Spectacle draws cameras and fuels notoriety. It also masks incremental security progress. So it is or has been with recent crowd control efforts in Los Angeles and Toronto, from the Laker basketball title victory to the G20 summit. Both events drew unruly crowds expressing either elation or disgust by torching otherwise innocent vehicles posing neither threat nor obstruction. In L.A., video coverage of thugs torching a taxicab made it to YouTube. This video (http://www.youtube.com/watch?v=4xfQR6YomJs&feature=related) shows a uniquely modern touch to an otherwise unchanging pattern of mob destruction. The pattern begins with tentative strikes that gather momentum and intensity as attackers meet no resistance and only magnify their glee at being able to hit things or people without being hit back – to the cheers of their own crowd.
The modern novelty comes in the ubiquity of cell phone camera flashes, as thugs pause after smashing a window or jumping on a car hood to immortalize their impact while grinning and cheering. Those with higher-end cellular phones take a turn at playing videographer, while their more electronically challenged fellows, lacking in the souvenir-taking technology, must content themselves with smacking the defenseless cab with renewed vigor. What are these destroyers ostensibly doing all the while? Celebrating their team’s victory. That’s right. These are happy people, expressing their joy by robbing a taxi driver of the means of his livelihood.
Move forward, now, to Toronto. Mobs vandalize banks and retail shops while torching police cars. Their worst destruction, attributed to Black Blocs (See http://www.csmonitor.com/World/terrorism-security/2010/0627/Black-Bloc-tactics-mar-Canada-s-G-20-summit), appears to be carried out under the banner of anti-capitalist, anti-police, anti-government – anti-you-name-it sentiment. So these are unhappy people, expressing their discontent by destruction that, at a given moment, looks remarkable indistinguishable from what happy rioters did in Los Angeles. These crowds use technology a little differently. Not that they don’t take their own souvenir photos. However, their mobile phones are communication devices first and documentation devices second. Text and Twitter messages offer Black Blocs their command and control, redirecting crowds on the fly to exposed targets and away from riot police strongholds.
Welcome to the new global pastime of modern unruly crowds. Among the principal differences between jubilant crowds and angry ones is that the latter come better prepared, hence the projectiles that Black Blocs used in Toronto to launch bags of urine and feces at police. Similarly, the Toronto mobs included stalwarts drenched in vinegar to offset the effects of the teargas they expected to draw. For once, the inherent sourness of violent protestors comes with a telltale, odor-bearing signature, as observers in Toronto reported tracking mob progress by following the vinegar smell with their noses.
Where is the good news for security practitioners? Well, it may not be good news exactly, but it is better than it could be. So far, both venues have been far less destructive than they could have been. True enough, one single torching of a car or business is one too many. However, it could be a lot worse. The Laker game mob’s swath of destruction in L.A. was a fraction of what previous ones have been. Similarly, the G20 rioting in Toronto has drawn 4,000 instead of the greater than 100,000 rioters in Italy for a past summit. Observers in Toronto report that riot police were refusing to be drawn into skirmishes when Black Blocs and other rioters torched police cars and broke store windows. Again, this is bad news for the custodian of the damaged asset.
However, there remains a certain wisdom in containing destructive forces, in channeling them to where they literally burn off their energy as they burn up some things in their path. Call it crowd control meets the Dog Whisperer. Once that energy dissipates, so too does a good measure of aggression. Better that this process take place with some impact to property and less jeopardy to human life. Security may not be perfect in either circumstance. But there are signs that it is better than it used to be for similar events.
– Nick Catrantzos
Sunday, June 27, 2010
Sunday, June 20, 2010
Insider Threats Like … Cyber Armed Robbery? (Part 2 of 2)
Where Cyber Studies Stumble
This is where a look at the evolution of workplace violence studies foreshadows what is happening with cyber treatment of the insider threat.
To those who fear it, experience it, or defend against it, workplace violence is about rampage killings on the job. The agent of destruction, here, is an employee, a former employee, or a raging spouse whose domestic problems have spilled over into the workplace. Efforts to interdict workplace violence and improve defenses against these kinds of attacks, however, suffer when the data on cases extend to armed robberies of convenience store clerks and taxicab drivers. Indeed, when the latter categories enter into the discussion, they soon overtake the study. As a result, statistical compilations of workplace violence from official bodies such as the National Institute for Occupational Safety and Health tell us that key indicators of workplace violence are cash-handling operations at night – something cab drivers and convenience store clerks deal with and armed robbers covet. (This is why handling cash, dealing with the public, and transporting cash-carrying people or goods rate as high risk factors according to NIOSH, as noted in http://www.cdc.gov/niosh/violrisk.html.) However, while armed robberies do produce threats, injuries, and even fatalities, these are not the cases we mean when trying to deal with disgruntled employees driven to homicide. The broad definition, in this case, does a disservice. If you are running an organization that has little to do with cash accessible to an armed robber, developing a security program to counter armed robbers will do nothing to defend against enraged, hostile insiders.
Cyber-centric command of the insider threat performs a similar disservice to serious analysts of the kinds of trust betrayer whose goal it is to carry out an attack fatal to the institution. If most cyber threats indeed represent a former employee slamming the door with a denial-of-service attack, then it is a mistake to crowd the field with them. It is the equivalent of categorizing jaywalkers with mass murderers. Admittedly, both are breaking rules. But if we have to sort through thousands of jaywalkers before getting to see a single murderer, then our focus and resources are diluted by the time we arrive at the more dangerous threat. This is where the cyber world gets it wrong, Y2K-reminiscent predictions of cyber doom notwithstanding.
The insider threat that merits first priority is not the casual hacker or fired system administrator. Nor is it the disgruntled employee bent on harming his boss and co-workers. These people may create problems and even cause personal tragedies. Certainly they deserve some of the organization’s attention. Yet they are seldom able or willing to carry out an attack that will be fatal to the institution. The insider threat of first concern for us is the trust betrayer intent on catastrophic sabotage for reasons beyond narrow personal interest, such as for a terrorist adversary whose aim is our annihilation.
Defending people, assets, and capabilities is all about prioritizing. Let’s isolate the murderers from the jaywalkers, the malcontents from the terrorist assassins, and the opportunistic hackers willing to disrupt from the zealots willing to die in order to devastate. Otherwise, we will find ourselves consumed with investing all our resources on jaywalking, because that is what we are looking for and seeing most of, while murderers skulk in the dark corners of the periphery our blinders will not allow us to view.
--Nick Catrantzos
This is where a look at the evolution of workplace violence studies foreshadows what is happening with cyber treatment of the insider threat.
To those who fear it, experience it, or defend against it, workplace violence is about rampage killings on the job. The agent of destruction, here, is an employee, a former employee, or a raging spouse whose domestic problems have spilled over into the workplace. Efforts to interdict workplace violence and improve defenses against these kinds of attacks, however, suffer when the data on cases extend to armed robberies of convenience store clerks and taxicab drivers. Indeed, when the latter categories enter into the discussion, they soon overtake the study. As a result, statistical compilations of workplace violence from official bodies such as the National Institute for Occupational Safety and Health tell us that key indicators of workplace violence are cash-handling operations at night – something cab drivers and convenience store clerks deal with and armed robbers covet. (This is why handling cash, dealing with the public, and transporting cash-carrying people or goods rate as high risk factors according to NIOSH, as noted in http://www.cdc.gov/niosh/violrisk.html.) However, while armed robberies do produce threats, injuries, and even fatalities, these are not the cases we mean when trying to deal with disgruntled employees driven to homicide. The broad definition, in this case, does a disservice. If you are running an organization that has little to do with cash accessible to an armed robber, developing a security program to counter armed robbers will do nothing to defend against enraged, hostile insiders.
Cyber-centric command of the insider threat performs a similar disservice to serious analysts of the kinds of trust betrayer whose goal it is to carry out an attack fatal to the institution. If most cyber threats indeed represent a former employee slamming the door with a denial-of-service attack, then it is a mistake to crowd the field with them. It is the equivalent of categorizing jaywalkers with mass murderers. Admittedly, both are breaking rules. But if we have to sort through thousands of jaywalkers before getting to see a single murderer, then our focus and resources are diluted by the time we arrive at the more dangerous threat. This is where the cyber world gets it wrong, Y2K-reminiscent predictions of cyber doom notwithstanding.
The insider threat that merits first priority is not the casual hacker or fired system administrator. Nor is it the disgruntled employee bent on harming his boss and co-workers. These people may create problems and even cause personal tragedies. Certainly they deserve some of the organization’s attention. Yet they are seldom able or willing to carry out an attack that will be fatal to the institution. The insider threat of first concern for us is the trust betrayer intent on catastrophic sabotage for reasons beyond narrow personal interest, such as for a terrorist adversary whose aim is our annihilation.
Defending people, assets, and capabilities is all about prioritizing. Let’s isolate the murderers from the jaywalkers, the malcontents from the terrorist assassins, and the opportunistic hackers willing to disrupt from the zealots willing to die in order to devastate. Otherwise, we will find ourselves consumed with investing all our resources on jaywalking, because that is what we are looking for and seeing most of, while murderers skulk in the dark corners of the periphery our blinders will not allow us to view.
--Nick Catrantzos
Sunday, June 13, 2010
Insider Threats Like … Cyber Armed Robbery? (Part 1 of 2)
Self-canceling phrases like this sometimes highlight a contradiction smothered under the page count of arcane studies. Two cases in point illustrate a shared phenomenon afflicting the insider threat: the peril of defining a threat either too broadly or of tailoring it to a particular agenda.
Cyber aficionados today dominate insider threat studies. Perform a Google search on insider threat with the current year, and the first several pages will demonstrate this dominance. Cyber-centric observers argue that information technology is not only important but, increasingly, the axis around which the rest of our world revolves. Accordingly, any disruption to the flow of data through a network or processor must necessarily foreshadow dire consequences. Therefore, when such disruption traces to access made possible by someone from within the firewall rather than an outside stranger, cyber defenders raise the alarm and fire their fusillades in the name of insider threat defense. Fine, up to a point.
But what is an insider threat? Who defines it, and how broadly? Here the defender’s perspective begins to vary widely, often in proportion to narrow expertise, agenda, or comfort zone. Ask Carnegie Mellon’s cyber-centric analysts, and they will inundate you with tales of breaches of networks and firewalls, of employees abusing system administrator privileges, of hackers socially engineering their way into unauthorized access to sensitive electronic files, and of petty thieves turned cyber crooks who carry out schemes for personal enrichment at an institution’s expense or infect their employer’s system with virus or Trojan horse after severing employment. That Google search string with “insider threat” and “2010” unearths an overwhelming salvo of cyber-centric articles on the topic, crowding out other treatments of trust betrayers.
What is missing? Even informed cyber observers themselves point out that the majority of cyber insider attacks are by former employees after they have departed, in effect an electronic slamming of the door in a less than graceful leave-taking (Band, et al, 2006, pp. 40, 52). This data point finds little welcome in the cyber acolyte’s taking command of today’s insider threat studies.
Another little-advertised data point is that some cyber security rules comprising accepted wisdom in the name of insider threat defense are gradually being exposed as ham-handed or over-the-top reactions that are out of proportion to the object sought. In a 2009 Oxford workshop of cyber minds, a Microsoft engineer presented a detailed analysis of the rational rejection of security advice – by and for cyber security – because rules are unduly burdensome and often unthinkingly imposed(Herley, 2009, pp. 1-12). If one is worried about passwords being compromised from the outside, Herley argued, it makes little sense to compel users to create new and difficult passwords every 60-90 days. A user can create a hard-to-crack password and remember and safeguard it for years. But if the same user must repeatedly do this time and time again, the attending burden encourages shortcuts, like writing the password down where it can be exposed or using a simpler, less secure password because it is easier to remember. This is only one example of how cyber security practitioners are no more immune to the afflictions of specialist myopia that their brethren from other security disciplines. The alarm and surveillance specialist sees no problem that cannot be mitigated by the installation of yet one more intrusion alarm or monitoring point. Similarly, the response force commander reflexively asks for more trained sentries or security patrols to solve whatever security problem comes along. None of these specialists need be evil to be wrong. All are proceeding as if doing more of the same will somehow produce results that have eluded them so far. Thus, absent a change in perspective and the taking of soundings of their ambient conditions and larger objectives, security specialists eventually become prisoners of their predilections.
In a certain way, the result of the cyber world’s present efforts to claim the insider threat as its exclusive province creates precisely the kind of distortion that the world of workplace violence has come to experience by allowing its definitions to stretch too broadly.
(To be continued.)
-- Nick Catrantzos
References
Band, S., Cappelli, D., Fischer, L., Moore, A., Shaw, E., & Trzeciak, R., Carnegie Mellon University Software Engineering Institute (2006). Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis. PA: Carnegie Mellon University. Retrieved March 20, 2010 from www.cert.org/archive/pdf/06tr026.pdf
Herley, C. (2009, September). So long, and no thanks for the externalities: The rational rejection of security advice by users. Proceedings of the New Security Paradigms Workshop, Oxford, United Kingdom. September 8-11, 2009.
Cyber aficionados today dominate insider threat studies. Perform a Google search on insider threat with the current year, and the first several pages will demonstrate this dominance. Cyber-centric observers argue that information technology is not only important but, increasingly, the axis around which the rest of our world revolves. Accordingly, any disruption to the flow of data through a network or processor must necessarily foreshadow dire consequences. Therefore, when such disruption traces to access made possible by someone from within the firewall rather than an outside stranger, cyber defenders raise the alarm and fire their fusillades in the name of insider threat defense. Fine, up to a point.
But what is an insider threat? Who defines it, and how broadly? Here the defender’s perspective begins to vary widely, often in proportion to narrow expertise, agenda, or comfort zone. Ask Carnegie Mellon’s cyber-centric analysts, and they will inundate you with tales of breaches of networks and firewalls, of employees abusing system administrator privileges, of hackers socially engineering their way into unauthorized access to sensitive electronic files, and of petty thieves turned cyber crooks who carry out schemes for personal enrichment at an institution’s expense or infect their employer’s system with virus or Trojan horse after severing employment. That Google search string with “insider threat” and “2010” unearths an overwhelming salvo of cyber-centric articles on the topic, crowding out other treatments of trust betrayers.
What is missing? Even informed cyber observers themselves point out that the majority of cyber insider attacks are by former employees after they have departed, in effect an electronic slamming of the door in a less than graceful leave-taking (Band, et al, 2006, pp. 40, 52). This data point finds little welcome in the cyber acolyte’s taking command of today’s insider threat studies.
Another little-advertised data point is that some cyber security rules comprising accepted wisdom in the name of insider threat defense are gradually being exposed as ham-handed or over-the-top reactions that are out of proportion to the object sought. In a 2009 Oxford workshop of cyber minds, a Microsoft engineer presented a detailed analysis of the rational rejection of security advice – by and for cyber security – because rules are unduly burdensome and often unthinkingly imposed(Herley, 2009, pp. 1-12). If one is worried about passwords being compromised from the outside, Herley argued, it makes little sense to compel users to create new and difficult passwords every 60-90 days. A user can create a hard-to-crack password and remember and safeguard it for years. But if the same user must repeatedly do this time and time again, the attending burden encourages shortcuts, like writing the password down where it can be exposed or using a simpler, less secure password because it is easier to remember. This is only one example of how cyber security practitioners are no more immune to the afflictions of specialist myopia that their brethren from other security disciplines. The alarm and surveillance specialist sees no problem that cannot be mitigated by the installation of yet one more intrusion alarm or monitoring point. Similarly, the response force commander reflexively asks for more trained sentries or security patrols to solve whatever security problem comes along. None of these specialists need be evil to be wrong. All are proceeding as if doing more of the same will somehow produce results that have eluded them so far. Thus, absent a change in perspective and the taking of soundings of their ambient conditions and larger objectives, security specialists eventually become prisoners of their predilections.
In a certain way, the result of the cyber world’s present efforts to claim the insider threat as its exclusive province creates precisely the kind of distortion that the world of workplace violence has come to experience by allowing its definitions to stretch too broadly.
(To be continued.)
-- Nick Catrantzos
References
Band, S., Cappelli, D., Fischer, L., Moore, A., Shaw, E., & Trzeciak, R., Carnegie Mellon University Software Engineering Institute (2006). Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis. PA: Carnegie Mellon University. Retrieved March 20, 2010 from www.cert.org/archive/pdf/06tr026.pdf
Herley, C. (2009, September). So long, and no thanks for the externalities: The rational rejection of security advice by users. Proceedings of the New Security Paradigms Workshop, Oxford, United Kingdom. September 8-11, 2009.
Subscribe to:
Posts (Atom)