Archive for the ‘Observations’ Category

CAN SPAM? Not the FTC

Friday, June 14th, 2013

Have you ever wondered what the FTC does?

These are the friendly bureaucrats in the US government charged with implementing and monitoring adherence to the CAN-SPAM Act, the legislation designed to eliminate spam email.

Have you noticed how successful and effective their activities for CAN SPAM are?

Neither have I, now that you mention it.

In fact – the FTC doesn’t even take reports about SPAM.

How can you CAN SPAM – or Phishing, SPAM’s more dangerous brother – if you don’t know what’s going on?

If you want to CAN SPAM or Phishing, then send the offending email or notice about the email to the organizations that were cited in the SPAM or the Phish or that showed up in the email headers of these darlings in your in-box.

The firms named in the email headers or named in the body of the email will want to get the correct authorities involved, NOT THE FTC. However, the FTC might want to create a new study on the idea of a NO EMAIL LIST, given the runaway success of the CAN-SPAM Act.

You can also send the miscreant email to one of the following:

phishing-report@us-cert.gov

phishing@irs.gov

http://www.google.com/safebrowsing/report_phish/

abuse@nacha.org

https://submit.symantec.com/antifraud/phish.cgi

This is not a complete list, but it’s a start.

The more everyone participates, the more likely we'll see a reduction in the volume of spam and phish.

It’s your turn now … report what you find and help CAN SPAM.

Government of the People?

Saturday, June 8th, 2013

They Know What You Looked For

The US Government through the NSA is vacuuming up data from the servers of at least nine identified Internet access companies, including those at Apple, AOL, Facebook, Google, Microsoft, Skype, Yahoo and YouTube (See The Washington Post article). GCHQ in England is doing the same.

Your every move, search, email, and activity on the Internet is now being recorded by the very firms that provide access to the Internet and then handed over to government.

They Know Where You Are

Your Internet activities are not enough information for government though. Your mobile phone is tracking where you are, and your movements and locations are now being recorded and sold, without you being aware of it, to anyone willing to spend money on the data. And the data is being vacuumed up and shipped to Big Brother as well.

They Know what You Look Like

Have you ever noticed all of the security cameras all over England? They're everywhere. The rough estimates put the number of CCTVs installed at close to 2 million. The numbers claim one camera for every 14 to 32 people in England. But England was just first to the scene. The same is playing out in other parts of the world.

How do you think the Boston Marathon bomber was identified? From CCTV footage shot from the BonWit Teller store that happened to be located across the street – not exactly what one might expect as ideal placement of a CCTV camera to manage loss prevention from thefts occurring inside a store!

The expansion of Big Brother was underway shortly before 9/11; the attack on the Twin Towers just emboldened the surveillance-society mavens, and it accelerated with the use of CCTV monitoring of citizens, as identified in this BBC report from 2009 on the statistics of CCTV, covering England and other parts of the world.

Soon They’ll Know Your DNA

Now in the US, the police have the right to swab the cheek of anyone arrested for a "serious" crime (who interprets this – the local arresting officer?) to obtain a tissue sample that will be used to check against a database of DNA samples to determine if the person arrested is wanted for other crimes. Of course, it goes without saying that the swabbed DNA will also be used to ADD to the database being amassed by a Big Brother bureaucracy.

When the US Supreme Court recently accorded law enforcement the privilege of swabbing the mouths of those arrested, it stripped the citizenry of a long-held assumed right enshrined in the Fourth Amendment of the US Constitution against unjust searches and seizures. See this story from US News and World Report.

The impact of 9/11 has fundamentally changed the relationship between the citizens and their government, and the changes are being made by the government without any input or oversight from its citizens.

It’s supposed to be government of the people, for the people and by the people. At least that’s what Abraham Lincoln thought. If he or the founding fathers were alive today – they (many but not all) would shudder at what is happening and the paths now being taken.

NPS Fantasy Land!

Monday, May 27th, 2013

I’ve been struck by the zealotry surrounding the wonders of NPS (Net Promoter Scores) for a number of years now.

Opining all manner of solutions to most business ailments, promoters of NPS have made in-roads across most American businesses, to the point that “the system” is now regarded by CEOs as truth unveiled.

NPS and Fantasy Land

Nothing could be further from the truth. The reality is that the mathematics – and the methods – behind NPS are pure fantasy.

NPS asks one simple question, "Would you recommend ABC to your friends?" The promoters of NPS espouse that the higher your score, the more likely you will experience stellar growth in your business.

I’ve seen large and small businesses alike fall for this stuff over the years and have not seen one of them leverage the money spent on NPS into improved customer loyalty, improved customer satisfaction, improvements to customer expectations, or into improvements in revenue or profit.

Moreover, the population distributions, assumptions and mathematics behind NPS are riven with unrealistic expectations. If the collection of data for any NPS survey is random you would not see the distributions required to even achieve breakeven NPS scores.

In fact I've seen many NPS programs where customers are hand-picked by employees with built-in conflicts of interest, selecting those customers who will yield the highest scores.

Assuming the customer selection process were random, a majority of respondents will say that "5" on a 10 point scale is average.

But the math of NPS skews the distribution such that only 9s and 10s count as "promoters", all 7s and 8s are thrown out, and all scores between 1 and 6 count as "detractors". Subtract the "detractors" scoring 1 through 6 from the "promoters" scoring 9 and 10, and voila, you have the magic NPS number.

The only thing you might be able to infer about those casting ballots between 1 and 6 is that they will probably not promote your company or its products. But this is a far cry from assuming all of these people will go out and tell their friends to expressly not do business with your company.

The relevant questions are not asked: "Did you dissuade your friends from doing business with our company?" and "Did you recommend our company to your friends?" You only asked whether they WOULD recommend. Any other inferences cannot be assumed and are not borne out by empirical evidence.

Probability and NPS

Moreover, the mathematical unreality of NPS is its underlying problem. The probabilities of ballots being cast on the 1-to-10 scale, with 5 being the perceived mid-point by almost all people, are:

  • 10% for “9s and 10s”
  • 20% for “7s and 8s”
  • 70% for “1s to 6s”

This results in hitting a negative 50 percent – on average – for NPS scores which is where most organizations start their journey. Surprise – surprise – surprise, customers are saying that 5 is average on a 10 point scale!

Adding insult to injury, the businesses that see these results – especially the CEOs – take the negative numbers personally and then completely torque their organizations for years trying to achieve positive NPS scores.

To achieve breakeven for NPS, unrealistic distributions such as the following have to be achieved:

Detractors   Neutral   Promoters
    50          0          50
    40         20          40
    30         40          30
    20         60          20
    10         80          10

Hitting these skewed distributions is only possible when the process of collecting the data is not representative of your customers!

So, what problems are you really trying to solve?

  • Are you trying to have a number you can crow about to your pals on the golf course? – Then plow ahead with NPS.
  • Are you trying to understand what the range of your customer’s expectations are? – Then look to something else.
  • Are you trying to sell more applesauce to the customers who buy apples? – Then look to something else.
  • Are you trying to sell more oranges to new customers interested in fruit? – Then look to something else.

It's simply amazing how the desire to make business decisions based on a single number can have such an impact on organizations. But then we've seen this movie play out in the financial services sector with the use of VaR, haven't we?

As a species we learn the hard way.

The Human Microbiome

Wednesday, May 22nd, 2013

Did you know about the latest research being done on the human microbiome?

If not, don’t worry, you’re not alone.

Even many of my biochemistry friends have never heard about it.

There’s an NIH (National Institutes of Health in the US) funded, five-year study focused on the impact of the microbiome on the health and disease states of people.

Should you care?

Read on.

What’s a microbiome?

What is this "microbiome," you ask? It's the microbial cells that live with us, all over us, and in us, and that appear to have an impact on everything from our health to our DNA. These little cells are not exactly bacteria either, but another class of beings known as archaea.

The microbiome taking up residence with you may weigh as little as half a pound, or as much as three pounds. The little critters appear to be involved in everything from our genetics to our health, mental states and capacities; and they've been living under our noses (or should I say in our noses) without our even being aware of them until late into the 20th century.

The research being completed is fascinating and indicative of much more that needs to be learned.

Additional resources:

NIH funded research at http://www.hmpdacc.org/

Microbiome Journal at http://www.microbiomejournal.com/

Overview at The New York Times at http://www.nytimes.com/2013/05/19/magazine/say-hello-to-the-100-trillion-bacteria-that-make-up-your-microbiome.html?pagewanted=all&_r=0

Heart Disease at The Economist at http://www.economist.com/news/science-and-technology/21576062-hardening-arteries-may-be-caused-malign-interaction-meat-eating-and

Archaea at Microbe World at http://www.microbeworld.org/types-of-microbes/archaea

What’s Your POV?

Sunday, May 12th, 2013

Beauty is in the eye of the beholder. This is something my mother always told me, especially when I was younger and too immature to realize there was any other perspective on the world other than mine.

When you’re only five years old, your perspective is the only one that matters, right?

When it comes to information security, perspective is what matters.

Unfortunately the perspective from a decades-long fixation with the dualism of inside and outside is now history. It was good while it lasted. It’s now time for another.

The inside-outside point-of-view (POV) came of age when firewalls became the controls keeping the unknown world from outside the enterprise network from invading the corporate nest-egg and allowing anyone to walk off with whatever they darned-well desired.

We believed in the crunchy-exterior.

Well, if the events of the recent week don’t convince you the age of inside-outside security concepts is over, nothing will. The New York Times covers the story well, In Hours, Thieves took $45 million in A.T.M. Scheme and exposes the reality that there are no more insides or outsides anymore.

Let me repeat: there is no inside nor outside anymore!

And, anyone in the security community caught thinking this way should be run out of town on a rail-head, or if they have redeeming qualities told to repent after they’ve written 500 times on their electronic chalk-board, “There is no more inside or outside anymore.”

There are the criminal folks who want to sift and sort from where the money is nowadays, or to nation-break on their way to glory and fame, and then there's the rest of us law-abiding citizens whose mothers would be aghast if we had a hand in the cookie jar.

It's time to realize that the old inside-outside conceptions, perceptions and POVs about security are over with, and to move on to the reality that it's harder than this and we're entering a new age of information intelligence. The sooner you make this transition, the sooner you'll be able to make forward progress.

What’s Your Bliss Point?

Sunday, May 5th, 2013

Bliss Point – in economics – is the quantity of consumption beyond which any further increase in consumption becomes less satisfying. Bliss Point is associated with maximizing desires and wants in the absence of any cost or spending restraints – such that beyond some point where desires and wants have been satisfied, pleasure becomes less and less fulfilled and eventually becomes boring.

Bliss Point in the Food Industry

This same term – Bliss Point – is used by the processed food industry to engineer the formulations of three critical ingredients – salt, sugar and fat – to deliver just the right amount of palatability to achieve hedonistic pursuit of food, independent of hunger levels.

Think of the munchies and you have a good idea of what this means in the extreme. Or think of your daily reflexive grab for potato chips, ice cream, yogurt (yes, yogurt, because current sugar levels in these catchy-looking packages are as high as or higher than those in some candy bars), cookies, crackers, pretzels and cheeses.

But Bliss Point as it's been applied in the world of processed food does not depend on unlimited resources to realize maximum enjoyment. Rather, the processed- and fast-food industries have made it cheaper for consumers to purchase laboratory-invented and assembly-line manufactured foodstuffs based on mixing salt, sugar and fat than it is for consumers to purchase whole foods that have not been adulterated.

The engineered food-masterpieces are optimized to exploit palatability. And palatability – hedonistic-hunger – is shown to be directly related to opioid receptors in the brain, spine and gut: the same opioid receptors stimulated by illicit drugs.

Should salt, sugar and fat be banned as illicit drugs?

Some might make the case for it. Others argue that imposing this stiff a burden on these ingredients and industries is overreach: no one is forcing people to purchase junk food and eat it, after all. But when that's all that's available to you through corner convenience stores in many inner cities, making healthier choices about what to eat may not even be an option.

The medical literature and exhaustive test results make clear that for most people, current levels of consumption of salt, sugar and fat from fast- and processed- foods should be reduced.

Some common problem foods whose nutrition labels are worth checking include those with:

High salt: fast foods, cheese sauces, bread crumbs, baked beans, canned soups

High sugar: dates, candy, pie crust, raisins, milk shakes, yogurts

High fats: fast foods, pie-crusts, cheeses, hamburgers, snack foods

The connection between obesity, diabetes, heart disease, cancers, and a number of other disease conditions and such dietary inputs is documented.

What’s your Bliss Point?

Should You Buy Big or Small?

Saturday, April 27th, 2013

Should you reflexively buy from your big-box seller or consider taking a chance on that small start-up or local retailer you met a few weeks ago? This is a question that’s not always on the mind of buyers of all sorts of goods and services – but should be. For it’s the decisions you make as a buyer that influence and shape the market, and therefore your future.

Should you buy from the big-box location offering you maybe 5 percent off the going retail price for a commodity item, or should you purchase the same item from your local retailer at the higher price?

Your actions will influence the lives of people behind the counters and running the local business, whereas it probably won’t matter as much to the big behemoth down the street.

Moreover if you buy local, the cash flow stays in the locale instead of being siphoned off to a locale that may be 3,000 miles away, 9,000 miles away – or more. And, the taxes paid by the local business owner add to the value of the local base, making the local economy that much stronger.

But there are pros and cons beyond the health of the local economy to buying small versus buying big that also need to be taken into account.

Buying big

If you buy big, you generally know that you can get the same item in Singapore that you can get in London or Omaha. If uniformity or homogeneity matter, then this may be an important factor.

You may be able to get better pricing from the bigger supplier, but this will depend on how much competition the giant faces in your sector or geography.

You are likely to get the same service levels no matter what. Uniformity of service for one customer will generally be the same for all customers, unless of course you are one of the customers that generate more than 5 percent of the behemoth's revenue stream, in which case you'll be offered service levels that other customers can only hope for but will never receive.

You are also likely to run into levels of hubris, unethical and illegal behavior you’d never find from a smaller supplier, including ignoring contracts, breaching contracts, and ignoring customer commitments while taking their money.

The benefit of buying big is that you'll more likely be able to deal with fewer suppliers, which should reduce some of your burdens. But don't believe the urban legend about buying big to have one throat to choke: it doesn't work unless you are among that supplier's biggest customers.

Buying small

If you buy small you are unlikely to be able to purchase the item in Singapore, London and Omaha. You may only be able to get it locally, or it might not be localized for your geography. It may be the same item or it may not.

You might pay a bit more, or if the size differential is in your favor you might actually pay quite a bit less, depending on the product or service and the competitive environment.

You will generally receive much better service levels, where they are available. And this is the sticking point. If you need service in West Osh Kosh and the supplier only covers East Osh Kosh currently, this could cause problems for you. Otherwise, be prepared for generally better service levels from your local and smaller suppliers: they need and want your business much more than the big behemoth does.

You will not run into hubris, and are much less likely to face a supplier that will willingly break a contract or ignore a customer or another supplier.

The drawback to buying smaller and local is that you’re likely to be in the position of having to manage more suppliers. Excepting the few rotten apples you might run into, you’re more likely to have suppliers willing to “go the extra mile” to make you happy.

Your turn

Now it’s your turn.

What will you do: buy big or buy small?


What’s the Risk?

Saturday, April 20th, 2013

Do you ever have the feeling you’re in one of those background noise-chambers where the same sound or sounds keep playing-on, time after time without letup?

I have this experience a lot when it comes to the word "risk" and how most people in IT interpret what it means, or should I say what they mean by the word "risk."

Risk

My definition of risk is simply the outcomes or impacts resulting from trigger events operating on and within an environment. The outcomes may be aided and abetted, or hindered, by vulnerabilities and the environment itself.

Example

The risk of disease from air-borne illness is injury or death. This is the outcome or impact of being exposed to some virus or bacteria. This outcome is more likely in tropical humid climates than in drier and less humid northern climates.

In the example, the risk is disease and its potential outcomes, including injury or death. The trigger event may be a pathogen, or might be a carrier of the disease sneezing in an enclosed jet 30,000 feet in the air. Or the trigger event might be related to colony formation, aided in humid regions such as the tropics but retarded in drier and less humid northern climates. If the immune system of Uncle Dick or cousin Jane were more vulnerable to the bacteria, this would make it easier for the bacteria to grow and accelerate its attack, impact and outcome on its host.

The Chaos of Language

The same applies to the world of information systems and security. But for some reason many people in the world of information security – and almost all the vendors pitching security products and services – confuse themselves and everyone around them by calling trigger events risks, or calling the environment the risk, or calling vulnerabilities risks. This shows up in such statements as “the technology risk”, the “vulnerability risk”, the “ecosystem risk”, and the “security risk” among other favorite lazy thinking phrases oft’ heard.

Sorry to rain on the parade, but these things are not risks.
The outcomes or impacts that might result from vulnerabilities in IT systems, lax or no procedural controls, or unfunded mitigation steps are the real risks to organizations and people, not the factors leading to the outcomes. Do the factors contribute to the outcomes? Of course they do. But they are not the risks. Instead of identifying the factors as the risks, we should be constructing rich storyboards that connect events to their outcomes.

Unfortunately the laziness with the use of language and the confusion over what “risk” means has resulted in an inability on the part of many people in IT to clearly articulate what the business impact of vulnerabilities are likely to be. The confusion has resulted in an inability to communicate the relationship between environmental factors, trigger events, vulnerabilities and their business outcomes.

The result is that many senior business leaders have no idea what risk IT is talking about when it comes to the table asking for money to mitigate “security risks”, instead of describing the business outcome: such as the risk the company will be sued, capital from financial markets will decline, and sales will decline after a massive data breach occurs.


What’s the risk?

If you do not clearly communicate the difference between what is likely to cause adverse outcomes and the outcomes themselves, then you'll fall short of the support needed to fund mitigation strategies to manage the risks.

And the reason you won’t be funded is because no one will understand what you’re talking about.

This is a pretty large risk, and one that can be managed by carefully articulating the desired state, the adverse outcomes you are trying to avoid, the trigger events likely to lead to the adverse outcomes, and the environmental and vulnerability factors you will be mitigating to reduce the likelihood of the outcomes.

If you can do this, you’ll reduce the risk of not being funded – and thereby reduce the business risks associated with why information security policies, procedures or controls are implemented and maintained.


What’s Your Magic Number?

Saturday, April 13th, 2013

What’s your magic number?

If you’ve never heard this question or phrase, you’ve probably been living off-network or away from the developed world for some time. It’s a term used by people for different reasons and a variety of meanings.

Numbers

We employ numbers in accounting to maintain financial accounts that assess our current balance among other purposes. We use numbers in educational institutions to assess relative performance levels of students and teachers. Numbers are used to design almost everything man-made and we use numbers to plumb the breadth and depth of the natural world around us.

What is the Magic Number?

But what is this “magic number” thing?

For a business manager it might be the backlog number. For a sales manager it might be the conversion rate, the forecast, and the quarterly “number” that’s finally posted upon which commissions are paid.

For a business owner it might be growth rate. For a CEO it might be earnings, return on assets, return on equity, the trading price of stock or the achievement of objectives established with the board.

For a customer service representative the magic number could be the number of calls serviced per hour, time spent on the phone per caller, or the number of successful close-outs per day.

For a lawyer the magic number may be billable hours. For an airline pilot the magic number is likely to be accident-free miles. For a truck driver it’s likely to be miles per day between required rest times.

For sports fanatics, the magic number may be the number of games remaining to be won until the home-town team wins a slot in the upcoming post season playoffs. The formula for this magic number looks like:

Magic number = total games – # of wins by 1st place team – # of losses by 2nd place team + 1

In financial risk mathematics, Value at Risk became the magic number to express the total value of a portfolio that could be lost over a certain time horizon. We won't bother to include VaR calculations here; it would require an entire series of blog articles.

Magic Numbers: a reversion to the Mean

With the exception of teams remaining in contention for a playoff spot, almost all magic numbers reflect an arithmetic mean – the average – value for a series of numbers in a given population.

As an "average" value, most magic numbers aren't really magic at all: they simply represent the current consensus of the group. There's really nothing "magic" about them; the magic number is simply the current mean.

But, it’s the differences in the population – the deviations – at any given time that really are the interesting numbers. Most intriguing of all are the maximum differences between the outliers in a population and how far removed these are from average.

The outliers tell the story

It’s the outliers that are really the magic numbers, not the mean. I don’t mean the outliers that are so far away from any cluster, but the clusters of numbers that might be two, three, four or more sigma away from the mean.

The outliers tell the stories of “unexpectedly” super levels of performance or of sub-par performance. Or the outliers tell the story of overwhelming evidence of correlation between disease outcomes and causative agents.

Or the outliers reveal financial graft and corruption in the servicing of mortgages. Or outliers reveal the reasons why some organizations continue to be plagued by security breaches resulting in financial damage, public scrutiny and scorn, business downtime or other outcomes.

So the next time you hear the question, "what's the magic number?", think a bit beyond the comfortable box of average, and look for, and then understand, what's behind the fat tails.
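The masking problem the outlier paragraphs above describe, as an added example that is not part of the original post: a threshold built on the mean and standard deviation lets one fat-tail value inflate sigma and hide a second anomalous account, while a median/MAD score does not. The account names and failed-logon counts are constructed.

```python
"""Outliers, not the average: a mean/sigma threshold versus a robust median/MAD score.

Added example; the accounts and counts below are constructed, not real data.
"""
from statistics import mean, median, pstdev

# Constructed tally of failed logons per account for one day. Two accounts sit
# outside the pack: "peggy" modestly, "trent" far out in the fat tail.
FAILED_LOGONS = {
    "alice": 2, "bob": 3, "carol": 1, "dave": 4, "erin": 2, "frank": 3,
    "grace": 0, "heidi": 2, "ivan": 3, "judy": 1, "mallory": 1,
    "svc-backup": 1, "svc-report": 2, "olivia": 3, "peggy": 7,
    "trent": 60, "victor": 2, "wendy": 1, "xavier": 3, "yolanda": 2,
}

# Scale factor so a MAD-based score is comparable to a z-score on normal data
MAD_TO_SIGMA = 0.6745


def zscores(counts):
    """Classic score: how many standard deviations each value sits from the mean."""
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return {name: 0.0 for name in counts}
    return {name: (v - mu) / sigma for name, v in counts.items()}


def robust_scores(counts):
    """Median/MAD score: the median and MAD barely move when a fat tail is present,
    so one extreme value cannot mask a second, smaller anomaly."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # More than half the values are identical: any deviation at all is unusual.
        return {name: (float("inf") if v > med else float("-inf") if v < med else 0.0)
                for name, v in counts.items()}
    return {name: MAD_TO_SIGMA * (v - med) / mad for name, v in counts.items()}


def outliers(scores, k=3.0):
    """Names whose score is at least k "sigmas" away from the centre, sorted."""
    return sorted(name for name, s in scores.items() if abs(s) >= k)


def masking_report(counts, k=3.0):
    """Run both methods on the same data; returns (flagged_by_mean, flagged_by_median)."""
    return outliers(zscores(counts), k), outliers(robust_scores(counts), k)


if __name__ == "__main__":
    by_mean, by_median = masking_report(FAILED_LOGONS)
    print("mean/sigma flags: ", by_mean)    # trent only: his count inflates sigma
    print("median/MAD flags: ", by_median)  # peggy and trent
```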

Going beyond average to find the magic numbers

The average is not the magic number. Instead it’s our way of saying this is the current level of average. For those who want to go beyond average, who want to understand how to improve results, or how to limit risk exposure, going beyond the magic number is necessary to going beyond the contextual level of acceptable mediocrity.

It’s the outliers that are really the magic numbers, not the average.

These are really the magic numbers!

Consistency – the hobgoblin of security

Sunday, April 7th, 2013

The biggest problem contributing to elevated risk – according to most practitioners – is a lack of consistency in operations and following procedures.

Consistency in applying patches, consistency in inspecting logs, consistency in testing new builds before releases, consistency in monitoring and consistency in removing unauthorized accounts among other procedures and policies.

The lack of consistency was driven home for me the other day when a friend – who is not in security – related a story of what happened to him after a job change. After starting work in his new position he was handed a laptop which did not have an antivirus endpoint agent running on it. He asked the person in IT who delivered the laptop to him to fix the problem, and the response he received was "don't worry about it, it will take care of itself."

Assuming "it will take care of itself" meant that the missing agent would be detected automatically and that this would set off a procedure to install the agent without him being involved, my friend ignored the issue.

About two weeks after this discussion he noticed some strange things happening with his laptop and decided to check whether the antivirus agent had been installed or not. And as you might have guessed, the agent was not installed on the laptop despite the claim from the original IT person that “it will take care of itself.”

After calling for help from someone else in IT, he was told the laptop had been infected by a trojan horse that had found a nice home for itself on the laptop. After re-formatting the drive and having a new image of all the software re-installed, the laptop was delivered to my friend. Indeed, "it had taken care of itself," just not in the manner my friend anticipated.

Sometimes we spend a lot of time and effort debating whether some controls need to be implemented or not to mitigate risks, whether we're spending more time and money on detecting problems instead of preventing them, or debating the value of a particular framework or technology, but it's simple things like following policies and procedures that often cause the most problems.
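The procedures listed at the top of this post (patches, endpoint agent, unauthorized accounts) turned into a repeatable check, as an added example that is not the post's own code: every host is held to the same baseline on every run, and a finding carries its first-seen date forward so it cannot quietly "take care of itself". The baseline values, host names, accounts and dates are constructed.

```python
"""Consistency audit: hold every endpoint to the same baseline, every time it runs.

Added example, not from the post. Hosts, accounts and dates are constructed.
"""
from datetime import date

# The procedures the post lists, written down as a baseline (constructed values)
BASELINE = {
    "agent_required": True,      # antivirus endpoint agent must be running
    "max_patch_age_days": 30,    # consistency in applying patches
    "authorized_accounts": {"localadmin", "helpdesk"},  # anything else is unauthorized
}

# Constructed inventory snapshot, as an asset system might export it
INVENTORY = [
    {"host": "lt-0417", "endpoint_agent": False, "last_patch": date(2013, 2, 20),
     "local_accounts": {"localadmin"}},
    {"host": "lt-0418", "endpoint_agent": True, "last_patch": date(2013, 4, 1),
     "local_accounts": {"localadmin", "helpdesk", "svc_tmp"}},
    {"host": "lt-0419", "endpoint_agent": True, "last_patch": date(2013, 4, 5),
     "local_accounts": {"localadmin", "helpdesk"}},
]


def audit_host(record, baseline, today):
    """Return the list of baseline deviations for one host (empty if compliant)."""
    findings = []
    if baseline["agent_required"] and not record["endpoint_agent"]:
        findings.append("endpoint agent missing")
    age = (today - record["last_patch"]).days
    if age > baseline["max_patch_age_days"]:
        findings.append(f"patches {age} days old (limit {baseline['max_patch_age_days']})")
    extra = record["local_accounts"] - baseline["authorized_accounts"]
    if extra:
        findings.append("unauthorized accounts: " + ", ".join(sorted(extra)))
    return findings


def audit(inventory, baseline, today):
    """Map host -> findings, for every host that deviates from the baseline."""
    result = {}
    for record in inventory:
        findings = audit_host(record, baseline, today)
        if findings:
            result[record["host"]] = findings
    return result


def reconcile(previous, current, today, grace_days=3):
    """Carry first-seen dates across runs. Returns (open findings keyed by
    (host, finding) with their first-seen date, findings older than the grace period)."""
    open_findings = {}
    for host, findings in current.items():
        for finding in findings:
            key = (host, finding)
            open_findings[key] = previous.get(key, today)
    overdue = sorted(key for key, seen in open_findings.items()
                     if (today - seen).days > grace_days)
    return open_findings, overdue


def demo(today=date(2013, 4, 7)):
    """Run the audit on the constructed inventory, pretending the missing agent on
    lt-0417 was first reported two weeks earlier and then forgotten."""
    current = audit(INVENTORY, BASELINE, today)
    earlier = {("lt-0417", "endpoint agent missing"): date(2013, 3, 24)}
    open_findings, overdue = reconcile(earlier, current, today)
    return current, open_findings, overdue


if __name__ == "__main__":
    current, open_findings, overdue = demo()
    for host, findings in current.items():
        print(host, "->", "; ".join(findings))
    for key in overdue:
        print("OVERDUE since", open_findings[key], ":", key)
```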

Consistency – and the lack of it – are the hobgoblins of security.