Tuesday, September 29, 2009

Medical Vaccines as an Analogy to Information Security

In the information security field, we often encounter an ethical dilemma. Should information become public, so that people can protect themselves or better decide how to do so? Or should it remain secret, so that larger harm is prevented? The world of vaccines shows us how medical professionals deal with the issue.

I recently wrote a blog post on an unrelated subject, vaccines and their risks. I have been gathering information on whether they are safe for some time now.

While they are in fact, in the vast majority of cases, safe, there is no easily available information online as to the risks associated with vaccination. Most of this data, therefore, can be found on scaremongering websites, spreading fear, uncertainty and doubt.

Whatever reasons vaccine professionals have for taking the party line, we can assume that one reason they do not wish for public debate is to avoid the risk of more people not vaccinating, potentially increasing the death toll and causing epidemics.

The similarities don't end there, and it truly is fascinating. For example, the World Health Organization (WHO) monitors disease globally, detects new epidemics and responds accordingly, thus monitoring the success of vaccines as well.

An interesting anecdote concerns global risk analysis: how regulation trumps personal liberties worldwide in vaccination programs for newborn babies, as the risk of epidemics outweighs the infringement. Some people claim that this is no longer the case, and that these programs need to be reexamined. They seem to be wrong, but information is not easily available online. It is interesting to note because, once such a program is successful, even if it were no longer helpful, I very much doubt society would easily change in this regard, much as I am sure it was difficult to initiate this program to begin with.

I doubt such regulation will happen in information security, but a common stance, such as the one vaccine developers and medical doctors have on emerging threats, could be highly beneficial to our field when approaching the public.

Many interesting strategic and psychological lessons can be learned by examining this field, when compared to information security.

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron

Friday, September 11, 2009

Lessons I Learned from Cyber Crime, an Article Series

I have been slow on updating this blog due to blogging on Dark Reading. I will make amends and start updating here more often. I will also start to cover my more interesting blogs on Dark Reading, here. You can also read my personal blog where I write about things I find interesting, or funny.

A few months ago I wrote a short series on some of the lessons I learned from the world of security and cyber crime. The series is about systems and networks, people and communities, and finally, projects and making things happen. The first one begins with:
"The history of anti-spam teaches us about half-baked ideas and how people succeeded or failed to implement them. The analogy of evolution, while limited, demonstrates how reactionary solutions can achieve strategic goals before they are made obsolete by countermeasures.

How do you herd cats? In a series of blogs starting today, I'll explore the history of fighting cybercrime and how and why certain solutions worked while others failed, how we can recreate success, and what lessons we can distill to build business solutions, effect change in communities -- and even fight terrorism."

The three posts in question are:

1. Lessons From Fighting Cybercrime

   "... Criminals were forced to evolve in a desirable direction, which is a victory on its own. Evolution in capabilities occurs to circumvent security measures. By limiting the spammers' options they evolved to a technological battleground where we have more control."

2. Lessons From Fighting Cybercrime, Part 2

   "... It enumerates ways by which "new" and "amazing" suggestions on solving the spam problem go wrong... If only "everyone" (or most people) used their solution or "forced users" to act counterintuitively (and similar truisms), spam would be "gone". It is well worth a read.

   Trying to map how some solutions work while others can't even get off the ground and seeing how communities and social systems change is fascinating. The examples above and many other lessons of fighting cybercrime are illuminating. Especially when we consider they are mostly derived from failures of technical solutions to solve a human problem, a common design fallacy this day and age."

3. Cybercriminals: More Obvious Than They Think?
  • "...Let me pose it this way: It's a hot summer day, and you're drinking a beer at the beach. People are having fun and relaxing. Suddenly, you see a person wearing a heavy coat. Is this suspicious?"
  • "... Encryption is a great tool, but it also draws attention to you for using it. In your organization, how likely is an attacker to identify important resources just by watching for encrypted traffic? In some cases, it may be better to stay obscure, in the background as noise, than to use encryption. If the malware sample is new and therefore undetected by antivirus, then the same unfortunately applies to malware authors."

I hope you find these posts interesting. Do share your thoughts with me. Any anecdote, epiphany or even just an insight from your own experience will be appreciated.

Gadi Evron,
ge@linuxbox.org.