Searching for Privacy in a World Without Secrets

“I am not a number, I am a free man”

IDC reported that we generated and replicated 1.8 zettabytes – that’s 1.8 trillion gigabytes – of data in 2011. To give you an example of scale, you would need to stack CDs from Earth to the Moon and back again – twice – to represent that amount of data, and it’s expected to grow 50x by 2020. Interesting factoid: through April of 2011 the Library of Congress had stored 235 TB of data. In 2011, 15 out of 17 sectors in the US have more data per company than the US Library of Congress, and much of that data is about you.

Facebook is preparing to raise $100 billion, yes a hundred billion, in a highly anticipated IPO next spring. Twitter is valued at $10 billion, and social media companies are pulling massive valuations. In terms of data, roughly 4 billion pieces of content are shared on Facebook every day, and Twitter registered 177 million tweets per day in March of 2011. The success of these companies, and many others, is trade in human commodity. There is an inherent value to your tweet, your wall post, becoming mayor at some DC cafe or posting your location to wherever people post those things, but the real value is simply in your existence as a number in a sea of other 1s and 0s.

We are entering a world where every aspect of our lives, short of those thoughts we hold deep, will be processed, indexed, analyzed and archived forever: what we search for, our online activity, where and how we drive, what we buy, when and how often, and our health, financial, and personal records, all digitized for quick sale to the highest bidder. Never before have we had the ability to implement systems to handle massive volumes of disparate data at a velocity that can only be described as break-neck, and with this ability comes the inevitable misuse.

The commercial implications for companies seeking access to this depth and breadth of customer intelligence are clear, but this same information, federated with the analysis of unstructured video, picture, voice and text data, in the hands of our government or one that meant us harm is truly frightening.

Social media is an interesting experiment in applying a large-scale operant conditioning chamber to a mass population; the law of effect is a retweet, a friending, being listed on a top x most influential list, or whatever else elicits the desired response. We leap head first off the cliff of technology and only concern ourselves with the implications when they become a problem for us.

The irony is that in our search for identity and individuality in an increasingly digital world we have willingly surrendered that which we used to hold so dear – our privacy.

May future generations forgive us.

The US Cyber Challenge Wants You


As part of the administration’s continuing efforts to actually do something tangible to improve the security posture of US critical infrastructure and to better deal with a severe lack of technical talent, the CSIS (Center for Strategic and International Studies) announced the US Cyber Challenge (here) to identify and develop 10,000 cyber security specialists.

One of the fundamental deficiencies of the current US critical infrastructure protection programs (there are many of them) is the astonishing lack of qualified technical security specialists. This program aims to develop the next generation of technically advanced cyber warriors and security specialists.

The United States Cyber Challenge

The US Cyber Challenge is a national talent search and skills development program. Its purpose is to find 10,000 young Americans with the interest and skills to fill the ranks of cyber security practitioners, researchers and warriors. Some will, we hope, become the top guns in cyber security. The program will nurture and develop their skills, and enable them to get access to advanced education and exercises, and where appropriate, enable them to be recognized by employers where their skills can be of the greatest value to their nation.

Improving our private and public sector security posture will be an ongoing process as we adopt new technology innovations and as the dynamic global environment shifts between hostile and friendly actors. Recruiting the next generation of technically advanced security specialists and developing the skills today to deal with tomorrow’s threats is key to ensuring we have a population of talent to enable continued growth and prosperity of the United States and its citizens. Like so many times in our history, the hopes of an aging nation rest on the shoulders of America’s youth.


Moving Security through Visibility to Implementing Operational Controls


Quick thought for the day. Most technologies in the security world move through a predictable cycle of adoption. First an organization implements a solution to gain visibility into the scope of the problem (VA, IDS, DLP/CMF, SIEM). Then, once it becomes apparent that the problem is vast and overwhelming, they move to operationally implement technical controls to protect the environment and to enforce organizational policies. When this switch-over occurs, the adoption of the pure visibility tools becomes eclipsed by the control tools. This doesn’t mean that the visibility tools are ineffective; it generally means that the scope of the problem is understood to the point that an organization can effectively implement controls. It also means that the problem has successfully moved from the security team to the operations team. You can apply this same logic to any segment of security and to any new technology, including cloud computing, virtualization and all the little shiny objects in between.

Examples of this movement from visibility to control include intrusion detection, vulnerability assessment and content monitoring and filtering. Let’s look at VA. Its initial use was to determine the scope of the ‘exposure’ problem, that is, to scan the environment against a database of known vulnerabilities to determine the extent of exposure. Unfortunately the volume of output was very high and was presented in a format that was not easily consumable or actionable by the IT operations team. What exactly does one expect the server admin to do with 300 pages of vulnerability data? There were also inherent issues of fidelity. The use of VA tools moved into targeted scans to determine what needed to be patched, which resulted in the operational implementation of patch management technologies, which soon overtook the market adoption of vulnerability assessment tools. There was also the pressure of auditors looking for the implementation of technical controls, and although vulnerability assessments were viewed as an important first step, without the work-flow and controls to address the volume of vulnerability data they proved to be less effective in improving operational security than was originally thought.

It became clear that vulnerability management needed to cross the chasm to become an operationally actionable tool. Without remediation capabilities the organization would always be under a mountain of vulnerabilities, and the use of the technology would linger in the trough of disillusionment. Security configuration management met that need: it allowed an organization to define the desired configuration state of an environment against industry best practices (NIST, DISA, CIS, etc.) and then to operationally implement technical controls to identify non-compliant devices and enforce policy. Security configuration management also had the benefit of providing a common language between the security, audit, and operations teams. I wrote about this in a series of posts (here), (here), and (here).
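
The desired-state check described above, sketched as an added example (not code from the original post or from any product). The baseline rules, setting names and host data are constructed for illustration and are not taken from NIST, DISA or CIS; a setting the host does not report is treated as non-compliant.

```python
import operator

# Constructed baseline: setting -> (comparison, required value).
BASELINE = {
    "ssh.permit_root_login": ("eq", "no"),
    "password.min_length": ("ge", 14),
    "password.max_age_days": ("le", 90),
    "telnet.enabled": ("eq", False),
}
OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le}

# Constructed observations, as an agent or a targeted scan might report them.
HOSTS = {
    "web01": {"ssh.permit_root_login": "no", "password.min_length": 14,
              "password.max_age_days": 60, "telnet.enabled": False},
    "db01": {"ssh.permit_root_login": "yes", "password.min_length": 8,
             "password.max_age_days": 60, "telnet.enabled": False},
    # telnet.enabled was never reported: unknown state fails the check.
    "app01": {"ssh.permit_root_login": "no", "password.min_length": 16,
              "password.max_age_days": 365},
}

_MISSING = object()

def evaluate(observed, baseline=BASELINE):
    """Return (setting, observed value, requirement) for every failed rule."""
    failures = []
    for setting, (op, required) in baseline.items():
        value = observed.get(setting, _MISSING)
        if value is _MISSING or not OPS[op](value, required):
            seen = None if value is _MISSING else value
            failures.append((setting, seen, f"{op} {required!r}"))
    return failures

def remediation_plan(hosts, baseline=BASELINE):
    """Group failures by control: one work item per setting, listing the hosts."""
    plan = {}
    for host, observed in sorted(hosts.items()):
        for setting, value, _ in evaluate(observed, baseline):
            plan.setdefault(setting, []).append((host, value))
    return plan

if __name__ == "__main__":
    for setting, affected in remediation_plan(HOSTS).items():
        print(setting, "must be", BASELINE[setting], "->", affected)
```

Grouping by control rather than by finding is what turns the output into a work item the operations team can act on, instead of a per-host dump.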