Saturday, June 20, 2015

Diminishing Returns on Mitigations

So now that I have the DBIR Attack Graph, I wanted to test something out.  How does the shortest attack path from start to end change when you mitigate things in the graph?  The short answer is, it plateaus quickly, probably due to there always being a direct connection to some attribute from some action.  Ultimately, that means that you need to pick the attributes you're protecting, not try and stop everything.  Check out the full analysis in this blog post on the Verizon Security Blog.
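The plateau argument can be reproduced on a small graph. The following is an added example, not code or data from this post or from the Verizon analysis: the graph, its node names (`act1`, `attr1`, ...) and its edge costs are constructed assumptions, with a lower cost standing for a likelier step.

```python
import heapq

# Constructed toy graph (not DBIR data): edge cost is lower for likelier steps.
EDGES = {
    "start": {f"act{i}": 1 for i in range(1, 7)},
    "act1": {"attr1": 1, "attr2": 3},
    "act2": {"attr1": 2, "attr3": 3},
    "act3": {"attr2": 3},
    "act4": {"attr2": 3},
    "act5": {"attr3": 3},
    "act6": {"attr3": 3},
    "attr1": {"end": 1, "act3": 1},
    "attr2": {"end": 1},
    "attr3": {"end": 1},
}

def shortest(graph, src, dst):
    """Dijkstra; returns (cost, path) or (None, []) when dst is unreachable."""
    heap, seen = [(0, src, [src])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in seen:
            continue
        seen.add(node)
        for nxt, w in graph.get(node, {}).items():
            if nxt not in seen:
                heapq.heappush(heap, (cost + w, nxt, path + [nxt]))
    return None, []

def mitigate_path_by_path(graph, rounds):
    """Each round, cut the action->attribute edge on the current shortest path."""
    g = {n: dict(nbrs) for n, nbrs in graph.items()}
    costs = []
    for _ in range(rounds):
        cost, path = shortest(g, "start", "end")
        costs.append(cost)
        if cost is None:
            break
        del g[path[-3]][path[-2]]  # edge into the attribute the path ended on
    return costs

def protect_attribute(graph, attr):
    """Cut every edge into one attribute; return (cost to it, cost to end)."""
    g = {n: {k: w for k, w in nbrs.items() if k != attr} for n, nbrs in graph.items()}
    return shortest(g, "start", attr)[0], shortest(g, "start", "end")[0]
```

On this graph the shortest-path cost rises for two rounds and then stays flat until every action-to-attribute edge has been cut, while cutting only the two edges into `attr1` makes that one attribute unreachable.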

Monday, June 15, 2015

Privacy was a Passing Fad

The breach of OPM has a lot of people angry and scared about their privacy.  That's not surprising.  The federal government keeps a lot of information on its employees, and even more on those with clearances.  Alternatively, large companies have massive amounts of data on us that we only implicitly shared.  Companies like Google simply profile what we do.  Other companies make a business of collecting information about us without our knowledge or consent.

Before Privacy

We think of privacy as an implicit right; however, it has a rather short history. Let's consider specialization and division of labor.  Looking back through history, we can see that specialization was what made society possible. Specialization was intrinsically tied to the agricultural revolution. Once a single person was able to provide food for many through farming, it allowed the other people in the community to specialize.  This in turn allowed the formation of complex societies.

It also, for the first time, allowed people to survive without contributing, freeloading so to speak. As such, it makes sense that those who sought privacy would be ostracized for not contributing to society. Tight social cohesion was seen as a priority and privacy was looked down upon.

Prior to the industrial revolution, communities were local and unable to scale significantly due to transportation and population density constraints. In such a world, it is nearly impossible to hide one’s actions. Housing would be small enough that most actions would occur outside of the home or with another family member present. Larger houses would have many staff within them who would be aware of all occurrences in the home. People would have to deal directly with their neighbors for goods and services, ensuring news spread from party to party.

The Dawn of Privacy

The industrial revolution brought with it a new trend. With the ability to support highly dense population centers and menial jobs requiring no special skills, people became interchangeable. You didn't need the person, you needed a person. As such there was less care about any specific person. As people traveled away from their ancestral roots to work, they began living in dense areas where they potentially shared a small apartment with no other people, allowing for complete privacy within their walls. There was no need to know your neighbors. There was no need to know those that provided you services. People were a cog in the machine of industry.

As efficient transportation became more available, it allowed people to spread out into the suburbs, increasing their isolation (almost in homage to C.S. Lewis’s The Great Divorce). Now a person could have a nice house and an acre of land of their own. They could buy their supplies at the supermarket without the need to ever learn about the people they interacted with. Their work life and family life were so physically separate that they could be two completely different and even incompatible lives.

This caused a culture in which anything you could hide was ok, which led to the idea that anything was ok that didn't hurt others. It also led to the social norm that if you were caught doing something, it implicitly was nearly unforgivable. This is where we are in society today. Anything is ok that doesn't hurt others, but if anyone finds out about it, it is implicitly so bad it must follow you forever.

The End of Privacy

We are now leaving this golden age of privacy due to the massive amount of data which has been and is being collected as well as the tools which have become available to analyze the data.  The shared similarity is that all these tools and data stores are meant to help provide context that would otherwise not be known.  For an employer (such as OPM), they provide a context for an employee that helps the employer interact with the employee or make decisions about the employee.  These tools can provide very helpful services, such as Google Now, Microsoft Cortana, Apple Siri, and Amazon Alexa.  They can also be used against users, such as by collecting information used to sway a person to make decisions they would not otherwise make, or by making life-changing decisions about a person simply based on how an algorithm classifies them.

And the Internet of Things will only accelerate this situation.  The additional information provided through sensors on our bodies, in our homes, and always around us will allow a more complete determination of our context than ever before.  It is not something you will be able to get away from.  The power company will install a smart power meter.  Your TV will be connected to the internet.  And right now, count how many microphones are listening to you.  (Don't forget your smartphone and your laptop.)  It is naive to think that, once collected, this data will not affect us.  Whether it is a company going bankrupt, a breach, or simply the explicit use of the data, it has just as effectively robbed us of our privacy as if our neighbors, church, government, or complete strangers were aware of our every move.

How we Must Face This Reality

This is not something law will solve. Any law would invariably not outlaw such systems, but instead simply limit who was allowed to have them. They would be restricted to the government who makes the rules and to the corporations who effectively lobby for the right to maintain their own context graphs. Instead, the technology should be made available to the general public. While no one person has the resources to build the big data systems available to large organizations and the government, tools may be distributed among many small, separately managed, data stores and still be effective, allowing a population to band together to build an equivalent data source to those maintained by the government. This will not return anyone’s privacy, but will provide a consistent understanding to everyone of the level of privacy they have.

To deal with this new reality, we are going to have to return to the principles that guided life before privacy. I believe this can be broken down into three fundamental principles:
  1. People should be productive members of society. 
  2. People should not do things they would be embarrassed about others knowing. 
  3. People should forgive others for their imperfections.

I don't think it is surprising that these are all core tenets of most major religions. While the temporary availability of privacy in society has allowed these principles to become less important to a functioning society in short term history, they have never been wrong. Every person should contribute to society commensurate with his or her ability. This is the cornerstone of the very definition of a society. While the industrial revolution may have insulated people from the consequences of their actions, that is unlikely to continue. People will have to step up and take responsibility for what they do, even if they are not caught doing it. The simplest way to avoid this is to not do things you are not willing to take responsibility for. It is few and far between that something worth doing is also not worth taking responsibility for. Finally, forgiveness must again become a tenet of society. We cannot hold people’s imperfections against them as all people are imperfect. Instead we must work to compensate for others' weaknesses, forgive their mistakes, and support their strengths. In doing so, we will build a better society that does not use privacy to hide its failings but uses truth to cement its future.

Monday, June 8, 2015

The DBIR Attack Graph Web App

It's time to shake up how we think of risk.  To that end, I've published the DBIR Attack Graph Web App at  To get started, watch the tutorial video.  You can also read about the web app in this blog, read about the underlying algorithms in this blog, or download the tools yourself!  The goal is to help people stop thinking about their risks as a single point, but as paths which must be mitigated, to show them the incredible scale of paths available to attackers, and give people the tools to fight back!

Tuesday, June 2, 2015

The Other DBIR: Database Breach Investigations Report

Wondering how databases are represented in the Verizon Data Breach Investigations Report?  Head on over to the Verizon security blog and check out my new blog post answering just that!