Full Disclosure mailing list archives
Re: Rothman: Belva's a Joker (was Could InfoSec be Worse than Death?)
From: "Kenneth F. Belva" <ken () ftusecurity com>
Date: Wed, 27 Sep 2006 07:32:57 -0400
Tom, No I don't mind answering your objections. I find this debate very healthy and it helps me to further clarify these ideas. After all, I am the challenger to a very entrenched perspective (loss prevention). I'd better be able to discuss the differences to people's satisfaction. Your example is excellent. I think it really gets to the heart of the matter. I'm going to paste something from an earlier thread and then extrapolate that in contrast to your objections.
The information security mechanisms are a necessary but not sufficient condition to create these new assets. The loss prevention model shows how this necessary condition breaks down and what we can do to stop the breakdown. The virtual trust model says that once we have this necessary condition, here are the things we may do with it. The focus is different.
In my mind, both the Loss Prevention and Virtual Trust paradigm focus on the delivery condition (the bikes being functional), the only difference being that the Virtual Trust paradigm would advocate the active servicing of bikes (the security of the delivery mechanism) on the basis that this would establish more "Trust" with customers (they're guaranteed to get their paper) as opposed to just actively servicing the bikes as part of a standard working practice.
While I think this is an excellent comparison, there are certain aspects of this comparison that I do not like, but I will go with it for now because I think it will help clarify things. (My main objection is that it is a physical and not an electronic example. This may cause confusion later.) The loss prevention model focuses on the servicing model that you cite. For example, vulnerability assessments, change control, and following existing policy and procedures are examples of maintaining the bikes. Anti-virus, IPS/IDS, and firewalls are bikes but are only meant to prevent loss. I take it that this will not be objected to.

So what's the difference between loss prevention and VT? It's this. What security mechanisms would allow us to create bikes? And when we have our bikes, what can we do with them? Well, we need a bike with such and such tire size, a bike that has a soft seat for those long rides, etc. Once we have established the bike and its properties, we can expand our routes to cover different markets, we can deliver different print content than simply newspapers, we could sell/offer different services as well as newspaper delivery (bill payment), etc. [If you are really going for the jugular, you will note that I did not mention any security mechanisms. That's because this is where I think the example breaks down between physical and electronic means. Generally one should be able to take the underlying concepts and apply them, which I do in the next paragraph.]

So, we can use authentication to identify someone (a bike). It's a security mechanism. Once we have this ability, what can we do with it? Well, we can create credit card products (it's electronic), EasyPass, pay-per-click advertising, etc. We can create new revenue streams and cash flow using this methodology. (I should note that the pay-per-click example is Brian Eaton's. I was psyched when I saw it!) We never mention loss in the authentication example.
It's not about making sure that our authentication mechanism works properly (checking for SQL injection) or maintaining it. We could (and should) understand loss prevention in terms of VT. But that's not my focus right here and now.

In the first example, we understand loss prevention as a necessary means for maintaining the trust: keeping the bikes maintained so we can keep our routes established. In the VT model, how do we establish the trust so we can do things with that trust? How do we establish the route itself, and how do we create the bikes? Once these things are established, what can we do with our bikes and routes? Selecting the right security mechanism and its purpose(s) is our objective in the VT model. As my co-author Sam mentioned to me the other day, not every security mechanism is in the VT enablement toolkit. So, a firewall will not be in the VT enablement toolkit. It helps to get to that baseline level of trust, but it does not function in a way that is useful to the creation of new assets.

I'd like to reiterate the quote at the beginning. Loss prevention is the maintenance of the necessary condition of trust. VT is establishing that trust and then doing something with it. There is often a mistake in asking security to be a sufficient condition to generate revenue. In other words, how can our IPS device all by itself bring us revenue? Well, it can't. And I'm not claiming that. I am claiming that security is one of the essential components (necessary) for the creation of electronic business. I think that authentication and DRM are two excellent examples of this. iTunes, EasyPass, etc. are great real world examples of VT.

I hope that clarifies a few things and answers your excellent objections. Feel free to write anytime.

Ken