Offshoring Partners & The Hand That Feeds

Tue, 19 Jan 2010 03:44:24 GMT

People are catching on to what the smart kids knew all along: of course Google's Chinese offices were compromised. And not just Google, and not just in China, and not just by China.

Ten years ago, the disloyal insider was a fact of life about which there wasn't much to be done. You'd mitigate as best you could with careful access control (right?) and handle incidents as they occurred. Beyond that, what? Fire all your foreign visa holders?

Times have changed. Global enterprises are investing in China, India, Russia, and elsewhere, creating new opportunities for an entire generation of workers to succeed without having to emigrate from their own cultures and communities.

And that's how I, Eric the Prophet, can predict roughly what Hillary Clinton is going to say to China on Thursday:

All of this investment is supposed to give you guys some skin in the game. Surely you don't prefer the previous arrangement, in which the "developed" world lures China's best and brightest abroad, and China's role in the global economy is relegated to "factory?"

Is anybody else just a little bit curious as to the global economy's capacity to issue pink slips in countries whose governments can't or won't prevent the emission of cyberattacks?

p.s. On a personal note, I helped Microsoft select candidates for IT Security positions in China back in 2004. As I recall, wages for Chinese IT staff were on the order of US $5.00/hr. Whatever resentment I felt towards Microsoft at the time for not cutting me in on the expected savings has given way to something more like schadenfreude.

http://mashable.com/2010/01/18/attack-google-inside-job/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Mashable+%28Mashable%29

A Grain of Salt for Digital Asset Values

Mon, 26 Oct 2009 06:53:09 GMT

&amp;amp;amp;amp;amp;lt;!-- /* Font Definitions */ @font-face {font-family:Wingdings; panose-1:5 0 0 0 0 0 0 0 0 0; mso-font-charset:2; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:0 268435456 0 0 -2147483648 0;} @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:1; mso-generic-font-family:roman; mso-font-format:other; mso-font-pitch:variable; mso-font-signature:0 0 0 0 0 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-1610611985 1073750139 0 0 159 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin-top:0in; margin-right:0in; margin-bottom:10.0pt; margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; text-decoration:underline; text-underline:single;} a:visited, span.MsoHyperlinkFollowed {mso-style-noshow:yes; mso-style-priority:99; color:purple; mso-themecolor:followedhyperlink; text-decoration:underline; text-underline:single;} p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph {mso-style-priority:34; mso-style-unhide:no; mso-style-qformat:yes; margin-top:0in; margin-right:0in; margin-bottom:10.0pt; margin-left:.5in; mso-add-space:auto; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst {mso-style-priority:34; mso-style-unhide:no; mso-style-qformat:yes; mso-style-type:export-only; margin-top:0in; margin-right:0in; margin-bottom:0in; margin-left:.5in; margin-bottom:.0001pt; mso-add-space:auto; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle {mso-style-priority:34; mso-style-unhide:no; mso-style-qformat:yes; mso-style-type:export-only; margin-top:0in; margin-right:0in; margin-bottom:0in; margin-left:.5in; margin-bottom:.0001pt; mso-add-space:auto; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast {mso-style-priority:34; mso-style-unhide:no; mso-style-qformat:yes; mso-style-type:export-only; margin-top:0in; margin-right:0in; margin-bottom:10.0pt; margin-left:.5in; mso-add-space:auto; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:Calibri; mso-fareast-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} .MsoPapDefault {mso-style-type:export-only; margin-bottom:10.0pt; line-height:115%;} @&amp;amp;amp;amp;lt;a href="http://page.soup.io"&amp;amp;amp;amp;amp;gt;page&amp;amp;amp;amp;amp;lt;/a&amp;amp;amp;amp;amp;gt; Section1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} /* List Definitions */ @list l0 {mso-list-id:1023358003; mso-list-type:hybrid; mso-list-template-ids:-1676016582 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;} @list l0:level1 {mso-level-number-format:bullet; mso-level-text:; mso-level-tab-stop:none; mso-level-number-position:left; text-indent:-.25in; font-family:Symbol;} ol {margin-bottom:0in;} ul {margin-bottom:0in;} --&amp;amp;amp;amp;amp;gt;

A recent flurry of blog posts by some very smart people has reminded me of how in my former life at Microsoft, I often found myself in meetings whose agenda included tallying up the so-called "digital assets" related to a given project.

For the uninitiated, the "digital asset" is the starting point in pretty much every formal and semi-formal IT risk analysis exercise, to wit: What are we protecting, after all, if not assets? What uniquely digital threats imperil these assets, and how awful would it be if any of those threats should be realized, and what are the potential mitigations for each threat, and what is the cost of each contemplated mitigation, and can I somehow avoid being summoned to any more of these meetings, or do I need to step up my search for a new position in the company?

Granted, as a starting point for getting a handle on your security spend, it seems only reasonable to boil everything down to a finite list of items. The obvious next step is, let’s appraise the items in our list according to some kind of valuation scheme, and start sorting. There’s plenty of methodologies to pick from.

Except that we’re not insuring Tina Turner’s legs here. I contend that there is no useful relationship between asset value and loss-per-incident.

With that claim in mind, let’s review the types of costs associated with typical real-world hacking incidents, and ask ourselves which of these costs will vary according to some pre-estimated value of the compromised digital assets:

* Engagement of incident response specialists
* Damage to reputation / loss of future business
* Loss of business advantage (e.g., leakage of details concerning payroll, pending deals, R&D, etc.)
* Direct financial loss (e.g., fraudulent transactions)
* Disruption of regular business operations
* Fines and penalties

Actually, I wrote that list in order, ranging from “no relationship to asset values” to “perhaps some vague, tenuous relationship.”

Sure, the cost of an hour’s operational disruption might be estimable in advance, especially when service level agreements are in place. But when we attempt to quantify the cost of downtime, are we even talking about assets any more?

And is it possible that when we fetishize over the valuations of individual data assets, we’re taking our eyes off the loss-avoidance ball?

Job: Security

Congratulations, Dan Kaminsky

Told ya so.

Thought for the Day

Offshoring Partners & The Hand That Feeds

Duly Noted

A Grain of Salt for Digital Asset Values

Rebooting.