Archive for October, 2011

Where is Your Data – Today?

Tuesday, October 25th, 2011

A random collection of recent headlines includes:

October 25:  Microsoft’s YouTube Channel Hacked

October 24:  Hackers release data on Ex-Secretary Rubin

October 24:  New cyberweapon DUQU found

October 20:  NASDAQ hackers spy on directors of publicly held companies

October 19:  DUQU details

October 17:  Citigroup CEO targeted by hackers


SEC: Report Cyber Attacks and Incidents

Monday, October 17th, 2011

In an article in the Washington Post, Ellen Nakashima and David Hilzenrath point out that the Securities and Exchange Commission (SEC) has issued new guidance stating that publicly traded companies should disclose significant cyber-attacks and instances of data theft to their investors.

See the Washington Post article.


Because there’s a lot covered in the SEC Guidance, we recommend you take the time to read it carefully.

Among the highlights, publicly traded organizations:

  • Will have to review, on an ongoing basis, the adequacy of their disclosure relating to cyber-security risks and incidents
  • Should address cyber-security risks and incidents in Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A) if the costs or other consequences of one or more known incidents, or the risk of potential incidents, represent a material event, trend or uncertainty that is reasonably likely to have a material effect on results of operations, liquidity or financial condition, or would cause reported financial information not to be indicative of future operating results or financial condition
  • Will be required to disclose the risk of cyber incidents if those risks are among the most significant factors that make an investment in the company speculative or risky
  • May need to disclose known or threatened cyber incidents in order to place the discussion of cyber-security risks in context
  • May need to discuss the occurrence of specific attacks and their known and potential costs and consequences
  • Should provide enough disclosure for investors to appreciate the nature of the risk the company faces, without disclosing detail that would itself create further cyber-security risk (for example, a roadmap for attackers)
  • Will have to describe the material effect on products, services, relationships with customers or suppliers, or competitive conditions
  • Will have to disclose legal proceedings to which they are a party where these relate to cyber-security incidents
  • Will be required to disclose conclusions on the effectiveness of disclosure controls and procedures


Find the SEC Guidance, CF Disclosure Guidance: Topic No. 2 (Cybersecurity), issued October 13, 2011, here


Where’s Your Data – Today?

Monday, October 10th, 2011

A random assortment of recent coverage involving sensitive information:

October 10:  Secret Orders Target Email

October 10:  Virus infects US Air Force drone fleet

October 10:  PII data of 4.9 million TRICARE beneficiaries lost on missing backup tape

October 10:  Outage of BlackBerry service spans three continents

October 8:  Chaos Computer Club: Lawful interception malware of German Police Force

October 7:  Obama Issues ‘WikiLeaks’ Order to Better Safeguard Information

October 7:  1.6 million PII records lost on backup tapes

October 7:  PII data of thousands of employees exposed on University website

October 5:  HTC confirms security flaw; fix in the works

Information Risk, Security and Asymmetry

Thursday, October 6th, 2011

Are you prepared to deal with a world of asymmetric information in order to protect your organization’s most valuable information assets?

It’s already upon us.

The events of the past year may be sufficient evidence that we are beyond the tipping point: black-hats can now gather information about you faster and more stealthily than you can gather the information you need to defeat them. Some publicized events of the past year that indicate we are at or over the edge of information asymmetry include:

  • Aurora attacks on Google
  • Rerouting of roughly 15% of Internet routes (prefixes) through a small ISP located in China
  • Google gathering data from unprotected Wi-Fi networks for its Street View project
  • Over 100,000 iPad customers surprised by the exposure of their records at AT&T
  • Stuxnet worm damages centrifuges at Iran’s Natanz uranium-enrichment facility
  • WikiLeaks continuing to find and publish secret and confidential state data
  • RSA SecurID two-factor authentication token system compromised by hackers
  • BEAST proof-of-concept attack demonstrated against SSL 3.0/TLS 1.0
  • HTC Android phones leaking user data to any installed app
  • The ever-changing, Facebook un-privacy flavor-of-the-month


When black-hats have better information than you do, the results are lopsided, and heavily in their favor.

What they don’t have, one hopes, is knowledge of all the tricks you use to defeat their attacks and to gain additional information of your own.

While there is merit to the now-common approach to information security based on Kerckhoffs’s principle, which I’ll re-phrase as “no security through obscurity”, there is also merit to the pragmatic use of “security through obscurity” to reduce your information asymmetry: the design should not depend on secrecy, but you need not hand the adversary your detection and response playbook either.

In an environment where adverse selection plays an important role in determining outcomes, whoever has more information has the upper hand.

Whether it is the information asymmetry of economic agents (mortgage brokers, estate agents), of war (Operation Fortitude in World War II, Sun Tzu) or of information and security risk management (honeypots, for example), the cat-and-mouse games of signaling, screening behavior, false information, information hiding and information transparency, together with the absolute necessity of up-to-date intelligence, dictate the winners.

Whoever has more intelligence at their fingertips, and therefore the information asymmetry in their favor, will generally survive to play the next game.


Some related information

Asymmetry in Infosec

Security through obscurity

Ascent of Asymmetric Risk in Information Security: An Initial Evaluation

The Value of Security Audits, Asymmetric Information and Market Impact of Security Breaches