Thread: Interesting bit of a quote

Interesting bit of a quote
user name
2006-07-11 13:49:04
...from a round-table discussion on identity theft in the current Computerworld:

	IDGNS: What are the new threats that people aren't thinking about?

	CEO Dean Drako, Sana Security Inc.: There has been a market change over the last five-to-six years, primarily due to Sarbanes-Oxley. It used to be that you actually trusted your employees. What's changed -- and which is really kind of morally and socially depressing -- is that now, the way the auditors approach the problem, the way Sarbanes-Oxley approaches the problem, is you actually put in systems assuming that you can't trust anyone.  Everything has to be double-signoff or a double-check in the process of how you organize all of the financials of the company....

							-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
Interesting bit of a quote
user name
2006-07-11 17:45:28
That's not a change. You should never have granted unlimited trust to insiders. Just as most organizations do not have the same person handling accounts payable and vendor selection, you should have checks and balances in IT as well.

-Stiennon


At 07:49 AM 7/11/2006, leichter_jerrold@emc.com wrote:
>...from a round-table discussion on identity theft in the current
>Computerworld:
>
>         IDGNS: What are the new threats that people aren't thinking about?
>
>         CEO Dean Drako, Sana Security Inc.: There has been a market change over the last five-to-six years, primarily due to Sarbanes-Oxley. It used to be that you actually trusted your employees. What's changed -- and which is really kind of morally and socially depressing -- is that now, the way the auditors approach the problem, the way Sarbanes-Oxley approaches the problem, is you actually put in systems assuming that you can't trust anyone.  Everything has to be double-signoff or a double-check in the process of how you organize all of the financials of the company....
>
>                                                        -- Jerry
>

Richard Stiennon
The blog: http://www.threatchaos.com
 


Interesting bit of a quote
user name
2006-07-11 17:02:27
| That's not a change. You should never have granted unlimited trust to insiders. Just as most organizations do not have the same person handling accounts payable and vendor selection, you should have checks and balances in IT as well.
There have always been parts of the business where you needed to enforce things quite tightly - mainly those that handled cash or cash equivalents. Other things were enforced more loosely.  The change is that so much is now moving into the "tight enforcement" category - and not just because of SOX.  For example, there's a large and growing business in reviewing employee-submitted expenses.  These have always been subject to *some* level of review, but now they are increasingly scanned by computer for the smallest violations of policy.

Business ultimately depends on trust.  There's some study out there - I don't recall a reference - that basically finds that the level of trust is directly related to the level of economic success of an economy.  There are costs associated with verification, some of them easily quantifiable, some of them much harder to pin down.  The difficulty is in making the tradeoffs.  We're now pushing way over on the verification side, in a natural reaction to a series of major frauds and scandals.
							-- Jerry

| -Stiennon
| 
| 
| At 07:49 AM 7/11/2006, leichter_jerrold@emc.com wrote:
| > ...from a round-table discussion on identity theft in the current
| > Computerworld:
| > 
| >         IDGNS: What are the new threats that people aren't thinking about?
| > 
| >         CEO Dean Drako, Sana Security Inc.: There has been a market change over the last five-to-six years, primarily due to Sarbanes-Oxley. It used to be that you actually trusted your employees. What's changed -- and which is really kind of morally and socially depressing -- is that now, the way the auditors approach the problem, the way Sarbanes-Oxley approaches the problem, is you actually put in systems assuming that you can't trust anyone.  Everything has to be double-signoff or a double-check in the process of how you organize all of the financials of the company....
| > 
| >                                                        -- Jerry
| > 
| 
| Richard Stiennon
| The blog: http://www.threatchaos.com
| 

Interesting bit of a quote
user name
2006-07-11 18:14:36
Jerrold,

I can corroborate the quote in that much of SarbOx and other recent regs very nearly have a guilty unless proven innocent quality, that banks (especially) and others are called upon to prove a negative: X {could,did} not happen. California SB1386 roughly says the same thing: If you cannot prove that personal information was not spilled, then you have to act as if it was.  About twenty states have followed California's lead.  The surveillance requirements of both SEC imposed-regulation and NYSE self-regulation seem always to expand.  One of my (Verdasys) own customers failed a SarbOx audit (by a big four accounting firm) because it could not, in advance, *prove* that those who could change the software (sysadmins) were unable in any way to change the financial numbers and, in parallel, *prove* those who could change the financial numbers (CFO & reports) were unable to change the software environment.

Jeffrey Ritter, partner in the "electronic" practice at (big-name) D.C. law firm Kirkpatrick & Lockhart gave the major address at the annual meeting of the Cyber Security Industry Alliance recently.  In it he said that what he and his firm tell their (big-name) clients is this:

	* That which was not recorded did not happen.

	* That which is not documented does not exist.

	* That which has not been audited is vulnerable.

and he did not mean this in the "paths to invisibility" sense but rather that you have liability unless you can prove that you don't.

While one can say that this has always been true or that the insider has always been the real threat, or whatever variation you like, as a consultant for nearly two decades the burgeoning "prove a negative" focus feels unprecedented to me.  And it is not just our field -- today's Boston newspaper has the State of Massachusetts' building inspectors being suspended en masse for refusing en masse to accept GPS position tracking as a newly imposed job requirement. By next summer, every animal in the country is supposed to be chipped and the owner's home address recorded in GPS form (google for NAIS) with a requirement to file with USDA any off premises transportation (taking the kids' heifer to the 4H show included).

--dan

===========
The great distinction:
A conservative is a socialist who worships order.
A liberal is a socialist who worships safety.
                        -- Victor Milán, 1999


Interesting bit of a quote
user name
2006-07-11 18:05:11
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
[...]
> Business ultimately depends on trust.  There's some study out there -
> I don't recall a reference - that basically finds that the level of
> trust is directly related to the level of economic success of an
> economy.  There are costs associated with verification, some of them
> easily quantifiable, some of them much harder to pin down.  The
> difficulty is in making the tradeoffs.  We're now pushing way over
> on the verification side, in a natural reaction to a series of major
> frauds and scandals.

Trust is not quite the opposite of security (in the sense of an action, not as a state of being), but certainly they're mutually exclusive. If you have trust, you have no need for security.

Personally, given the choice, I'd rather have trust. I think that this is a distinction that could be made more often when deciding on how to implement a security system.

-- 
				- Adam

** Expert Technical Project and Business Management
**** System Performance Analysis and Architecture
****** [ http://www.adamfields.com ]

[ http://www.aquick.org/blog ] ............ Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.aquicki.com/wiki ].............Wiki

Interesting bit of a quote
user name
2006-07-12 02:32:28
On 7/11/06, Adam Fields <cryptography23094893aquick.org> wrote:
> On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote:
> > Business ultimately depends on trust.  There's some study out there -
> Trust is not quite the opposite of security (in the sense of an
> action, not as a state of being), but certainly they're mutually
> exclusive. If you have trust, you have no need for security.

Quoting Ross Anderson's TCPA comments:
A trusted [entity] is one that can break your security.

Quoting John Carrol in Computer Security:
Just because it is trusted, doesn't mean it's trustworthy.
-- 
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

Interesting bit of a quote
user name
2006-07-11 22:45:27
dan@geer.org wrote:
> I can corroborate the quote in that much of SarbOx and
> other recent regs very nearly have a guilty unless proven
> innocent quality, that banks (especially) and others are
> called upon to prove a negative: X {could,did} not happen.
> California SB1386 roughly says the same thing: If you cannot
> prove that personal information was not spilled, then you
> have to act as if it was.  About twenty states have followed
> California's lead.  The surveillance requirements of both
> SEC imposed-regulation and NYSE self-regulation seem always
> to expand.  One of my (Verdasys) own customers failed a
> SarbOx audit (by a big four accounting firm) because it
> could not, in advance, *prove* that those who could change
> the software (sysadmins) were unable in any way to change
> the financial numbers and, in parallel, *prove* those who
> could change the financial numbers (CFO & reports) were
> unable to change the software environment.

my slightly different perspective is that audits in the past have somewhat been looking for inconsistencies from independent sources. this worked in the days of paper books from multiple different corporate sources. my claim with the current reliance on IT technology ... that the audited information can be all generated from a single IT source ... invalidating any assumptions about audits being able to look for inconsistencies from independent sources. A reasonable intelligent hacker could make sure that all the information was consistent.

a counter example is the IRS where individual reported income is correlated with other sources of reported financial information. however, i don't know how that could possibly work in the current environment where the corporation being audited is responsible for paying the auditors (cross checking information across multiple independent sources)

some past posts on the subject
http://www.garlic.com/~lynn/2006h.html#33
http://www.garlic.com/~lynn/2006i.html#1

Interesting bit of a quote
user name
2006-07-11 21:54:14
     --
Leichter, Jerry wrote:
 > Business ultimately depends on trust.  There's some
 > study out there - I don't recall a reference - that
 > basically finds that the level of trust is directly
 > related to the level of economic success of an
 > economy.  There are costs associated with
 > verification, some of them easily quantifiable, some
 > of them much harder to pin down.  The difficulty is in
 > making the tradeoffs.  We're now pushing way over on
 > the verification side, in a natural reaction to a
 > series of major frauds and scandals.

Sarbanes-Oxley substitutes formal procedures for real
relationships, but formal procedures are unlikely to
successfully substitute for real relationships.
Sarbanes-Oxley also forces those companies to which it
applies to have a large minimum size, since compliance
costs are so great, so one has a single company
embracing an excessively wide variety of activities,
which of course increases the need for trust, at the
same time as the oppressive bureaucracy of SO compliance
diminishes the supply of trust.

I think we will see in future big scams that comply with
the letter of Sarbanes-Oxley, without complying with the
substance.

What happened with Enron is that they simply made up
some figures, and then when suspicious investors started
to harass them, they proceeded to make up some accounts
that superficially justified those figures.  Had they
started with the accounts, instead of starting with the
fraud, they would have been pretty much in compliance
with what is now Sarbanes-Oxley.   So Sarbanes-Oxley
will not prevent another Enron, rather it will legalize
it.

Sarbanes-Oxley makes it mandatory to do what suspicious
investors demanded of Enron - but it also makes it legal
to comply in form without necessarily complying in
substance.  It makes suspicion mandatory, rather than
making honesty mandatory - forbids trusting behavior,
rather than forbidding untrustworthy behavior.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      BtuKBOPO2RPPKVNZMPpxlQMVrOaMFO/q/qzhXTex
      4xGjYNrDxf0b1LuglGzrFFpJNIlrzvvB1U5BPjv/H

Interesting bit of a quote
user name
2006-07-13 03:46:52
dan@geer.org wrote:
> 	* That which was not recorded did not happen.
> 	* That which is not documented does not exist.
> 	* That which has not been audited is vulnerable.
> 
> and he did not mean this in the "paths to invisibility"
> sense but rather that you have liability unless you can
> prove that you don't.

Thanks for the quote. But "That which was not recorded did not happen" and the other two points can, and IMO should, also be taken in the positive sense that you need recorded, credible, audited evidence in order to support business in case arguments (as they do) arise. Trust depends on parallel channels. So based, trust actually reduces liability.

The knife cuts the other way too, and that's why irrevocably expiring documents that can be so treated (legally and business wise) is also necessary to reduce liability.

Cheers,
Ed Gerck
