Wednesday, September 30, 2009

Too much trust is not a good thing

In any organization, you won't disagree that we need to have some level of trust in order to have a healthy working environment. Project managers trust developers to meet deliverables and develop according to the specification. System/network administrators are trusted not only to keep the infrastructure functional but also safe-guard from outsiders. Hospital employees are trusted not to misuse patient records. Bank employees are trusted not to misuse/illegally modify financial records. This very own trust could be a negative factor. I found this interesting report which explains three traps. The report is a result of a workshop of 25 research from various disciplines in 2004 to come up with a systems dynamic model in order to better understand insider threats/attacks.

The following diagram shows a simplified version of the full systems dynamic model. '+' indicates a proportional relationship and '-' indicates a inversely proportional relationship.

Detection trap:
Have you ever wondered, most of the time when an organization comes under an attack, they are usually under-invested on security control or they don't have any security controls at all? The detection extracted from the above diagram is a good explanation of this observation.

When the organization's perceived risk increases, the management is willing to invest on detection measurements (in the hope that the perceived risks will lower). With better detection mechanisms, it is likely to detect more insider attacks/attempts for such attacks. When the number of cases go up, it is natural to perceive that the organization is under higher risk. See, this loop feedbacks. At the same time the inverse is also true! At some point in time, the organization may perceive that the perceived level of risk is low (due to better education, better controls in place, better management, etc.). This motivates the management to invest less on detection capabilities. With a few measures to catch wrong doing, it is like that not many cases are caught. Now the organization may perceive even less risk as not many cases are detected. Notice the loop feedbacks in this case as well. Hence the detection trap.

Trust trap:
Sometimes, good intentional measurements from the management may themselves lead to attacks. The following digram shows how it unfolds with the level of trust the management has on its on employees.

When the management perceives a higher trust on the employees, they may decide that they don't need to have extensive security controls to monitor their employs in the belief that there will be hardly any employee who will turn an enemy of the company. With less detection capabilities, it is natural to see that there will only be a few detected attacks while many go unnoticed. With fewer reported attacks, the managerial trust goes even higher. This loop also feedbacks and hence creates the trust trap. Why does it happen like this? One possible reason, as the loop feedbacks, the perceived level of risk by the employees of getting caught falls down.

Unobserved emboldening:
While those two pitfalls continue to feedback, the following shows how the perception of risk by the employees/insiders change and then lead to full blown attacks.

When an insider attempts to do something wrong and it goes unnoticed, their perceived risk of doing that falls down. Hence, they they tend to do more probing. Notice that this loop also feedbacks, lower the perceived risk each iteration. (This scenario is true with other situations. When a person does something that is not acceptable by the society and it goes unnoticed, that person may tend to even bigger crimes. It does not always need to be a crime. The intention could innocuous. For example, a person may speed for fun. If that person is never copped, they may be tempted to go even faster.) When the perceived risk goes below a certain threshold, the insider may carry out the actual attack.

It should be noted that not all insiders act like this. In fact, this is only the minority. (Security controls are there to protect against a few bad people while making sure the good majority is not negatively affected by these measurements) This happens only when things go wrong, when things don't work out the way the employees want - for example - no recognition for work, no bonus/salary increase or less pay, possibility of being laid off, etc. In any case, in order to have a healthy and safe working environment, the management need to show a certain level of trust while keeping the perceived level of risk (as perceived by insiders) at an acceptable level (e.g. by training, by legally prosecuting wrong doers, security controls, etc.).

Ref: Preliminary System Dynamics Maps of the Insider Cyber-threat Problem, 2004.

Insider Threats: People-Process-Control

I recently did a presentation on the $subject. You can access the slides from here. I used to think that if you have nearly perfect security control in place, you have a higher probability of surviving from malicious attacks. But the more I work in this area, the more I am convinced that technology plays only a partial role; People and Process play a bigger role. It is more evident if you look at insider attacks; these are carried out by people who have legitimate access to the systems/resources.

Saturday, September 26, 2009

The power of wikipedia :)

Softball rules.. (credit PhD comics)

Yesterday, we wanted to double-check the wallyball (not volleyball) rules.

Thought of the day

We all have ability. The difference is how we use it.
~Stevie Wonder

This is very true. I always believe that each and everyone of us can do almost anything that others have done/have been doing and more! It is just that some people need some guidance/direction to figure out their abilities and put them into good use. For example, as a kid, I was terrible in math and didn't like it much at that time. (my early school records indicate this). However, with time (different people triggers at different times), good guidance (will never forget a few very special people) and self-motivation (encountered a few incidents which made me think hard), I turned math into one of my favorite subjects.

On a related note, I know some people who are really talented but are unfortunate in one way or the other (mainly due to factors out of their control - only the God knows why). They deserve our help who are blessed with many things in life. Making a difference is harder than earning money which comes and goes..

Thursday, September 24, 2009

My personal information at your business is not safe!

I was surprised to see the following results from a recent survey.

(Credit: Impreva)

This is a good example about the fact that many organizations do not view security as a top priority. The management is not willing to invest extra money to comply with security standards - especially true for small companies. They don't see the ROI (unless the security is breached). It is interesting to see more than half don't have faith in standards (PCI DSS); is it due to lack of knowledge about the standards or is it perceived to be more costly to have security measure in place compared recovering from a security breach? On second thought, I shouldn't be surprised about these results considering the large-scale breaches (1, 2, 3, 4, 5) we continue to see.

Thursday, September 10, 2009

OLPC reaching SL students

It is good to see OLPC reaching underprivileged schools in Sri Lanka. These XO laptops are equipped with local languages as well. I personally prefer if students are taught to use in English language; this will not only shink the gap of IT skills in urban (mainly in and around Colombo, and some other main cities) and rural areas, but also English language skills.

Our ICDE 2010 paper

Our paper "A Privacy-Preserving Approach to Policy-Based Content Dissemination", Ning Shang, Mohamed Nabeel, Federica Paci, Elisa Bertino is to appear in the upcoming ICDE (International Conference in Data Engineering) 2010 conference. The acceptance rate for full papers is around 12.5%.

We propose a novel scheme for selective distribution of content, encoded as documents, that preserves the privacy of the users to whom the documents are delivered and is based on an efficient and novel group key management scheme. Our document broadcasting approach is based on access control policies specifying which users can access which documents, or subdocuments. Based on such policies, a broadcast document is segmented into multiple subdocuments, each encrypted with a different key. In line with modern attribute-based access control, policies are specified against identity attributes of users. However our broadcasting approach is privacy-preserving in that users are granted access to a specific document, or subdocument, according to the policies without the need of providing in clear information about their identity attributes to the document publisher. Under our approach, not only does the document publisher not learn the values of the identity attributes of users, but it also does not learn which policy conditions are verified by which users, thus inferences about the values of identity attributes are prevented. Moreover, our key management scheme on which the proposed broadcasting approach is based is efficient in that it does not require to send the decryption keys to the users along with the encrypted document. Users are able to reconstruct the keys to decrypt the authorized portions of a document based on subscription information they have received from the document publisher. The scheme also efficiently handles new subscription of users and revocation of subscriptions.

I am planning to make slides and other materials related to this work available to everyone soon.

Wednesday, September 9, 2009


The geek way of meditation :)

(Source: The joy of tech)

Wednesday, September 2, 2009

Flu trend

Now that Purdue has increased the awareness on H1N1 Influenza, I just wanted to see how it is being treated in rest of the world. I used Google Trends assuming the volume of search is roughly proportional to what I am after (there may be better tools for this?). Looks like Asians are more obsessed with H1N1 Influenza (aka swine flu). Also checked the trend in USA..people in USA have also started to search on H1N1 again from last month; there's a similar tend in Indiana state (looking at the cities it appears to be mainly by people in universities P, IU, IUPUI) .

- All regions in 2009 for the term H1N1
Swine flu - All regions in 2009 for the term "swine flu"