  19. protectmydata says:

    Personal data on the WEB will continue to be exposed to the public without consequence.

  20. Buster says:

    Don’t forget the companies that “Offshore” their IT services to India and China. How do you protect your information assets on the other side of the planet?

  21. Guest says:

    First time I have heard the term email flaming

  22. thedudea says:

    The window analog was good since I’m replacing windows in my house.

  23. Bulk says:

    Some numbers to think about.
    80% of teens use privacy settings at some point to hide content from certain friends and/or parents.
    82% of parents feel they should be able to delete information from their teens’ accounts by contacting Facebook or other sites.
    1 out of 10 Parents secretly log into their kids’ social networking accounts without permission.

  24. Mark D. says:

    Found this checklist really useful, I’ll be sending this to all family members for future use: http://www.isecom.org/mirror/HomeSecurityMethodologyVacationGuide.1.2.pdf

  25. AID says:

    Knowing about cybercrime, Intellectual property rights, computer intrusions, theft of trade secrets, child pornography, International Money laundering, identity theft is valuable information.

  26. EGK says:

    Go on an eDiet and reduce your digital footprint. That will surely reduce your attack surface! Just because you “could” put things online does not always mean you “should”.

  27. Kevin says:

    Cloud computing is still too cloudy…too much risk and exposure for all.

  28. QR says:

    Good information about reducing your exposure level.

  29. RD says:

    If we have all these security issues why are we going to put more information into the Cloud when it still will not be safe? If we can not fix the security problems we have then why create more? I love the fact we have all this technology however it scares me that someone can know everything with just a bit of information.

  30. Ry says:

    Good information, not quite what I was expecting

  31. Nick Cusimano says:

    Sure seems to me that moving applications and data to the cloud will increase exposure and make it easier for hackers to find you.
