<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Infoseq with a Q, like Quantum Physics</title>
	<atom:link href="http://infoseq.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://infoseq.wordpress.com</link>
	<description>Just another WordPress.com site</description>
	<lastBuildDate>Mon, 02 Jan 2012 12:58:00 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='infoseq.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Infoseq with a Q, like Quantum Physics</title>
		<link>http://infoseq.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://infoseq.wordpress.com/osd.xml" title="Infoseq with a Q, like Quantum Physics" />
	<atom:link rel='hub' href='http://infoseq.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Antifragility and the year of the cut</title>
		<link>http://infoseq.wordpress.com/2012/01/01/antifragility-and-the-year-of-the-cut/</link>
		<comments>http://infoseq.wordpress.com/2012/01/01/antifragility-and-the-year-of-the-cut/#comments</comments>
		<pubDate>Sun, 01 Jan 2012 15:39:56 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=420</guid>
		<description><![CDATA[Antifragility and the year of the cut Hackers expose your secrets on the one hand, but on the other hand they cause the flow of information to thrive. Utilizing hackers is the only way to make your organization stronger, not trying to stop them, as embracing the randomness, chaos and uncertainty is the only chance of [...]]]></description>
			<content:encoded><![CDATA[<div>
<h1>Antifragility and the year of the cut</h1>
</div>
<h2>Hackers expose your secrets on the one hand, but on the other hand they cause the flow of information to thrive. Utilizing hackers is the only way to make your organization stronger, not trying to stop them, as embracing randomness, chaos and uncertainty is the only chance of survival in these uncertain times. This is the conclusion derived from the latest work on antifragility by one of the most important and influential thinkers of the last century.</h2>
<h3>By Uri Biber CISM/CISA/CISSP/CRISC, member of the NeuroLeadership institute.</h3>
<p>On April 28, 1987, one American’s death made front-page headlines all around the world. He was not a politician, nor rich, nor famous before he died – just a mechanical engineer. What made his death so famous was the fact that he was killed in Nicaragua by anti-government Contra rebels supported by the US government, while he was working on a small hydroelectric dam project in the northern part of the country. This event brought to light the Reagan administration’s policy at that time, one that supported anti-left movements and regimes around the world regardless of their ethical standing.</p>
<p>One of the people who was touched by the story decided to write about it, and so the story of that person, <a href="http://en.wikipedia.org/wiki/Ben_Linder">Ben Linder</a>, was forever engraved into our memory via the beautiful words of the song “<a href="http://en.wikipedia.org/wiki/Fragile_%28song%29">Fragile</a>”, released by Sting on his album “&#8230;Nothing Like the Sun”.</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2012/01/01/antifragility-and-the-year-of-the-cut/"><img src="http://img.youtube.com/vi/fJJQ2O4qBAM/2.jpg" alt="" /></a></span>
<p><strong><em>On and on the rain will fall</em></strong></p>
<p><strong><em>Like tears from a star, like tears from a star</em></strong></p>
<p><strong><em>On and on the rain will say</em></strong></p>
<p><strong><em>How fragile we are, how fragile we are</em></strong></p>
<p><strong>[Sting, “fragile”]</strong></p>
<p>The Sting album was released on Tuesday, October 13<sup>th</sup>, 1987. Less than a week after the album was released, on Monday the 19<sup>th</sup> of October, the stock markets all around the world crashed. In what became known as “<a href="http://en.wikipedia.org/wiki/Black_Monday_%281987%29">Black Monday</a>”, the world’s financial markets went down without any warning. By the end of October, stock markets in Hong Kong had fallen 45.5%, Australia 41.8%, Spain 31%, the United Kingdom 26.45%, the United States 22.68%, and Canada 22.5%. New Zealand&#8217;s market was hit especially hard, falling about 60% from its 1987 peak and taking several years to recover (info: Wikipedia).</p>
<p>Yet the day the markets crashed was the day a young investment trader became financially free. That person published a book 20 years later which became a bestseller &#8211; one that the Sunday Times called “one of the twelve most influential books since World War 2”. The book’s title became an expression engraved in human consciousness; the man is Nassim Nicholas Taleb, and the name of the book he wrote is “The Black Swan”.</p>
<h2>The Black Swan</h2>
<p>For those who haven’t read Taleb’s book (seriously?), here is an explanation of the title: for many centuries most of humanity was sure that black swans did not exist. That belief was coined in Latin as &#8220;rara avis in terris nigroque simillima cygno&#8221;, or “a rare bird in the lands, and very like a black swan.&#8221; It was only in 1697 that a Dutch expedition discovered black swans in Western Australia, and that transformed the meaning of the term “black swan” into a description of what seems impossible but is at a later stage proven true.</p>
<p>According to Taleb (taken from Wikipedia), the theory concerns:</p>
<ol>
<li>The disproportionate role of high-impact, hard-to-predict, and rare events that are beyond the realm of normal expectations in history, science, finance and technology</li>
<li>The non-computability of the probability of the consequential rare events using scientific methods (owing to the very nature of small probabilities)</li>
<li>The psychological biases that make people individually and collectively blind to uncertainty and unaware of the massive role of the rare event in historical affairs</li>
</ol>
<p>Taleb said that almost all major scientific discoveries, historical events, and artistic accomplishments were &#8220;black swans”, meaning they were all unpredicted and undirected. In his book he argued that World War I, September 11, the personal computer revolution and the Internet were all black swan events, and since his book was published a year before the financial crash of 2008 it turned Taleb into some sort of a modern prophet. NASA invited him to talk about how to identify risks in human missions to the moon and beyond, he has given talks about risk models for the US Department of Defense, and in Britain his work is regarded so strongly by the current government that it is considered required reading. Professor Taleb’s work was one of the main reasons British Prime Minister Cameron rejected the European Commission plan for central state control and planning.</p>
<h2>Fragility, antifragility and robustness</h2>
<p><strong><em>For all those born beneath an angry star</em></strong></p>
<p><strong><em>Lest we forget how fragile we are</em></strong></p>
<p><strong>[Sting, “fragile”]</strong></p>
<p>On December 1<sup>st</sup>, 2011, in front of a room packed with people, Taleb came to speak about the subject of his upcoming book at the Royal Society for the encouragement of Arts, Manufactures and Commerce (AKA <a href="http://www.thersa.org/about-us">RSA</a>). The name of his talk was “<a href="http://www.thersa.org/events/audio-and-past-events/2011/the-predictability-of-unpredictability">The Predictability of Unpredictability</a>”. (Taleb’s first book was called “Fooled by Randomness”.)</p>
<p>Taleb’s new work focuses on what he calls antifragility, the opposite of fragility. The RSA talk was actually a very short talk by Taleb followed by a longer Q&amp;A session, and from here on everything below is based on all the sources of information Taleb has written on the subject in the last few years. I’ve consolidated it as much as I can, and incorporated my own ideas on the subject of antifragility. Enjoy my hack <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>So first, let us describe what is fragile. Fragile is something that is both unbroken and subject to nonlinear effects, where extreme, rare events of large size (or high speed) are rarer than ones of small size (and slow speed). Take for example earthquakes – every year we have about 3 million earthquakes which are below 2 on the Richter scale, and they do little harm. If we get an earthquake larger than 6 we hear about it everywhere, because the consequences are horrific. For the fragile, the cumulative effect of many small shocks is smaller than the single effect of one large shock. Remember &#8211; the fragile gets hurt a lot more by extreme events. In IT security, for example, a fragile system could be your firewall logging – it is supposed to document predefined events based on various criteria. As long as you don’t experience a DDoS you’re OK (to my non-IT-security reader: a distributed Denial of Service is an attack in which a huge number of computers over the internet try to connect to a website at the same time, causing it to be unable to respond). However, a DDoS renders your logging system useless: either you lack the disk space to write all the events and the system crashes, or it becomes useless by overwriting previous log entries.</p>
<p>Now let us describe antifragile. For the antifragile, shocks bring more benefits (and equivalently less harm) as their intensity increases &#8211; up to a point. Going to the gym puts stress on your body, but it makes your muscles grow. Learning a new language “stresses” your mental capability, but by doing so it improves your brain (again, up to a point). In the IT security world, an anti-virus client that detects strange behavior on one machine and reports it back to a centralized place is utilizing that information to make the other nodes (computers) more protected. The antifragility motto could be described as &#8211; “What doesn’t kill me makes me stronger”.</p>
<p>Now what about robustness? Isn’t a robust system antifragile? Not exactly, explains Taleb. Robust systems are shock resistant, but they do not gain anything from shocks. A robust system does not change after a shock; it simply keeps its previous state. Robust systems experience small or no variations through time, but they do not grow. For a system to be robust, all risks must be visible and out in the open.</p>
<p>So the main difference between robust and antifragile is that robustness does not and cannot gain from unexpected events, while antifragile systems thrive on them. If we use Greek mythology as a source of examples, the sword hanging above Damocles by a single hair from a horse’s tail describes fragility (AKA the sword of Damocles). A <a href="http://en.wikipedia.org/wiki/Phoenix_%28mythology%29">phoenix</a> will forever remain a phoenix; it will never evolve or become stronger after it is reborn from its ashes. But when <a href="http://en.wikipedia.org/wiki/Lernaean_Hydra">Hercules’ second labor</a> was to kill the Hydra, he discovered that cutting off one of her heads made two pop out in its place. The phoenix is robust; the Hydra is antifragile.</p>
<p>Antifragility is important because it is behind everything that has changed with time: evolution, culture, ideas, riots and revolutions, political systems, technological innovation etc. After every unexpected event (AKA black swan) there were systems that gained from the shock, while others collapsed. Those who collapsed were fragile; those who prevailed were the antifragile systems. The counterpart of antifragility is fragility, because fragility doesn’t like randomness, uncertainty, errors, etc.</p>
<p><a href="http://infoseq.files.wordpress.com/2012/01/black-swan-events-in-linear-vs-non-linear-systems.png"><img class="alignnone size-full wp-image-427" title="black swan events in linear vs. non linear systems" src="http://infoseq.files.wordpress.com/2012/01/black-swan-events-in-linear-vs-non-linear-systems.png?w=627&#038;h=355" alt="" width="627" height="355" /></a></p>
<p><strong>If I got Taleb correctly, robustness is the linear, while the curve is everything else&#8230;</strong></p>
<h2>The effect of the speed &amp; optimization</h2>
<p>According to Taleb the problem is that the more optimized your systems become, the faster you move, and when you move so fast your crash is so horrible that the cost of recovery becomes huge. The bigger, more “optimized” and “redundancy free” you try to become, the more fragile you become, and the bigger the fall you will experience when it comes, and Taleb strongly uses the word “when”, not “if”.</p>
<p>If you’re about to hit a wall while driving a car, there is a major difference between hitting it at 100 miles per hour and hitting it at 0.1 miles per hour: at 100 miles per hour you would probably not survive, while at 0.1 miles per hour chances are you will be OK. The same goes for jumping down 100 meters &#8211; if you do it in one go you will break every bone in your body, but if you do it in one million small steps you would not feel it. Speed has a huge effect on the impact of black swans.</p>
<h2>Crash Test Dummies</h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2012/01/01/antifragility-and-the-year-of-the-cut/"><img src="http://img.youtube.com/vi/vIbcqgXh5-4/2.jpg" alt="" /></a></span>
<p>Because fragile systems fear randomness so much, they tend to be designed in a top-down structure, with a lot of thought invested in them; but since there are always invisible and unpredictable events, those systems end up exposed to the harm of black swans. When an unplanned negative event occurs, its result cancels out all the benefit the design was supposed to provide by trying to prevent it.</p>
<p>Before I continue, here is a simple way to describe a very important aspect of risk – convex and concave. The convex (the face on the left) is antifragile, while the concave (the face on the right) is fragile (has negative convexity effects).</p>
<p><a href="http://infoseq.files.wordpress.com/2012/01/the-convex-left-is-antifragile-the-concave-right-is-fragile-has-negative-convexity-effects.png"><img class="alignnone size-full wp-image-426" title="The convex  (left)  is antifragile, the concave (right) is fragile (has negative convexity effects)" src="http://infoseq.files.wordpress.com/2012/01/the-convex-left-is-antifragile-the-concave-right-is-fragile-has-negative-convexity-effects.png?w=627&#038;h=364" alt="" width="627" height="364" /></a></p>
<p>To understand the difference in a black swan’s impact on convex vs. concave (negative convex), see below the Gain vs. Pain example &#8211; convex, antifragile, is the upper curve; concave (negative convex), fragile, is the lower.</p>
<p><a href="http://infoseq.files.wordpress.com/2012/01/gain-vs-pain-convex-antifragile-upper-vs-concave-negative-convex-fragile-lower.png"><img class="alignnone size-full wp-image-430" title="Gain vs. Pain - convex, antifragile (upper) vs. concave (negative convex), fragile (lower)" src="http://infoseq.files.wordpress.com/2012/01/gain-vs-pain-convex-antifragile-upper-vs-concave-negative-convex-fragile-lower.png?w=627" alt=""   /></a></p>
<p>Fragile systems are prone to negative asymmetries, negative convexity effects. Take for example projects, or flights – both extremely complex and [<em>theoretically</em>] optimized processes, and almost always, any unplanned negative event ends up causing horrible delays. Increasing uncertainty in the system causes an augmentation of mostly (sometimes only) negative outcomes. Antifragile systems, however, are prone to positive asymmetries, positive convexity effects. Increasing randomness and uncertainty in the system raises the probability of very favorable outcomes, and accordingly expands the expected payoff. Let me give you an example of antifragility – hackers usually don’t really mind the reward they are being offered, they do it for the sake of doing, and negative “counter attacks” actually make them even more upset.</p>
<p>After 20 years of working in IT, I found Professor Taleb’s argument to be extremely correct. I was fortunate to work in some of the most advanced redundant IT environments, some of the most secure IT environments, and some of the most regulated IT environments out there &#8211; all of which failed at some point. Sometimes it was a human mistake, sometimes a hardware failure, sometimes a software problem, and sometimes a failed security mechanism. Sometimes we didn’t even know why our systems failed. At the end of the day, what matters most is the impact – and the impact of serious failures in those extremely optimized systems was always huge.</p>
<h2>Give me some skin</h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2012/01/01/antifragility-and-the-year-of-the-cut/"><img src="http://img.youtube.com/vi/1SLrC206-sM/2.jpg" alt="" /></a></span>
<p>If you wonder why failure occurs in fragile systems, Taleb has an answer. In a recent interview Taleb was as direct as always: &#8220;<em>The fragility of the whole system comes from two elements: the ability to hide the risks, and the fact that people have no &#8216;skin in the game’</em>&#8221;.</p>
<p>Anything organic benefits from and needs randomness; it makes it grow. The problem is that when a system grows, it starts to become inorganic. The bigger the system, the greater the chance that there will be some people who have no direct stake in whatever their decisions or participation bring, or as Taleb calls them, “people with no skin in the game”. The people with “no skin in the game” keep the results of successes, transfer the failures down onto others and assign their own risks to others. Then there are those who “have skin in the game”, who keep their own failures and take their own risks. And finally, there are those who have their soul in the game – those are the people who carry others’ downside on their shoulders, and give their upside to others.</p>
<p>Here is a table that <a href="http://www.fooledbyrandomness.com/notebook.htm">Taleb provided</a> on the subject, with one small addendum I’ve added <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<table width="100%" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" width="33%">
<p align="center">NO SKIN IN THE GAME</p>
</td>
<td valign="top" width="33%">
<p align="center">SKIN IN THE GAME</p>
</td>
<td valign="top" width="33%">
<p align="center">SKIN IN THE GAME FOR THE SAKE OF OTHERS,<br />
OR<br />
SOUL IN THE GAME</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center"><em>(Keeps upside, transfers downside to others, long a hidden option at someone else’s expense)</em></p>
</td>
<td valign="top" width="33%">
<p align="center"><em>(Keeps his own downside, takes his own risk)</em></p>
</td>
<td valign="top" width="33%">
<p align="center"><em>(Takes the downside on behalf of others, or universal values)</em></p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Bureaucrats</p>
</td>
<td valign="top" width="33%">
<p align="center">Citizens</p>
</td>
<td valign="top" width="33%">
<p align="center">Saints, Knights, Warriors, Soldiers</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Cheap talk ( “tawk” in Fat Tony’s lingo)</p>
</td>
<td valign="top" width="33%">
<p align="center">Actions, no tawk</p>
</td>
<td valign="top" width="33%">
<p align="center">Expensive talk</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Consultants, sophists</p>
</td>
<td valign="top" width="33%">
<p align="center">Merchants, Businessmen</p>
</td>
<td valign="top" width="33%">
<p align="center">Prophets, Philosophers (in the pre-modern sense)</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Businesses</p>
</td>
<td valign="top" width="33%">
<p align="center">Artisans</p>
</td>
<td valign="top" width="33%">
<p align="center">Artists</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Corporate Executives (with suit)</p>
</td>
<td valign="top" width="33%">
<p align="center">Entrepreneurs</p>
</td>
<td valign="top" width="33%">
<p align="center">Innovators</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Theoreticians, data miners, observational studies</p>
</td>
<td valign="top" width="33%">
<p align="center">Laboratory and field experimenters</p>
</td>
<td valign="top" width="33%">
<p align="center">Mavericks</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Centralized government</p>
</td>
<td valign="top" width="33%">
<p align="center">Government of city states</p>
</td>
<td valign="top" width="33%">
<p align="center">Municipal government</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Editors</p>
</td>
<td valign="top" width="33%">
<p align="center">Writers</p>
</td>
<td valign="top" width="33%">
<p align="center">Great writers</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Journalists</p>
</td>
<td valign="top" width="33%">
<p align="center">Speculators<br />
Those journalists who <em>expose</em> frauds (powerful regimes, corporations)</p>
</td>
<td valign="top" width="33%">
<p align="center">Rebels</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Politicians</p>
</td>
<td valign="top" width="33%">
<p align="center">Activists</p>
</td>
<td valign="top" width="33%">
<p align="center">Dissidents,<br />
Revolutionaries</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Bankers</p>
</td>
<td valign="top" width="33%">
<p align="center">Traders (own funds)</p>
</td>
<td valign="top" width="33%">
<p align="center">(They would not engage in vulgar commerce)</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Fragilista Prof. Dr. Bernanke,&#8230; (most academics and other halfmen)</p>
</td>
<td valign="top" width="33%">
<p align="center">Fat Tony</p>
</td>
<td valign="top" width="33%">
<p align="center">Nero Tulip</p>
</td>
</tr>
<tr>
<td valign="top" width="33%">
<p align="center">Risk Vendors</p>
</td>
<td valign="top" width="33%"></td>
<td valign="top" width="33%">
<p align="center">Taxpayers (not quite voluntarily soul in the game, but they are victims)</p>
</td>
</tr>
<tr>
<td style="text-align:center;" valign="top" width="33%"></td>
<td style="text-align:center;" valign="top" width="33%"><strong> IT Security personnel</strong></td>
<td valign="top" width="33%">
<p align="center"><strong>Hackers</strong></p>
</td>
</tr>
</tbody>
</table>
<h2>Intellectual nightmare</h2>
<p>People look at systems and love to imagine that if they optimize them, they will become better (this is true for IT, financial, governmental, and organizational systems). If you dare to disturb their utopian dream that optimization means a better future you will be hammered (AKA the “shoot the messenger” syndrome). Surprisingly, and contrary to common belief, intelligence doesn’t really help here &#8211; Taleb argues that the more intellectual you are, the more you fall in love with the theory your brain gives to reality (AKA perception), and that is dangerous because you become blinded to the uncertainty of reality. In his lecture he called it “denial of antifragility”, but Lao Tzu already told us about it 6 centuries before the birth of Christ in his “<a href="http://en.wikipedia.org/wiki/Tao_Te_Ching">Tao Te Ching</a>”:</p>
<p><em>    The Way that can be told of is not an unvarying way;</em></p>
<p><em>    The names that can be named are not unvarying names.</em></p>
<p><em>    It was from the Nameless that Heaven and Earth sprang;</em></p>
<p><em>    The named is but the mother that rears the ten thousand creatures, each after its kind.</em></p>
<p>In my career I was involved in an endless number of projects &#8211; I was a project leader, technical lead, member of the design team, member of the implementation team, or just a person who was informed of the project. In all those projects I did what I have done ever since I was a child – I challenged “the system” when it came to the pre-assumptions, especially with regard to risks. I can sadly say that if you think it is only school teachers who do not like the kid who asks too many questions, wait till you meet some managers who try to protect their baby – AKA the IT system they are in charge of. I remember once a conversation with an extremely bright manager who was supposed to review the design I had made for a system. As I was explaining to him the controls I had implemented for every possible problem I could think of, he looked at me puzzled and said “Uri, I’m not going to approve it, this is too much, and we never had the problems you talk about”. My design was rejected, and in the end the project ended a year later than expected, because many of the problems I was afraid of occurred and the more “standard, simplified design” that was chosen had no controls to cover them.</p>
<h2>Let the Chaos begin</h2>
<p><strong>“Small differences in initial conditions yield widely diverging outcomes for chaotic systems, rendering long-term prediction impossible in general”</strong></p>
<p>“In the Wake of Chaos: Unpredictable Order in Dynamical Systems”, Stephen H. Kellert, University of Chicago Press, 1993.</p>
<p>Models and tools used for measuring risk-taking eventually lead to higher levels of risk. Here is an example Taleb gave: suppose you&#8217;re flying from Israel to Cyprus and the pilot says: &#8220;Well, I don’t have a map of Cyprus, but I have a map of Tokyo. I don’t have anything better, but that’s better than nothing.&#8221; What will you do? Probably get off the plane. Now, when I tell people who teach risk that they use the wrong methods, they tell me: &#8216;you are talking high, Professor Taleb, but you never offered us a method of your own’. To me, it’s like stepping over to the cockpit, and after you tell the pilot that it’s crazy to try to fly to Cyprus with a map of Tokyo he tells you: &#8216;you’re talking high, but you did not offer me your own map’. That’s not a valid reason to use wrong maps, nor a valid reason to use wrong risk models.</p>
<p>As I wrote in my previous post “<a href="../2011/12/18/the-metrics/">the metrics</a>”, when it comes to estimating the human risk in information security we are sort of clueless. Since all IT systems have human elements, it means that all the current risk models that do not assume a worst-case scenario for the human elements are inaccurate by definition.</p>
<p>This is also true for “pure” technical systems, for which we can devise statistical models more easily. Take for example S.M.A.R.T. The <strong>S</strong>elf-<strong>M</strong>onitoring, <strong>A</strong>nalysis and <strong>R</strong>eporting <strong>T</strong>echnology is used by all hard disk manufacturers as a monitoring system to detect and report on various indicators of reliability, in the hope of anticipating failures. In 2007 Google, which had more than 100,000 hard disks, discovered that a large proportion of the drives that failed did so without giving any S.M.A.R.T. warnings at all, meaning that S.M.A.R.T. data alone was of limited usefulness in anticipating failures. MTBF (<strong>M</strong>ean <strong>T</strong>ime <strong>B</strong>etween <strong>F</strong>ailure) does not help you when your hard disk crashes two days after you bought it, a day after you transferred all your family albums to it.</p>
<p>Highly complex systems – whether financial, electrical, IT-oriented or human-oriented – follow chaos theory models more than straight prediction models. As I wrote in “<a href="../2011/12/22/men-without-hats-are-living-on-the-edge/">men without hats are living on the edge</a>”, organizations rely on repeated processes which they try to optimize, so the idea of admitting that their system is chaotic goes against the main theme of the system. This is why economists, politicians, IT management and practically all “experts” fail so many times – because they tend to use the wrong prediction methodology.</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2012/01/01/antifragility-and-the-year-of-the-cut/"><img src="http://img.youtube.com/vi/vsO7kzPXO8Y/2.jpg" alt="" /></a></span>
<h2>The Year of the Cut</h2>
<p><strong><em>She doesn&#8217;t give you time for questions</em></strong></p>
<p><strong><em>As she locks up your arm in hers</em></strong></p>
<p><strong><em>And you follow till your sense of which direction</em></strong></p>
<p><strong><em>Completely disappears</em></strong></p>
<p><strong>[Al Stewart, “Year of the Cat”]</strong></p>
<p>Today is the 1<sup>st</sup> of January 2012, and we started the year with very tough conditions. <a href="http://www.bbc.co.uk/news/world-europe-16377010">European leaders have warned of a difficult year ahead, as many economists predict recession in 2012</a>. In the US, the situation is already bad: <a href="http://www.usatoday.com/news/nation/story/2011-12-15/poor-census-low-income/51944034/1">1 in 2 people are poor or low-income</a>, the <a href="http://www.thefiscaltimes.com/Articles/2011/12/27/Americas-Best-Kept-Secret-Rising-Suburban-Poverty.aspx">suburbs are collapsing</a>, and I don’t even dare to mention the country deficit.  While China seems to bypass everyone else, the problem is that china is extremely fragile due to the speed it evolved in recent years, and the inflexibility it showed handing events like riots in rural areas.</p>
<p>Organizations have been doing everything to become more optimized, via initiatives like LEAN sigma six, CMMI (Capability Maturity Model Integration), Continuous Process Improvement and more. The problem is that the way most organizations used those methodologies caused their organizations to become even more exposed to risk, as most organizations used those methodologies to “cut waste”, initiative which led to “optimization”. What organizations should have invested their energy in was in trying to become antifragile, but as was mention before this is against the nature of most organizations.</p>
<p>What this means is that most organizations are arriving to this uncertain times in a very vulnerable state. They are fragile, and instead of working on becoming antifragile their leadership who has no skin in the game lead them to a disaster.</p>
<p>If you want, as an organization, to survive the upcoming turmoil, you have one way to do so – you need to start embracing into your organization people who have skin in the game for the sake of others. Yes, those pesky Saints, Knights, Warriors, Soldiers, Prophets, Philosophers (in the pre-modern sense), Artists, Innovators, Mavericks, Great writers, Rebels, Dissidents, Revolutionaries; listen to your Taxpayers, and above all – hail the Hackers. The more your organization is made up of those people, the better your chance of survival. Embracing transparency and openness is the way forward.</p>
<p>For those of us who work in IT, antifragility has huge implications. First of all, it questions many of the paradigms risk departments are built upon. Second, it questions the cornerstones of most IT organizations. Take for example IT governance &#8211; does it mean that IT governance is not important? I don’t think so – it is just that it is overestimated, because the organization either ignores or is not aware of the risks it engraves in the system. It also means that bigger is not only more powerful, but also more dangerous; it means that centralized IT procurement is far more risky than we admit it is, and above all &#8211; it should require IT people to stop trying to fight hackers and instead learn to use their power to make the organization grow. As Taleb says, candles fear the wind, but the fire rejoices in it. Sustainable IT will be achieved when our IT organizations learn how to utilize the power of hackers instead of tumbling because of them. At the end of the day, they might be the best chance of survival the organization has.</p>
<h2>Addendum</h2>
<p>I wanted to add one point, which I believe is important. Some organizations (be they business, governmental, non-profit organizations and even many religions) tend to look at any person, political group or ideology which seems to contradict their core values as a possible source of black swans. Yet the &#8220;solution&#8221; they have to that is to try and &#8220;end that problem&#8221; via many means &#8211; some of them polite, some ugly, and some pretty much human rights violations. What we can learn from Taleb is, first, that it does not last &#8211; not forever, which is pretty much the holy grail of religions (the oldest organizations around). So if some religions didn&#8217;t make it to the hall of fame, let me assure you &#8211; no one can promise you that the faith you hold right now will stay around forever. If you think I&#8217;m wrong I have one word for you: Pharaohs. And second &#8211; you&#8217;re not going to turn your fragile organization/society into a robust one by taking down those who criticize it. If you do so, all you do is hide risks and increase the bigger risk that the individuals who control it will end up causing more damage than if you had allowed other individuals to object to their leaders. The only solution is to turn the organization/society into an antifragile one. But how to do it &#8211; well, that&#8217;s a subject for a whole other long discussion on how we can make our societies and organizations antifragile&#8230; :)</p>
<p>© All Rights Reserved 2011.</p>
]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2012/01/01/antifragility-and-the-year-of-the-cut/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>

		<media:content url="http://infoseq.files.wordpress.com/2012/01/black-swan-events-in-linear-vs-non-linear-systems.png" medium="image">
			<media:title type="html">black swan events in linear vs. non linear systems</media:title>
		</media:content>

		<media:content url="http://infoseq.files.wordpress.com/2012/01/the-convex-left-is-antifragile-the-concave-right-is-fragile-has-negative-convexity-effects.png" medium="image">
			<media:title type="html">The convex  (left)  is antifragile, the concave (right) is fragile (has negative convexity effects)</media:title>
		</media:content>

		<media:content url="http://infoseq.files.wordpress.com/2012/01/gain-vs-pain-convex-antifragile-upper-vs-concave-negative-convex-fragile-lower.png" medium="image">
			<media:title type="html">Gain vs. Pain - convex, antifragile (upper) vs. concave (negative convex), fragile (lower)</media:title>
		</media:content>
	</item>
		<item>
		<title>Men without hats are living on the edge</title>
		<link>http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/</link>
		<comments>http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 23:10:34 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=377</guid>
		<description><![CDATA[Men without hats are living on the edge How to solve the Clash between ethics, personal integrity, &#8220;the system&#8221; and hacking? A special post for the holiday season. By Uri Biber CISA/CISM/CISSP/CRISC, member of the Neuroleadership institute. Should a hacker ever give up his values and belief system, and if so, when? This blog is [...]]]></description>
			<content:encoded><![CDATA[<h1><strong>Men without hats are living on the edge</strong></h1>
<h2><strong>How to solve the Clash between ethics, personal integrity, &#8220;the system&#8221; and hacking? A special post for the holiday season.</strong></h2>
<h3><strong>By Uri Biber CISA/CISM/CISSP/CRISC, member of the Neuroleadership institute.</strong></h3>
<h4><strong>Should a hacker ever give up his values and belief system, and if so, when? This blog is about the clash of personal belief with reality, and why a newly defined international standard can help us reach a more universal definition of what is good and what is bad.</strong></h4>
<p><strong>A</strong>bout a month and a half ago a gambling company located in Gibraltar contacted me. They found my CV on Monster, they saw I was interested in a new role (<a href="http://be.linkedin.com/pub/uri-biber/0/99b/703"><strong>still do</strong></a>) and so they asked me if I wanted to work for them. When I told my friends and family about it, it brought upon me a rain of criticism from some of them, who said to me &#8220;You? Work for the gambling industry? How can you work in such an unethical place?&#8221;, and this brings me to the subject of this blog &#8211; the explosive subject of ethics, morals, and universal truth.</p>
<h2><strong>Fast Forward</strong></h2>
<p><strong>W</strong>atching the movie “<a href="http://www.imdb.com/title/tt1124035/">The Ides of March</a>” felt like watching a fast forward of my life as an IT professional. In the movie <a href="http://www.imdb.com/name/nm0331516/">Ryan Gosling</a> plays the main character – a young man by the name of Stephen, an idealistic staffer for a presidential candidate, who gets a crash course in dirty politics during the campaign. The movie was directed by George Clooney and included amazing supporting actors such as Philip Seymour Hoffman, Paul Giamatti, Evan Rachel Wood and Marisa Tomei.</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/"><img src="http://img.youtube.com/vi/McCt-_yYLpo/2.jpg" alt="" /></a></span>
<p><em>(The title of the movie “Ides of March” is based on the fact that the 15th of March was a festive day dedicated to the god Mars, and also the day that Julius Caesar was murdered, in 44 B.C.)</em></p>
<p><strong>A</strong> lot of us start our careers being very idealistic, which gives us a wonderful power – it motivates us to do more than others, it helps us make a bigger effort as we see the target in front of our eyes. We believe, and belief systems are what make us feel that the universe around us makes sense. Yet when reality comes crashing down on us, it is painful. The subject of losing your innocence during your professional life is something that is rarely discussed openly during working hours. Sure, some people will find other people to share their disagreement with &#8220;the system&#8221;, but when we are forced to do something which stands totally against either our professional or personal principles it leads to a different reaction. Giving up our &#8220;core values&#8221; causes a range of reactions: some will claim that what they did didn’t contradict their moral stand, and by doing so act like a rape victim who hides the trauma deep within their subconscious. Some will try to minimize it, others only talk about such events with very close friends, and some will not talk about it at all. Most people rarely talk about this, the same way alcoholics are not that happy to talk about the fact that they are killing themselves.</p>
<h2><strong>Young and Naïve</strong></h2>
<p><strong>W</strong>hen I moved to Brussels with my family in 2001, I was extremely happy. After managing the IT of a big pharmaceutical company I was offered a promotion – a position in Brussels, in the EMEA (Europe, Middle East and Africa) regional headquarters, doing a job I had always wanted to do – coordinating various security and partner connectivity requests in our region. The role of my colleague and me was to help the business establish secure information exchange with various partners in the region. At least once a month we had a meeting with the people who were coordinating the activities on the other side of the ocean, at the headquarters in the US. One of my colleagues, an extremely smart guy by the name of Larry who had worked in the field for many years, had a sentence that he used to say from time to time, and I must admit that when he said it I sometimes got upset. The sentence was “ah…Uri, he’s so young and naïve”.</p>
<p>Larry said it because we used to get a lot of business requests for connecting our company to other companies (or vice versa), and sometimes I would get a business request that made me feel as if someone was asking me to sell my little daughter. Let me think of one… OK, here’s an example, but please remember it is really not a real one (I hope LOL): “<em>We wish to establish automated FTP to transfer information during a clinical trial. We need it by next week; can you please approve it ASAP so we could tell the network guys to implement it?</em>”. As I was reading it, I was adding in my mind the missing parts of the request: “We wish to establish (<strong>insecure</strong>) automated FTP to transfer (<strong>sensitive personal patient</strong>) information during a clinical trial. We need it next week; can you please approve it ASAP?”</p>
<p>This was usually the point at which I used to call the business unit that requested it, and explain to the person who sent me the request that we had a process in place that could give him a much more secure alternative. Most of the time the conversation worked, but sometimes I met very dedicated people who didn’t really give a $!@# about information security, and who wanted things to be done “their way”. Obviously I was unable to approve it…and obviously it ended up with that person complaining to his management (usually a VP) that “the IT security people are trying to destroy our clinical trials”. The fact that if that information had been leaked our whole company could have faced a huge legal action was something most of them forgot to mention. This was usually the time when my refusal to give up on security caused my manager to get involved (and gave Larry reasons to mention my naïveté again).</p>
<p>I was extremely fortunate that my senior director, the person who was in charge of IT operations in EMEA, was a rare leader who had gained a lot of respect through his professionalism. He backed us; even when we made mistakes he still backed us (but made sure we would learn from them), and having a manager who will fight for you is not an obvious thing. While I was fortunate to have such managers in that company and others, some other managers I had were known for not providing the required backing to the people who worked for them, and when this happened, it brought a dilemma:</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/"><img src="http://img.youtube.com/vi/oCmyMyHWY1o/2.jpg" alt="" /></a></span>
<h2><strong>Should I stay or should I go?</strong></h2>
<p>At some point in your life as an information security expert you’re going to feel like Stephen Meyers, the hero of the movie “The Ides of March”. You come to work with a clean ideological view of security, and then you meet reality, or the politics of business. That’s part of the game, and no matter how much other people tell you about it and warn you about it, you will not understand it until you, yourself, are required to make a decision – will you give them what they want (and by doing so not follow your personal ethical standards), or will you move on?</p>
<p>I call it the coin point &#8211; you are given a coin, and you are asked to decide which side to choose.</p>
<p>The first side says “give them what they want”, even though it stands against your professional or personal values. Some people say “I don’t care, it’s their own darn problem if something goes wrong”, which always reminds me of a play called “<a href="http://en.wikipedia.org/wiki/Rhinoceros_%28play%29">Rhinocéros</a>”, written in 1959 by Eugène Ionesco. It’s a play about how people prefer to become part of the herd just so they will not need to face any moral dilemmas. So yes, you can choose to do so, but it comes with the cost of losing yourself. Some people give up on their moral stand because they understand that if they don’t, they will not work there anymore, and leaving &#8220;a system&#8221; is a painful experience. At the beginning people tell themselves it’s the last time they will do so, but at the end of the day, when you give up your professional or personal values you put yourself in the same spot as any beaten wife does when she (or he) tells herself (or himself) that it’s the last time they will do it. When you do it long enough, the end result is that you become part of the system.</p>
<p>The other side of the coin says “leave”. Now that’s a hard one – if you leave it means you give up, and hackers are not really known for giving up that easily. I don’t mean leaving because you are getting a better offer somewhere else, or because of a reorganization – I mean leaving because you felt the workplace did not match your professional or personal integrity. It did happen to me, twice in my life, and while it brought some imbalance to my financial state I think those were necessary steps in my personal development. I think when you’re younger it is easier to do so, both because you don’t yet understand that this game is occurring everywhere, and because when you’re young the consequences are usually much less problematic (“Hey mom/dad, I just quit my job – can I move back to your place for a while?”). And sure, sometimes leaving is not really an option:</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/"><img src="http://img.youtube.com/vi/_QvUD1YEXLc/2.jpg" alt="" /></a></span>
<h2><strong>Living on the Edge</strong></h2>
<p>This brings us to the last option. Each and every coin has an edge, and everyone knows how to spin a coin &#8211; you make it stand on its edge and by providing a burst of energy targeted at one of its sides you can make it spin. Now spinning coins are amazing – they are shining, they are fast, but they are also very vulnerable (and people do take advantage of this state of yours). You cannot spin forever, and any disturbance to the coin, by unbalancing the surface it is turning on or by trying to touch it, will automatically make it fall on a side. So yes, there is a third option to a professional and personal dilemma – you can spin. You can choose not to choose, and try to wait out the storm, but you can only do it for a short period of time, and only if you’re balanced enough (physically, mentally, emotionally and professionally). Most of the time, you risk falling on a side without any prior warning (and with or without people who will be &#8220;helping&#8221; you fall).</p>
<h2><strong>Back to Hack</strong></h2>
<p><strong>T</strong>he subject of the breaking down of one’s innocence is a great theme for movies and a repeated pattern throughout the lives of most of us, but for hackers such an event is usually very visible and most of the time carries a very high personal penalty, regardless of whether they are inside the system or challenge it from outside. This was the subject of (yet another) movie called “<strong><a href="http://en.wikipedia.org/wiki/Hackers_Wanted">Hackers Wanted – director’s cut</a></strong>”. The movie was never released, and was only <a href="http://torrentfreak.com/director-sam-bozzo-on-bittorrent-and-the-movie-industry-100613/">unofficially leaked to the internet</a> last year (2010 – get the director&#8217;s cut which runs for 1:10:40). Directed and written by Sam Bozzo and narrated by Kevin Spacey, it explored the origins and nature of hackers and hacking by following the adventures of the hacker <a href="http://en.wikipedia.org/wiki/Adrian_Lamo">Adrian Lamo</a>, and contrasting his story with that of controversial figures throughout history. For those who don’t know who Lamo is, he is the guy who broke into the New York Times, Yahoo, and Microsoft in 2002 just for the sake of breaking in and showing their security failures. He is now in hiding in fear for his life, after he turned in <a title="Bradley Manning" href="http://en.wikipedia.org/wiki/Bradley_Manning">Bradley Manning</a>, who <a title="Internet leak" href="http://en.wikipedia.org/wiki/Internet_leak">leaked</a> hundreds of thousands of sensitive U.S. government documents to WikiLeaks. <a href="http://en.wikipedia.org/wiki/Kevin_Mitnick">Kevin Mitnick</a>, <a href="http://en.wikipedia.org/wiki/John_Draper">Captain Crunch</a>, <a href="http://en.wikipedia.org/wiki/George_Hotz">GeoHot</a> and Lamo paid for their curiosity. Kevin Mitnick was thrown into federal prison for 4 years without trial (out of which 8 months were in solitary confinement). Captain Crunch was beaten up by the mafia for refusing to tell them how he phreaked the telephone system, and then when he was thrown into prison he was stabbed, causing him physical damage. GeoHot almost went to prison and was forced to commit to never hacking any Sony system again after exposing the encryption keys of the PS3. And finally, in 2004 Lamo was sentenced to six months’ detention at his parents&#8217; home plus two years’ probation, and was ordered to pay roughly $65,000 in restitution.</p>
<p><strong>T</strong>he examples above are just a hint of the many examples I am aware of. On the one hand, organizations, governments, political and ideological groups use hackers all the time, either to provide them with protection or to turn their knowledge into a modern electronic warfare human weapon. On the other hand, the same groups fear anyone who is hacking for what seems to those groups to be against their causes, and those people are treated harshly and many times mercilessly. On the one hand, hackers are there to challenge the system; on the other hand, the system they operate within can be viewed as a repeated process (true for any organization, whether business, NGO or government), and due to the wish to optimize that process most organizations don&#8217;t like (hate?) changes and challenges. The end result, many times, is a Clash&#8230;</p>
<p><span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/"><img src="http://img.youtube.com/vi/f2aItuM1-J4/2.jpg" alt="" /></a></span></p>
<h2><strong>Ethics 101</strong></h2>
<p>This brings me to the reason I wrote this blog &#8211; the subject of ethics and hacking. Let&#8217;s start with a little Wikipedia:</p>
<p><strong>Ethics</strong>, also known as <strong>moral philosophy</strong>, is a branch of <a title="Philosophy" href="http://en.wikipedia.org/wiki/Philosophy">philosophy</a> that addresses questions about <a title="Morality" href="http://en.wikipedia.org/wiki/Morality">morality</a>—that is, concepts such as <a title="Good and evil" href="http://en.wikipedia.org/wiki/Good_and_evil">good and evil</a>, right and wrong, <a title="Virtue" href="http://en.wikipedia.org/wiki/Virtue">virtue</a> and <a title="Vice" href="http://en.wikipedia.org/wiki/Vice">vice</a>, <a title="Justice" href="http://en.wikipedia.org/wiki/Justice">justice</a> and <a title="Crime" href="http://en.wikipedia.org/wiki/Crime">crime</a>, etc.</p>
<p>How can you tell if you’re doing the right thing, ethically? After all, we all come from different cultures, and one culture’s perception of good is sometimes viewed by other cultures as “bad”. What one people believes in might seem like blasphemy to a big group of other people. Our world is diverse, so is our perception of it, and so are the ethics we &#8220;choose&#8221;. An ethical code is something very profound in humanity, something we all carry. The problem with ethical codes is that they are usually a direct result of the environment they were created in, and are as such very subjective. <a href="http://en.wikipedia.org/wiki/Al-Qaeda">Al-Qaeda</a> has an ethical code which is based on Islam, the Mafia in various countries has a different ethical code (for example <a href="http://businessethicsblog.com/2007/11/11/business-ethics-mafia-style/">Italian mafia ethics</a> are not the same as <a href="http://www.japansubculture.com/2011/10/the-yakuza-code-of-ethics-compliance-in-the-underworld/">Japanese Yakuza ethics</a>). The western world has a Judeo-Christian ethical code, and this can go on forever. We look at the others and measure their values via our own perception, via our own ethical framework, and because the ethical language is different we sometimes see the others as morally wrong.</p>
<p>The clash between different ethical views can lead to horrible results. Take for example a middle-aged Egyptian school inspector who came to the US in 1949 to learn about its education system. His name was <a href="http://en.wikipedia.org/wiki/Sayyid_Qutb">Sayyid Qutb</a>, and his view of the ethics and morals of the US influenced all of us. Qutb saw American society as causing Americans to become isolated beings, driven by primitive animal forces. His belief system made him join the Muslim Brotherhood upon his return to Egypt, and he became one of the movement’s leaders. He was arrested after Nasser came into power, and was tortured by Egyptians who had been trained by the CIA. This led him to become even more extreme in his views, and to see &#8220;selfish individualism&#8221; as the root of all evil. One of his students was <a title="Ayman Zawahiri" href="http://en.wikipedia.org/wiki/Ayman_Zawahiri">Ayman Zawahiri</a>, the ideological leader of Al-Qaeda (you can watch Adam Curtis’s TV series &#8220;<a href="http://www.youtube.com/watch?v=c4_vkIsKOU4">The Power of Nightmares</a>&#8221; to learn more). Human history is filled with clashes between different groups with different ethical views.</p>
<p>The clash of ethics re-emerges in the workplace, and sometimes you see one system (the country) and its regulations in clash with the ethical behavior of another system &#8211; a company. A good example of such an ethical clash is Apple, which has its headquarters in the US and would never dare to demand that its employees work under the same conditions the employees of its contractors work under. More about this soon.</p>
<h2><strong>Men Without Hats</strong></h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/"><img src="http://img.youtube.com/vi/AjPau5QYtYs/2.jpg" alt="" /></a></span>
<p><strong>W</strong>hen it comes to hacking we hear the word ethics endlessly. We have white hat, grey hat and black hat, and we define those terms based on the system they relate to &#8211; and I do not mean the technological system.</p>
<p><em>&#8220;<strong>white hat</strong>&#8221; refers to an ethical hacker, or a <a title="Computer security" href="http://en.wikipedia.org/wiki/Computer_security">computer security</a> expert, who specializes in <a title="Penetration testing" href="http://en.wikipedia.org/wiki/Penetration_testing">penetration testing</a> and in other testing methodologies to ensure the security of an organization&#8217;s <a title="Information systems" href="http://en.wikipedia.org/wiki/Information_systems">information systems</a>. Ethical hacking is a term coined by <a title="IBM" href="http://en.wikipedia.org/wiki/IBM">IBM</a> meant to imply a broader category than just penetration testing.<sup><a href="http://en.wikipedia.org/wiki/White_hat_%28computer_security%29#cite_note-Knight-1">[2]</a></sup> White-hat hackers are also called &#8220;<a title="Hacker (computer security)" href="http://en.wikipedia.org/wiki/Hacker_%28computer_security%29">sneakers</a>&#8221;, <a title="Red team" href="http://en.wikipedia.org/wiki/Red_team">red teams</a>, or <a title="Tiger team" href="http://en.wikipedia.org/wiki/Tiger_team">tiger teams</a>.</em></p>
<p>&#8220;<strong>grey hat</strong>&#8221; refers to a skilled <a title="Hacker (computer security)" href="http://en.wikipedia.org/wiki/Hacker_%28computer_security%29">hacker</a> whose activities fall somewhere between <a title="White hat (computer security)" href="http://en.wikipedia.org/wiki/White_hat_%28computer_security%29">white</a> and <a title="Black hat" href="http://en.wikipedia.org/wiki/Black_hat">black hat</a> hackers on a variety of spectra. It may relate to whether they sometimes arguably act illegally, though in good will, or to show how they disclose vulnerabilities. They usually do not hack for personal gain or have malicious intentions, but may be prepared to technically commit crimes during the course of their technological exploits in order to achieve better security. Whereas white hat hackers will tend to advise companies of security exploits quietly, grey hat hackers are prone to &#8220;advise the hacker community as well as the vendors and then watch the fallout&#8221;.</p>
<p>&#8220;<strong>black hat</strong>&#8221; refers to a <a title="Hacker (computer security)" href="http://en.wikipedia.org/wiki/Hacker_%28computer_security%29">computer security hacker</a> who breaks into networks or computers, or creates <a title="Computer viruses" href="http://en.wikipedia.org/wiki/Computer_viruses">computer viruses</a>. He is the <a title="Villain" href="http://en.wikipedia.org/wiki/Villain">villain</a> or <em>bad guy</em>, especially in a <a title="Western (genre)" href="http://en.wikipedia.org/wiki/Western_%28genre%29">western movie</a> in which such a character would stereotypically wear a black <a title="Hat" href="http://en.wikipedia.org/wiki/Hat">hat</a> in contrast to the <a title="Hero" href="http://en.wikipedia.org/wiki/Hero">hero</a>&#8216;s <a title="White hat (film)" href="http://en.wikipedia.org/wiki/White_hat_%28film%29">white hat</a>.</p>
<p><strong><em>Wikipedia</em></strong></p>
<p>So in a broad sense, the definition of which hat you wear as a hacker really depends on the environment you operate in, or the system you operate from within. If you are hired by a company to find their vulnerabilities and to report your findings to them &#8211; you&#8217;re a good guy. If you try to figure out different vulnerabilities by yourself &#8211; you might be considered a suspicious dude. And if you&#8217;re writing code which has malicious intent &#8211; well, watch out.</p>
<p>But I think the idea of &#8220;hats&#8221; is sort of pointless. If you develop code for a government that later uses it as an offense against another government (or, one system against another) you&#8217;re not considered a &#8220;black hat&#8221;. If you discover a vulnerability in a security product and your organization/government/system uses it as an offense to learn about the weaknesses of another organization/government/system, is it unethical? Not all the time &#8211; especially if the organization you’re targeting is a terrorist organization, or the government is one that tortures and kills its civilians just because they are gay, or wish to have a democratic election.</p>
<p>Chris MacDonald, Ph.D., is an educator, speaker, and consultant in the realm of business ethics. In a recent blog post entitled &#8220;<a href="http://businessethicsblog.com/2011/12/22/whats-legal-isnt-always-ethical/">What’s Legal Isn’t Always Ethical</a>&#8221; he explained that in all <em>legitimate</em> cases of law making, the law <em>always</em> has a moral purpose — generally, either to make people’s lives better and safer (e.g., seatbelt laws) or to protect some important right (e.g., food-labelling laws). But if everything that was legal were ethical, then there would be no possibility of finding a moral rationale for any new law.</p>
<p>So not only is it the case that not everything legal is ethical, but the opposite also holds &#8211; not everything that is illegal is also unethical, or as Chris MacDonald put it: &#8220;<em>Anyone who tells you, or simply implies, that whatever is legal is also ethical is most likely indulging in self-serving rationalizations.</em>&#8221;. This begs the question &#8211; how can you know what is ethical?</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/"><img src="http://img.youtube.com/vi/QivMqd00ibc/2.jpg" alt="" /></a></span>
<h2><strong>ISO 26000</strong></h2>
<p>As I wrote at the beginning of this post, a new international standard might be able to provide us with a much more objective and universal definition of what is good and what is bad. Last year a new ISO standard was approved. It is called <a href="http://www.iso.org/iso/pressrelease.htm?refid=Ref1366"><strong>ISO 26000</strong></a>, and it’s a standard for social responsibility. If you want to read the essentials of it, <a href="http://www.iso.org/iso/iso_catalogue/management_and_leadership_standards/social_responsibility/sr_discovering_iso26000.htm">you can do so here</a>.</p>
<p>The work on the standard began in 2005, and it was created because countries around the world agreed that humanity needs to ensure healthy ecosystems, social equity and good organizational governance. This International Standard was developed using a multi-stakeholder approach involving experts from more than 90 countries and 40 international or broadly-based regional organizations involved in different aspects of social responsibility. These experts were from six different stakeholder groups: consumers; government; industry; labour; non-governmental organizations (NGOs); and service, support, research, academics and others. In addition, specific provision was made to achieve a balance between developing and developed countries as well as a gender balance in drafting groups. The standard was approved with 94% of the countries supporting it (66 in total), and only 6% of countries rejected it (5 in total – Cuba, India, Turkey, Luxembourg and, totally (un)surprisingly, the USA).</p>
<p><a href="http://infoseq.files.wordpress.com/2011/12/iso-26000-7-core-subjects.png"><img class="alignnone size-full wp-image-394" title="ISO 26000 7 core subjects" src="http://infoseq.files.wordpress.com/2011/12/iso-26000-7-core-subjects.png?w=627" alt=""   /></a></p>
<p>A little bit about the standard. It covers 7 core subjects:</p>
<ol>
<li>Organizational governance</li>
<li>Human rights</li>
<li>Labour practices</li>
<li>The environment</li>
<li>Fair operating practices</li>
<li>Consumer issues</li>
<li>Community involvement and development</li>
</ol>
<p>For all of those core subjects, social responsibility is defined as a responsibility of an organization for the impacts of its decisions and activities on society and the environment, through transparent and ethical behaviour that:</p>
<ol>
<li>Contributes to sustainable development, including health and the welfare of society;</li>
<li>Takes into account the expectations of stakeholders (this also means customers, employees and the community you operate in, not only shareholders);</li>
<li>Is in compliance with applicable law and consistent with international norms of behavior; and</li>
<li>Is integrated throughout the organization and practiced in its relationships</li>
</ol>
<p>Last but not least, when it comes to ethics, the standard states that an organization&#8217;s behavior should be based on the values of honesty, equity and integrity.</p>
<p>Here is a schematic overview of the standard:</p>
<p><a href="http://infoseq.files.wordpress.com/2011/12/iso-26000-schematic-overview.png"><img class="alignnone size-full wp-image-395" title="ISO 26000 Schematic overview" src="http://infoseq.files.wordpress.com/2011/12/iso-26000-schematic-overview.png?w=627&#038;h=424" alt="" width="627" height="424" /></a></p>
<p>The European Union, via the European Commission, is already taking the standard seriously through a communication entitled &#8220;<a href="http://ec.europa.eu/enterprise/newsroom/cf/_getdocument.cfm?doc_id=7010">A Renewed EU Strategy 2011-14 for Corporate Social Responsibility</a>&#8221;. If you want to understand why the US was against it, you can <a href="http://www.heritage.org/research/reports/2011/11/csr-new-eu-strategy-threatens-us-and-european-companies">read the Heritage Foundation&#8217;s view on the subject</a>; they were alarmed to see a statement such as &#8220;The Commission intends to… monitor the commitments made by European enterprises with more than 1.000 employees to take account of internationally recognised CSR principles and guidelines, and take account of the ISO 26000 Guidance Standard on Social Responsibility in its own operations&#8221; in the document.</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/"><img src="http://img.youtube.com/vi/hfgwrdYUQ2A/2.jpg" alt="" /></a></span>
<h2>You can leave your hat on</h2>
<p>I love ISO 26000 because it brings a new factor to our work in information security. It is an internationally agreed upon standard, which expands the range of responsibility of each and every one of us from being required to comply with one system into being required to look at the broad implications of our operations. Here is an example: if you are faced with an angry director who is trying to force you to implement crappy security just because he thinks it’s a good idea to release an insecure system, you can look in the standard and see whether a security breach of that system could lead to ISO 26000 violations. After all, the standard talks about the fact that organizations that provide products and services to consumers (as well as other customers) have responsibilities to those consumers and customers. The standard also mentions specifically that organizations that collect or handle personal information have a responsibility to protect the security of such information and the privacy of consumers. If the system might leak customer information, it will make you ISO 26000 non-compliant. Or if the security of the system that you design might end up with a risk that the system will cause environmental damage, it will be (again) a violation of the ISO 26000 standard. So IMHO we can finally say we have a way to define what is good and what is bad, at least when it comes to the workplace, because it expands the responsibility of the organization from only the shareholders to the stakeholders.</p>
<p>The standard also puts more pressure on organizations because now, if they are hacked and were not transparent about it, a violation of ISO 26000 might have financial implications on an international scale. In the near future you will not be able to be in the supply chain of big manufacturers if evidence is provided that you violate the ISO 26000 standard.</p>
<p>And finally &#8211; if you work for the mafia, or for any other organization that does not take into account any of the core objectives of the ISO standard &#8211; congratulations &#8211; now you&#8217;re defined internationally as a member of an organization that is operating against humanity, including in your own country. You can leave your hat on &#8211; but if you are a real hacker you should also hack yourself and see whether you are a socially responsible hacker.</p>
<h1>Happy holidays and a great 2012 to everyone</h1>
<p><strong><em>(C) All Rights Reserved 2011.</em></strong></p>
]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2011/12/22/men-without-hats-are-living-on-the-edge/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>

		<media:content url="http://infoseq.files.wordpress.com/2011/12/iso-26000-7-core-subjects.png" medium="image">
			<media:title type="html">ISO 26000 7 core subjects</media:title>
		</media:content>

		<media:content url="http://infoseq.files.wordpress.com/2011/12/iso-26000-schematic-overview.png" medium="image">
			<media:title type="html">ISO 26000 Schematic overview</media:title>
		</media:content>
	</item>
		<item>
		<title>The Metrics</title>
		<link>http://infoseq.wordpress.com/2011/12/18/the-metrics/</link>
		<comments>http://infoseq.wordpress.com/2011/12/18/the-metrics/#comments</comments>
		<pubDate>Sun, 18 Dec 2011 20:42:26 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=348</guid>
		<description><![CDATA[The Metrics What does a mass murderer has to do with information security metrics? By Uri Biber, CISM/CISSP/CISA/CRISC, member of the NeuroLeadership Institute. A few days ago, on the 13th of December 2011 Belgians were shocked to discover that in Liege a gunman had killed 5 people and injured scores of people. To anyone who [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=infoseq.wordpress.com&amp;blog=14253607&amp;post=348&amp;subd=infoseq&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<div>
<h1>The <strong>Metrics</strong></h1>
</div>
<h2>What does a mass murderer have to do with information security metrics?</h2>
<p><strong>By Uri Biber, CISM/CISSP/CISA/CRISC, member of the NeuroLeadership Institute.</strong></p>
<p><img class="alignnone" src="http://www.confidentsolutionscoach.com/wp-content/uploads/2011/08/MP900398869.jpg" alt="" width="1050" height="750" /></p>
<p>A few days ago, on the 13<sup>th</sup> of December 2011 Belgians were shocked to discover that in Liege a gunman had killed 5 people and injured scores of people.</p>
<p>To anyone who doesn’t know where Belgium is, or where Liege is – I’ve enclosed a map below. If you can’t even identify Belgium in the small map I suggest searching for it – it might be small in size, but it compensates with its beer and chocolates. Liege is located about 60 miles or 90km to the east of the capital, Brussels.</p>
<p><img class="alignnone" src="http://i.telegraph.co.uk/multimedia/archive/02083/liege-map_2083154b.jpg" alt="" width="620" height="388" /></p>
<p>Below you can find some photographs from the horrifying incident.</p>
<p><img class="alignnone" src="http://www.deredactie.be/polopoly_fs/1.1175854!image/3153309593.jpg_gen/derivatives/landscape470/3153309593.jpg" alt="" width="470" height="264" /></p>
<h1>Profile of a killer</h1>
<p><img class="alignnone" src="http://www.deredactie.be/polopoly_fs/1.1177069!image/2685786091.jpg_gen/derivatives/landscape470/2685786091.jpg" alt="" width="470" height="264" /></p>
<p>This is the killer, a man by the name of <a href="http://www.bbc.co.uk/news/world-europe-16175795">Nordine Amrani</a>, of Moroccan origin. In 2008 he was sentenced to 58 months in prison after a cannabis growing factory with 2800 plants was discovered at his home, plus enough weapons for a typical Arnold Schwarzenegger movie (including a LAW rocket launcher, an AK-47 assault rifle, a sniper rifle, a K31 rifle, a FAL assault rifle and hundreds of cartridges). He was paroled in October 2010 by a sentencing court, and after receiving psychological guidance he moved to an apartment with his wife. It all ended last week.</p>
<p>Here’s a quote from <a href="http://www.deredactie.be/cm/vrtnieuws.english/news/111215_forensic">Belgian VRT</a>:</p>
<p><strong><em>Two days after the carnage Nordine Amrani inflicted on the Place Saint-Lambert in Liège, forensic psychiatrists have spoken of the difficulty to predict repeat offending in such cases. It has been established that a prison psychiatric report drawn up about the attacker in May of last year stated that there was no big risk that Nordine Amrani would commit any serious crimes in the future&#8230; Leuven forensic scientist Rudy Verelst says that it is difficult to predict whether or not a convicted criminal will return to his old habits: &#8220;We can&#8217;t say accurately whether anybody will become a repeat offender. There is a graduation which we can draw up using several instruments. We look at the subject&#8217;s life and his earlier offences. We can make a judgement but it&#8217;s not watertight.&#8221;</em></strong></p>
<p>During his evaluation the psychologists who tested him said he is not dangerous to society and even though the prison authorities gave a negative recommendation the sentencing court chose the mind experts. The “mind experts” were wrong.</p>
<p>What does this have to do with information security? Well, everything.</p>
<p>On the 7<sup>th</sup> of December I participated in an online RSA webinar called “<em>Metrics are Bunk!?: The Zombie Apocalypse, Baseball, and Security Metrics</em>”. The webinar was led by <a href="https://twitter.com/#!/alexhutton">Alex Hutton</a> and <a href="http://twitter.com/#!/joshcorman">Josh Corman</a>, showing the importance of metrics in everyday life, and how they make a difference vs. our own biased view of reality. The session was fascinating, and at the end of it I asked Alex and Josh a question on what kind of metrics we can use to identify human risks. The answer I received was that we can utilize different metrics to try to identify the risk that a specific person will conduct an information security breach.</p>
<p>The small, minor, insignificant problem is that the metrics currently used by information security experts are as effective as the metrics used to determine that Nordine Amrani <a href="http://www.telegraph.co.uk/news/worldnews/europe/belgium/8954994/Liege-attacks-gunman-Nordine-Amrani-had-no-history-of-mental-instability.html">was sane</a>.</p>
<p>The way most “experts”, including people in the information security field, approach the subject of human behaviour evaluation and behaviour prediction is mostly driven by the field of science they are practicing. In this post I will give some examples of the problems this brings; they hold for convicted prisoners, and they hold for end-users in small, medium and large organizations.</p>
<h2>Do not judge me</h2>
<p>Let’s start with the penal system – the justice system that tries to preserve the essence of the society we live in from what we think could be a human zombie-land. We punish people for their behaviour when they do something we believe is bad – each and every one of us based on his culture. If you were living in South Africa during the days of Apartheid you would be punished severely if you broke the racial laws of the country. If you are living in Saudi Arabia you would be punished if you are a woman driving without a male escort. If you are a gay person in a Muslim country like Iran and you have had gay sex, you are facing a risk of being hanged.</p>
<p>The problem with all those approaches is that they are based on behavioural models we developed as civilizations and religions WAY before we had any knowledge about the way our brain and body work. The more we start to understand the complexity of our brain and how much it defines people’s perception, the more it leads to <a href="http://reason.tv/video/show/eagleman-panel">very interesting ethical questions about our penal system</a>. You cannot “change” gay people to stop being gay, especially not by trying to scare them by telling them that if they have gay sex they will die. Preventing women from having equal rights because thousands of years ago their main role in society was to produce kids while we men were fighting endless wars does not correspond to the changes in society, the progress of technology and the advantages women have over men when it comes to some cognitive tasks. And thinking that because you’re white you’re better than a black person is well… simply sad.</p>
<p>The same bad assumptions follow us into our corporate rules. The deterrence approach, which defines consequences for employees’ activities, might look good on paper for auditors, but it does not provide any real means of handling the real problem, which is that it cannot be considered a control mechanism. You can’t scare people out of connecting to each other by telling them it’s bad, you can’t prevent people from connecting to your network via unauthorized devices just because you said it’s wrong, and you cannot tell people that if they are nice to other people they might risk their jobs.</p>
<h2>False commitments</h2>
<p>Shlomo Benartzi, who is a professor and Co-Chair of the Behavioral Decision-Making Group at UCLA, has recently stated in an interview that our brain has a very strange paradox when it comes to thinking about the future. “Humans are pretty bad when it comes to self-control in the present, but we don’t have any problem delaying gratification when the reward will be presented to us in the future. One research asked people to choose what they would eat in a week from that day, either a banana or chocolate, and to write down the answer on a piece of paper. Some chose chocolate, but most of the people chose the banana. A week later they invited the same group of people, told them that accidentally their answer papers were thrown away and asked them to eat what they had chosen. All of them took the chocolate. In the long term we have those fantasies that we will be acting responsibly, but in the present we all act like children.” (calcalist, 2011)</p>
<p>This is one of the reasons why information security training fails. As shown in recent <a href="http://gcn.com/articles/2011/04/04/diagnostics-user-awareness-campaigns.aspx">data from the Corporate Executive Board</a>, although 61% of organizations track user completion of training as the primary measure of success, <strong>only 7%</strong> say there is a demonstrable link between training and sustained behavior improvement.</p>
<p><img class="alignnone" src="http://gcn.com/articles/2011/04/04/~/media/GIG/GCN/Magazine%20images/2011/04042100/diagnostics_awareness_metrics_400.ashx" alt="" width="400" height="696" /></p>
<p>EVEN if your organization did a wonderful job in its information security awareness training (and most organizations have a very poor program, see my ranting in all my previous posts lol) – people might say they will behave responsibly and they will believe it – but when it comes to reality they will probably act totally differently, because at that point in time that is what their brain felt they had to do.</p>
<p>The approach of trying to scare them does not work, because if anything it will trigger in them a strong emotional response and raise their fear levels, and when fear is strong the ability of any person to think rationally is gone, because our brain at that stage is mainly being run by our emotional systems.</p>
<h2>We don’t know Jack</h2>
<p>Adding to the complexity of identifying who is more susceptible to a human manipulation attack by looking at “known patterns of behaviour”, people tend to totally ignore the fact that each and every one of us might totally alter their susceptibility through a change in biochemistry. And I’m not only talking about the obvious alcohol/drugs/hormones. Stress can have a huge impact on our ability to handle reality, yet we don’t even know how to quantify it.</p>
<p>Let’s take for example a person who is suffering from severe stress, which can cause the release of epinephrine, which is translated to adrenaline, which might be translated in his body to adrenochrome, which might be translated to adrenolutin. The last two, adrenochrome and adrenolutin, are hallucinogens – meaning they cause disorders of perception (disturbances of color and shape vision), thought disorder, altered social responses and paranoia of the type often seen in schizophrenia &#8211; but no vivid visual hallucinations of the LSD type (<em>“The Neurotoxicity of Glutamate, Dopamine, Iron and Reactive Oxygen Species: Functional Interrelationships in Health and Disease: A Review &#8211; Discussion”, 1999, John Smythies</em>).</p>
<p>Such a person can then go on and start shooting other people, or go on to act in a very unpredictable manner when it comes to information security – but as he does not suffer from the vivid visual hallucinations, his perception of reality does not give him any clue to the fact that his brain is now translating reality differently than before.</p>
<p>Because the transformation of adrenaline to adrenochrome is a result of oxidation, if you treat that person with niacin (B3) and change his diet his brain will calm down. Because we can change a person’s perception of the world and his social behaviour just by simply changing his diet and the stress levels he operates in, should we judge him based on the fact that now he is OK, or should we judge him based on the fact that when he conducted his actions his mind was hijacked by a chemical imbalance? We don’t know, and even worse – most of us don’t even consider such a possibility at all when we define our metrics.</p>
<p>I believe the current metrics used to identify a person’s readiness for human manipulation are useless. No one has come forward and presented a “live metrics” model for information security readiness because no one thinks of monitoring employees’ biochemical state. No one is thinking of monitoring their users’ biometric signals, and until we do so we are relying on statistics for our security. So even if you try to identify users who might have risky behaviour, any one of your employees (including yourself) might become one due to bad diet, light conditions, food and noise levels – and most likely they (or you) will not even be aware of it.</p>
<h2>Brain scam</h2>
<p>Now what about our brains? Can we find neurological metrics to identify people who have a higher risk of committing an information security felony, either intentionally or unintentionally?</p>
<p>This brings us to another problem &#8211; we have no idea whatsoever – at least from an academic standpoint.</p>
<p>Not only has very little academic research been done in the last 20 years on the subject of information security awareness, I think we need to consider what exists as not really useful. Many of the research papers that were published were based on surveys; some research was done on “real” people, but even so I am not aware of research with a control group, and I am also not aware of even one study that tried to check for subconscious, body-oriented signals etc. To my knowledge no one has ever put candidates inside an MRI machine, presented them with information security questions and seen what parts of their brain show increased activity (if you know of any academic research on the subject, please direct me to it, I’m very interested to know). Why does it matter what parts of the brain are active? Because if you don’t know which parts of the brain people are reacting with to a possible information security threat – how can you even begin to identify what type of people will pose a higher risk?</p>
<p>I don’t even dare dreaming of research that checks for more complex correlations between body state and mental state, like whether caffeine increases the ability to be more or less aware and responsible when it comes to information security, or <a href="http://online.wsj.com/article/SB10001424052748703778104576287121392285518.html">what the best wall colour is in order to increase information security awareness and response level</a>. Those are just two examples of environmental parameters that impact cognitive abilities, but no one seems to go down that path yet when it comes to our field and check them. Why? Probably because most of the people who work in information security were never trained in neuroscience, so those ideas seem bizarre to them, to say the least.</p>
<h2>A brave new world 2.0?</h2>
<p>As you saw, we are facing grave difficulties in trying to define usable metrics when it comes to prediction of human behaviour. If we want to reach a higher level of information security readiness we not only need to change our users’ behaviour, but also teach them ways to overcome what they are not aware of &#8211; and the second one is a really hard problem to solve. As this should be the subject of another, much longer post, I will leave you with a few tips:</p>
<ul>
<li>When it comes to changing user behaviour I strongly recommend reading and following the work of <a href="http://web.media.mit.edu/%7Esandy/">Alex Pentland</a> from MIT (especially “<a href="http://www.amazon.com/Honest-Signals-Shape-World-Bradford/dp/0262162563">Honest signals, how they shape our world</a>”) and try to implement his findings in the field of behavioural prediction and <a href="http://www.youtube.com/watch?v=PY7lUqOZv_E">behavioural change</a>.</li>
<li>When it comes to teaching users to find ways of overcoming internal changes I suggest looking into the field of <a href="http://en.wikipedia.org/wiki/Neurofeedback">neurofeedback</a>, and into the field of <a href="http://orthomolecular.org/">orthomolecular psychiatry</a>.</li>
<li>For the neurological related field, I suggest reading <a href="http://www.jonahlehrer.com/">Jonah Lehrer</a> and <a href="http://www.eagleman.com/">David Eagleman</a>.</li>
</ul>
<p>So the next time someone asks you for metrics for humans, you can simply quote William Shakespeare: “<strong>The fool doth think he is wise, but the wise man knows himself to be a fool.</strong>” [As You Like It]</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/12/18/the-metrics/"><img src="http://img.youtube.com/vi/RRZC4G1oIag/2.jpg" alt="" /></a></span>
<p>The more people will be aware of their lack of understanding, the wiser they will be, and the more secure they will become.</p>
<p>© All rights reserved 2011.</p>
]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2011/12/18/the-metrics/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>

		<media:content url="http://www.confidentsolutionscoach.com/wp-content/uploads/2011/08/MP900398869.jpg" medium="image" />

		<media:content url="http://i.telegraph.co.uk/multimedia/archive/02083/liege-map_2083154b.jpg" medium="image" />

		<media:content url="http://www.deredactie.be/polopoly_fs/1.1175854!image/3153309593.jpg_gen/derivatives/landscape470/3153309593.jpg" medium="image" />

		<media:content url="http://www.deredactie.be/polopoly_fs/1.1177069!image/2685786091.jpg_gen/derivatives/landscape470/2685786091.jpg" medium="image" />

		<media:content url="http://gcn.com/articles/2011/04/04/~/media/GIG/GCN/Magazine%20images/2011/04042100/diagnostics_awareness_metrics_400.ashx" medium="image" />
	</item>
		<item>
		<title>Play Dead</title>
		<link>http://infoseq.wordpress.com/2011/12/03/play-dead/</link>
		<comments>http://infoseq.wordpress.com/2011/12/03/play-dead/#comments</comments>
		<pubDate>Sat, 03 Dec 2011 20:18:40 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=321</guid>
		<description><![CDATA[Play Dead By Uri Biber CISM/CISSP/CISA/CRISC I was looking outside my window into the dark skies that cover the city of Brussels. It was 5:40 in the evening, and I was sad. When I was a child our surrounding nature gave us comfort, gave us a feeling of freedom, and provided us the ability to [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=infoseq.wordpress.com&amp;blog=14253607&amp;post=321&amp;subd=infoseq&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<h1>Play Dead</h1>
<p><strong>By Uri Biber CISM/CISSP/CISA/CRISC</strong></p>
<p>I was looking outside my window into the dark skies that cover the city of Brussels. It was 5:40 in the evening, and I was sad.</p>
<p>When I was a child our surrounding nature gave us comfort, gave us a feeling of freedom, and provided us the ability to learn without fear. But now, as the siren sounds rush through the streets of my neighbourhood and reaches my window I am thinking to myself on the level of freedom each and every one of us have.</p>
<p>It brought me back to the feeling I had a few days ago when I watched the latest Adam Curtis&#8217;s TV series called &#8220;<a href="http://topdocumentaryfilms.com/all-watched-over-by-machines-of-loving-grace/">All Watched Over By Machines Of Loving Grace</a>&#8220;. Broadcast on BBC, in this 3 part masterpiece Adam Curtis was connecting the dots on how our perception of a better world, one that will be running by itself via the aid of computers had caused economies to collapse. How the human crave for new technology gadgets had high implications on remote countries, how good intentions ended up igniting the genocide of millions and millions of people.</p>
<p>I do not wish to take away from you the pleasure of watching the series. It is the best TV series I have ever seen in my life because it touches a very deep truth about our existence. Trying to touch the subject of existence has always been a challenge, but this series manages to handle the subject in an incredible way.</p>
<p>This brings me to the latest WikiLeaks publication. Entitled &#8220;<a title="The Spy Files" href="http://wikileaks.org/spyfiles/list/releasedate/2011-12-01.html" target="_blank">THE SPY FILES</a>&#8220;, WikiLeaks stated: &#8220;On Thursday, December 1st, 2011 WikiLeaks began publishing <em>The Spy Files</em>, thousands of pages and other materials exposing the global mass surveillance industry&#8221;. So this time it will challenge a subject I am well familiar with. “Great” I thought to myself, as through the open window I could hear fast cars speeding down the road.</p>
<p>When I started to go over the documents WikiLeaks published I could not stop wondering how much of this endless amount of high technology is targeted against people like me, my kids, and my friends. Does the fact that just a few days ago a researcher had shown that <a href="http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/">mobile providers installed spyware on phones sold to their customers</a>, and that there are two types of law in the world – <a href="http://globalpublicsquare.blogs.cnn.com/2011/11/29/why-congress-can-freely-trade-on-insider-information/">one for normal people and one for politicians</a> – mean that freedom and privacy are just illusions, or are they reality? And what can I do to influence it, if anything?</p>
<p>That brings me back to yesterday. For some reason every girlfriend I ever had always suspected that I installed something on their computer. I told all of them that I never in my life did such a thing and that trust is the most important asset a relationship could have, and I really never did (I swear!) &#8211; but it never helped. Yesterday I had a conversation with one of my ex-girlfriends, and at some point I told her about the latest information security news. The minute I told her that, she just dismissed it, told me that I’m trying to scare her and brought back the “you probably tried to put spyware on my computer”. “You must be kidding me, right?” I asked her. “There are governments and companies and criminals that constantly spy on you, and all you think is that I put something on your computer?” Oh yes she did! It puzzled me, and only after talking to her for ten more minutes did I realize why she and so many other people do it. They do it because we, in the information security world, have been telling them something SO BIG they simply cannot grasp how to cope with it. I mean, it’s almost like someone tells you a meteor is about to hit you on the head, and you don’t have any clue how to hide from it. But can you blame them? After all, even for us it&#8217;s becoming impossible to stay protected.</p>
<p>This is how they feel</p>
<p><img class="alignnone" src="http://graphics8.nytimes.com/images/2008/08/10/opinion/coyote.jpg" alt="" width="531" height="341" /></p>
<p>When we &#8220;bombard&#8221; them, what happens is that they experience a fight/flight/play-dead feeling, and since it’s so big, they go and play dead immediately &#8211; cognitively speaking.</p>
<p>So what is my conclusion? Next time you need to speak to the average Jane or Joe (AKA the common woman or man) – try to remember that helping your user and friends’ community can only be done if you find a way to empower them, not scare them to death. The more unbalanced they feel after your information and awareness sessions, the more likely they are to “bring up” this unbalanced state when they face an incident, and the last thing you want is a user who is unbalanced during an information security incident <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>© All rights reserved 2011.</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/12/03/play-dead/"><img src="http://img.youtube.com/vi/5Mb-2KrxqFg/2.jpg" alt="" /></a></span>
<p>I RECOMMEND TO CHANGE THE RESOLUTION TO 720p or 480p FOR BETTER QUALITY!</p>
<p><strong>&#8220;Play Dead&#8221; / Bjork</strong></p>
<p>darling stop confusing me<br />
with your wishful thinking<br />
hopeful embraces<br />
don&#8217;t you understand?<br />
i have to go through this<br />
i belong to here where<br />
no-one cares and no-one loves<br />
no light no air to live in<br />
a place called hate<br />
the city of fear</p>
<p>i play dead<br />
it stops the hurting<br />
i play dead<br />
and hurting stops</p>
<p>it&#8217;s sometimes just like sleeping<br />
curling up inside my private tortures<br />
i nestle into pain<br />
hug suffering<br />
caress every ache</p>
<p>i play dead<br />
it stops the hurting</p>
]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2011/12/03/play-dead/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>

		<media:content url="http://graphics8.nytimes.com/images/2008/08/10/opinion/coyote.jpg" medium="image" />
	</item>
		<item>
		<title>Amygdalala-land</title>
		<link>http://infoseq.wordpress.com/2011/10/03/amygdalala-land/</link>
		<comments>http://infoseq.wordpress.com/2011/10/03/amygdalala-land/#comments</comments>
		<pubDate>Mon, 03 Oct 2011 06:46:45 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[awareness]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[neurology]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[information security]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=279</guid>
		<description><![CDATA[Amygdalala-land Why is our brain not wired for information security and what can we do to change it? Written by Uri Biber, CISA/CISM/CRISC/CISSP and a member of the NeuroLeadership Institute. . Romeo Romeo, where art thou Romeo? In the last two and a half months I disappeared from the face of the earth (other than [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=infoseq.wordpress.com&amp;blog=14253607&amp;post=279&amp;subd=infoseq&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<h1><span style="color:#0000ff;">Amygdalala-land</span></h1>
<h2>Why is our brain not wired for information security and what can we do to change it?</h2>
<h3><strong>Written by Uri Biber, CISA/CISM/CRISC/CISSP and a member of the NeuroLeadership Institute.</strong></h3>
<h2><span style="color:#800080;">Romeo Romeo, where art thou Romeo?</span></h2>
<p><img class="alignnone" src="http://www.shakespearefilms.com/images2/romeo-and-juliet.jpg" alt="" width="468" height="462" /></p>
<p>In the last two and a half months I disappeared from the face of the earth (other than the obvious occasional participation in selected information security events). I enabled a very strict filter on my mailbox, I barely saw my girlfriend (I hope I still have one) and from morning till very late at night I sat down to try and understand the subject of education in the field of Information Security. I was digging deep into academic research papers, reading books, watching documentaries and interviews &#8211; you name it. Even during the security events I took the opportunity to talk to and interview as many people as possible. I wanted to find out what led to the current situation, one in which information security education is under-funded, neglected, wrongfully planned, ineffective, and most of the time practically non-existent.</p>
<p>Here are some figures:</p>
<p>A study done in 2009 by the Intrepidus Group covered <strong>69,000</strong> employees around the world. It discovered that<strong> 23% of organizations&#8217; workforce worldwide is vulnerable to information security attacks</strong> which use humans as the attack vector. A recent survey by Check Point, published this month, talks about approximately <strong>48% of enterprises</strong> that admitted they <strong>have been victims of social engineering more than 25 times in the last two years</strong>. <strong>Each</strong> security <strong>incident</strong> was estimated as <strong>cost</strong>ing anywhere <strong>from US$25,000 to over US$100,000</strong>, including costs associated with business disruptions, customer outlays, revenue loss and brand damage. To those who still think that’s not enough for a major shift of attention I suggest reading how RSA was hacked, and the implications that this hack had on organizations throughout the globe.</p>
<p><strong>This blog was written to give a different perspective why we are not born to be information security experts, why technology (alone) cannot save us, and what to do next.</strong></p>
<h2><span style="color:#800080;">The Sunscreen Affect</span></h2>
<p>Information security fails because of something I discovered in the late 80s.</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/10/03/amygdalala-land/"><img src="http://img.youtube.com/vi/ENe3oKv6m1E/2.jpg" alt="" /></a></span>
<p>(I know the video is not really *that* related, but&#8230;goddamn, I like her tan!!!)</p>
<p>At the end of the happy 1980s I used to go to the seashore during the hot summer days with my girlfriend, who later became my (ex) wife. I arrived equipped with a sunscreen lotion of protection factor 8 (the level mothers used to put on their babies), covered every inch (almost, almost…) of my body with the white shiny lotion and after this annoying ritual I lay down on a towel I put on the hot sand, trying my best not to blind anyone who passed by (or airplane pilots above me). My ex-wife on the other hand used baby oil or Hawaiian Tropic tanning oil without any protection. Lucky for her she had great DNA, and so after one day of sun exposure she had the most amazing tan colour, one that I never managed to achieve even after going with her the whole darn summer. Meanwhile I was getting burned, thanks to human stupidity.</p>
<h2><span style="color:#800080;">Deadly gas</span></h2>
<p><img class="alignnone" src="http://pointriderrepublican.typepad.com/10007350.jpg" alt="" width="285" height="425" /></p>
<p>I still remember the days in which refrigerators were filled with CFCs, or Freon as we knew it. This colourless, odourless gas was used everywhere – from aerosol sprays through refrigerators to data centres. Then humans discovered that our ozone layer is disappearing and that CFCs are the main cause, so CFCs were banned.</p>
<p>Meanwhile, in order to continue going to the beach, we were told we must increase the sunblock levels we put on ourselves. The last time I checked in the supermarket I saw a sunblock labelled 42 for kids, and I assume it is getting higher all the time.</p>
<p>To summarize my story, here are the 4 major points (excluding the fact I’m extremely white):</p>
<ol>
<li>The sun, generating a lot of energy which is vital to us but can also cause us problems</li>
<li>An ozone layer, which is supposed to protect us</li>
<li>Sunblock cream, which we use when the ozone layer is not working</li>
<li>And finally, ourselves, generating CFCs and killing ourselves by reducing the effectiveness of earth’s ozone layer.</li>
</ol>
<p>What does all of this have to do with information security? Other than the fact you should put on a sunscreen lotion when you go to the beach, and that the human race is excellent in first doing stupid things and then trying to fix them, here is the moral of my story:</p>
<ol>
<li>Sun = Internet and relationships – transforming our lives, but can also cause us a lot of problems</li>
<li>Ozone layer &#8211; Our knowledge and awareness, which let us distinguish between risks and opportunities, involving both human behaviour and technology.</li>
<li>Sunblock cream &#8211; Compensating mechanisms we developed to handle the lack of awareness or knowledge</li>
<li>And finally, ourselves, lowering our knowledge and awareness by a total lack of education.</li>
</ol>
<p>While we try to use technology to compensate for the lack of human education, we don’t really do it that well. It gives us a false sense that the risk is mitigated, but in reality our lack of awareness makes us more and more vulnerable all the time. It can even kill us.</p>
<h2><span style="color:#800080;">Why we cannot rely (only) on technology</span></h2>
<p><img class="alignnone" src="http://img.izismile.com/img/img2/20090618/gadget_01.jpg" alt="" width="640" height="469" /></p>
<p>Let’s start with the failure of technology. The solutions we in the information security community came up with are mainly technical. Anti-spam filters, firewalls, anti-malware, IDS, IPS etc. – all are fine efforts to try and mitigate the human risk, but at the end of the day those efforts fail. Don’t take my word for it, ask Joe.</p>
<h2><span style="color:#800080;">Meet (the real) Joe (black)</span></h2>
<p><img class="alignnone" src="https://hacktivity.com/images/lecturers/800x600/2d534246.jpg" alt="" width="640" height="480" /></p>
<p>About two weeks ago Joe McCray spoke at the BRUCON 2011 event. Joe is one of those guys that the only way you will forget him is if you’re suffering from an extremely advanced stage of Alzheimer&#8217;s disease. He’s funny, friendly, smart, extremely talented, professional – and his interpersonal skills combined with his technical abilities make Joe one of the most popular figures in the information security world. He used to say in the past that he is &#8220;<a href="http://www.slideshare.net/joemccray/AdvancedSQLInjectionv2">the black guy at security conferences</a>&#8220;, but I think we notice it only because most of us who work in information security prefer to stay indoors, as sunlight and computer screens don&#8217;t go hand in hand&#8230;</p>
<p>The presentation Joe gave at BRUCON was one of the least optimistic speeches I’ve heard from him. Joe was describing his experience with events in which his customers were hacked by APTs. His conclusion after many investigations is that the <a href="http://en.wikipedia.org/wiki/Advanced_persistent_threat">APT</a> (Advanced Persistent Threat) is here, it’s going to affect everyone from big organizations to small, and it’s not going to go away any time soon. I think Joe would summarize it with “currently, we’re fucked” <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>To those who missed Joe’s presentation, here is what I remember from his talk:</p>
<ol>
<li>Patching your systems will not give you any assurance against vulnerabilities, as governments and criminal organizations invest huge amounts of effort into finding zero-day vulnerabilities and using them.</li>
<li>Attacks have become extremely sophisticated, many of them so sophisticated that barely even big organizations manage to identify them, and most medium to small size organizations don’t even have the resources to identify them, not to mention stop them.</li>
<li>The intellectual property being stolen from companies is vast. We are talking about management training material, business plans, Visio diagrams and design documents, emails… everything you can think of.</li>
</ol>
<p>What does it mean? I think it means that in the current economic and political climate we live in, it is pretty obvious that no one is going to publicly retaliate against assumed perpetrators. China has been blamed by Google, the European Union and other organizations, but no one imposed any sanctions on them (<em>you don’t mess around with those to whom you owe a lot of money</em>). Iran blamed Israel for Stuxnet but didn’t attack Israel (<em>you don’t mess around with someone who has a nuclear bomb</em>). And while everyone knows that in Russia there are a lot of people who have a very comfortable life because they are part of criminal organizations that use technology to steal resources from companies in other countries, no one does anything against them (<em>you don’t mess around with the people who provide you the energy to heat your cold winter nights</em>). As no one has the political and economic means to do anything about the new reality, we act like a beaten wife who’s trying to tell herself she is secure by making false claims, like the one that “patching” our systems will solve or prevent the sophisticated attacks we are facing. When the biggest, most security-aware organizations in the world are being hacked, it is because the resources the hackers are investing into the subject far exceed the resources of the organizations being attacked. In the current climate, technology alone cannot protect you or your organization any more.</p>
<h2><span style="color:#800080;">Education failures</span></h2>
<p><img class="alignnone" src="http://images.inmagine.com/img/imagesource/is0266jn0/is0266n5a.jpg" alt="" width="400" height="267" /></p>
<p>Let’s go to the second problem – lack of human awareness and the inability of people to act upon their current knowledge. Does it help to explain information security to people? I don’t think so, not in the way we currently do it.</p>
<p>Let’s start with the assumption that knowledge is the answer. Like everything in life, knowledge is not sufficient. If you think all you need to stop people from doing something stupid is to show them that what they do is bad, please try the following experiment &#8211; look for the entrance of any modern office building, locate the people who stand outside enjoying their cigarettes and tell them that smoking is bad for them. You can even bring research papers on it, posters, whatever you want. Do you think that it will help? I doubt it. It is one thing to know something; it is something completely different to be able to act upon the knowledge when you need it (like when your body tells you that it wants its nicotine portion).</p>
<p>Trying to use logic to explain to people the importance of information security is very similar to explaining to people the dangers of smoking. People are told about it from time to time, some effort is made (mostly to achieve a very low level of due diligence), but the end result is pretty bad information security awareness.</p>
<p>Which brings me to the second reason why information security education does not seem to be working. How come most people will still ignore the risks involved in information security even if you give them piles of evidence that it can and will affect them? After thinking about it endlessly I have a new idea to explain it. Hold on, it’s going to get interesting:</p>
<p><strong><em>I suggest we are not good at handling information security issues because we are not born with the right neurology to handle such decisions, and individuals without information security education who rely on their intuition are extremely vulnerable because of that. </em></strong></p>
<p>Let me explain (again? YES!!!) <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<h2><span style="color:#800080;">Amygdalala-land</span></h2>
<p><img class="alignnone" src="http://www.dana.org/uploadedImages/Images/Content_Images/art_v7n3davis_2.jpg" alt="" width="370" height="406" /></p>
<p>The human brain has a very important mechanism that developed over hundreds of millions of years to identify dangers. It is called the <a href="http://en.wikipedia.org/wiki/Amygdala">amygdala</a>. The way it works is like this – the amygdala is like your personal alarm system, and your brain’s neurology wires all the information it processes to it. The amygdala trains itself to process this information (which most of the time is received from our senses) in order to try and identify dangers. It is great at identifying visual imagery like <a href="http://www.jhunewsletter.com/science-technology/amygdala-responds-to-animals-1.2606669">a lion or a bear</a>; it is also great at identifying suspicious sounds, temperature differences, or when your mother-in-law is about to arrive. These types of dangers are pretty easy to train for because this kind of sensory information has been around for millions and millions of years, and giving an OK or NOT OK signal from such information is fast and effective. HOWEVER, the amygdala was not really created to handle the flow of endless letters and sounds that we process today, because a link is just a click away, while the text that appears in the email itself, which we must read before we press the link, requires a lot of different parts of the brain in order to process its meaning. Before that processing is over, your amygdala has already sent an OK signal, and this “OK” reply is light-years faster (in terms of brain processing time) than the complex neurological associations you are required to perform when you need to analyse a message you just received and decide if it is spam or not. Combine that with the way our brain always comes up with excuses for what we do and you can start to understand why we have a large population that is clicking on links without thinking and is not even aware of it.
When you get a hundred emails a day (common practice in many organizations these days), you will eventually &#8220;click through&#8221; a malicious message before you realize what you did.</p>
<p>Of course you can compensate for this problem by telling employees to treat every email as dangerous. That’s what many companies write in the awareness material they send, and the problem with such an approach is that it’s pretty exhausting: your brain gets stressed, your body gets stressed, your memory becomes less effective, and you come home from work to scream at the kids. The worst thing about that approach is that under stress your brain cannot really differentiate between a spam email and a legitimate email, because it is locked in a loop that prevents it from using the skills required to analyse possible threats, and at some point the brain will simply go into a “numb” state. A sophisticated attacker who understands the brain will bypass most of the current security mechanisms with very high chances of success, thanks to most organizations’ lack of understanding of how the brain works.</p>
<h2><span style="color:#800080;">Deadly results</span></h2>
<p>I’ve mentioned before that lack of information security is deadly, and I literally mean deadly. In Mexico <a href="http://www.guardian.co.uk/world/2011/sep/25/mexico-woman-decapitated-social-network">a woman was decapitated for posting information on the web about a Mexican drug cartel</a>, in Iran bloggers have been imprisoned by the authorities, and in China you’re not allowed to criticize the communist party’s view on Falun Gong, or God forbid practice it. The lack of information security education is a human phenomenon, not an organizational problem. It affects our freedom in the western world, and it is killing progress and freedom in other parts of the world where freedom and human rights are a rare commodity.</p>
<p>The price tag we pay in the western world for our lack of education is that when our governments take initiatives they always seem to end up taking away something from us. I believe the solution to lack of awareness is neither adding another layer of security nor stripping us of our rights – before any other measure is taken, our duty and the duty of our countries is to make a paradigm shift in our consciousness and the consciousness of others.</p>
<h2><span style="color:#800080;">Back in Black</span></h2>
<p>People don’t understand information security, and some of us get upset when we see it, forgetting that all of us fail to understand something. Here is a list of people you might know who have problems understanding:</p>
<p><img class="alignnone" src="http://ecdn1.hark.com/images/000/033/020/33020/original.0" alt="" width="450" height="300" /></p>
<ul>
<li><strong>Sheldon from The Big Bang Theory does not understand sarcasm</strong></li>
</ul>
<p><img class="alignnone" src="http://www.photowizardry.co.uk/PageImages/Bellababyportr__00033.jpg" alt="" width="480" height="360" /></p>
<ul>
<li><strong>My friend’s newborn baby does not understand the theory of relativity</strong></li>
</ul>
<p><img class="alignnone" src="http://upload.wikimedia.org/wikipedia/en/4/4c/SpockVulcan.jpg" alt="" width="248" height="300" /></p>
<ul>
<li><strong>Spock from Star Trek does not understand emotions</strong></li>
</ul>
<p><a href="http://infoseq.files.wordpress.com/2011/10/confused-man.jpg"><img class="alignnone size-full wp-image-281" title="confused-man" src="http://infoseq.files.wordpress.com/2011/10/confused-man.jpg?w=627" alt=""   /></a></p>
<ul>
<li><strong>Women find it hard to understand men, men totally don’t understand women.</strong></li>
</ul>
<p><img class="alignnone" src="http://primalrecipe.com/wp-content/uploads/2011/07/evolution_of_man.jpg" alt="" width="675" height="274" /></p>
<ul>
<li><strong>Atheists do not understand why people still believe in God, or how people believe in creationism</strong></li>
</ul>
<p><img class="alignnone" src="http://www.logoi.com/pastimages/img/god_4.jpg" alt="" width="580" height="297" /></p>
<ul>
<li><strong>Believers do not understand how anyone could disgrace God by their actions or words, with big emphasis on the theory of evolution.</strong></li>
</ul>
<p>Lack of understanding is normal, we all experience it. The fact that most people live very happily without truly understanding the physics of the universe around them, or how mobile phones really work, are two examples of how easy it is to live without awareness. So when we suddenly, out of the blue, come to people without information security awareness to tell them “Hey, here’s another fact of life, lack of information security is dangerous”, they will try to process this information in their brain, their brain tells them “I don’t know what the heck they are talking about, I don’t feel it’s true” and then they will ignore it. If we are lucky, maybe they will store that information in the “not that important bullshit” mental drawer, or if we try to push it too fast or too hard, chances are their brain will simply drop the information.</p>
<p>The point I wanted to make is that it is very hard for people who already have a specific perception of life to think outside of it. Most people do not understand the risks that information security vulnerabilities pose to them, and most of them, even if they knew it is bad for them, are unable to react to such an event in a way that is in line with their own safety.</p>
<p><strong><em>“Father, forgive them; for they know not what they do” </em></strong><em>(Luke 23:34)</em></p>
<h2><span style="color:#800080;">What can we do?</span></h2>
<p>The purpose of writing this article was to try to explain why it is crucial for all of us in the information security world to understand the neurological limitations and advantages our human brain provides us. Of course it would have been great if everyone had a high level of awareness, but since this is not the case, here are some of the things we need to go through in order to have a change:</p>
<ol>
<li>We need to learn a new approach to education, so people will not only know that information security is important for them but will have the personal capability to make much better decisions when faced with such issues.</li>
<li>We need to develop the new approach using the intense neurological and behavioural research that has been conducted in parallel to the information security revolution, to arrive at an integrated approach to information security. We need to do all of this using the current models of how the brain works, how we remember things, how we decide, and why relationships are so important to us.</li>
<li>We must continuously adapt our education programs based on the research on how information is processed in the brain.</li>
<li>Finally, and most importantly – we need to learn how to communicate all this information so people will start to consider information security education as an investment, not an expense. Investment in growth, investment in freedom.</li>
</ol>
<p>© All rights reserved 2011.</p>
<h2>PS &#8211; or, afterblog thoughts</h2>
<p>Thanks to everyone who has been reading my blog, and an even bigger thanks to those who chose to subscribe. My (ex?) girlfriend (hopefully not my imaginary one lol) told me today that she is extremely happy I finally got it out of my system. I totally agree: I&#8217;ve been going down the path of trying to explain why we must change the way we handle information security education for a long, long time. In the last few months I&#8217;ve scrapped a lot of material I wrote because I felt that what I was writing was too far ahead, and that reading me would not provide people the starting point I hoped to create. This article today is, for me, my starting point. Everything I wrote here is easy to prove, is extremely logical, does not require going into complex thinking patterns, and even people who don&#8217;t work in information security would be able to go through it and understand why it is important. I didn&#8217;t provide a full plan on how to tackle the problem, but I think it&#8217;s only natural &#8211; like everything else in information security, human education is a path, not a target. It took me many months to be able to find the right words, and I hope everyone else will be able to find their own words on this subject because it is important.</p>
<p>I thank all the wonderful people I&#8217;ve spoken with in the last few months, for their patience and insight on human ways of thinking. I learned so much from it, thank you. Thanks to my kids, my friends, my ex-wife (for unknowingly allowing me to reference her in this post <img src='http://s1.wp.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />  ) &#8211; and a <strong>big</strong> special thanks to my girlfriend: imaginary or not, I love you <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/infoseq.wordpress.com/279/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/infoseq.wordpress.com/279/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godelicious/infoseq.wordpress.com/279/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/delicious/infoseq.wordpress.com/279/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gofacebook/infoseq.wordpress.com/279/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/facebook/infoseq.wordpress.com/279/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gotwitter/infoseq.wordpress.com/279/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/twitter/infoseq.wordpress.com/279/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gostumble/infoseq.wordpress.com/279/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/stumble/infoseq.wordpress.com/279/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/godigg/infoseq.wordpress.com/279/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/digg/infoseq.wordpress.com/279/" /></a> <a rel="nofollow" href="http://feeds.wordpress.com/1.0/goreddit/infoseq.wordpress.com/279/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/reddit/infoseq.wordpress.com/279/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=infoseq.wordpress.com&amp;blog=14253607&amp;post=279&amp;subd=infoseq&amp;ref=&amp;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2011/10/03/amygdalala-land/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>

		<media:content url="http://www.shakespearefilms.com/images2/romeo-and-juliet.jpg" medium="image" />

		<media:content url="http://pointriderrepublican.typepad.com/10007350.jpg" medium="image" />

		<media:content url="http://img.izismile.com/img/img2/20090618/gadget_01.jpg" medium="image" />

		<media:content url="https://hacktivity.com/images/lecturers/800x600/2d534246.jpg" medium="image" />

		<media:content url="http://images.inmagine.com/img/imagesource/is0266jn0/is0266n5a.jpg" medium="image" />

		<media:content url="http://www.dana.org/uploadedImages/Images/Content_Images/art_v7n3davis_2.jpg" medium="image" />

		<media:content url="http://ecdn1.hark.com/images/000/033/020/33020/original.0" medium="image" />

		<media:content url="http://www.photowizardry.co.uk/PageImages/Bellababyportr__00033.jpg" medium="image" />

		<media:content url="http://upload.wikimedia.org/wikipedia/en/4/4c/SpockVulcan.jpg" medium="image" />

		<media:content url="http://infoseq.files.wordpress.com/2011/10/confused-man.jpg" medium="image">
			<media:title type="html">confused-man</media:title>
		</media:content>

		<media:content url="http://primalrecipe.com/wp-content/uploads/2011/07/evolution_of_man.jpg" medium="image" />

		<media:content url="http://www.logoi.com/pastimages/img/god_4.jpg" medium="image" />
	</item>
		<item>
		<title>Reading the unreadable, and a PS RFC</title>
		<link>http://infoseq.wordpress.com/2011/09/21/reading-the-unreadable-and-a-ps-rfc/</link>
		<comments>http://infoseq.wordpress.com/2011/09/21/reading-the-unreadable-and-a-ps-rfc/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 07:59:17 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=254</guid>
		<description><![CDATA[Reading the unreadable (and a PS RFC) By Uri Biber Psychologists believe they rule the world; they are 25% of the prison population,  4% of corporate CEOs and 1% of the world population. They affect us all, most of us can’t identify them at all – yet there is a way to find out if [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=infoseq.wordpress.com&amp;blog=14253607&amp;post=254&amp;subd=infoseq&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<h1>Reading the unreadable (and a PS RFC)</h1>
<h2>By Uri Biber</h2>
<p>Psychologists believe they rule the world; they are 25% of the prison population,  4% of corporate CEOs and 1% of the world population. They affect us all, most of us can’t identify them at all – yet there is a way to find out if you know one of them. No, I’m not talking about <a href="http://en.wikipedia.org/wiki/The_Illuminati">The Illuminati</a>, I’m talking about psychopaths.</p>
<p>Monday &amp; Tuesday were a true delight, as <a href="http://2011.brucon.org/index.php/Main_Page">BRUCON 2011</a> took place once more in Brussels. It was not only the great speakers who covered multiple domains of security or the wonderfully dedicated team of volunteers (and sponsors) that made it all possible – it was the atmosphere. As one of the key speakers told me – “I gave the same speech in other places, but here the vibe with the audience was so cool, I really loved it here”.</p>
<p>The reason I am writing this fast blog is to apologize for my bad memory. At <a href="http://2011.brucon.org/index.php/Content#Social_Engineering_Like_In_The_Movies_.28Dale_Pearson.29">Dale Pearson’s presentation</a> (“Social Engineering Like In The Movies”) I made a reference which needs to be corrected for those who are interested in the domain of human manipulation. At the end of his presentation, in the Q&amp;A section, someone from the audience asked how you can spot those who are psychopaths. &#8220;After all,&#8221; he said, &#8220;how can you read those who have no feelings for others?&#8221; After Dale&#8217;s reply I made a comment from the audience that if anyone is interested in the subject they should read “The Psychopath test” by <a href="http://en.wikipedia.org/wiki/Jonathan_Safran_Foer">Jonathan Safran Foer</a>.</p>
<p>So here is my apology to the audience and to Dale for a partially mistaken reference. As a movie fan I mixed up the author of one book which turned into a movie, “<a href="http://en.wikipedia.org/wiki/Everything_Is_Illuminated_%28film%29">Everything Is Illuminated</a>”, with the author of another book that turned into a movie &#8211; “<a href="http://en.wikipedia.org/wiki/The_Men_Who_Stare_at_Goats_%28film%29">The Men Who Stare at Goats</a>”. I’ve always remembered movies and faces better than names :)</p>
<p>So the name of the book is indeed “<strong><a href="http://www.amazon.com/Psychopath-Test-Journey-Through-Industry/dp/1594488010/ref=sr_1_1?ie=UTF8&amp;qid=1316588839&amp;sr=8-1">The Psychopath Test</a></strong>”, but it was written not by Jonathan Safran Foer but by <strong><a href="http://en.wikipedia.org/wiki/Jon_Ronson">Jon Ronson</a></strong>. To hopefully compensate for my mistake I enclose two links, first to an interview with the author on The Daily Show:</p>
<p><a href="http://www.thedailyshow.com/watch/mon-may-16-2011/jon-ronson">http://www.thedailyshow.com/watch/mon-may-16-2011/jon-ronson</a></p>
<p>(<em>Try looking at the body language of the author while listening to the interview</em>)</p>
<p>The second link is an animated video the author had uploaded to youtube:</p>
<p>I highly recommend the book. It’s wonderful for anyone who wishes to decide whether they are a psychopath or not :)</p>
<p>Ending this part of the quick blog with a side-note: I wish to take the opportunity to send love to my friends (you know who you are, I don’t need to do name-dropping here). Have a safe trip back home! It was a pleasure to meet, talk to and get to know some of you for the first time; I&#8217;ve learned so much from you! It was also a pleasure to finally meet those who I already know and hear about their adventures in time and space since the last time we met. I hope to see you soon!</p>
<p>Namaste</p>
<p>Uri</p>
<h2>Now to the PS RFC:</h2>
<p>During Dale&#8217;s presentation (which was, by the way, excellent) I wrote myself a lot of comments/ideas based on my own observation/research in that domain. One of them relates to the fact that a &#8220;nose up in the air&#8221; attitude is attributed to snobbish people.</p>
<p>I was thinking that the &#8220;nose up in the air&#8221; behaviour can be explained via an evolutionary view. In nature a lot of mammals and primates interpret staring at them as a challenge or a threat, and if you wish to approach them you must look down. This is mainly due to the fact that for many animals the eyes are fixed looking forward, and when those mammals wish to change their focus they need to turn their heads. We humans tend to look everywhere without changing the physical position of the face (which is very useful if you&#8217;re with your spouse and a very attractive specimen is passing by lol).</p>
<p>For many (most?) mammals, the more dominant you are, the more you will have your nose up because no one will challenge you, which can explain the root origin of having your nose up in the air (other than plastic surgery, of course). The next time someone acts in such a way, don&#8217;t get upset &#8211; maybe it&#8217;s his DNA that tells him to do so, or he just spent way too much time staring at dogs :)</p>
<p>That&#8217;s it &#8211; that&#8217;s what came to my mind during the talk. Maybe it&#8217;s already been explained before, maybe I don&#8217;t know what I&#8217;m talking about &#8211; I would love to read your opinion!</p>
]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2011/09/21/reading-the-unreadable-and-a-ps-rfc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>
	</item>
		<item>
		<title>I ♥ AUDIT</title>
		<link>http://infoseq.wordpress.com/2011/09/13/i-%e2%99%a5-audit/</link>
		<comments>http://infoseq.wordpress.com/2011/09/13/i-%e2%99%a5-audit/#comments</comments>
		<pubDate>Tue, 13 Sep 2011 11:56:13 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=211</guid>
		<description><![CDATA[I ♥ AUDIT Some people hate them, most people don&#8217;t even know what they do, yet auditors are essential part of the information security world. Here&#8217;s my attempt to try and debunk some of the misconceptions people have on the audit process, as well as on the profession itself. Written by Uri Biber, CISA, CISM, [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=infoseq.wordpress.com&amp;blog=14253607&amp;post=211&amp;subd=infoseq&amp;ref=&amp;feed=1" width="1" height="1" />]]></description>
			<content:encoded><![CDATA[<h1>I ♥ AUDIT</h1>
<h2>Some people hate them, most people don&#8217;t even know what they do, yet auditors are an essential part of the information security world. Here&#8217;s my attempt to try and debunk some of the misconceptions people have about the audit process, as well as about the profession itself.</h2>
<h3>Written by Uri Biber, CISA, CISM, CISSP, CRISC.</h3>
<h2>The auditors are coming, the auditors are coming!</h2>
<p>I was reading yesterday the New York Times article about the ComodoHacker, a hacker who claims to be a 21-year-old software engineering student in Teheran, who decided to break into multiple companies whose digital identities are used by all of us when we want to make sure that the server we connect to belongs to the organization we are trying to reach.</p>
<p>Hidden in the article was a paragraph that caught my attention because it was talking about a much more deadly group of people, one of the most feared groups of individuals that walk among us. Don’t let their looks deceive you &#8211; they can be extremely deadly. I’m not talking about religious extremists and not even about cyber-terrorists. I am talking about auditors, a group at whose memory way too many CEOs tremble in fear.</p>
<p><em><strong> “Fearing the prospect of other breaches similar to those carried out by this hacker, Mozilla, the maker of the Firefox Web browser, last week issued a warning to certificate authority companies to audit their security systems or risk being booted off Firefox.”</strong></em></p>
<p>(NYTimes, “<a href="http://www.nytimes.com/2011/09/12/technology/hacker-rattles-internet-security-circles.html">Hacker Rattles Security Circles</a>”)</p>
<p>Yet many people don’t know what the heck an audit is or what the work of an auditor is, so here&#8217;s my perspective, one you’re most likely not to hear anywhere else :)</p>
<h2>The outsiders</h2>
<p>We live in a world in which digital information has a huge impact on our lives. To some of us, this could mean the difference between living freely and being thrown into prison if we’re lucky, or being shot in the head if we live in the wrong country. That’s already probably known to most of us – this is why information security is becoming more and more crucial. However, there is still one group of people whose work enables information security but who are considered “outsiders” – I’m talking about information security auditors.</p>
<p>Even though information security auditors are educated in information security, there&#8217;s still a much bigger chance of meeting hackers in ISSA chapter meetings than in ISACA chapter meetings. That&#8217;s a shame because I think it&#8217;s time to change the perception of audit and the work of auditors. I feel that for way too long audit, and especially information security audit, has been considered by many people the most anal work on earth (to any fellow auditor &#8211; if you never heard about it before then I’ve just proven it). This viewpoint is not only counter-productive to the audit process itself (more about it later) but also wrong. The result of this widespread perception is that a lot of cool and creative people will not even think of audit as a career path, and it’s a shame.</p>
<p>Conducting an audit can be an enlightening experience, an experience that can transform not only you but also the organization you are auditing, on a level that can be far more far-reaching than many of the positions most cool people usually crave.</p>
<p>The ability to influence something from the inside is always way greater than influencing from the outside. Auditors are the outsiders that can make a difference.</p>
<h2>Coming out</h2>
<p>Recently I’ve been quoting Wikipedia so many times that I think it’s time to come out of the closet and admit: I love audit, but I’m in love with Wikipedia. I don’t care that her values can be deviously wrong, or that I sometimes ask myself if that’s the best I can aspire to. I’m in love with Wikipedia because it/she is always there for me.</p>
<p>So what does an IT auditor do? He does audits. Take it from here, dear:</p>
<p><em>An </em><strong><em>information technology audit</em></strong><em>, or </em><strong><em>information systems audit</em></strong><em>, is an examination of the management controls within an <a title="Information technology" href="http://en.wikipedia.org/wiki/Information_technology">Information technology</a> (IT) <a title="Infrastructure" href="http://en.wikipedia.org/wiki/Infrastructure">infrastructure</a>. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining <a title="Data integrity" href="http://en.wikipedia.org/wiki/Data_integrity">data integrity</a>, and operating effectively to achieve the organization&#8217;s goals or objectives. These reviews may be performed in conjunction with a <a title="Financial audit" href="http://en.wikipedia.org/wiki/Financial_audit">financial statement audit</a>, <a title="Internal audit" href="http://en.wikipedia.org/wiki/Internal_audit">internal audit</a>, or other form of attestation engagement.</em></p>
<p><em>IT audits are also known as &#8220;automated data processing (ADP) audits&#8221; and &#8220;computer audits&#8221;. They were formerly called &#8220;<a title="Electronic data processing" href="http://en.wikipedia.org/wiki/Electronic_data_processing">electronic data processing</a> (EDP) audits&#8221;.</em></p>
<h3>Already sleeping?</h3>
<p>For some people, even reading the brief Wikipedia definition of an IT audit is equivalent to taking a big dose of sleeping pills. If your vision started to blur when you were reading it, don’t worry – I will try to explain it a bit differently.</p>
<p>What is the work of an IT auditor? As Robert R. Moeller wrote “<em><strong>they are <a href="http://en.wikipedia.org/wiki/Auditor_independence">independent</a> outside representatives to observe and comment on that process</strong></em>”. (COSO enterprise risk management: understanding the new integrated ERM framework, 2007)</p>
<p>An audit is a way of looking at a process or people and deciding whether or not the actions and results of that someone or something are as expected. An auditor is a person who comes in and is supposed to tell you that, in his objective opinion, based on the evidence he discovers.</p>
<h2>CSI, AKA Corporate Security Investigations</h2>
<p>In a decade when CSI is still one of the most popular TV shows you would assume that people would want to do the same in their line of work. You would assume people would want to work in a position that gives them the right to go into a given situation in an organization and practice their knowledge by trying to identify whether the processes being reviewed are OK and whether there are any major flaws. After all, isn’t that what white-hat hackers do most of the time? So how come it’s not considered as cool to say “I’m an auditor” as to say “I’m a programmer in a start-up company” or “I’m a penetration tester”?</p>
<p>I know a few hackers who work as penetration testers who, if you ask them whether they would like to work in audit, will look at you as if you had just smoked their entire weed/mushroom stack, or had been drinking way too much alcohol.</p>
<p>To tell you the truth? I can totally understand them. Auditors have&#8230;hmm&#8230;a unique way of singing?</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/09/13/i-%e2%99%a5-audit/"><img src="http://img.youtube.com/vi/1I8BDIT_60Y/2.jpg" alt="" /></a></span>
<p>Over the years, audit has developed a reputation as the most uncreative job in the world. Comparing it to working at Facebook or as a pen tester is like comparing Hogwarts (the enchanted boarding school of Harry Potter, grandpa!) with what a real-life British boarding school looks like. The following chapters will hopefully tackle those claims.</p>
<h2>Out of scope</h2>
<p>Let’s first look at the subject of scope. In audit, you have a predefined scope that you focus on. In comparison, penetration testing for example looks like huge freedom, and writing code seems like so much Hollywood storytelling. In reality, the truth is actually less romantic. Most companies know that when code is not developed in an organized manner they will have a serious problem supporting it when the person who wrote it leaves, so you’re not as free as you would like. Then there is the assumption that when you work as a penetration tester you are free to do what you like. It’s sort of true, but with a catch – many companies will limit the level of penetration testing you are allowed to perform for fear of risking their production environment, and at the end of the day, if the people at the institution that hires your services tell you that you cannot perform some actions, you will not perform them. Audit is very similar in the sense of restriction, but here it is a matter of scope. In audit, however, you are given a very different freedom – you get to interact with people and the process from as many directions as you can think of – so if you’re smart enough you can have a very interesting scope to work within.</p>
<h2>Mama, ooh ooh ooh ooh</h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/09/13/i-%e2%99%a5-audit/"><img src="http://img.youtube.com/vi/2omuoO_hIbQ/2.jpg" alt="" /></a></span>
<p>Another reason why people don’t like auditors is because it reminds them too much of their own mothers. There is way too much in common between auditors and a Jewish mother:</p>
<ul>
<li>Usually they are being referred to by their title, not their private name (“My/Your mother” vs. “The auditor”).</li>
<li>Surprise visits scare the $hit out of you; when they finally arrive you usually feel you just lost the ability to speak. You never really know if they come for a brief visit or will stay for months – and you can’t kick them out.</li>
<li>They come and ask the most embarrassing questions.</li>
<li>You’re not allowed to hide anything from them, or else if they find out you’re dead.</li>
<li>They sometimes make you realize you were/are a fool and make you confess it to everyone around you.</li>
<li>And whether you like it or not, you already know that “Resistance is Futile. Your life, as it has been, is over. From this time forward you will service us.” (Captain <em>Jean</em>-<em>Luc Picard</em>, AKA Locutus of Borg, from the TV series Star Trek: The Next Generation).</li>
</ul>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/09/13/i-%e2%99%a5-audit/"><img src="http://img.youtube.com/vi/WZEJ4OJTgg8/2.jpg" alt="" /></a></span>
<p>Living jokes aside (I love you mom! :) ), the human interaction that is indeed required of auditors sometimes scares some of the more introverted personalities out there. First, I actually think that this experience can be very beneficial to people whose natural tendency is to be quiet, because it helps them expand and experience human interaction. Second, a good auditor is not someone who spreads fear but someone whom you feel you can trust in telling him what&#8217;s working and what&#8217;s not working, so that at the end of the day things will change. This brings me to the next subject:</p>
<h2>The fear factor</h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/09/13/i-%e2%99%a5-audit/"><img src="http://img.youtube.com/vi/mkAfl2RmAZc/2.jpg" alt="" /></a></span>
<p>I have witnessed fear of audit in many organizations. This is due to the perception that our daily work in an office is like “What happens in Vegas stays in Vegas”, versus the concept of audit where everything is challenged, and the perception that “What’s discovered in an audit will go straight to the board’s meeting agenda”.</p>
<p>In reality, neither of those visions is true. Any position in any organization requires of you both personal and professional manoeuvres, and way too many times other people&#8217;s feedback on you can have grave implications for your future career. While final audit reports are reviewed at a very high level – those are the final reports. Before that there are drafts and negotiation phases, and at the end of the day you are actually given, via audit, way more opportunities than you can imagine.</p>
<p>Some organizations do not encourage free thinking and consider anyone who challenges the mindset a threat. To those, an outsider who is given a mandate to come in, ask what he wants, come to a conclusion and tell them about it is a sort of mental rape. If this is the common perception within your organization then I don’t think auditors are the real problem. Auditors collect evidence, so if for example your processes or system had design flaws then instead of hating the auditors for it maybe it’s better to re-think your design flow?</p>
<h2>Creativity, or, Are you auditing me or you’re just happy to see me?</h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/09/13/i-%e2%99%a5-audit/"><img src="http://img.youtube.com/vi/XMOmB1q8W4Y/2.jpg" alt="" /></a></span>
<p>Audit with its pre-written rules seems like a no-win to many creative people, yet the truth is that when organizations – and especially management – look at audit as a way to innovate forward, as a way to bring a wind of change – audit can be a positive enabler that allows an objective perspective on processes that matter to the business.</p>
<p>I know this is not the common perception of audit, mainly because audit has historically been oriented toward the financial domain, and we all know that accounting is the most exciting work in the world. This has already changed &#8211; almost every organization on earth depends on its IT for all business operations, and while many audits are conducted within the “old-school” domains there is a growing understanding that the risks organizations face are expanding into new territories that in the past were considered a fantasy (take for example social network and mobile application auditing).</p>
<p>Audit provides creativity from a different direction than the one we are used to. For many people the concept of creativity is of someone who comes up with a cool idea and makes tons of money (Mark Zuckerberg -&gt; Facebook, Bill Gates -&gt; Microsoft, Sergey Brin and Larry Page -&gt; Google, and finally Steve Jobs and Steve Wozniak -&gt; Apple). Yet creativity is a very unique process, one in which <a href="http://www.youtube.com/watch?v=Ep5Ij-AfkLU">being an outsider</a> is one of the key enablers. And auditors, as you already noticed, are the perfect outsiders. Wait a minute &#8211; aren&#8217;t hackers usually natural-born outsiders? You got my point :)</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/09/13/i-%e2%99%a5-audit/"><img src="http://img.youtube.com/vi/Ep5Ij-AfkLU/2.jpg" alt="" /></a></span>
<h2>Closing words, or, Audit 2.0, or, Process Penetration Tester</h2>
<p>So what do you think? Will hackers start to look for jobs as auditors? Will the use of new technologies by many organizations mean they will be required to re-think their strategies in order to attract talented people into audit?</p>
<p>You don’t really need to convince shareholders that audit is good. For shareholders that have a vested interest in an organization, an independent audit is probably the best way (if not the only way) to make sure their investment is being taken care of, and that the controls they were promised indeed function.</p>
<p>Yet in my career I have seen way too many people who would never even think of combining audit as part of their own career path, and that’s a shame. Maybe if ISACA changed its certification name from Certified Information Security Auditor (CISA) to Certified Information Security Process Penetration Tester (CISPPT) it could help, I don&#8217;t know :)</p>
<p>That&#8217;s it. I wrote this blog to hopefully give a different perspective on audit and auditors. If you would like to read more, I strongly suggest taking a look at PwC&#8217;s <a href="http://www.pwc.com/us/en/internal-audit/publications/state-of-internal-audit-profession-study.jhtml">2011 state of the internal audit profession study</a> &#8211; it can give you more insight on current trends in audit. I will leave you with two quotes from that report:</p>
<p>Quote #1:</p>
<p><em>“How to audit is simple, the question is ‘what to audit?’ You have to audit risk. There are </em><br />
<em>four levels—risk that is unique to the process, to the organization, to the industry, and to the environment. Whether you are an eight-person or an eighty-person department, every audit you do should reconcile to one of these risks. </em><br />
<em>Every internal auditor needs to know what can bring the organization to its knees.”</em></p>
<p><strong>Joel Kramer, managing director, MIS Training Institute</strong></p>
<p>Quote #2:</p>
<p><em>&#8220;What we need are people in IT who can also be project manager thinkers </em><br />
<em>and challenge what’s going on within the company. Do we have some of </em><br />
<em>those people? Yes. Do we have enough of them? No.&#8221;</em></p>
<p><strong>A leading CAE (Chief Audit Executive)</strong></p>
<p>Interesting, isn&#8217;t it?</p>
<p>© all rights reserved, 2011.</p>
]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2011/09/13/i-%e2%99%a5-audit/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>
	</item>
		<item>
		<title>Remembering 9/11</title>
		<link>http://infoseq.wordpress.com/2011/09/11/remembering-911/</link>
		<comments>http://infoseq.wordpress.com/2011/09/11/remembering-911/#comments</comments>
		<pubDate>Sun, 11 Sep 2011 00:47:54 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=194</guid>
		<description><![CDATA[Remembering 9/11 Or &#8211; what&#8217;s the link between conspiracy theories and information security? A blog in honour of the victims of 9/11. It&#8217;s 1:35 AM, and I have just finished watching 3 episodes of Californication, then watched a BBC special on the never-ending conspiracy theories about 9/11. I feel I must write, so I do. [...] ]]></description>
			<content:encoded><![CDATA[<h1>Remembering 9/11</h1>
<h3>Or &#8211; what&#8217;s the link between conspiracy theories and information security?</h3>
<p><strong>A blog in honour of the victims of 9/11.</strong></p>
<p>It&#8217;s 1:35 AM, and I have just finished watching 3 episodes of Californication, then watched a <a href="http://www.bbc.co.uk/news/magazine-14665953">BBC special</a> on the never-ending conspiracy theories about 9/11. I feel I must write, so I do.</p>
<p>Earlier yesterday my beautiful and intelligent 12-year-old daughter told me she had learned about the attack in school. She described the story to me as we all heard it. &#8220;Oh, how little she knows; how little she knows that in the eyes of so many people she is nothing but a fool,&#8221; I thought to myself as I looked sadly over the headlines of all the world&#8217;s leading newspapers of 12/11, the day after, that I found on some website.</p>
<p>For so many people my reality is just a fake. For them 9/11 was nothing more than a carefully planned conspiracy; for them, everything you heard was a lie. For them, it&#8217;s all about the perfect plan. After watching the BBC program I can only say that the virtual reality those people live in reminded me why information security fails so many times.</p>
<p>What strikes me so clearly is that obviously none of the people who believe in the conspiracy theories have ever been involved in information security.</p>
<p>Why? Because there is no such thing as a perfect plan.</p>
<p>Let&#8217;s start with keeping the whole plot secret. I have been involved in many projects throughout my career. IF there were such a thing as a planned 9/11, and if the plotters had been forced to implement any discipline of information security, then the size of such a project would have been SO huge that the chance of no information leaking out is simply unrealistic. We are talking about an event that requires so much secrecy that predicting 100% success in keeping such a secret within a very large group of people is simply not realistic. There is no way such a secret would have held for so long, and the sudden death of a large group of people who supported such an operation, in order to silence everyone, is simply unrealistic in our days, when information is so fluid. It was just another reminder that my reality has nothing to do with the way other human beings perceive the world. Sure, we could probably agree that the earth turns around the sun, but other than that I&#8217;m pretty sure we don&#8217;t really have a lot in common with people who claim that 9/11 was a master plan.</p>
<p>What else can we learn from 9/11? That there is no perfect plan &#8211; neither for the attackers (United 93, which failed to reach Congress or the White House) nor for the way the USA had constructed its aviation security. Still, for many people this is all a fake. After many years in the field of information security I can testify that I saw more events in which the organization I worked for chose to take the easier path and ignore security concerns than I would have wanted to see. Way, way too many events. Why? Because we are only human and because most of us don&#8217;t really understand what it means. &#8220;The organization had failed to identify the threats&#8221;, &#8220;there was a lack of awareness&#8221;, &#8220;security controls did not function when they were required to&#8221; – it was true of 9/11, but I’ve also heard it all before so many times in my line of work. Why do we believe what we believe, why do we perceive what we perceive, why do we do the things we do – those questions are many times disregarded by organizations that do not understand that our own perception sometimes constitutes our biggest risk.</p>
<p>I am sending my condolences to the families of the victims who died on 9/11, and to everyone in the United States of America who will mourn today.</p>
<p>May love be forever in your hearts</p>
<p>Uri Biber</p>
<p>Brussels, Belgium</p>
<p>© All rights reserved, 2011</p>
]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2011/09/11/remembering-911/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>
	</item>
		<item>
		<title>Cleaning Up</title>
		<link>http://infoseq.wordpress.com/2011/07/22/cleaning-up/</link>
		<comments>http://infoseq.wordpress.com/2011/07/22/cleaning-up/#comments</comments>
		<pubDate>Fri, 22 Jul 2011 08:47:54 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=147</guid>
		<description><![CDATA[Cleaning Up Behind the Scenes of "Killing Social Engineering" By Uri Biber Part 1 – Who the @#$% is Uri? July, 2011 When I posted the opening part of my new presentation on human manipulation I was well aware that my views on the subject would be accepted by some with the same enthusiasm a [...] ]]></description>
			<content:encoded><![CDATA[<h1><strong>Cleaning Up</strong></h1>
<pre>Behind the Scenes of "Killing Social Engineering"</pre>
<p><strong>By Uri Biber</strong></p>
<h2><strong><em>Part 1 – Who the @#$% is Uri?</em></strong></h2>
<p>July, 2011</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/07/22/cleaning-up/"><img src="http://img.youtube.com/vi/OpUHbHGDoRo/2.jpg" alt="" /></a></span>
<p>When <a href="../2011/07/09/killing-social-engineering/">I posted</a> the opening part of my new presentation on human manipulation I was well aware that my views on the subject would be accepted by some with the same enthusiasm with which a southern Christian community would welcome an Afro-American gay couple with an adopted white child, or the way an Israeli settler would be welcomed in a Palestinian refugee camp.</p>
<p>For those who tried to figure out who the @#$% this Uri is who claims social engineering must be killed, the search usually turned up very few references to support those claims, and so I totally understood the people who questioned my views. After all, I&#8217;m not making my living as a pen-tester (penetration tester), I was never involved in the community of pen-testers, and to some of the people who work in the field, seeing a post entitled “killing social engineering” that called on them to re-think the whole methodology they base their work upon seemed like an insult.</p>
<p>“<a href="http://en.wikipedia.org/wiki/May_you_live_in_interesting_times">May you live in interesting times</a>” is a Chinese proverb that was once translated in the west as a curse. I, however, believe that it is up to us to decide what to do with whatever we experience in life. Everything has a purpose, we all have a purpose – and so does this post. If you&#8217;re searching for part two of my new presentation I&#8217;m afraid you will not find it here. This post is here to tell my personal story, a story that will allow those of you who choose to read it another insight into who I am.</p>
<p>I am dedicating this post to my friends who always told me that I must write a book about all the things that happened to me. Thank you for being there for me, I forever cherish your wisdom, your friendship, your support and love.</p>
<p>It&#8217;s time to start.</p>
<h2><strong><em>Part 2 – Tragedy</em></strong></h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/07/22/cleaning-up/"><img src="http://img.youtube.com/vi/7tmkycxkCVQ/2.jpg" alt="" /></a></span>
<p>I begin after the middle. In 2001 my wife and I were blessed with the birth of our youngest son. Like his older sister and brother he is a beautiful, smiling, loving child – with one distinguishing fact – he has autism.</p>
<p>Autism is defined (today) by science as a neurological disorder, which means his brain is wired differently from most of ours. When we received our son&#8217;s diagnosis at the end of 2004 we were told that he was suffering from severe autism, that he would never be able to communicate with us, and that the sooner we accepted that fact the better off we would be.</p>
<p>I refused to accept that, and sought to find solutions via science. That led to endless hours of research on the subject, and as I did so a sad truth emerged: the scientists who were investigating autism had no clue what causes it; they didn&#8217;t know how to treat it, nor how to cure it. Our beautiful son was locked within his own world, and everything we tried to teach him failed. There was no key to open the gate of his castle of awareness (or so we thought), the Belgian education system was light years away from implementing even the conventional treatment methods that were used elsewhere in the world, and the future seemed hopeless.</p>
<p>The statistics for families who have an autistic child are harsh – most couples get divorced. In our own universe the autism of our son came after losing our second child in the 8<sup>th</sup> month of pregnancy, then seeing our daughter (our third child) dying in front of our eyes after her birth. It wasn&#8217;t the autism that “destroyed” our marriage &#8211; it was just the last straw. In 2007 my ex-wife and I separated, and in 2008 we became officially divorced.</p>
<p><strong><em>AND welcome back everybody!</em></strong></p>
<p>To those of you who think “WTF does this have to do with human manipulation?”, please consider the part you just read as an introduction to the next chapters.</p>
<p>As a side note, I do talk more about my son in my presentation, explaining how we eventually managed to communicate with him and what lessons it brought me in understanding human manipulation.</p>
<p>OK, time to continue.</p>
<h2><strong><em>Part 3 – I am your lover!!!</em></strong></h2>
<p><img class="alignnone" title="Pepe Le Pew" src="http://upload.wikimedia.org/wikipedia/en/d/d9/Pepe_Le_Pew.jpg" alt="" width="214" height="235" /></p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/07/22/cleaning-up/"><img src="http://img.youtube.com/vi/0wkzH3Upp9c/2.jpg" alt="" /></a></span>
<p>My marriage breakdown felt like the scene from the movie “<a href="http://www.imdb.com/title/tt0032138/">The Wizard of Oz</a>” in which Dorothy&#8217;s house was thrown out of one world into another. After a 17-year relationship with the first woman I&#8217;d ever dated, to whom I stayed loyal throughout that period, I had no clue whatsoever where I was. Communicating online with other people was never a problem for me (after all, I&#8217;ve been doing it since I was a teenager) and charming women was easy. However, when it came to real life the thought of initiating a conversation with a woman scared the shit out of me, as I had no clue how to do it. I started to go out regularly because for me music, and especially dance, were always a way of expressing my feelings, and I had a lot of them that needed to be expressed at that time. I used to go alone, sit in a bar or a club, and listen to music, sometimes dance, but not really with the intention of initiating anything with the ladies who were around me. To my surprise it seemed that ignoring women actually attracted some of them. Looking back I realize that women sense the focus of attention men have even when men try to hide it, and as I wasn&#8217;t really interested in them it seemed to make me more attractive. This attractiveness ranged from women who initiated conversation with me, via women who offered me free drinks, to occasional one-night stands which made me wish to escape as soon as the intercourse had ended. As I felt I had a lot of catching up to do in that area I became highly interested in the seduction scene, and I started to read, listen and practice various techniques of pickup artists like Ross Jeffries and Mystery. Even though the method they used worked perfectly for them, I had the sense that pickup artists had developed an arsenal of seduction magic tricks to overcome their own shyness, and that those methods would never bring me a deep, trustful relationship, the kind I craved.
At the end of the day it all boiled down to approaching a woman in a way that would not frighten her, then charming her, intriguing/amazing her, adding sexual content, and that&#8217;s it. Sure it worked, even for me when I tried it, but I felt no happiness in having women tell me at the end of the evening “I don&#8217;t know how you did it, I never sleep with someone on the first date”. I felt a need to understand more, and so I started to learn NLP via the writings of G&amp;B (John Grinder and Richard Bandler) &#8211; or, as Bandler would insist on correcting me, B&amp;G. To those of you who never heard those names &#8211; B&amp;G were the odd couple of the alternative psychological world of the 1970s, with personalities as different from each other as can be, yet their research provided us an alternative view of the importance of spoken language as a tool to alter people&#8217;s perception and conscious state.</p>
<p>I remember the endless conversations between people who were playing <a href="http://www.amazon.com/Game-Penetrating-Secret-Society-Artists/dp/0060554738">the game</a>, talking about the complex sentences they built that made women sexually attracted to them, and I know many people still believe in NLP, while others <a href="http://en.wikipedia.org/wiki/Neuro-linguistic_programming#Criticism_and_controversy">do not</a>. What I saw in real life was that words alone never defined the success – it was the combination of the words <strong>and</strong> the way they were expressed. The music was as important as the words, most of the time much more important.</p>
<h2><strong><em>Part 4 – look deeeep into my eyes</em></strong></h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/07/22/cleaning-up/"><img src="http://img.youtube.com/vi/2Xa4daWRb4g/2.jpg" alt="" /></a></span>
<p>One day I was chatting with a woman who told me she worked as a hypnotherapist. “Wow” I thought to myself, “Total mind control – I really should learn that shit!”</p>
<p>At first I hoped that via hypnosis I might be able to find a way to bypass my youngest son&#8217;s autism, and if you combine that with the illusion I had that learning hypnosis would make any woman I met do anything I wanted, you can understand why I was so motivated. Luckily for me I was in between jobs so time was not an issue, and after a month of studying every day from the moment I woke up till midnight I felt I was ready to practice. I first tried to hypnotize my youngest son but he was totally unimpressed with my hypnotic commands (which makes sense now that I know more about the way hypnosis works and the neurological nature of autism). I was however able to hypnotize my daughter in a snap, and via her I learned a lot about the nature of hypnosis. In a hypnotic state I was able to make her ignore pain, remember her second birthday in vivid detail and even go back into a hypnotic state after being shown an ice-cream (one of her favorite things at that time) – only to see her waking up after a brief second with a big smile, asking to eat the ice-cream. You cannot command a person under hypnosis to do a thing that will contradict an inner belief unless you have managed to alter that belief (which is much harder than people think after watching the Manchurian prisoner movie).</p>
<p>After my kids I moved on to adults, and I started to hypnotize people whom I knew and who asked me to help them overcome something that was bothering them. Even though the hypnotic sessions I conducted lasted about 3 hours, it usually took about 15 seconds to make a person go into that state (bringing a willing person into a state of deep hypnosis was much faster than most people can imagine, if you knew how to do it). While I rarely practice hypnosis anymore, I strongly believe that under a caring, loving hypnotist hypnosis can succeed where prescribed medication or psychotherapy cannot. Practicing hypnosis was an amazing experience for me: I saw a woman with a skin allergy who under hypnosis traced the cause of it to an event that occurred to her in a previous life, in the 19<sup>th</sup> century. I saw a woman who lived a tormented life of drugs, prostitution and partner abuse who under hypnosis was able to trace the root of her problem but was unable to let go of it no matter what I tried, and who at some point in the session, when I asked her to do something, told me “I cannot do it because <strong>she</strong> does not let me”. The “she” turned out to be what she believed was a second personality that came into being after childhood sexual abuse. Till today the memory of speaking with that “other personality” sends a shiver down my spine; it felt like talking to the possessed person from the movie &#8220;<a title="The_Exorcist" href="http://en.wikipedia.org/wiki/The_Exorcist_%28film%29">The Exorcist</a>&#8221;. Each and every one of those sessions was as exhausting to me, physically and emotionally, as it would have been to anyone who ever tried to help a good friend in real crisis, but it was well worth it.</p>
<p>Before I move on to the next chapter, I wish to make three personal observations on hypnosis:</p>
<ol start="1">
<li>The one common thing that occurred in practically all of my hypnotic sessions – from my daughter to adults &#8211; was the amazed look in the eyes of everyone who came up from the hypnotic state. It taught me an important lesson on how blind we are to the complex subconscious ocean we all have.</li>
<li>Hypnosis is a wonderful, powerful tool that can be a lethal weapon if practiced by people who do not know what they are doing. Many professionals who work in the field tend to use written scripts to try to treat different problems, and this is one of the reasons for the bad reputation hypnosis seems to have. If a person under hypnosis was unable to change what they wanted to change in their lives it is mainly because each and every session should be considered unique – some of the professionals do not understand that, and by doing so they not only bring a bad reputation to hypnosis, they can also cause damage.</li>
<li>I hope that in the future it will be much more common than it is today to see a hypnotherapist. However, I think that this field should be revised, because the main element of a good hypnotic session is the compassion of the hypnotherapist. A non-compassionate person can only cause more damage, and should not be allowed to practice it.</li>
</ol>
<h2><strong><em>Part 5 – Burn baby, (re)burn.</em></strong></h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/07/22/cleaning-up/"><img src="http://img.youtube.com/vi/-opY4qcidFk/2.jpg" alt="" /></a></span>
<p>At the beginning of 2009 I was so happy – I had a new job, I was about to turn 40, my employer had offered me a permanent contract – everything was going the way I wanted. Then out of the blue one of my closest friends died after a stroke, and that trauma, combined with a very unhealthy lifestyle that included extremely long working hours at the office and a unique diet based on eating a huge package of Belgian waffles every day, totally unbalanced me. At the end of 2009 I had to take 3 months to recover from a <a href="http://en.wikipedia.org/wiki/Burnout_%28psychology%29">burnout</a>.</p>
<p>What does burnout feel like? I love to describe it via the opening scene of one of Hollywood&#8217;s finest movies &#8211; “<a href="http://en.wikipedia.org/wiki/The_Sound_of_Music_%28film%29">The Sound of Music</a>” (God I love musicals).</p>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/07/22/cleaning-up/"><img src="http://img.youtube.com/vi/4cDFMOAsI0s/2.jpg" alt="" /></a></span>
<p>Most of you probably know the beginning of the movie. A prelude by Rodgers and Hammerstein &#8211; a beautiful landscape – a beautiful meadow, a clear blue sky with summer clouds passing gently. Picture the lakes, the mountains with icy peaks, the soft music, and the everlasting tranquility. Now try to imagine that you have just transported everything you see to the planet Mars. Now replay the same camera travel, but with no music, no atmosphere, no life – only rocks and stones, sometimes surrounded by ruthless winds and horrible temperatures. Burnout felt to me like an emotional desert.</p>
<p>Yet even a state of emotional desert brings its opportunities. For me that state allowed me to work on myself. I used to wake up in the morning and spend the whole day until evening thinking, and thinking, and thinking. Thinking about my feelings, and about why I feel how I feel. Under burnout our perception changes, and it allows us – if we practice it correctly – to reach the root causes of many of our beliefs. It brought me a new understanding of why I was reacting to life the way I was, it provided me new insights into the way I experience life, and it opened for me the window to the next chapter of my life.</p>
<h2><strong><em>Part 6 – Wired for life.</em></strong></h2>
<p>In January 2010 I returned to work with a new insight into myself. During the burnout I was trying to understand its causes, and the more I read the more I realized that my neurology played a dominant role in it. Due to my son&#8217;s autism and to the fact I was diagnosed with ADHD at the end of 2007 I was already exposed to a lot of neurological jargon; however, as scientists were unable to identify the neurological causes of autism, and as the ADHD label is still <a href="http://en.wikipedia.org/wiki/Attention-deficit_hyperactivity_disorder_controversies">highly controversial</a>, I had never invested a lot of time learning about the subject, which seemed to me way too technical.</p>
<p>In 2010 I decided that I must know more on the subject. I started to read and learn as much as I could, and the more I learned the more I realized how much the field of neurology had developed in the last years. In September 2010 I attended as a participant <a href="http://www.brucon.org/">Brucon</a> &#8211; the Belgian hackers&#8217; conference, and there I met the security officer of the Dutch high-speed academic internet. After talking to him between sessions he asked if I was interested in giving a presentation about social engineering at their February 2011 event, and as the subject had nothing to do with my daily work I said I believed I could, and asked my employer&#8217;s permission. At the end of 2010 I was coming home from work to study neurology every day for 5-6 hours, and that led to the presentation I previously posted. While I felt it was a personal achievement to be the first person in the information security world to suggest that human manipulation should be measured via the neurological impact of its different elements, I felt I didn&#8217;t reach my target audience – the information security experts. There were many reasons for that, starting with the fact that I had compressed a subject that could fill a week-long seminar into half an hour, via the fact that many people who attended the session had no background in neurology, and ending with the fact that almost no one realized the drastic change in methodology I was suggesting. But even with all those flaws, when I listened to the next speaker at the conference, who was teaching social engineering at a university, I realized that the current studies on human manipulation being conducted in the framework of information security had to be revised. While students were given a period of time to prepare before approaching a person prior to his/her manipulation, they had no way to quantify their efforts in an objective way.
I felt that until we have an objective, scientific way of measuring human elements we will not be able to have repeatability of success, neither in manipulation nor in prevention.</p>
<h2><strong><em>Part 7 – What&#8217;s g*d got to do with it?</em></strong></h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/07/22/cleaning-up/"><img src="http://img.youtube.com/vi/YqWkFF-TbMU/2.jpg" alt="" /></a></span>
<p>One of the main reasons information security experts fail again and again to create an awareness program with long-term effectiveness is that awareness programs can never “overwrite” a person&#8217;s set of beliefs – and the minute a perpetrator is aware of that set of beliefs, all he/she has to do to overcome the rules organizations and societies try to put in place is use the beliefs of the individual(s) as leverage.</p>
<p>This caused me to think about the role of faith in information security. Most of the population on this planet believes in god and most scientists view this belief as a sign of ignorance. It seems there is a constant struggle between the two, and the more I thought about it, the more I realized that in order to protect the majority of the population from being manipulated via their set of beliefs I must try to understand this thing called “god”.</p>
<p>But what is god? I never “felt” god! Sure, I learned about the almighty in school, but I sort of developed my own interpretation of it. How can I address what I do not understand?</p>
<p>One day before I gave my presentation I sat down, went through the processes I was now aware of running in my brain, and started to shut them down. Suddenly I felt I wasn&#8217;t thinking of anything anymore, and then I felt what I cannot describe in words. It was like flying through a universe composed of endless galaxies, experiencing the beauty of creation as engraved in my own personal brain. I felt for the first time in my life the presence of god within me, just by letting go. Sensing the presence of god was the difference between knowing that we have 100 billion neurons in our brain vs. actually being able to sense them.</p>
<p>That experience led me to a profound understanding: if this is what people who believe in god sense, or even a glimpse of it, then anything we try to teach them about security is worthless if a person can utilize that set of beliefs. It made me understand that we must look for a new path to approach people, and that we cannot simply assume that whatever we teach them will be effective. I’ve realized we had to start from scratch, give people the understanding that the goal of science is to help them connect to their own private, personal experience of life &#8211; regardless of what it is, and to do so we must first accept everyone as they are.</p>
<p>To be honest, at that point in time I neither had the time to go into that in my presentation, nor did I feel ready to go into what seemed to be a definite battle with those of us who see the concept of spirituality through the eyes of the current scientific belief.</p>
<h2><strong><em>Part 8 – a new beginning</em></strong></h2>
<span style="text-align:center; display: block;"><a href="http://infoseq.wordpress.com/2011/07/22/cleaning-up/"><img src="http://img.youtube.com/vi/MVXEiYyZKcY/2.jpg" alt="" /></a></span>
<p>After I gave my original presentation I was asked by many people what the next step was, and to be honest I was not sure. I had many ideas on how to progress, but I also had professional obligations that I felt must be completed. One thing however became clear to me – if I wished to move forward I had to be honest with myself about myself, and the inner voice within me was something I had learned I should not ignore, or else the result would be an unbalanced state.</p>
<p>In the last few years I&#8217;ve experienced manipulating others, I&#8217;ve experienced being manipulated by others, and while today I&#8217;m extremely aware of what others think or feel even when they try to hide it, I no longer have any need to use that knowledge. Manipulation is a double-edged sword – you can only be untrue to others by being untrue to yourself, and at the end of the day you become as manipulated as the person you try to manipulate. This is why I am no longer working for my previous employer, and I feel it was the right thing to do. I&#8217;ve realized I wish to be who I am, and I think it was a mutual understanding between me and my previous employer that we do not see the world through the same personal and professional perspective. I&#8217;ve always said that <strong><em>the way we leave is the way we live</em></strong>, and thus I&#8217;ve closed that professional chapter of my life with feelings of love, gratitude and understanding.</p>
<p>And that brings me to the reason I published the introduction of my new presentation &#8211; I&#8217;ve realized through studying the brain that we are all neurologically unique, and that this <a title="Neurodiversity" href="http://en.wikipedia.org/wiki/Neurodiversity">neurodiversity</a> should be celebrated and not viewed as a problem, a defect, a fault. Our brain is a miracle, and the future of humanity and the planet depends on accepting all of us as we are.</p>
<p>So this is it &#8211; I close this extremely long chapter in my life, one that started with what seemed to be a tragedy and ended up with a higher understanding of life. <a href="http://en.wikipedia.org/wiki/Alan_Watts">Alan Watts</a> once said that there is no past and no future, only endless moments of “now”, and if you stayed until now I wish to personally thank you for being here for so many nows. Gandhi once said “<em>The World is big enough for everyone&#8217;s needs – but it is too small for the greed of one man</em>”, and I believe our goal in life is to find the way to live a better now by simply being who we really are, being part of the unity of this wonderful universe.</p>
<p><strong>Namaste</strong></p>
<p>Uri</p>
<p>(C) All rights reserved.</p>
]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2011/07/22/cleaning-up/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>

		<media:content url="http://upload.wikimedia.org/wikipedia/en/d/d9/Pepe_Le_Pew.jpg" medium="image">
			<media:title type="html">Pepe Le Pew</media:title>
		</media:content>
	</item>
		<item>
		<title>Killing Social Engineering</title>
		<link>http://infoseq.wordpress.com/2011/07/09/killing-social-engineering/</link>
		<comments>http://infoseq.wordpress.com/2011/07/09/killing-social-engineering/#comments</comments>
		<pubDate>Sat, 09 Jul 2011 05:00:58 +0000</pubDate>
		<dc:creator>Uri Biber</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://infoseq.wordpress.com/?p=128</guid>
		<description><![CDATA[Killing Social Engineering Part of a presentation I recently wrote for a security event. Uri Biber I&#8217;ve been professionally involved in information security since 1987, while starting hacking a few years before. I&#8217;ve witnessed information security become more and more sophisticated and advanced for both attackers and defenders. However, when it comes to what is [...]]]></description>
			<content:encoded><![CDATA[<h1><strong>Killing Social Engineering</strong></h1>
<h2>Part of a presentation I recently wrote for a security event.</h2>
<p><strong>Uri Biber<br />
</strong></p>
<p>I&#8217;ve been professionally involved in information security since 1987, having started hacking a few years before that. I&#8217;ve witnessed information security become more and more sophisticated and advanced for both attackers and defenders. However, when it comes to what is known by information security experts as &#8220;social engineering&#8221; &#8211; or, as I prefer to call it &#8211; human manipulation &#8211; it seems that little progress has been made in that field.</p>
<p>After years of trying to understand how people can be influenced, prompted by my youngest son&#8217;s autism, which prevented him from being able to communicate with us, I have spent the last year investigating the connection between neurology, human manipulation and information security. I&#8217;ve discovered a fascinating world, and the more I&#8217;ve learned the more I felt that it&#8217;s time to kill social engineering as we know it.</p>
<p>It&#8217;s time to grow up, it&#8217;s time to approach the field via a scientific method.</p>
<p><em><a href="http://en.wikipedia.org/wiki/Scientific_method"><strong>Scientific method</strong> </a>refers to a body of <a title="Scientific technique" href="http://en.wikipedia.org/wiki/Scientific_technique" target="_blank">techniques</a> for investigating <a title="Phenomenon" href="http://en.wikipedia.org/wiki/Phenomenon" target="_blank">phenomena</a>, acquiring new <a title="Knowledge" href="http://en.wikipedia.org/wiki/Knowledge" target="_blank">knowledge</a>, or correcting and integrating previous knowledge.<sup><a href="http://en.wikipedia.org/wiki/Scientific_method#cite_note-Goldhaber_2010_page.3D940-0" target="_blank">[1]</a></sup> To be termed scientific, a method of inquiry must be based on gathering <a title="Empirical" href="http://en.wikipedia.org/wiki/Empirical" target="_blank">empirical</a> and <a title="Measurement" href="http://en.wikipedia.org/wiki/Measurement" target="_blank">measurable</a> evidence subject to specific principles of reasoning</em></p>
<p><em>(wikipedia)</em></p>
<p><img class="alignnone" src="http://upload.wikimedia.org/wikipedia/commons/3/3c/The_Scientific_Method.png" alt="" width="264" height="574" /></p>
<p>Today the people known as experts in the field of social engineering use intuition, methods, practices, and sometimes technology to enhance their skills. But, at the end of the day, they will all admit that their success rates vary from one situation to another. If you ask for scientific reasons for their success or failure they will provide answers originating in psychological explanations; sometimes they will talk about micro facial expressions and body language reading, but none of them seems to focus on the root of everything &#8211; our human neurology.</p>
<p>This is also why all the information security awareness training I&#8217;ve seen (and sometimes wrote) was unscientific &#8211; the approach to the subject was based on endless assumptions; many of them were false and led to negative results. None of the social engineering training I saw was driven by a factual scientific reason as to why we are all susceptible to manipulation.</p>
<p>In the last 20 years humanity has discovered more about how our brain works than in the last 2000 years, yet when it comes to information security we seem to disregard that progress. Why is it that when we go to a hackers&#8217; conference we see presentations by people who go down to the core elements of the system they are hacking, but when it comes to human manipulation no one provides explanations of the issue through the perspective of human neurology?</p>
<p>In my presentation I will show how developments in science require us to move away from old paradigms and how technological changes require us to abandon &#8220;social engineering&#8221; and start talking about human manipulation as a neurological phenomenon. All of us have embedded technology in our daily lives; even in Afghanistan people are connected to the Internet. The future of humanity is tied to our ability to provide current and future generations with an understanding of both why they can be manipulated and how technology plays an important role in it. I consider us, information security experts, as educators. We have two choices &#8211; we can either help humanity reach a bright future or act like bystanders who watch a person destroying himself/herself without assisting him/her. Wayne Dyer, a famous American psychologist, says that responsibility is to respond with ability. It is our responsibility to make a change. Let&#8217;s not waste this wonderful, rare moment of time. Let&#8217;s begin&#8230; NOW</p>
<div>
<p> <img class="alignnone" src="http://upload.wikimedia.org/wikipedia/commons/b/ba/V12p191001_Tombstones.jpg?uselang=en-gb" alt="" width="333" height="459" /></p>
<p><em>(R.I.P. Social Engineering)</em></p>
<p><strong><span style="font-size:medium;">(C) All rights reserved 2011.</span></strong></p>
<h2>Update – 13<sup>th</sup> of July, 2011.</h2>
<p>Due to popular demand I&#8217;m adding a link to the first presentation I gave on the subject back in February. Please be advised that the current presentation has been totally re-written from scratch, but for the sake of transparency I wish to include it as a reference.</p>
<p>So here you go, &#8220;<a href="http://surf-academy.nl/media/surfcert_surfibo_congres/Uri%20Biber-social%20engineering%20in%20the%2021st%20century%20-%20final_version.pdf">social engineering in the 21st century</a>&#8221;, as given to distinguished members of the Dutch academic and research institute organizations.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://infoseq.wordpress.com/2011/07/09/killing-social-engineering/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a022bc8bde2e29f249a1f9d4a12b5cd6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">infoseq</media:title>
		</media:content>

		<media:content url="http://upload.wikimedia.org/wikipedia/commons/3/3c/The_Scientific_Method.png" medium="image" />

		<media:content url="http://upload.wikimedia.org/wikipedia/commons/b/ba/V12p191001_Tombstones.jpg?uselang=en-gb" medium="image" />
	</item>
	</channel>
</rss>
