Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Could InfoSec be Worse than Death?

from [Paul Schmehl] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Could InfoSec be Worse than Death?
Date: Mon, 25 Sep 2006 23:08:42 -0500
--On September 25, 2006 3:14:12 PM -0400 "Kenneth F. Belva" <ken@ftusecurity.com> wrote: 

I understand your concern and it is perfectly valid. I would be skeptical
too initially. But I do not think it is a euphemism. It seems to me there
are real world examples of revenue generating assets based on information
security mechanisms.

iTunes, Unbox, Speedpass/Easypass/Paypass. Do these not create cash
flows? Could they create cash flows (or even exist) if the security
mechanisms (DRM/authentication) were not present?

The information security mechanisms are a necessary but not sufficient
condition to create these new assets. The loss prevention model shows how
this necessary condition breaks down and what we can do to stop the
breakdown. The virtual trust model says that once we have this necessary
condition, here are the things we may do with it. The focus is different.

Please keep in mind, I'm not trying to argue that you are wrong. I'm thinking out loud, if you will, trying to grasp the crux of your argument.

I agree that things such as iTunes (et. al.) create new flows of revenue. If they could be implemented without any security, however, I'm pretty certain they would be. Why would a business spend 3 cents more per widget if they didn't have to? The fact that e-commerce products are wrapped in security apparatus is an acknowledgement that without them the revenue stream could be compromised or stolen. But I don't see how that makes the security portion a revenue producer. Take iTunes, for example. What makes it a revenue producer is a product that is attractive to a significant number of people. The internet provides a mechanism for moving the product that facilitates sales. But the security merely protects the revenue stream, doesn't it?

Mind you, I understand that you are saying that without the security mechanisms only a fool would use that method of delivery, but certainly an iTunes could exist in other forms.

For example, the "old" way of renting movies was to walk or drive to the local store, pick the movies off the shelf, pay at the counter and return home to watch them. The internet version eliminates the walk or drive and provides a (perhaps) more convenient way of picking the movies, and the US Postal Service (in the case of America) delivers the movie to your door.

From a security standpoint, however, what has changed? In the former case
you have to pay for locks on the doors, an alarm system, a monitoring company, a theft prevention program and training for your employees. In the latter case you have to pay for an SSL certificate (the analog to locks), breakin prevention (the analog to alarms and monitoring) and other systems for maintaining and tracking inventory, etc.

ISTM the security aspects remain costs of doing business.

I am very well aware of the loss prevention model. It seems to me there
is an addition way to describe how security mechanisms function other
than loss prevention. The virtual trust perspective is coherent, logical
and accurately describes the world. It does not exclude the loss
prevention model but can incorporate loss prevention into it.

I'm not disagreeing with you on this. I think the virtual trust model might be a valid way to sell security to upper management. I just don't think they're going to be so enamored with the idea that they won't see that you've simply repackaged loss prevention and risk avoidance. They might be more convinced by the trust model, so it's certainly worth presenting it that way.

But you haven't yet convinced me that security actually generates revenue. It might *enable* otherwise unavailable sources of revenue. And there's no question that being able to sell something on the internet increases the potential customer base by orders of magnitude. So enabling those new sources of revenue is a good thing, and selling security that enables those sources is a good thing. Basically that's the argument you make in your paper. With that I agree.

Perhaps we're quibbling over terms. Enabler versus generator. To me the latter implies the actual creation of wealth, whereas the former implies opening up new avenues to wealth.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: p7su00jmDTLzL.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] USB Penetration, h0W@rD Sh33n
Next by Date:  [Full-disclosure] Ruxcon 2006, cfp
Previous by Thread:  Re: [Full-disclosure] Could InfoSec be Worse than Death?, Kenneth F. Belva
Next by Thread:  Re: [Full-disclosure] Could InfoSec be Worse than Death?, Pavel Kankovsky
Indexes:  [Date] [Thread] [Top] [All Lists]