The Brandeis GPS blog


Tag: risk

Technology Transformation for 2019

By Matthew Rosenquist

Digital technology continues to connect and enrich the lives of people all over the globe and is transforming the tools of everyday life, but there are risks accompanying the tremendous benefits. Entire markets are committed to and reliant on digital tools. The entertainment, communications, socialization, and many other sectors are heavily intertwined with digital services and devices that society is readily consuming and embracing. More importantly, the normal downstream model for information has transformed into a bi-directional channel, as individuals now represent a vast source of data, both in content and in telemetry. These and many other factors align to accelerate our adoption and mold our expectations of how technology can make a better world.

This year’s Activate Tech & Media’s Outlook 2019 presentation provides a tremendous depth of insights in their slide deck (153 slides) with a great amount of supporting data. It highlights many of the growth sectors and emerging use-cases that will have profound impacts on our daily lives.

Transforming Tech Intelligence

We are moving from the first epoch of digitally connecting people to the second epoch of making intelligent decisions through technology. Artificial Intelligence research is advancing, and with it the infrastructure necessary to make it scalable across a multitude of applications. Solutions are just beginning to emerge, yet they are already showing great promise in making sense of and using the massive amounts of data being generated.

Overall, devices and services continue to evolve with more awareness and functionality. We are on the ramp of adding ‘smart’ to everything. Smart: cars, cities, homes, currency, cameras, social media, advertising, online commerce, manufacturing, logistics, education, entertainment, government, weapons, etc. It will be the buzzword for 2019-2020.

Such transformation opens the door where tools can begin to anticipate and interweave with how people want to be helped. Better interaction, more services, and tailored use-cases will all fuel a richer experience and foster a deeper embrace into our lives. Technology will be indispensable.

Risks and Opportunities

Reliance in our everyday activities means we have the luxury of forgetting how to accomplish menial tasks. Who needs to remember phone numbers, read a map, operate a car, or know how to use a complex remote control? Soon, our technology will listen, guide, watch, autonomously operate, and anticipate our needs. Life will seem easier, but there will be exceptions.

All these smart use-cases will require massive data collection, aggregation, and processing which will drive a new computing infrastructure market. Such reliance, intimate knowledge, and automation will also create new risks.

The more we value and rely on something, the more indebted we are when it fails. We must never forget that technology is just a tool. It can be used for good or for malice. There will be threats, drawn to such value and opportunity, that will exploit our dependence and misuse these tools for their gain and to our detriment. At the point people are helpless without their intelligent devices, they become easy victims for attackers. As we have seen with data breaches over the past several years, when people are victimized, their outlook changes.

In this journey of innovation and usage, public sentiment is also changing across many different domains. The desire for Security, Privacy, and Safety (the hallmarks of Cybersecurity) continues to increase but may initially be in direct conflict with our desire to rapidly embrace new innovations. This creates tension. We all want new tech toys (it is okay to admit it)! Innovation can drive prosperity and more enjoyment in our lives. But there are trade-offs. Having a device listen to, record and analyze every word you say in your bedroom may be convenient for turning on the lights when you ask, but it may also inadvertently share all the personal activities going on without your knowledge. A smart car effortlessly transporting you to work while you nap or surf the internet sounds downright dreamy, but what if that same car is overtaken by a malicious attacker who wants to play out their Dukes of Hazzard fantasies? Not so much fun to think about.

In the end, we all want to embrace the wonderful benefits of new technology, but will demand the right levels of security, privacy, and safety.

Trust in Technology

Unfortunately, trust in digital technology is only now becoming truly important. In the past, if our primary computing device (PC or phone) crashed, we breathed a small curse, rebooted and went on our way. We might have a dropped call or lost part of a work document, but not much more harm than that. That is all changing.

In the future, we will heavily rely on technology for transportation, healthcare, and critical infrastructure services. That autonomous car we expect not to crash, the implanted pacemaker or defibrillator we expect to keep us alive, or the clean water and electricity we expect to flow unhindered to our homes may be at risk of failure, causing unacceptable impacts. We want tech, but very soon people will realize they also need security, privacy, and safety to go along with it.

But how will that work? We don’t typically think of trust in terms of high granularity. We naturally generalize for such abstract thoughts. We don’t contemplate how trustworthy a tire, bumper, or airbag is, as those are too piecemeal, rather we trust the manufacturer of the car to do what is right for all the components that make up the vehicle we purchase. We want the final product, tied to a brand, to be trustworthy. For those companies that we trust, we tend to believe, whether correct or not, in all their products and services. This reinforces tremendous loyalty. The reverse is true as well. One misstep can become a reputational blight affecting sentiment across all a company’s offerings.

The saying “We earn trust in drips and lose it in buckets” perfectly exemplifies the necessary level of commitment.

Trust may become the new differentiator for companies that can deliver secure and safe products in a timely fashion. Those who are not trustworthy may quickly fall out of favor with consumers. Privacy is the first of many problems. Consumers, government regulators, and businesses are struggling to find the balance that must be struck between gathering the data necessary for better experiences and not gathering so much that it becomes a detriment to the user. A difficult conundrum to overcome. Security and safety aspects will follow, where the potential risks grow even higher. The challenges are great, but so will be the rewards for all those who succeed. I believe those companies which master these disciplines will earn long-term loyalty from their customers and enjoy a premium for their products.

2019 might be the first year where we witness this delineation, as consumers may gravitate to more responsible companies and begin to shun those who have misplaced their trust. The big story for next year may in fact be how purchasing decisions for technology are changing, thus driving greater commitment to making products and services more secure, private, and safe.

Interested in more insights, rants, industry news and experiences? Follow me on Steemit and LinkedIn for insights and what is going on in cybersecurity.

Read the article as originally published here.

Matthew Rosenquist is a member of the Brandeis GPS Information Security Leadership advisory board. He is a Cybersecurity Strategist for Intel Corp and benefits from 28 years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.

Faces of GPS is an occasional series that profiles Brandeis University Graduate Professional Studies students, faculty and staff. Find more Faces of GPS stories here.

“Ask the Expert” Special Event Webinar


“Ask the Expert: Cyber Security” 

Led by Matthew Rosenquist, Cybersecurity Strategist and Evangelist at Intel Corporation

Wednesday, October 21st at 7pm via Adobe Connect

Matt’s areas of expertise include:
  • Security industry advocacy
  • Security strategy and planning
  • Security operations management
  • Platform security product/service development and sustaining operations
  • Emergency/Crisis response command, control, and communications
  • Security policy development, training, and compliance oversight
  • M&A information security strategy and management
  • Security product strategic planning
  • Technical and behavioral risk assessment and threat analysis
  • Determination of security business value and ROI
  • Threat Agent Risk Assessment (TARA) methodology
  • Internal and external investigations
  • Corporate consulting for risk management and strategic alignment
  • Security industry outreach, evangelism, speaker, and champion

RSVP here

Matthew Rosenquist joined Intel Corp in 1996 and benefits from over 20 years in the field of security. Mr. Rosenquist specializes in security strategy, measuring value, and developing cost effective capabilities and organizations which deliver the optimal level of security. Currently, a cyber-security strategist for the Intel Security Group, he helped in the formation of this industry leading organization which brings together security across hardware, firmware, software and services.

The community can connect with Matthew via Twitter @Matt_Rosenquist, Intel Blog and LinkedIn.


SPOTLIGHT ON JOBS: MathWorks


Members of the Brandeis GPS Community may submit job postings from within their industries to advertise exclusively to our community. This is a great way to further connect and seek out opportunities as they come up. If you are interested in posting an opportunity, please complete the following form found here.

Where: MathWorks, 3 Apple Hill Drive, Natick, MA 01760

About: Founded in 1984 and privately held, MathWorks is the leading developer of mathematical computing software. Engineers and scientists worldwide rely on its products to accelerate the pace of discovery, innovation, and development.

MATLAB and Simulink, two products developed by MathWorks, are used throughout the automotive, aerospace, communications, electronics, and industrial automation industries as fundamental tools for research and development. They are also used for modeling and simulation in increasingly technical fields, such as financial services and computational biology. MATLAB and Simulink enable the design and development of a wide range of advanced products, including automotive systems, aerospace flight control and avionics, telecommunications and other electronics equipment, industrial machinery, and medical devices. More than 5000 colleges and universities around the world use MATLAB and Simulink for teaching and research in a broad range of technical disciplines.

MathWorks employs over 3000 people, with 30% located outside of the US.

Position: Senior Software Program Manager

As a Sr. Software Program Manager on the MATLAB Team, you will be part of a highly skilled, dedicated team focused on delivering challenging, high-value programs. You will join a growing team that nurtures individual growth, appreciates diversity, encourages initiative, values teamwork, shares success, and rewards excellence.

Responsibilities

The Software Program Manager is a member of the software development management team and supports the planning and execution of multiple projects or programs in support of the continuing evolution of our flagship product, MATLAB. Responsibilities include:

  • Partnering with extended software development teams to help them plan, track and execute complex, cross-organizational programs while maintaining focus on building the right things at the highest levels of quality.
  • Performing program analysis, managing risk, identifying and influencing necessary course corrections, creatively solving problems, and communicating program status and activities across multiple levels of management.
  • Continuously assessing and improving the processes that comprise the software development lifecycle, and mentoring/coaching other members of the Program Management and Product Development Teams.

Position Qualifications:

Minimum

  • A bachelor’s degree and 3 years of professional work experience (or a master’s degree) are required.

Additional

  • Experience in developing commercial software products
  • Outgoing, highly organized, persistent, and tenacious; able to deal with uncertainty and change
  • Ability to influence others in order to get things done, even when you have no direct line of authority over them
  • Expertise in providing cross-organizational management of software development programs from initiation through delivery
  • Hands-on experience with developing and reporting on metrics for engineering development, test development and execution, bugs, issues, risks, and other aspects of project and program management
  • Experience with MATLAB products

If you are interested in this position, please submit your resume and CV to:

Erin Seiden

erin.seiden@mathworks.com

508-647-2280


Fuzzy Math: The Security Risk Model That’s Actually About Risk

By: Derek Brink

Reblogged from: https://blogs.rsa.com/fuzzy-math-security-risk-model-thats-actually-risk/

Sharpen your number two pencils everyone and use the following estimates to build a simple risk model:

  • Average number of incidents: 12.5 incidents per month (each incident affects 1 user)
  • Average loss of productivity: 3.0 hours per incident
  • Average fully loaded cost per user: $72 per hour

Based on this information, what can your risk model tell me about the security risk?

My guess is that your initial answer is something along the lines of “the average business impact is $2,700 per month,” which you obtained by the following calculation:

12.5 incidents/month * 3.0 hours/incident * $72/hour = $2,700/month

But in fact, this tells us almost nothing about the risk—remember that risk is defined as the likelihood of the incident, as well as the magnitude of the resulting business impact. If we aren’t talking about probabilities and magnitudes, we aren’t talking about risks! (We can’t even say that 50% of the time the business impact will be greater than $2,700, and 50% of the time it will be less—that would be the median, not the mean or average. Even if we could, how useful would that really be to the decision maker?)

Let’s stay with this simplistic example, and say that your subject matter experts actually provided you with the following estimates:

  • Number of incidents: between 11 and 14 per month
  • Loss of productivity: between 1 and 5 hours per incident
  • Fully loaded cost per user: between $24 and $120 per hour

This is much more realistic. As we have discussed in “What Are Security Professionals Afraid Of?,” the values we have to work with are generally not certain. If we knew with certainty what was going to happen and how big an impact it would have, it wouldn’t be a risk!

Based on these estimates, what would your risk model look like now?

For many of us, our first instinct would be to use the average for each of the three ranges to compute an “expected value”, which is of course exactly the result that we got before.

Some of us might try to be more ambitious, and compute an “expected case,” a “low case,” and a “high case”—by using the average and the two extremes of the three ranges:

  • Expected case = 12.5 * 3.0 * $72 = $2,700/month
  • Low case = 11 * 1.0 * $24 = $260/month
  • High case = 14 * 5.0 * $120 = $8,400/month

It would be tempting to say that the business impact could be “as low as $260/month or as high as $8,400/month, with an expected value of $2,700/month.” But again, this does not tell us about risk. What is the probability of the low case, or the high case? What is the likelihood that the business impact will be more than $3,000 per month, which happens to be our decision-maker’s appetite for risk?

Further, we would be ignoring the fact that the three ranges in our simple risk model actually move independently—i.e., it isn’t logical to assume that fewer incidents will always be of shorter duration and lower hourly cost, or the converse.

Unfortunately, this is the point at which so many security professionals throw up their hands at the difficulty of measuring security risks and either fall back into the trap of techie-talk or gravitate towards qualitative 5×5 “risk maps.”

The solution to this problem is to apply a proven, widely used approach to risk modeling called Monte Carlo simulation. In a nutshell, we can carry out the computations for many (say, a thousand, or ten thousand) scenarios, each of which uses a random value from our estimated ranges. The results of these computations are likewise not a single, static number; the output is also a range and distribution, from which we can readily describe both probabilities and magnitudes—exactly what we are looking for!

Staying with our same simplistic example, we can use those estimates provided by our subject matter experts plus the selection of a logical distribution for each range. Here are my choices:

  • Number of incidents: Between 11 and 14 incidents per month—I will use a uniform distribution, meaning that any value between 11 and 14 is equally likely.
  • Loss of productivity: Between 1 and 5 hours per incident—I will use a normal distribution (the familiar bell-shaped curve), meaning that the values are most likely to be around the midpoint of the range.
  • Fully loaded cost per user: Between $24 and $120 per hour—I will use a triangular distribution, to reflect the fact that the majority of users are at the lower end of the pay scale, while still accommodating the fact that incidents will sometimes happen to the most highly paid individuals.

The following graphic provides a visual representation of the three approaches.

Based on a Monte Carlo simulation with one thousand iterations—performed by using standard functions available in an Excel spreadsheet—we can advise our business decision makers with the following risk-based statements:

  • There is a 90% chance that the business impact will be between $500 and $4,500 per month.
  • There is an 80% likelihood that the business impact will be greater than $1,000 per month.
  • The mean (average) business impact is about $2,100 per month—note how this is significantly lower than the $2,700 figure computed earlier; the difference is in the use of the asymmetrical triangular distribution for one of the variables.
  • There is a 20% likelihood that the business impact will be greater than $3,000 per month.
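The simulation described above, written out as an added example (this is not the post’s Excel model, and not code from the author or RSA). It computes the three point estimates from the earlier section, then draws independent values for each of the three inputs and summarizes the resulting distribution in the same probability/magnitude terms the post uses. The post gives the ranges and the distribution families but not every parameter, so two choices here are assumptions: the normal distribution for hours is centred on the midpoint (mean 3, standard deviation 1, truncated to 1–5), and the triangular distribution for hourly cost has its mode at the low end ($24). The seed, iteration count and helper names are constructed for this example, and only the Python standard library is used.

```python
import random
import statistics

# Subject-matter-expert ranges from the post
INCIDENTS_RANGE = (11.0, 14.0)   # incidents per month, uniform
HOURS_RANGE = (1.0, 5.0)         # hours lost per incident, normal (truncated to the range)
COST_RANGE = (24.0, 120.0)       # fully loaded $/hour, triangular
RISK_APPETITE = 3000.0           # the decision maker's monthly appetite from the post

# Assumed parameters the post does not state (constructed for this example):
HOURS_MEAN, HOURS_SD = 3.0, 1.0  # centred on the midpoint; 1 and 5 sit two sigma out
COST_MODE = 24.0                 # mode at the low end: "the majority of users are at the lower end"


def deterministic_cases():
    """The three point estimates the post computes before turning to simulation."""
    return {
        "expected": 12.5 * 3.0 * 72.0,                                # 2700
        "low": INCIDENTS_RANGE[0] * HOURS_RANGE[0] * COST_RANGE[0],   # 264 (the post rounds to 260)
        "high": INCIDENTS_RANGE[1] * HOURS_RANGE[1] * COST_RANGE[1],  # 8400
    }


def truncated_normal(rng, mean, sd, low, high):
    """Draw from a normal distribution, rejecting draws that fall outside [low, high]."""
    while True:
        x = rng.gauss(mean, sd)
        if low <= x <= high:
            return x


def simulate(iterations=10000, seed=2014):
    """Run the Monte Carlo: one independent draw per input variable per scenario."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    impacts = []
    for _ in range(iterations):
        incidents = rng.uniform(*INCIDENTS_RANGE)
        hours = truncated_normal(rng, HOURS_MEAN, HOURS_SD, *HOURS_RANGE)
        cost = rng.triangular(COST_RANGE[0], COST_RANGE[1], COST_MODE)
        impacts.append(incidents * hours * cost)
    return impacts


def percentile(sorted_values, q):
    """Nearest-rank percentile on an already sorted list (0 <= q <= 1)."""
    return sorted_values[int(round(q * (len(sorted_values) - 1)))]


def summarize(impacts, appetite=RISK_APPETITE):
    """Turn the simulated distribution into the probability/magnitude statements the post makes."""
    s = sorted(impacts)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "median": statistics.median(s),
        "p05": percentile(s, 0.05),                      # lower bound of the 90% interval
        "p95": percentile(s, 0.95),                      # upper bound of the 90% interval
        "p_gt_1000": sum(x > 1000 for x in s) / n,
        "p_gt_appetite": sum(x > appetite for x in s) / n,
    }


if __name__ == "__main__":
    print("point estimates:", deterministic_cases())
    r = summarize(simulate())
    print(f"90% chance the impact is between ${r['p05']:,.0f} and ${r['p95']:,.0f} per month")
    print(f"{r['p_gt_1000']:.0%} likelihood the impact exceeds $1,000 per month")
    print(f"mean ${r['mean']:,.0f} per month, median ${r['median']:,.0f} per month")
    print(f"{r['p_gt_appetite']:.0%} likelihood the impact exceeds the ${RISK_APPETITE:,.0f} appetite")
```

Two design points are worth noticing. First, the mean of a triangular distribution with mode $24 is ($24 + $24 + $120) / 3 = $56 per hour, and because the three inputs are drawn independently the mean of the product is the product of the means, 12.5 × 3 × $56 = $2,100; that is why the simulated mean lands well below the $2,700 point estimate, exactly as the post observes. Second, the median comes out below the mean, because the product of skewed inputs is itself right-skewed, which is why quoting only the average hides where most months actually fall.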

If warranted, we can try to reduce the uncertainty of this analysis even further by improving the estimates in our risk model. (There will be more to come, in upcoming blogs, on that.)

What to do, of course, depends entirely on each organization’s appetite for risk. But as security professionals, we will have done our jobs, in a way that’s actually useful to the business decision maker.

About the Author:

Derek E. Brink, CISSP is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also an adjunct faculty member with Brandeis University, Graduate Professional Studies, teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/ and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx


So What Is the Risk of Mobile Malware?

By: Derek Brink

Originally from: https://blogs.rsa.com/risk-mobile-malware/

Obvious, or oblivious? Short-term predictions eventually tend to make us look like one or the other—as Art Coviello astutely noted in making his own predictions for the security industry in 2014—depending on how they actually turn out. (Long-term predictions, however, which require an entirely different level of thinking, are evaluated against a different scale. For example, check out the many uncannily accurate predictions Isaac Asimov made for the 2014 World’s Fair, from his reflections on the just-concluded 1964 World’s Fair.)

Art’s short-term prediction about mobile malware:

2014 is the tipping point year of mobile malware: As businesses provide greater mobile access to critical business applications and sensitive data, and consumers increasingly adopt mobile banking, it is easy to see that mobile malware will rapidly grow in sophistication and ubiquity in 2014. We’ve already seen a strong uptick in both over the past few months and expect that this is just the beginning of a huge wave. We will see some high-profile mobile breaches before companies and consumers realize the risk and take appropriate steps to mitigate it. Interestingly, the Economist recently featured an article suggesting such fears were overblown. It is probably a good idea to be ready just the same.

The Economist article Art references (which is based on an earlier blog) asserts that “surprisingly little malware has found its way into handsets. . . smartphones have turned out to be much tougher to infect than laptops and desktop PCs.” (Ironically, the Economist also publishes vendor-sponsored content such as How Mobile Risks Are Pushing Companies Towards Better Security. I suppose that’s one way to beat the obvious or oblivious game: Place a bet on both sides.)

RSA’s Online Fraud Resource Center provides some terrific fact-based insights on the matter, including Behind the Scenes of a Fake Token Mobile App Operation.

But the legitimate question remains: What is the risk of malware on mobile? Let’s focus here on enterprise risks, and set aside the consumer risks that Art also raised as a topic for another blog.

Keep in mind the proper definition of “risk”—one of the root causes of miscommunication among security professionals today, as I have noted in a previous blog—which is “the likelihood that a vulnerability will be exploited, and the corresponding business impact.” If we’re not talking about probabilities and magnitudes, we’re not talking about risk.

Regarding the probability of malware infecting mobile devices:

  • The Economist‘s article builds on findings from an academic paper published by researchers from Georgia Tech, along with a recent PhD student who is now the Chief Scientist at spin-off security vendor Damballa. Their core hypothesis is that the activities of such malware—including propagation and update of malicious code, command and control communications with infected devices, and transmission of stolen data—will be discernible in network traffic.
  • From three months of analysis, they found that about 3,500 mobile devices (out of a population of 380 million) were infected—roughly 0.001%, or 1 in 100,000.
  • Compare this to the computers cleaned per mille (CCM) metric regularly reported by Microsoft: For every 1,000 computers scanned by the Microsoft Malicious Software Removal Tool, CCM is the number of computers that needed to be cleaned after they were scanned. For 1H2012, the infection rate per 1,000 computers with no endpoint protection was between 11.6 and 13.6 per month.

All of this nets out to say that currently, mobile endpoints are three orders of magnitude less likely to be infected by malware than traditional endpoints.

But doesn’t this conflict with other published research about mobile malware? For example, I’ve previously blogged about an analysis of 13,500 free applications for Android devices, published in October 2012 by university researchers in Germany:

  • Of 100 apps selected for manual audit and analysis, 41 were vulnerable to man-in-the-middle (MITM) attacks due to various forms of SSL misuse.
  • Of these 41 apps, the researchers captured credentials for American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.
  • Among the apps with confirmed vulnerabilities against MITM attacks, the cumulative installed base is up to 185 million users.

In another blog, I’ve noted that mobile applications have a more complex attack surface than traditional web applications—in addition to server-side code, they also deal with client-side code and (multiple) network channels. The impact of these threats is often multiplied, as in the common case of support for functions that were previously server-only (e.g., offline access). This makes security for mobile apps even more difficult for developers to address—mobile technology is not as well known, development teams are not as well educated, and testing teams are harder to keep current.

Meanwhile, malware on mobile is indeed becoming more prevalent: Currently over 350,000 instances from 300 malware families. It is also becoming more sophisticated—e.g., by obfuscating code to evade static and dynamic analysis, establishing device administration privileges to install additional code, and spreading code using Bluetooth, according to the IBM X-Force 2013 Mid-Year Trend and Risk Report.

But threats, vulnerabilities, and exploits are not risks. What would be obvious to predict is this: The likelihood of exploits based on mobile malware will increase dramatically in 2014—point Art.

The other half of the risk equation is the business impact of mobile exploits. From the enterprise perspective, we would have to estimate the cost of exploits such as compromise of sensitive corporate data, surveillance of key employees, and impersonation of key corporate identities—e.g., as part of attacks aimed at social networks or cloud platforms, where the mobile exploits are the means to a much bigger and more lucrative end. It seems quite reasonable to predict that we’ll see some high-profile, high-impact breaches along these lines in 2014—again, point Art.

Obvious or oblivious, you can put me down squarely with Art’s prediction for this one, with the exception that I would say the risk of mobile malware is much more concentrated and targeted than the all users/all devices scenario he seems to suggest.

About the Author:

Derek E. Brink, CISSP is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also an adjunct faculty member with Brandeis University, Graduate Professional Studies, teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/ and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx
