Risk Analysis

I’ve been thinking about risk analysis recently. The Times Online has an interesting story on teaching risk analysis in schools. People need proper tools to assess the deluge of information given to them. They tend to blow emotional stories up (like one person in the US getting mad cow disease) even if their personal risk is very low. It doesn’t help that it’s so easy to lie with statistics either.

Speaking of a risk analysis deficit, there must be a major one on the interstate. Every time I’m driving along, I notice that when going from a 65 mph zone into a 55 mph zone most people seem to maintain their previous speed. People who wouldn’t go over the speed limit, or were only going 5 mph over, have no problem with suddenly going 10 or 15 mph over. Hello?! What’s wrong with people? Maybe it’s just because I’m sort of in that risk mindset, but it seems rather silly.

Of course, if you’re being really risk averse you’d probably take the bus instead! 🙂

Interesting SANS posts

Some interesting posts on the SANS Internet Storm Center blog. I’m sure these have already been posted everywhere (I saw one on delicious earlier), but it’s always good to have these kinds of things to refer back to later.

The first post is about targeted social engineering. One of the more interesting aspects:

In one incident, an attacker used phrases directly taken from a public blog, as well as a cordial greeting that the blogger had used when writing about a personal topic. This made the message significantly more authentic to the target, who duly clicked on the attachment.

Pretty clever. Anything you can do to make people even subconsciously believe a message is legitimate will increase your success rate. In most cases it only takes one person to fall for it to get a foothold that can be leveraged for a deep internal attack.

The other post is simply a list of what NOT to do when it comes to IT security. Some of the highlights:

  • Assume the users will read the security policy because you’ve asked them to.
  • Assume that policies don’t apply to executives.
  • Don’t review system, application, and security logs.
  • Expect end-users to forgo convenience in place of security.

I’d add a couple of my own to the list:

  • Assume that because you’ve never been compromised you’re secure
  • Assume that you can prevent all compromises
  • Protect only the perimeter
  • Have no incident response plan

Style

You may notice the blog at times might not look quite right. I’m still periodically working on the CSS style to get it to look correct. While I work on it you might notice it looking wacky. I’m temporarily leaving the default look on until I finish the design.

Juxtaposed

Transatlantic Cables Terminated in Avon NJ

I couldn’t resist this juxtaposition. These cables are VSNL submarine telecommunications cables that cross the Atlantic and come above ground in the VSNL building in Avon, NJ. They are capable of carrying over an estimated 3.5 Tbps (that is, terabits per second); probably less after overhead, and that figure is my own guess from the article’s number (60,000,000 simultaneous voice calls = 60,000,000 DS0s = 60,000,000 × 64 kb/s). In any case, those cables are extremely important for international communication, but they look like utterly unimportant buried utility cable. Just a great photograph. Via Wired.