Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

A new metrics vigilante.

Look, I don’t want to turn this into an All Marcus, All the Time slobberblog, but damn if he hasn’t gone and started something else fun.

Check this out.

Now, I only looked at the PowerPoint, because I almost NEVER do podcasts.  Mainly because people still generally can’t talk as fast as I can read, and I don’t have any spare time to speak of.  Maybe the only one who can do it is Dick Hardt.   But podcasts force me to do more unitasking than I can afford—and in my 20- to 30-minute commute, I spend all my time singing loudly along with the Rodgau Monotones, so I’m not going to displace them for more work-related stuff.

Anyway, what was I saying?  Oh yes.  The slides alone cracked me up.  It looks like Ranum is going after risk assessment, metrics and the security industry in general with guns a-blazing.  Schneier has decided that we don’t really need a security industry anyway, so Ranum will take it upon himself to do it in.

I can’t wait.  grin

Posted by shrdlu on Wednesday, May 09, 2007


Comments

stacy Canada on 05/10  at  10:57 AM:

You really should listen to the podcast… the disclaimer at the end is worth it grin

shrdlu United States on 05/10  at  12:24 PM:

Damn.  He really is entertaining, isn’t he?  Okay, I’ll have to find some time somewhere ...

United States on 05/11 at 02:29 PM:

Hi!  New user J Barkwin here.  Let me apologize in advance for breaking any protocol on this board. (Excellent board btw.  My style and so I joined up.  However, I just skimmed through and clicked yes on the “I agreement”.  Are you installing spyware on my machine right now?)

Anywho- loved Ranum’s “badness meter” and the graphical representation of the recent “Win Sys Admins” census data.  Great stuff.  Thanks for posting the link !

So on the topic, a trusted party of mine, “w” ( as in a,b,c,d… w; in where I am “a”.. and so I don’t know c through w.. so they are really not a trusted party of mine ..or anyone I know.. but linkedin says they are.. so they must be trusted) deployed the following yesterday:

http://www.theiia.org/itaudit/index.cfm?iid=536&catid=21&aid=2655

Upon initial observation, and possibly for your discussion/amusement:
1. Does this author believe he has written anything unique here or unlocked any new door of perception?

2. Is the author a communist?  (I dunno.. why not ask.)

3. How will vendors begin using risk mgmt metrics for their own evil purposes?

4. My Allah, will we ever get something on this topic from the ivory tower (yeah I said it.. I called NIST too academic) that small/midsized companies can actually use (think risk controls around “seg of duties”)?

5. Is the IIA really using ColdFusion?

shrdlu United States on 05/11  at  02:56 PM:

Hey J,

I would suspect the author of that article has actually closed a couple of doors of perception:

Once a risk’s impact is measured, the auditor can identify its probability of occurring and complete an impact assessment for each risk.

Magically!  He pulls a probability out of his butt!  (If it’s one thing I hate, it’s auditors trying to tell ME how probable something is.)

I’m sure Alex will chime in here at some point; he’s the Practical Riskmeister (or at least his earthly incarnation).

United States on 05/11 at 03:37 PM:

Auditor: What is the probability of this risk occurring?

Me (dazed): Umm, that would be about 3.14159% ..Give or take, of course

Auditor: Wrong! It’s 99%. I need to see lots of unread documentation and worthless process to make sure this risk is mitigated.  ..Or I’m marking this down as a material deficiency and then you’ll REALLY have your time wasted!

shrdlu United States on 05/11  at  08:30 PM:

Stop, J, you’re depressing me!!

One of my regular auditors is one of the most apologetic auditors I’ve ever met.  He’s constantly ducking and apologizing as he works through his notes.  I’m tempted to tell him, “If you feel this bad about it, then stop auditing me!”

Oh, and I did end up listening to the podcast.  Great disclaimer.  “The opinions voiced in this show are entirely Marcus Ranum’s, although obviously he wants you to have them.”

United States on 05/14 at 11:56 AM:

Totally! Off topic.. so might I humbly suggest putting in queue a post titled, “Ways to Annoy Your Auditor”?

United States on 05/30 at 12:36 PM:

Shrdlu -

Whether you want to or not, every decision you make in risk management estimates probability. The fact that you find the level of granularity discomforting should make you strive for better data, not simply give up.

The entire industry is working on the coarsest of coarse levels of estimation - why wouldn’t you want to do a better job?

You can estimate probability the same way folks measure risk in health care, insurance, nuclear power, and astrophysics. Oh, and Texas Hold ‘em. wink

Or, I suppose you can complain about it and make fun of it.

Good luck! wink

Pete

shrdlu United States on 05/31  at  07:16 AM:

Thanks, Pete, once again, for your incredibly useful advice!  Otherwise, I would never have suspected that I was (1) unaware of what risk management entails; (2) giving up; (3) uninterested in doing a better job; and (4) equivalent to a Vegas poker player.

Man, I’ve got to do something about lowering the BTUs in here ...
