Sunday, September 28, 2008

Data on the Markets

I've been interested in the markets for some time, but only recently have I begun reading in earnest about methods for selecting investing ideas. One of the books I got was JJ Cramer's Real Money. Overall, I found it a great book: extremely enjoyable and pragmatic. Of particular interest was a graph on page 115 showing annual GDP growth. The purpose of the graph is to demonstrate the cyclical nature of established economies.

In a nutshell, GDP growth as a percentage is an indicator of which phase our economy is in: waxing, waning, etc. In Cramer's graph, a sine wave is shown oscillating between 4-5% and -1%. At different phases of the economy, different sectors come in and out of favor. As an example, as we move from -1% to 5% (coming out of a recession), paper and chemicals come into favor as medicine and supermarkets go out of favor. On the reverse side we sell the chemicals and paper and pick up those staple stocks again.
Pretty simple: we should all have a picture of this on the wall and use it as a base mid-risk strategy for a portion of our portfolio. So let's get started... where are we on the graph?

The first thing is to find some data. After poking around the Internet for a while I came across http://www.bea.gov/national/index.htm. From there I was able to get some data into Excel and graph annual GDP in chained 2000 dollars. Being a bit naive, I eagerly anticipated my nice sine wave with a little marker for "You are Here".

Instead, I got the following:


Eh, crap. So the next step is to take the baskets of stocks that should represent the correct cycles and map them against this curve. Hopefully it'll smooth things out, but that's an exercise for another day.

On the plus side, I think this was worth doing, and something I'll continue to do. Without looking for myself, I might have been tempted to believe things were a lot simpler, and because of that, be a lot more willing to accept someone's statement that "we're on the up side of the curve".

Now a reasonable and informed response will be, "Really? Why do you think that?"



Tuesday, September 23, 2008

Information in Modern Enterprises

It was late. A long day of talking and thinking and meeting had brought us to a nearly empty airport terminal with nothing much to do for a couple of hours before our flight. A coworker of mine and I started talking about the day, which led to the company, which led to our position in the world as GRC pundits and thought leaders.

We debated GRC a bit. What is it exactly? We debated our current offerings a bit. Are they still relevant, and why do companies keep failing at the same things over and over? Eventually we came to the core question. What is the purpose of security in the modern enterprise? Why should anyone care about security at all?

The discussion ended up sparking the following:

Q: What is the core currency of security as we refer to it? What is the key asset that we are concerned with?

Information. We are concerned with all elements or systems that create, process, transmit, store, or consume information. We also understand that not all information is equally valuable.

Q: What are the key criteria for determining the value of information?

Actionable. Can the information directly lead to decisions or actions? The closer the information is to readily triggering an action, the more valuable. There may also be a concept of potential here. Particular bits of information may be unprocessed, and like ore turns to metals turns to tools, you may consider some unprocessed information more valuable based on its potential to drive decisions or actions.

Accurate. How well does the information you have represent the system you are making decisions about? We can also refer to this as internal or external integrity, depending on whether or not the information concerns a system outside of your own.

Timely. How close is the information being consumed relative to the time it would take to make a decision and execute? Answering this question will likely create one or more windows or ranges that represent varying value. If the information is about a decision in the distant future, it may be nearly useless. If it comes so close to an event that you can take no action, it is equally useless. Interestingly, nearly all information about events in the past contains some value if it can be trended and correlated with events and outcomes.

Proprietary. How widely known is the information? The value that comes from information being proprietary is derived from the advantage any possible decisions or actions can have over other actors. Even if the information is completely exclusive, if it provides no advantage it is of limited value.

Q: How do these attributes relate to work that needs to be done?

The actions related to information (creation, processing, transmission, storage, and consumption) all impact one or more attributes. The systems used to perform these actions become the concern of information security specialists, specifically the work of identifying key criteria for the confidentiality, integrity, and availability of these systems.

Q: Is there a single framework or mapping that can overlay these concepts onto an organization?

Currently, no. In fact, there likely isn't going to be one in the future either. This is largely due to the specific requirements of individual organizations. Each business treats its information in a somewhat specialized manner. They perform unique operations on unique bits of data. Because of these differences, each organization will have different weights and tolerances for the attributes and systems related to its information.

Q: Can we at least begin to group enterprises together along commonalities?

Perhaps. The first attempt at this is listed below. The application to operations and practices is where work still needs to be done.
  • Corporations: Primarily concerned with the internal and external integrity of their information. Corporations will rely largely on internally generated information or public information. In order to manage and adhere to regulations they need to be sure information about themselves is accurate. In order to determine appropriate actions they need to be able to have an accurate view of the world in which they operate.
  • Intelligence Services: Sourcing seems to be a huge concern. While integrity is an issue, it seems to be most critical during the aggregation and correlation phases. Given the amount of information someone has to sift through to create a picture, which items they concentrate on and which they ignore is critical. Once an actionable work product is created, ensuring the proprietary nature of that work is key.
  • Government Agencies: Each one seems to have unique needs. However, all of them need to ensure compliance with regulations. Unfortunately, regulations are derived from policy or law, and as such suffer from the issues of applying a lowest common denominator to all groups, or a one-size-fits-all approach that does not create the maximum benefit for anyone.





Thursday, September 11, 2008

Of Pundits and Bandits; Justifying Consulting

I got a request from a friend recently who is working on her Master in Information Services. As part of one of their projects, she needs to analyze the pros and cons of outsourcing, insourcing, and of course, consulting. In trying to get to exactly what she was looking for, the core question seemed to be: are the fees that consultants charge worth it?

I hesitated. Not because I doubt for a second that the good ones are, but because of the complexity of the question. However, speaking specifically for the type of work I do, the argument goes something like this.

While security work is commonly considered highly specialized, there are a number of activities that can be done by someone internally: vulnerability scanning, running MBSA against a host, etc.

However, you still need someone who can interpret the results, prioritize them, level set them against business risks and goals, fit solutions into operations, and overall, be a trusted advisor in the process of keeping up your security posture.

Add to this the relationships in the modern enterprise between compliance requirements, security best practices, PII, governance, and IT efficiency, and well, things get complex.

We're still in scope for an in-house resource, but we're probably talking about someone who has a full-time job related to these tasks. If they're going to be in house, you may have a training program in place. If you do, a starting salary around 65-70K a year in metro areas is reasonable. If you don't, you're looking at 100K - 150K for an experienced person, or a bit less if you have significant work/life benefits. Figure the average employee costs the company 150% to 200% of salary including health, stock, insurance, etc.

Unfortunately, you might not have 40 hours of work queued up if you're a smaller organization. So, you're paying a lot for some part-time work. Even at $150 to $250 an hour, it may be more cost effective to hire a contractor for point engagements.

But what if you are a larger company? You do have in-house training. You have way more than 40 hours a week of work. Occasionally you may want to double check. Especially in security, occasional validation that you're as good as you think you are isn't just prudent, it's necessary. In these cases bringing a group in for point engagements is still a good idea.

In the end it's the trade-off between paying to keep an expert on staff versus renting an expert's time when you need it. Also keep in mind that security experts have a large body of knowledge that needs to be refreshed continuously. If you have someone work on the same problems continuously, their skills may need refreshing.

Thursday, August 7, 2008

Triage and Recovery in Enterprise Networks

It's not uncommon. You're called in to perform some level of penetration test within an enterprise, and before long, you're describing some level of significant compromise to the client. After the disbelief and shock you begin to dig into how this could be possible. The client assures you that their team is working hard. In fact, they're practically killing themselves securing the network.

What's the problem?

The time and effort of the organization is completely consumed by tactical activities focused on point problems and solutions. Is a system vulnerable? How can I tell? What should I do? What other systems are like this one? How can I tell these systems are also vulnerable?

Attacking the problem of enterprise security in this manner is time consuming and costly. Furthermore, it typically doesn't lead to improvements in the company's policies and procedures. Rather, the experience of the individuals can lead to a feeling that things are improving. Lessons learned are discussed with management. Tasks take less time to achieve. Unfortunately, the improvement is only incremental, and relative to ad-hoc systems. The environment is still focused on tactical problems, and the knowledge is tribal, held by the people. When they leave, the organization will have to teach another expert.

When this is overlaid on top of traditional trends in funding and attention paid to security departments, the situation becomes more untenable. When is the most attention paid to security? Immediately after an incident. The fire drill begins, fingers are pointed, and stress levels are high. Suddenly full buy-in from management comes with a substantial budget to fix the issues that are seen as most critical. As time passes from the original event, the point solutions that have sprung up are not maintained, or the rough edges from rapid integration are not smoothed out and fully adopted into the larger system.

The pressing nature of this immediate threat can lead to mistakes in how to address the larger issues. Widely scoped preventative measures are bypassed in favor of short term quick wins.

Everyone picks the low hanging fruit and nobody takes time to build a ladder.

The result is highly tasked people, large expenditures with minimal ROI related to overall security posture, ad-hoc operations, and tribal knowledge of the systems. Everyone agrees there are better ways to do things, and they'll get right on it if they have the time.

So what's to be done?

Organizations need to have the operational discipline to stay focused on security after the initial shock of the incident has worn off. Strategic initiatives should be investigated and run in parallel with tactical issues. Given a conflict, the strategic initiatives should take precedence. In turn, strategic projects must be run with clear goals, deadlines, and expectations communicated widely to the tactical teams. Of the two, strategic groups should be held more tightly to their advertised goals and timelines.

What are the steps to develop initiatives?

Many organizations may feel that they already are working on strategic initiatives. After all, we're installing a vulnerability scanner so we don't have to scan each system by hand anymore; isn't that strategic? Possibly, depending on the homework you've done.

  • Have you given your tactical teams the time, resources, and cover to perform root cause analysis?
  • Have you assigned a person or group to aggregate root cause findings and analyze them?
  • Has management performed a risk assessment for the business to understand which information and processes are critical to operations, and which are not?
  • Have you compared the risk analysis with the root cause findings to determine which items, if fixed or changed, would prevent the largest number of point issues while still supporting business processes?
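As an added illustration of that last step (example code, not part of the original post), here is a small Python script that joins a set of constructed root-cause findings to a constructed risk assessment and ranks candidate fixes by the risk-weighted number of point issues each would remove, while flagging any fix that would interrupt a business process the risk assessment says must keep running. Every system name, root cause, fix, criticality weight, and process in it is made up for the example; a finding whose root cause has not been worked out yet is included to show that the ranking can only cover what the tactical teams have actually analyzed.

```python
from collections import defaultdict

# Constructed sample data (not from the post): each finding is one tactical
# issue the team ran into, tagged with the system it was found on and the
# root cause the team assigned. F9 has no root cause yet (analysis pending).
FINDINGS = [
    {"id": "F1", "system": "billing-db",   "root_cause": "no-patch-process"},
    {"id": "F2", "system": "billing-db",   "root_cause": "shared-admin-creds"},
    {"id": "F3", "system": "web-portal",   "root_cause": "no-patch-process"},
    {"id": "F4", "system": "web-portal",   "root_cause": "default-config"},
    {"id": "F5", "system": "dev-wiki",     "root_cause": "no-patch-process"},
    {"id": "F6", "system": "dev-wiki",     "root_cause": "default-config"},
    {"id": "F7", "system": "hr-fileshare", "root_cause": "shared-admin-creds"},
    {"id": "F8", "system": "hr-fileshare", "root_cause": "flat-network"},
    {"id": "F9", "system": "web-portal",   "root_cause": None},
]

# Constructed risk assessment: management's criticality weight per system
# (higher means the system matters more to operations).
RISK = {"billing-db": 5, "web-portal": 4, "hr-fileshare": 3, "dev-wiki": 1}

# Constructed candidate strategic fixes: the root cause each one removes and
# the business processes it would interrupt if applied as proposed.
FIXES = {
    "monthly-patch-window":    {"root_cause": "no-patch-process",   "disrupts": set()},
    "per-admin-accounts":      {"root_cause": "shared-admin-creds", "disrupts": set()},
    "hardened-baseline-image": {"root_cause": "default-config",     "disrupts": set()},
    "segment-network-now":     {"root_cause": "flat-network",       "disrupts": {"invoicing"}},
}

# Processes the (constructed) risk assessment says must keep running.
REQUIRED_PROCESSES = {"invoicing", "payroll"}


def rank_fixes(findings, risk, fixes, required_processes):
    """Rank candidate fixes by the risk-weighted count of findings each
    would prevent. Fixes that interrupt a required business process stay in
    the list, flagged with supports_business=False, and sort last."""
    by_cause = defaultdict(list)
    for finding in findings:
        by_cause[finding["root_cause"]].append(finding)

    ranked = []
    for name, fix in fixes.items():
        prevented = by_cause.get(fix["root_cause"], [])
        score = sum(risk.get(f["system"], 0) for f in prevented)
        supports = not (fix["disrupts"] & required_processes)
        ranked.append({
            "fix": name,
            "root_cause": fix["root_cause"],
            "issues_prevented": [f["id"] for f in prevented],
            "risk_weighted_score": score,
            "supports_business": supports,
        })
    # Business-compatible fixes first, then highest weighted score, then the
    # raw number of point issues removed as a tie-breaker.
    ranked.sort(
        key=lambda r: (r["supports_business"], r["risk_weighted_score"],
                       len(r["issues_prevented"])),
        reverse=True,
    )
    return ranked


def uncovered_findings(findings, fixes):
    """Findings whose root cause is unknown or has no candidate fix. These are
    the gaps the aggregation step still owes the strategic team."""
    covered = {fix["root_cause"] for fix in fixes.values()}
    return [f["id"] for f in findings if f["root_cause"] not in covered]


if __name__ == "__main__":
    for row in rank_fixes(FINDINGS, RISK, FIXES, REQUIRED_PROCESSES):
        flag = "" if row["supports_business"] else "  [interrupts required process]"
        print(f'{row["fix"]:<24} score={row["risk_weighted_score"]:>2} '
              f'prevents={",".join(row["issues_prevented"])}{flag}')
    print("not yet covered by any fix:", uncovered_findings(FINDINGS, FIXES))
```

With the sample data the patch process comes out on top because it removes three findings, two of them on high-criticality systems, while the network segmentation proposal drops to the bottom despite being a real root cause, because as written it would break invoicing and needs rework before it counts as a strategic win.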


Wednesday, April 30, 2008

Pro Choice and National Security

For a moment, table the ethical, religious, and moral debates surrounding the pro-life / pro-choice question. For a moment, try to take a look at the issue as a pure legality, an event that is either lawful or not. If you can take a pause and do that, consider an oddity I've recently come across.

In the 1960's a handler by the name of Clarridge obtained and handed off abortion pills to a Polish trade official named Adamski. The motivation behind the Adamskis' choice was a forced repatriation back to Poland to have their child, something neither wanted to do. Because of the legalities involved, a handler was able to enlist a spy.

In the 1950's a GRU officer named Pyotr Popov was a walk-in (or perhaps a drop-in, as the contact was via a planted envelope) for the CIA. Though his motivations may have been complex, Frederick Hitz notes in "The Great Game" that Popov's immediate need was money for an abortion.

There are a great many cases of recruitment that do not involve such a charged topic. However, it seemed interesting that if one were so inclined, they could make the argument that legal, affordable abortion is a matter of national security.

Someone might stand up in Congress and say something like, "There is documented case evidence that this particular activity, above the current social stigma, if made illegal would provide leverage to the enemies of this State for the purpose of recruiting otherwise trusted citizens."

If you find that a reasonable statement, take pause. Conspiracy theories aside, the idea that something regarding life, religion, and choice could be rolled up into National Security conversations with a reasonable statement should cause you to look at other rhetoric.

What would be the true increase or decrease to national security if Roe v. Wade were overturned? How about any other arguments that are made working backwards from the method? And that's the key.

As long as you buy arguments formed cause -> method -> effect, therefore !method -> !effect, then you will by definition always be reactive and myopic. An attacking force will always look for the lowest-cost method to achieve its goals. There may have been many other ways for a determined attacker to achieve the same result.

This applies to everything from liquids on a plane, to having your phone calls recorded, to having your web surfing proxied by your company or your ISP. Just because the arguments given are reasonably phrased, ask yourself whether they are rational and proactive, or whether someone is trying to put together an argument based on limited data points that you shouldn't buy.

It's every citizen's responsibility to look at these arguments of security critically. Furthermore, it would be irresponsible and Machiavellian to allow a false argument to carry your cause to victory. How you win is just as important as winning itself. Why? Maybe tomorrow the argument you set a precedent for is used against you, rather than for you.

Friday, March 28, 2008

Google!


It's happened: I no longer have any ideas that haven't already been thought of by someone at Google. Want to select some text and SMS it to your phone because you just never seem to have a pen and paper around your desk? Don't bother learning how to code it up yourself, because you can already download it at http://www.google.com/tools/firefox/sendtophone/ Can't wait for my next project they've already thought of.

Saturday, March 22, 2008

Road Trips

Defcon: 36° 8'5.23"N; 115° 9'46.77"W; 1218110400

Having missed my local fill of shmoo, I'm setting my sights on Vegas in the summer to catch up with folks I rarely see outside of these things.