
View Diary: Is data security worth it? Depends who's counting. (37 comments)


  •  It's not a matter of buzzwords. (0+ / 0-)

    And by possible, I mean right now.  We're doing it.  There's a shitload of other companies that are too.

    I am very aware of the expiry rate on data.  My living gets made by processing publisher and marketer data in real-time, keeping data secure down to the customer cookie level so that other companies can't snoop that/your data, and presenting our analysis to our customers.

    The computer part of the security equation isn't difficult with the right expertise.  The people part of the security equation is addressed with training, limited access to production environments, proper physical security, paying your employees enough to give a crap about the company and not just the bare minimum to maximize profit, and actually giving a crap about your employees as people and not as just another resource to get chewed up and spit out.

    Data's data, whether it's marketer data, census data, etc.  Same 0s and 1s with the same protection regimens.

    So since I do this stuff everyday, would you like to tell me why it's not possible?

    Everyday Magic

    Any sufficiently advanced technology is indistinguishable from magic.
    -- Clarke's Third Law

    by The Technomancer on Mon Feb 10, 2014 at 03:33:59 PM PST


    •  Yes, we are launching humans into space (0+ / 0-)

      What we haven't done is actually eradicate or even severely curtail the breach incidence.  

      The point of automating security is to reduce human error; you've just listed off three moving parts dealing directly with humans (+ one more if you include the two others that basically boil down to offering an uncapped bribe not to commit fraud or be negligent).  None of which actually quantifies risk and reliability worth a damn.  I don't care how good you say you are.  I want the data showing that this much money I'm shelling out to deploy your product solves the security problem I'm faced with by that much.

      "Data's data" has to be the most irrelevant point mentioned yet.  You can organize sources, pipes and sinks for data into countless families of vulnerability, including the ones you don't know that you don't even know.

      •  Some points... (0+ / 0-)

        1.  Good luck with the argument that paying a good salary amounts to a bribe to make people give a crap.  Redstate's over that way.  You'll find better luck there.

        2.  The point of automation is to reduce human error, not eliminate humans.  If someone logs in that I'm not expecting or at a time I'm not expecting, my systems let me know and proactively counter the threat and send me a summary of any actions, commands, or changes made to the system.

        3.  That info you ask for is in our sales decks.  We have had zero data theft instances.  The number of attempts at data theft is a non-zero number.  Our security gets regularly audited because our customers demand it.

        4.  My job -is- to know about vulnerabilities, from reported security issues to 0-days to our own internal and external security.  We're trying to hack ourselves all the time, and hiring others to do it too.  How the hell else am I going to be confident my systems are secure?

        I'm quite aware of the numerous and varied attack vectors out there.  So let me repeat the question you so artfully avoided:

        Would you like to tell me why what I do every day isn't possible?

        There's a reason why you didn't answer it the first time.

        Everyday Magic

        Any sufficiently advanced technology is indistinguishable from magic.
        -- Clarke's Third Law

        by The Technomancer on Mon Feb 10, 2014 at 04:01:08 PM PST


        •  We're paid great salaries (0+ / 0-)

          1. Our average salaries are well above the American median; safely in the second highest quintile in fact.  All for a job that requires considerably less toil and offers more comfort than say sweating in an Amazon warehouse. As you say, Redstate's over that way.

          2. That's good to hear, but it tells me nothing about the fault modes.  

          3. That's an extraordinary claim, but at least it's on the track towards actual numbers.  Care to point out the sales deck, Mr. I Make The Internet Run?

          4. I'm not saying you're not doing the Lord's work.  But, to again draw an analogy to NASA's safety obsession, it's work that we can't readily correlate to desired outcomes simply because the space of potential vulnerability is not well defined.  So you end up with a landfill of conditional measures (many of dubious quality) you have to sift through and none of them really answer the question the customer's asking.  "How much risk is there of this data getting out over 1, 5, 10, 15 years?"   And that's not simply limited to information security, either; it's a problem endemic in all regimes of control.

          And finally, why would I answer a question that has nothing to do with anything we're talking about?

          •  You said it can't be done. (0+ / 0-)

            I asked why.  You can't answer it because you have zero useful, up-to-date knowledge on the topic.  A junior sysop could bullshit their way through that question.  Someone with actual skills could actually provide interesting conversation about it.  It's an easy topic to discuss if you know your shit.

            But, you're not here for discussion, and you don't know your shit.

            Regarding pay, it actually matters less than respect and treating one's employees and coworkers like adults so long as you're actually covering their financial needs and getting them ahead as far as savings and retirement go, but it stops the good talent from getting more elsewhere.  Making sure employees own equity in the company helps too -- we all make money when the company does well.

            And if you're doing this particular part of computer engineering and you're only making second quartile pay, you're happy where you are and don't mind getting paid a third of what you can get on the market, you suck at pay negotiations, or you're unaware of what's actually going on in this field and I'd like to offer you an interview because I don't care what kind of dick you are, if you've got skills, I've got a job on my team for you and I can beat the crap out of a second quintile salary.

            And that's not me bragging.  That's all the companies in this field that are serious players in it.

            If you think companies like the one I work for and the ones that hire us aren't doing long-term forecasting, you're wrong.  In fact, that's pretty much the core piece of any cost/benefit analysis when hiring a company like the one that employs me.  If you actually knew your shit and were attempting to have constructive discussion rather than trolling using 5-or-more-year-old information.

            0 data thefts is not an extraordinary claim.  Simple back-of-the-napkin math shows that there's a few data breaches every year, and a few orders of magnitude more companies that weren't breached.  This number is still quite small stretched out over a 75 year time span.  Again, if you're going to claim expertise on this topic, you should know this.

            The math's there.  Companies with valuable data do the right thing and either secure it themselves or hire companies to do it for them, and ones that don't have decided the cost/benefit analysis wasn't in favor of doing it right and are banking on herd protection to avoid getting owned.

            And I'm serious about the interview.

            Everyday Magic

            Any sufficiently advanced technology is indistinguishable from magic.
            -- Clarke's Third Law

            by The Technomancer on Mon Feb 10, 2014 at 05:19:30 PM PST


            •  I never said it couldn't be done (0+ / 0-)

              I said it hasn't been done.  And "it" is: eradicate or substantially reduce the risk of breaches across the industry.  That's a friggin' fact, regardless of how high of an opinion you have of yourself.

              Zero data thefts is an extraordinary claim.  I also point out it's the only claim you've made that uses an actual number.  And I also point out you still haven't backed it up.  

              I'm pretty sure you're bright enough to tell the difference between an average salary and the salary of some guy you've never met doing things you know nothing about.  Thanks for the invite, but East ain't too shabby at kicking the shit out of the second highest quintile.  And the food's better.

              Pretty much everything else you've said boils down to shit talking.  If that's all you got, be my guest.  I'll wait for you to eventually point us to what will likely be a brochure and at best at least one but probably no more than five white papers on very narrow topics.  Please, proceed.

              •  Right. (0+ / 0-)

                You're making a claim.  Burden of proof's on you, bud.  It's your handle at the bottom of the comment that started this thread, and your claims.  You've refused multiple opportunities to back it up, then have the chutzpah to make demands of someone else.

                Eradication of these threats doesn't happen.  Claiming that that's a knock against data security is like claiming that the fact people die is a knock on the medical industry.  They claim they can save your life, but everybody dies!

                You're also quite well aware why it's impossible to get a count of the rate of successful security breaches -- because the numbers get reported as a number of successful breaches.  Successful ones are rising.  Do you have a count of unsuccessful ones to present your numbers to show that the overall rate as a percentage of attempts isn't getting better?  You made the claim, so I assume you do.  Present at any time.

                Shoot me a KosMail with where I should send the NDA to and I'll be happy to show you my numbers.  KosMail me if you require an NDA to show me yours.  I don't do brochures, and the white papers are marketing crap.  You're (supposedly) an engineer.  You know that.  I'm slightly hurt that you'd think I'd lean on those.

                My problem with working back East is that the weather is ass and both Government and Financial information services are soul-draining jobs.  Did it for Citi's high-frequency trading servers...never again.  Nothing like getting bitched out in three languages by 5 different trading desks for having a perfect failover (fiber line cut) with zero transactions lost, but the extra 5ms that failing over from Wall St. to the DR site across the river supposedly cost Citi $1.6mil/minute until they patched up the cable.

                Mind you, I had a request for a failover connection in that DC open for 6 months.  My predecessor for months before that.  You'd think Citi would have spent the money on it if a perfect failover cost 'em $1.6mil/min, but apparently it was insured and it was easier to bitch out the system engineers than prevent the need to use the insurance.  Request is probably still waiting for approval somewhere in that gawd-awful system.

                But I digress.  If you're working financial or government IS, then let me be the first to apologize for your bad day.  Don't lie and say you aren't having one, if you work for either of those types of shops, you are.

                I'd argue about the food, too.  SF has tasty eats and startup services to make 'em convenient.

                We've both been talking shit this whole time.  Figured you were enjoying yourself.  If it bothers you, say the word and I'll talk like I'm around the Christian uncle I have that still cuffs me upside the head if I'm not polite and curse-free.

                Everyday Magic

                Any sufficiently advanced technology is indistinguishable from magic.
                -- Clarke's Third Law

                by The Technomancer on Mon Feb 10, 2014 at 06:26:16 PM PST


                •  Burden of proof met (1+ / 0-)
                  Recommended by:
                  The Technomancer

                  http://datalossdb.org/...

                  http://www-935.ibm.com/...

                  https://www.riskbasedsecurity.com/...

                  Honestly, didn't think there was any dispute about it, seeing as it's a key subject of the goddamned diary.

                  Since we're running long, and since you seem to be more interested in fighting strawmen, I'll respond to each point directly:

                  > Eradication of these threats doesn't happen.  Claiming that that's a knock against data security is like claiming that the fact people die is a knock on the medical industry.  They claim they can save your life, but everybody dies!

                  If I may quote myself: "That's not a slap at the quality of work being pursued, but simply a reflection on the piss poor state of industry research on the matter."

                  > You're also quite well aware why it's impossible to get a count of the rate of successful security breaches -- because the numbers get reported as a number of successful breaches.  Successful ones are rising.  Do you have a count of unsuccessful ones to present your numbers to show that the overall rate as a percentage of attempts isn't getting better?  You made the claim, so I assume you do.  Present at any time.

                  I applaud you for restating something I said earlier: "it's work that we can't readily correlate to desired outcomes simply *because the space of potential vulnerability is not well defined.*"

                  > Shoot me a KosMail with where I should send the NDA to and I'll be happy to show you my numbers.  KosMail me if you require an NDA to show me yours.  I don't do brochures, and the white papers are marketing crap.  You're (supposedly) an engineer.  You know that.  I'm slightly hurt that you'd think I'd lean on those.

                  You brought up the sales deck, not me, so I'm not terribly impressed with how hurt you might be.  If what you have to show beyond that requires an NDA, let me save you the time and say I'll welcome any open source evidence of the closest competing system you can name: even a theoretical one.

                  > My problem with working back East is that the weather is ass and both Government and Financial information services are soul-draining jobs.   Did it for Citi's high-frequency trading servers...never again.  Nothing like getting bitched out in three languages by 5 different trading desks for having a perfect failover (fiber line cut) with zero transactions lost, but the extra 5ms that failing over from Wall St. to the DR site across the river supposedly cost Citi $1.6mil/minute until they patched up the cable. Mind you, I had a request for a failover connection in that DC open for 6 months.  My predecessor for months before that.  You'd think Citi would have spent the money on it if a perfect failover cost 'em $1.6mil/min, but apparently it was insured and it was easier to bitch out the system engineers than prevent the need to use the insurance.  Request is probably still waiting for approval somewhere in that gawd-awful system.

                  Lot more than Finance and Government jobs in New England (and I agree, they are soul draining).  We have lots of companies and universities doing great work in EE, aerospace, health, and so on and so on. Personally, I prefer an office with ready access to a workbench and all the boards and elements I could ever want.   And I like my weather shitty.

                  > But I digress.  If you're working financial or government IS, then let me be the first to apologize for your bad day.

                  I'm not, so don't worry about it.

                  > I'd argue about the food, too.  SF has tasty eats and startup services to make 'em convenient.

                  So does Midland, TX.  I'm a New Yorker, so I'll leave it at that.

                  > We've both been talking shit this whole time.  Figured you were enjoying yourself.

                  No, I don't.  Because I don't like making claims on my own authority.  However, as far as I'm concerned that's all shit-talking is.  You can be as sleeves-rolled-up abrasive as you want to be, and so long as you push a valid point and don't pack up your marbles you'll get the same in turn.
                  •  Now that's more like it. (1+ / 0-)
                    Recommended by:
                    rduran

                    Firstly, let me apologize for reading you wrong and therefore being a dick.  I'll tone the aggro.

                    Except like you said, the eradicate portion isn't in question, and, as you point out, you've said so yourself that since unsuccessful attacks aren't reported, we have no idea if the rate of successful attacks is increasing.  I'm going to be a stickler on the fact that the "it" in question is:

                    > eradicate or substantially reduce the risk of breaches across the industry.

                    I'm not aware of any mathematics that allow you to calculate the rate of successful attacks when you don't have the denominator required to calculate successful attacks divided by total attempts and no data set available to make even a reasonable estimate of whether a year over year increase or decrease is happening.

                    Seriously, if you know a way or you even have a decent theory, I'm all ears, and that's not sarcasm.  The closest way I can think of to even come close to deriving that answer is to use the growth rate of total devices connected to the Internet, which is rising at a faster rate than the total number of successful break-ins.  If the number of targets is rising at a faster rate than the number of successful break-ins, and devices are passing around more data than ever, I'd say that's about as close as we can currently get to proof that you can substantially reduce the risk of suffering a breach.

                    An alternate calculation that might approximate the relative decrease or increase of data breach severity would be to calculate the change in the amount of data breached vs. the growth of the total data set.  We know that's growing at an exponential rate, while the amount of data breached doesn't appear to be.

                    I'd wager the same goes if we compared value of the data breached vs. total estimated value stored in data.

                    And again, given the weak tea that attempt at calculation represents, if you've got a better idea on how to do it, I'm all ears.  But unless you've got something better, I don't see how you can claim that incidents haven't been severely reduced, or even have a way to make a claim of reduction, increase, or non-movement either way.

                    You can't back your claim because the numbers don't exist.  I can't back mine without a signed NDA to show we've had zero successful data security breaches.  Even asked my boss before I left work because I do feel like a dick having to pull the NDA card, and I can't say I'd react any differently from you if I were in your shoes.  I was actually hoping you'd play ball, because I like showing off my work.

                    And winning arguments, but that's secondary to the pursuit of knowledge.  ;)

                    So, that seems to leave us at an impasse.  Call it good game and see you in the next thread?

                    And if you are out in SF anytime, shoot me a KosMail, and I'll buy you lunch as penance for going aggro.  Fair enough?

                    Everyday Magic

                    Any sufficiently advanced technology is indistinguishable from magic.
                    -- Clarke's Third Law

                    by The Technomancer on Mon Feb 10, 2014 at 08:28:43 PM PST


                    •  You can take "eradicate" as you would (0+ / 0-)

                      if someone said "we eradicated polio and smallpox."  It's only accurate in the sense that no one's complaining about it enough to draw the attention of the epidemiologists.  

                      On measuring vulnerability, a couple of points.  As you pointed out earlier, we really can't pin down the numerator with any certainty.  You can only aggregate what's reported, and what's reported is spread across as many news sources as there are known incidents.  Data feed problem aside, there are also powerful incentives not to air your dirty laundry in public.

                      You could rough it.  The ratio has an upper ceiling of one (obviously a successful attack has to have at least one attempt behind it).  So just fix your denominator to be the number of successful incidents in some peak year in a range of interest.  Index against some known growth trend in connected devices for a rough proxy of growth in data and vectors for attack.  You won't give a measure of absolute risk, but from period to period you'll get deltas that should at least tell you if you're going in the right direction (and how quickly).

                      That said, I don't have a decent model that tells you anything you really want to know: like what it is you can do to make the trend curve up or down.  It certainly doesn't deaggregate well; you've got thousands of data breaches and each has its own story--I wouldn't be surprised if they sorted into as many as hundreds of different families of vulnerability.  And as Dumbo pointed out, it's an arms race.  Obviously there aren't just thousands of attempts a year, not when a single man can generate a few hundred billion port scans in that same period from a single box.

                      I still don't know if we were at an impasse.  My main point is that companies have next to no idea how safe their data is or to what extent anything they're buying or developing in house will keep their data secure from an industry perspective.  That isn't a slam against the engineers, it's an acknowledgement that the problem space isn't very well defined. Unless I'm reading you wrong, you make that point yourself.  And it's a problem not unique to computer security.  It's one that's plagued security in general for millennia.  Beyond that, it's a major problem in software QA (which, in my view, has become more of a religion than a discipline--but that's another discussion).

                      If I'm out SF way, I'll take you up on that offer.
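The rough trend proxy sketched in the last two comments (The Technomancer's ratio of successful break-ins to connected devices and of records breached to total data, and rduran's suggestion to fix the denominator at a peak year, index against device growth, and read the period-to-period deltas), carried through as an added example. This is not code from either commenter; every yearly figure in the SAMPLE_* tables is constructed for illustration and is not a real statistic, and the "improving"/"worsening" verdict is this example's own labelling of the sign of the deltas.

```python
"""Breach-trend proxy: index reported incidents (or exposed records) against a
growth series (connected devices, total stored data) and read the period deltas.

Added example for the thread above, not code from any commenter.  Every number
in the SAMPLE_* tables is constructed for illustration, not a real statistic.
"""
from typing import Dict, List, Optional, Tuple

Series = Dict[int, float]  # year -> value

# Constructed sample data (NOT real figures)
SAMPLE_INCIDENTS: Series = {2010: 800, 2011: 1000, 2012: 1100, 2013: 1300}   # reported successful breaches
SAMPLE_DEVICES: Series = {2010: 5.0, 2011: 6.5, 2012: 8.5, 2013: 11.0}      # connected devices, billions
SAMPLE_RECORDS: Series = {2010: 60.0, 2011: 80.0, 2012: 90.0, 2013: 120.0}  # records exposed, millions
SAMPLE_DATA: Series = {2010: 1.2, 2011: 1.8, 2012: 2.8, 2013: 4.4}          # total data stored, zettabytes


def peak_year(series: Series) -> int:
    """Year with the largest value.  Using it as the fixed denominator keeps every
    indexed numerator value at or below 1.0 (the 'ceiling of one' in the thread)."""
    return max(series, key=series.get)


def index_to(series: Series, base_year: int) -> Series:
    """Express each year as a fraction of the base year (base year -> 1.0)."""
    base = series[base_year]
    if base <= 0:
        raise ValueError("base-year value must be positive")
    return {year: value / base for year, value in series.items()}


def relative_index(numerator: Series, denominator: Series,
                   base_year: Optional[int] = None) -> Series:
    """Indexed numerator divided by indexed denominator, year by year.

    This is numerator-per-unit-of-denominator normalised to the base year, so it
    says nothing about absolute risk.  A value above 1.0 in an earlier year means
    the numerator was higher relative to the denominator then than in the base
    year; a series that falls over time means the numerator is growing more
    slowly than the denominator (e.g. breaches growing slower than targets).
    """
    if base_year is None:
        base_year = peak_year(numerator)
    num = index_to(numerator, base_year)
    den = index_to(denominator, base_year)
    return {year: num[year] / den[year] for year in sorted(numerator) if year in den}


def period_deltas(ratio: Series) -> List[Tuple[int, float]]:
    """Year-over-year change in the relative index; the sign is the direction of travel."""
    years = sorted(ratio)
    return [(years[i], ratio[years[i]] - ratio[years[i - 1]]) for i in range(1, len(years))]


def verdict(deltas: List[Tuple[int, float]]) -> str:
    """'improving' if every delta is negative, 'worsening' if every delta is
    positive, otherwise 'mixed' (including an empty or flat series)."""
    if deltas and all(d < 0 for _, d in deltas):
        return "improving"
    if deltas and all(d > 0 for _, d in deltas):
        return "worsening"
    return "mixed"


def summarize(numerator: Series, denominator: Series) -> dict:
    """Run the whole proxy with the numerator's peak year as the fixed base."""
    base = peak_year(numerator)
    ratio = relative_index(numerator, denominator, base)
    deltas = period_deltas(ratio)
    return {"base_year": base, "ratio": ratio, "deltas": deltas, "verdict": verdict(deltas)}


if __name__ == "__main__":
    for label, num, den in (("incidents vs devices", SAMPLE_INCIDENTS, SAMPLE_DEVICES),
                            ("records vs total data", SAMPLE_RECORDS, SAMPLE_DATA)):
        s = summarize(num, den)
        print(f"{label} (base {s['base_year']}): {s['verdict']}")
        for year, value in s["ratio"].items():
            print(f"  {year}: {value:.3f}")
        for year, delta in s["deltas"]:
            print(f"  delta {year}: {delta:+.3f}")
```

The two limits rduran names survive in the code: the index is a per-target rate normalised to one year, not a probability of breach, and the peak-year base only bounds the indexed numerator, not the ratio. Swapping in a different denominator (total data, estimated data value) is the same call with a different series, which is how the records-versus-data variant above is produced.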
