The Flatline Cohesion Principle

This week’s CCSP class pointed out that one of the multiple-choice answers in my book of practice tests included the term “flatline cohesion principle.” They asked me what it meant, and I had to admit that I had no clue…maybe it meant that I was drinking too much scotch when I wrote the book?

Turns out, it was a nonsense term I invented as a distractor from the correct answer to that specific question. So we discussed the idea, and decided we had to come up with a definition for the completely blank term.

The consensus was that it should mean: “When you write a book of practice tests that may or may not have complicated, misleading questions in it, then use your class to crowdsource how worthy the material is for study purposes.”

I do like this. But I am very open to alternative uses for the term. If someone comes up with something better, put it in the Comments section, and I’ll send you a free copy of the book. I will be the sole judge of what constitutes “better.”

In the meantime: everyone should follow the flatline cohesion principle.

And many, many thanks to this week’s CCSP class participants: y’all were awesome, and I think you’re all gonna to conquer the exam.

Sharp Security

In the US, possession of a switchblade is a federal offense, but butterfly knives are as legal as rye bread.

In Germany, it’s just the opposite. About switchblades and butterfly knives, I mean— bread’s not illegal there, as far as I know.

Funny thing: neither place, far as I can tell, suffers from crime waves using either instrument.

I am sure someone smarter than me could figure out some sort of meaning in this.

CCSP Test Feedback

From a recent student:

”I found it to be quite challenging, mostly because more than a few of the questions and / or answers were so tersely worded that it was very hard to determine what was being asked.  I also ran into some test questions on concepts that weren’t covered in the course material, or if they were,  it was in passing and didn’t really justify the attention it got on the exam.  However, I passed, so it’s all behind me now.  :^) “

Amazon Data Leaks

in

Meh. When I first saw a notice that contained the same words as the headline on this entry, I thought, “well, here begins the end of cloud managed services.”

But then I read an article [like this one] and saw that it was really Amazon employees taking bribes from retailers to remove negative reviews.

So…”help me sell more sandals,” is a far cry from, “sell me my competitor’s data.” I would imagine Amazon’s main concern is that the bribes are less expensive than what Amazon could otherwise charge for this same service…and go directly to the employees, instead of to Amazon.

RECENT CISSP CAT EXAM NOTES

in

Got an email from a recent former student...the kind of email I really enjoy:

"Hi Ben,I wanted to let you know that I took my test yesterday and passed at 100 questions :D

 

- After our class, I studied using mostly the Boson practice exams (reading the explanation for EVERY question, failed or passed).

- After that I bounced back and forth between Boson random exams, the updated Sunflower guide, and the 11th Hour book (which was great for last-minute cramming, the last 2 days leading up to the exam).  I also watched Kelly Handerhan's CISSP prep videos at Cybrary prior to our class, and various other YouTube videos (Larry Gleenblatt's CISSP exam tips were helpful) here and there.

- I studied for about 2-3 hours a day, every day, for 4 weeks total (taking 1.5 weeks off for vacation).

- I was 100% certain that I was going to fail while taking the exam.  I was so sure of it that I considered just picking the same letter answer over and over to end the test and GTFO at around 80 questions.  Glad I didn't.

- I took my time reading and re-reading each question and answer so many times that I thought I was going to shoot myself in the foot with the time of the exam.   I had about 30min left at 100 questions.

 

Thank you for all of your wisdom and guidance during our class.  I feel that it helped a lot and set a good expectation for the exam and framework of where to study. It helped me realize my weak areas so I knew where to focus.  Although, the test has a funny way of making you feel that you're completely unprepared while you're actually taking it. :)"

Physical Badsec

in

If your physical security process involves controlled items, make sure you train your staff not to hand a stack of the controlled items to unauthorized personnel during the procedure...else someone could pilfer one or two, and use them for all sorts of nefarious purposes.

 

In totally unrelated news, if someone wants to smuggle contraband/small children/explosives aboard a cruise ship, drop me a line in the Comments section.

carnival luggage tag.jpg

Bad Control

in

The vendor has a policy: checks that are numbered less than 1500 are not accepted.

The clerk tells me to just ask my bank to put a higher number on my checks and send me some new ones.

The control was put in place years ago, to reduce the possibility of fraud from an outdated attack method (does anyone even commit check fraud anymore?). The vendor obviously knows the control is easy to overcome, and only actually prevents legitimate transactions.

This is not a good control.

First person to guess the vendor correctly gets a free copy, your choice, of one of my books. Put your guess in the Comments to this post.

Letting Off Steam

in

            Valve is a company that makes computer/video games; they also run the Steam game distribution platform, which is an online store/licensing portal that sells games made by other companies. This week, Valve announced it would no longer curate titles on Steam, and allow any game producer to host any title in the store, for sale to the public (with the notable exceptions of games that contain illegal content and those are “straight up trolling”). [You can read the announcement at: https://store.steampowered.com/news/]

            This is fascinating, and definitely a reaction to recent public attention focused on one game that Valve took off the Steam platform (and simultaneously banned the game producer), a first-person shooter that simulated mass murder at a school, called Active Shooter. While I’m not sure how that game would run afoul of this new policy (is Active Shooter straight up trolling or illegal content? if neither, why is it still banned?), it seems very interesting to me that Valve chose to modify their approach to hosting titles as a result.

            I am a gamer. And I am interested in maximizing free speech. Valve’s decision therefore delights me greatly. Opponents of Valve’s decision (including writers from disparate sources, such as game review websites and Forbes) kind of puzzle me, and somewhat infuriate me. Their arguments seem to constitute two lines of thought: 

1) By allowing anything, Valve is taking a political stance that endorses everything.

2) By allowing anything, the online store will be swamped with material customers don’t want, such as games that include topics that bother some people, including racial bias, violence, and sexuality. Customers won’t be able to find what they want, because of all the material they don’t want; this will be particularly disturbing to sensitive customers who are offended by those topics.

            Trying to make sense of these criticisms, I draw these two conclusions:

1) I can’t possibly understand why the political stance of “allowing everything” is ugly or wrong: the entire purpose of having a free society (much less a free online store) is so that conflicting ideas and perspectives are allowed to exist (and maybe flourish)....even if most of us don’t particularly like them. Having freedom so that we can all like the same things isn’t freedom, it’s a sheep farm.

2) I don’t think the people saying this A) are gamers and B) understand how the Internet works. To explain in detail:

            A) Gaming is a participatory mode of entertainment unlike any other form of mass media: books, movies, music are all projections of the creators (writers, directors, musicians, singers) at the audience in a unilateral communication; the audience does not communicate with the artist or influence the art. (The notable exception: choose-your-own-adventure books, where outcomes are decided by readers.) In gaming, the player must take part in the activity in order to determine progress/outcome. The artist(s) can present content, but the game doesn’t actually do anything unless the player is utilizing it-- a game without a player is a title screen, and no different from wall art. In terms of recreation, this makes gaming more akin to, say, sports, than literature (with the obvious advantage that gaming does not favor only those with the biological birthright biases of ability, size, speed, etc.).

            So in order to be “affected” by a game (no matter how sensitive you are), you have to actually play the game...which is a conscious choice, and includes the option of stopping at any time. You, the player (or potential player), have full control over whether any selection from that medium, any game, affects you, personally. You have no control over whether someone else can play it or if they are affected, and nobody else has control over whether you play it or are affected. You. You alone are in charge. Compare this to, say, the television turned to full volume in the airport waiting areas: I have no choice, as an audience member, to voluntarily not participate: if I want to isolate myself from that communication, I have to take active steps (using headphones/earplugs, purposefully not looking in that direction) to insulate myself from the message.

            Gamers understand this, and relish it-- it is one of the great joys of games. There are many thousands of games I have never played, nor ever will-- those do not affect me in any way, much the same way the millions of sandwiches eaten by other people only affect those people, and not me. There is food on this planet I do not like, and would probably cause me intestinal distress: I don’t have to eat that food, and can choose not to.

            Now, is it possible that the title of a particular game offends someone, and just seeing it on a screen bothers someone? Or that hundreds of these titles, listed together, scrolling across a screen, might be distressing to a viewer? Like, if every title in a list of hundreds contained racial/religious epithets, or swear words?

            Maybe that would be bothersome to someone...or maybe it would inure that person to those words, causing those words to lose power. But that’s not really here nor there, because we go to point....

            ....B) The Internet is the best shopping market ever devised. I can find almost anything I could possibly want, in a moment, without the trouble of leaving my couch. Steam makes full use of Internet possibilities, allowing a shopper to search for particular terms (or filter out particular terms), see only titles that are preferred, or limit content in any number of ways. So not only does a gamer not have to play a particular game (or genre of games), but the gamer does not even have to see a given title or type of title.

            Those that complain Steam will be overwhelmed with undesirable games, making it difficult for shoppers to find the games they (the shoppers) like, don’t really want to shop. Because that’s what shopping is: making a choice from among options. The complainers want someone else to make the choice for them (and for all gamers) by limiting the possible options. I find that sad; when an adult wants to forego the power of their own choices, they limit themselves (and when they want to impose it on everyone, they’re limiting all of us).

            Might Steam get inundated with cheap, callous, crass games made by halfhearted or greedy developers less concerned with quality gameplaying experiences than turning a quick buck? Might that make it harder for a shopper to find the gems hidden in piles of dross? Possibly. But that same description could be used for major production houses right now, easily. And sifting through a bunch of crap to find a treasure is one of the great joys of one of my favorite shopping formats: the flea market. I have found some items of great value (both relative and financial) for amazing prices at flea markets...and I have spent hours in flea markets where I’ve seen nothing but crap and not made a single purpose. Did the latter experience harm me in any way? You could argue I lost the value of those hours, but that would be predicated on the assumption I didn’t receive enjoyment and entertainment value from those hours

            I assure you, I did.

            Finally, just to offer a couple thoughts on the public outrage over the specific game that started the whole conversation: Active Shooter. I am not sure why the idea of a simulation that mimics a tragedy, or where the player can pretend to be an awful person, or where entertainment is derived from violence is something to revile. I and my friends have pretended to be Nazis, done faux atrocities, and taken pleasure in murder for decades...and those were just board/tabletop games: Axis and Allies, Dungeons and Dragons, and Clue. Oddly, it has never meant that I actually want to invade Poland, slaughter hobgoblinoid people, or would take delight at a dinner party in which someone was bludgeoned to death with a heavy plumbing tool.

Anatomy Of A Troubleshooting Session

in

- I wake up. Sit down at laptop, quickly notice there are aberrant issues with the keyboard: certain keys do not work, but the rest do.

- I freeze all my work/open resources. Immediately start searching for info about malware that attacks only specific keyboard keys.

- Reboot.

- Do a quickscan. No hits.

- Look over my restore points, just to make sure I still have my current data.

- Check hardware drivers, make sure they are all up to date.

- Search for more info about malware, particularly for certain apps (browser/Office). Spend a good half-hour reading about funky viruses.

- Girlfriend wakes up. I tell her that some of the keys on my keyboard aren't working. She has no tech background whatsoever.

- "Dog hair?" she asks.

- Take out the can of compressed air, spray beneath keyboard.

Dammit. Problem solved.

Advice for Job Applicants

in

From my brilliant friend George J. Silowash:

"Pro Tip of the day: If you are applying for jobs to multiple organizations, be sure the "Track Changes" feature is turned off in MS Word, or, at least sanitize your document before sending it out to a perspective employer. If you don't, I am one click away from learning where you have applied to. Digital Forensics 001 folks. (No, this was not me, I am not looking for a job.) "

Read and heed. Also, this is good advice for those posting RFPs, too.

Ditching the ALE

in

At this point in my career, I deliver a lot of certification prep content, through teaching and writing. And I see certain things that were included at the outset of the industry as guidelines and suggestions that just aren't applicable anymore (or at least, not applicable in the same way as when they were proposed). My primary customer is ISC2, for the CISSP and CCSP certs, but I've taught ISACA and CompTIA certification prep courses in the past, and many of them suffer from the same problems. While I can't say for certainty exactly why all the major INFOSEC certifications suffer from the same blind spots, I can guess: most of the test writers have the same training in the same fundamental concepts, get the same certifications (from multiple vendors), and have received that content from their predecessors, and will pass it to the next generation in kind.

This leads to the possibility of stagnancy in content and approach. Which isn't terrible, for certain fundamental security concepts (say, defense-in-depth/layered approach/multiple redundant controls, or the use of two-person integrity), but there are other notions/ideas that are simply treated as sacrosanct in perpetuity, instead of being re-examined for validity, assessed as nonsense, and thrown onto the trash pile of history.

Today, I want to talk about one of the latter: the ALE formula.

If you don't what it is, consider yourself lucky. Then consider yourself unlucky, because if you're going to go get an INFOSEC cert, I can tell you for damn sure that it's going to be one of the things you're going to have to learn and memorize whether you like it or not.

Simply put, it's an approach to estimating the cost of a given type of negative impact as the result of security risk being realized. We teach INFOSEC practitioners that this value determination can be used to weigh the possible costs of controls to address a particular risk, and figure out whether or not to spend the money protecting against it.

Which is a good idea: spending too much on addressing a particular threat is just as bad as not spending enough...and, arguably, sometimes worse, because spending too much leaves you with a false sense of security and a lack of money, where not spending enough just means you have some of that risk left.

But the ALE formula is not really the best tool to accomplish this in our realm of INFOSEC, for many, many reasons. And we should stop requiring its use, and teaching it to newbies.

Why? Well, for starters, let's talk about the potential cost of a single type of incident, known in the formula as the SLE.

It's worth noting that the ALE formula works great in the physical security universe, where tangible assets can be mapped to specific losses. If I'm trying to secure a retail space selling goods that are of a particular size, shape, weight, and cost, I know some discrete, objective information about those assets. I know how many can be stolen at one time, by a single person picking them up and walking off with them. I know the amount (number and dollar value) of my inventory, based on another limiting factor: the footprint of my retail space and storage area. I know the various access points to get at my inventory: the doors/windows/loading areas. All these things can be defined and somewhat limited.

With electronic data as assets, all this numeric determination goes out the window (I mean, not the literal window, like tangible assets, but a metaphorical window, because the determination is impossible). I can't really know how many "data"s a person can steal at any given moment, because the size of files or objects or characters don't really have any meaning in the physical universe-- a flashstick that weighs less than an ounce can carry one file or a thousand files, and any given file can contain one character, or a million characters, and all of this fits inside one person's pocket, anyway (and that person doesn't need any exceptional muscles to carry even the heaviest flashstick).

So trying to determine the monetary impact of a single security event involving data is impossible, unlike the impact of a single security event involving physical assets. If someone steals one spoon in a retail environment, we know the cost of that spoon (and we actually know several costs: the wholesale cost we paid to get the spoon, the retail cost of what we would have realized in revenue if we sold that spoon, and the logistical cost of getting that spoon to the retail location)...but if someone steals a file, the value of the information in that file can vary wildly. A file might contain a photo of the user’s pet kitten (which is of value only to the user, and then only arguably at that, if the user has a copy of the photo), or it can contain the privacy data of the target organization’s entire customer base, and the relevant monetary impact can stretch into the range of millions of dollars, as the result of statutory damages assessed against the organization, or the loss of market share, or direct fraud on the part of the perpetrator using that information, and so on.

Sure, insurance companies in recent years have created various approaches to assigning value to data, but these are all just gibberish. Take, for instance, the idea of “average file cost”-- even if we were to determine the midpoint of value between the kitten photo and the customer list, that medium value would be meaningless when we suffered an actual loss: if we lost the kitten photo, and the insurance claim paid the amount of “average cost,” we’d be receiving far more in cash payout than the thing was worth, and if we lost the customer list the “average cost” claim payout would be far less than the damage we’d suffered. And what’s the size/value of an “average” file, anyway? How many files are there in a given business environment? The concept is absolutely pointless.

When the SLE is just a fictional construct, the entire ALE formula is ridiculous. We could use just this argument to eliminate the wretched thing from our industry. But there are even more reasons why ALE is stupid in the INFOSEC world-- and I’ll get to those in subsequent articles.