The Security Poverty Line (and lifehacking update: Faraday cage solved! also stochastic resonance)

A former CISO makes a wonderful point about “security for the 99%.” Most people can’t afford security in its current form. Computer systems are too complex for Jerry the Dentist to put together an office network that’s both functional and secure, and the security technology that seems mandatory is too expensive and takes too much expertise to run.

This affects just about everyone. Remember the case of CYBERsitter against the Chinese e-Mafia? Yeah, that was a security firm, stuck below the security poverty line. And next time you end up entrusting your embarrassing personal problems to a small medical office? Guess where they are on the scale of security socioeconomic status.

The author’s suggestions for solving this are clear — and contain at least a handful of business plan ideas for the entrepreneurial. To my view the most important is her last: we need a clear statement of what effective security looks like. Right now we have lots of well-known “don’ts” and embarrassing public failures… neither very helpful unless you’re in the security industry.

My answer? For people with no particular reason to expect an attack — if you can pass a penetration test, your security is probably good enough. How do you get there? I don’t have a general answer, or even the expertise to make a specific one in all too many cases.

(Also worth mentioning is the author’s call for products that are secure by default. ‘Products that protect you’ goes a long way to obviating the more difficult sides of her other suggestions, for affordable security services and more hands-on resources for people to secure themselves.)

Lifehacking updates–
Faraday cage: Solved it!
After finding that sleeping in a Faraday cage was the key to getting rid of some sleep disturbances that were costing me two hours a day (!) — and puzzling about some really weird night electromyogram readings — I’ve tried just about everything to get rid of the Faraday cage.

Turns out the solution was earplug-style headphones (Senn CX150s, picked up for 20 EUR) taped in place, with pink noise playing. The pink noise generator was the most complex part (http://sound.westhost.com/project11.htm) — I ended up driving the headphones with a single extra opamp, using a really classic design (http://headwize.com/projects/cmoy2_prj.htm).

Note that I haven’t tried the headphones by themselves yet: in the name of one-variable-at-a-time I’ve kept all the other solutions that kind-of sort-of helped a little (photic entrainment at 0.6Hz via incandescent bulbs at close range, pink noise via bone conduction, pink noise via direct electric stimulation through a reversed audio output transformer, conductive fabric on the areas of skin which showed massive square-wave waveforms in the electromyogram, pink noise into a ~2m dia 10 turn coil around where I’m sleeping). However, the headphones represented such a massive improvement that it’s hard to believe they wouldn’t do the trick on their own.

Stochastic resonance: After I discontinued the use of a Neurophone (+pink noise) all night, the earlier noted stochastic resonance effects (noticed in pink noise during the day while I’m working) have all but disappeared. Evidently the Neurophone-caused auditory processing adaptations were key.

http://idoneous-security.blogspot.de/2011/12/security-poverty-line-and-junk-food.html

“When you don’t have a lot of IT money, you can’t afford your own IT staff (or you go with whatever you can borrow or rent). This means you don’t have in-house expertise to maintain a decent level of security controls and monitoring, even assuming you get systems and networks configured right to begin with. As we all know, security is an ongoing process, and if you have Jane the IT Girl as your sole resource, she’s going to be too busy troubleshooting problems and installing new systems to be able to maintain the existing ones in a proactive fashion.

Organizations below the SPL tend to be inordinately dependent on third parties for this reason, and since they’re so dependent, they have less direct control over the security of the systems they use. They also end up ceding risk decisions to third parties that they ideally should be making themselves.[…]

although some people see the failure to achieve compliance or effective security as simply a matter of attitude (“if you really cared about auto safety, you’d buy a Mercedes!”), it’s not that simple. Even upgrading and untangling a set of legacy systems can double the cost of migration to a new platform, due to system inertia and missing institutional knowledge.[…]

As it turns out, most of the affordable security technology is the oldest kind, the least effective, and mostly preventive in nature — firewalls, antivirus, and a scanner that will tell you what’s wrong with your systems that you can’t afford to fix. The newer stuff, especially anything that involves proactive work and monitoring, is out of reach. Enterprises below the SPL are not only stuck with the equivalent of burgers and fries, they can’t afford any vegetables[…]

we need to make security services more affordable (and there are some providers who are working on just that). We need to build security into products and deliver them already secured, so that security isn’t an add-on luxury. We also need to create more hands-on resources — perhaps as a community service — that poorer organizations can draw on, not just to give them guidelines, but to adapt them to what they can afford to do.

And finally, we need to be able to state clearly what effective security looks like. The great thing about compliance (yes, I really did just write that) is that you know when you’re done. When the last box has been checked, you have that sense of accomplishment, and it’s straightforward to know whether you pass or not. I challenge anyone in the security community to tell me what, say, a 50-person company needs to buy — even assuming they have a blank check — to make sure they are doing everything necessary to manage their risk. (Hell, I challenge anyone to tell me what their risk is without using colors.)

At least there’s a food pyramid (or plate, or whatever — they keep changing it) to describe the minimum daily requirements for nutrition. What should be on the security plate for a healthy organization?”
