Return-Path: <sentto-279987-4453-1013315419-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Sat, 09 Feb 2002 20:40:08 -0800 (PST)
Received: (qmail 13454 invoked by uid 510); 10 Feb 2002 04:36:22 -0000
Received: from n11.groups.yahoo.com (216.115.96.61) by all.net with SMTP; 10 Feb 2002 04:36:22 -0000
X-eGroups-Return: sentto-279987-4453-1013315419-fc=all.net@returns.groups.yahoo.com
Received: from [216.115.97.188] by n11.groups.yahoo.com with NNFMP; 10 Feb 2002 04:30:19 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_2); 10 Feb 2002 04:30:19 -0000
Received: (qmail 51858 invoked from network); 10 Feb 2002 04:30:18 -0000
Received: from unknown (216.115.97.167) by m2.grp.snv.yahoo.com with QMQP; 10 Feb 2002 04:30:18 -0000
Received: from unknown (HELO red.all.net) (12.232.72.98) by mta1.grp.snv.yahoo.com with SMTP; 10 Feb 2002 04:30:17 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g1A4WDA28016 for iwar@onelist.com; Sat, 9 Feb 2002 20:32:13 -0800
Message-Id: <200202100432.g1A4WDA28016@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Sat, 9 Feb 2002 20:32:13 -0800 (PST)
Subject: [iwar] [fc:Don't.risk.it:.analyse.the.threat:..What.are.ther.real.securirt.risks.in.IT,.asks.Dave.Birch]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit

Don't risk it: analyse the threat: What are the real security risks in IT, asks Dave Birch
The Guardian, 2/7/02
http://www.guardian.co.uk/online/story/0,3605,645868,00.html

The reporting of computer and communications security in the mainstream media is often puzzling. Why do some risks merit a big story, while others go unnoticed? This is largely because the subject is taken out of its organisational context, and it is important to see security risks in that context.

The first step is to be clear what we mean by a risk: a risk is the overlap between a threat and a vulnerability. If there is a vulnerability in a system, such as there being no lock on my front door, but there is no corresponding threat (because my house is empty and there is nothing to steal) then it may make sense to leave the vulnerability in place rather than spend money removing it. Conversely, if there is a threat but no corresponding vulnerability then it is also not worth losing sleep. This is why newspaper reports about security problems have to be assessed carefully, because they don't always have a realistic view of the overlap.

Take, for example, the widely reported discovery by researchers in Cambridge: that there are circumstances in which the security of a cryptographic processor used in many automated teller machines may be compromised. This was inevitably reported as a discovery of critical importance to financial systems of the western world. What the researchers actually reported was that someone with unchallenged authority in a bank branch who could get uninterrupted access to an ATM (eg, a bank manager) could, with a degree of technical knowledge of ATM hardware, cryptography and IBM software (eg, not a bank manager) obtain the PINs of cards used in that ATM after a couple of days of "cracking time". In summary then, a technologically sophisticated bank manager might be able to execute a plot to steal a couple of hundred pounds a day (presumably, only for a few days) from a few accounts.

While it is true that the old adage - that if you want to steal money from a bank, then you should work for one - applies, I would have thought that this particular scam would be some way down the "to do" list of criminal masterminds working for large banks. In particular, if you are a bank manager, there must be a great many better ways of stealing money. Cracking the security of PINs out of your branch's ATM might yield a few thousand pounds before investigators noticed the link. Yet just a couple of months ago a bank executive was sentenced to four years for stealing £1.7m in a fraud uncovered by accident.

Looking at the "ATMs cracked" story in a banking context highlights a crucial point: the person most likely to get away with the money is not the bank robber, but the bank manager. In fact, the overwhelming majority of cybercrimes are inside jobs. The headline told you that, for example, a man who illegally accessed other people's online stock trading accounts had been sentenced to more than three years in federal prison. Looks like hacking: did he use keyboard sniffers, line tappers or database hacks? No, read a bit further and you find (of course) that it is just old-fashioned fraud with a cyber veneer. He had a lady friend who worked in a company payroll office: the man accessed Etrade accounts using names, home addresses and social security numbers provided by his accomplice.

So who should you be worried about? Teenage hackers, sneaky competitors, the Russian mafia, international terrorism or middle managers in your invoicing department? And, more importantly in business, how do you decide where to spend money to minimise your exposure? There is a way of evaluating threats and vulnerabilities to allocate countermeasures expenditure in the most effective way: it is called risk analysis.
Working as I do for an organisation that has carried out IT risk analysis for systems as diverse as equities settlement, retail electronic payments and a manned space mission, it seems that the old 80-20 rule applies: a few vulnerabilities account for the majority of the risks, so directing the budget at those vulnerabilities makes the most sense (even if they are unglamorous).

Don't panic about IT security. If you do your risk analysis and allocate your meagre countermeasure budget accordingly, you can sleep comfortably at night.

------------------
http://all.net/
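The two ideas in Birch's piece (a risk exists only where a threat and a vulnerability overlap, and a limited countermeasure budget should go to the few scenarios that carry most of the expected loss) can be written down as a small risk register. The following Python is an added worked example; it is not part of the Guardian article or of this mailing-list post, and the expected-loss model (threat likelihood × vulnerability × impact), the greedy allocation rule, and every figure in `REGISTER` are assumptions constructed for illustration, not data or the method used by Birch's organisation.

```python
"""Toy risk register: risk lives only where a threat and a vulnerability overlap,
and a limited countermeasure budget goes where it buys the most risk reduction.
All figures below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float         # annual likelihood that a capable, motivated actor tries it (0..1)
    vulnerability: float  # probability the attempt succeeds given current controls (0..1)
    impact: float         # loss per successful event, in pounds
    fix_cost: float       # one-off cost of the countermeasure, in pounds
    fix_effect: float     # fraction of the vulnerability the countermeasure removes (0..1)


def annual_loss(s: Scenario) -> float:
    """Expected annual loss. Any factor at zero zeroes the risk: an unlocked door on an
    empty house, or a feared attacker with no weakness to exploit, costs nothing."""
    return s.threat * s.vulnerability * s.impact


def rank_by_risk(scenarios):
    """Scenarios ordered from largest to smallest expected annual loss."""
    return sorted(scenarios, key=annual_loss, reverse=True)


def pareto_set(scenarios, share=0.8):
    """Smallest set of top-ranked scenarios that accounts for `share` of the total
    expected loss: the '80-20' candidates that deserve the budget first."""
    ranked = rank_by_risk(scenarios)
    total = sum(annual_loss(s) for s in ranked)
    chosen, running = [], 0.0
    for s in ranked:
        if total > 0 and running >= share * total:
            break
        chosen.append(s)
        running += annual_loss(s)
    return chosen


def allocate_budget(scenarios, budget):
    """Greedy allocation: buy countermeasures in order of risk reduced per pound
    until the budget runs out. Returns (chosen names, pounds spent, residual annual loss)."""
    def reduction(s):
        return annual_loss(s) * s.fix_effect

    # A fix that removes no expected loss is never worth buying, however cheap.
    candidates = [s for s in scenarios if reduction(s) > 0 and s.fix_cost > 0]
    candidates.sort(key=lambda s: reduction(s) / s.fix_cost, reverse=True)
    chosen, spent = [], 0.0
    residual = sum(annual_loss(s) for s in scenarios)
    for s in candidates:
        if spent + s.fix_cost <= budget:
            chosen.append(s.name)
            spent += s.fix_cost
            residual -= reduction(s)
    return chosen, spent, residual


# Constructed illustrative register echoing the article's examples (hypothetical numbers).
REGISTER = [
    Scenario("unlocked_empty_house", 0.3, 1.0, 0.0, 100, 1.0),          # vulnerability, no threat
    Scenario("atm_crypto_insider", 0.01, 0.9, 5_000, 20_000, 1.0),      # rare, skilled, small gain
    Scenario("web_defacement", 0.9, 0.5, 2_000, 1_000, 0.8),            # common, low impact
    Scenario("payroll_leak", 0.5, 0.8, 100_000, 5_000, 0.9),            # insider with data access
    Scenario("exec_fraud", 0.2, 0.6, 1_700_000, 50_000, 0.7),           # the bank manager case
    Scenario("mafia_no_weakness", 0.05, 0.0, 10_000_000, 1_000_000, 0.5),  # threat, no vulnerability
]


if __name__ == "__main__":
    for s in rank_by_risk(REGISTER):
        print(f"{s.name:22s} expected annual loss: {annual_loss(s):12,.0f}")
    print("80% of the risk sits in:", [s.name for s in pareto_set(REGISTER)])
    chosen, spent, residual = allocate_budget(REGISTER, budget=60_000)
    print(f"buy {chosen}, spend {spent:,.0f}, residual annual loss {residual:,.0f}")
```

Running it shows the headline-grabbing scenarios (the ATM processor attack, organised crime with nothing to exploit) at or near the bottom of the table, while one insider scenario alone crosses the 80% line, and the greedy pass spends a 60,000-pound budget on the two insider controls and the cheap web fix before the ATM countermeasure is even considered.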
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST