05.07.2010

By nature, I am an empiricist; it is who I am and works for me based on my bent toward analytics and multi-faceted (at times onerous),  levels of thought and pontification.   I am unapologetic about the way I approach things; it is simply who I am.   Having said that, I recognize that I am not – nor is my way of approaching things, universally embraced or right for everyone.   To assert otherwise would be intellectually dishonest.   I am particularly intrigued (and spend a lot of time reading and studying), determinism and randomness theory and philosophy.   For many of us, life is as simple as asking a question which the quintessential Canadian thinking mans band Rush asked on its 1991 album Roll The Bones “why are here, because we’re here, roll the bones”; while for others the question of why and perhaps more importantly the answer is not so simple.  I fall into the latter camp.

I a student of empiricism; I am a stalwart advocate of critical thinking and reasoning especially when it deals with philosophical schools of thought such as determinism vs. randomness and how they interact within the world in which I professionally live and work.   These ideas are not new.  In fact they are quite old.   They are in many respects extremely old and as a result of their vintage, they have been and remain the subject of great debate.   Authors and thinkers such as Nassim Nicholas Taleb, who wrote two of my favorite books on the subject : Fooled by Randomness and The Black Swan: The Impact of the Highly Improbable, go to great lengths to explain these concepts along with their impact on causality.    So too did David Hume, the famed Scottish philosopher, along with Karl Popper and Colin Howson.   Needless to say there is a long and strong tradition in examining deterministic vs. random philosophy as it relates to probability.   The concepts are as old as time itself; as long as mankind has had the ability to reason he has struggled with whether or not events occur due to deterministic causes (or more appropriately because of events which exist and influence other events thus arriving at the cause for a current event), or due to sheer randomness.  We are no different than our predecessor in this respect.   We seek knowledge with respect to the origins of things and events in addition to what there existence will mean to us as we move forward.   This desire to know unequivocally what influences outcomes and the probability of those outcomes is central to the theme of our existence.  As a result, it infiltrates (if we are paying attention), all aspects of our lies from the most complex to the least.   We find ourselves asking why certain things occur at the time and place that they did, and to what end.   I happened to be in New York City last weekend making my way to LaGuardia Airport via the Holland Tunnel at the height of the melee that was underway  surrounding the events of the car bomb discovered in Times Square.   Needless to say, traffic through the Holland Tunnel neither was less than forgiving nor was that which we encountered on way to Queens any better as a result.    On the trip into the city news commentators could be heard speculating with respect to the cause of this event.   Why would a young, respected young naturalized American citizen (Faizal Shahzad), find it acceptable to place a makeshift bomb in Times Square?  What was his reasoning?  His goal?   His message?   Who was behind the activity and what might be the logical extension seen as a result of this event? All valid questions.   All seeking validation with respect to understanding whether or not the causality associated with these questions and the event in question (not to mention the young man), was in fact deterministic in origin or random.  We know that it was in fact not random based on evidence that had been collected and authorities are continuing to investigate the events that lead to this event and ultimately influenced it from the perspective of cause.  We humans tend to this with all manner of things ranging from the serious to the trivial.

With respect to information security or security in general, I believe we do so more often than people realize.  Security or being secure, is in many respects dependent upon being able to detect, identify and observer causality.  In being able to accomplish these three things, we are better positioned to account and prepare for the unknown.  If you stop to think about that for a moment it should become quite clear that the act of securing anything – home, car, host, server, network, people – requires the acknowledgment  of historic reasoning (in both deterministic philosophy and randomness), while at the same time the acknowledgment of the unknown.

We see this often within the friendly confines of our industry.  Take for example the following:  An organization is instructed by a governing body that in order to achieve a state of conformity with its governing body the organization in question must meet and demonstrate achievement of x number of criteria.   Failure to do so will result in negative ratings that may or may not result in fines and / or the inability to conduct business transactions.   The governing body assumes that arriving at a state found to be in alignment with its standards will discount and eliminate (due to deterministic causality), any potential for randomness to manifest, thus negating the possibility.   But what if their assumption is wrong?   What if the data which they have assumed to be whole and comprehensive is not so?

I fear that this is more common than not within our space due to a lack of due diligence and grasp of historical accuracy with a forensic like precision.

Here’s another example:

A software-publishing house for quick processing of financial transactions develops an application.  It is seen as being mission critical to organizations that purchase it looking to capitalize off of any edge they can to beat their competitors to the market.   Speed in this case is very good.   The software publishers, realizing the importance and value of the application to their clientele decide to expeditiously develop and push the code to market rushing through all quality assurance (QA) and beta testing in order to beat the deadlines set by the executive teams in order to realize the greatest degree of revenue possible.  The developers run through the exercise of white boarding the data flow and block diagrams, technical requirement documentation, marketing requirement documents and product roadmap documents.     From there the code is pushed through the QA gauntlet at light speed and rushed into the beta testing customer environments.   Initial results are noted and brought back to product management and engineering who then wrestle with addressing the issues in a timely fashion in order stay within budget (both financial and time budgets), while not missing their window of opportunity within the market space.   The code is run through QA again, and pushed for GA candidacy.

But there is a fly in the ointment.   Some young (or not so young), perhaps charismatic (or at the very least quirky), individual is asked to look at the code or application as part of an audit and assessment and finds that low and behold it is vulnerable to an abundance of potential threats all of which can be exploited in a trivial manner.  At the same time this assessment is occurring the code and its publishers are reaping great successes and accolades.  The code, now a fully baked financial suite is swiftly on its way to becoming one of the most popular suites of its kind in 21st century business; yet, it is as vulnerable to exploitation as a runaway at a Port Authority bus station.  While our young or not so young, assessor of questionable charismatic quality, is reviewing the code, carefully noting the deficiencies and potential for complete exploitation, reports begin trickling into our software publisher that exploitative events have begun.  Worse yet, they were events that were not accounted for during initial or secondary quality assurance testing and thus perceived as being random.   We know however that randomness is simply the failure to take note of events that feed into causality, which therefore can be interpreted as a failure in paying attention to detail.   Perhaps one of the gravest mistakes anyone can make yet all too common within our world and history, let alone our industry.  So what are we to do about this?   How can we, as professionals convey a sense of urgency that supersedes and avoids a “chicken little” like knee-jerk response to events we encounter?  This is easier said than done especially in a world where information travels at the speed of light.   I believe that in order to achieve the proper perspective we need to encourage the following:

This is by no means a trivial event; nor has it ever been an easy proposition.   The ability to interpret historical events and data — even when they appear to be disparate and unrelated is paramount to achieving the goal of comprehensive deterministic understanding.  In short this allows us to avoid via scientific means the pitfalls associated with randomness and its associated theories.   In order that we may achieve this the ability to reflect upon our data sets and circumstance all while applying observing ego is of paramount importance.

Tags: , , Filed Under Assessment, Information Security Philosophy, Threat Modeling, risk management 

Comments

Leave a Reply