October 20, 2006

The Security Tarot: Trump 1, The Fool

I've decided to have a little bit of fun today, since talking about the same topic every day can be boring without putting different spins on it. And it's Friday after all. Anyway, today I'm kicking off a "Security Tarot" series where we examine infosec through the lens of the tarot. I'll post these as they seem relevant and illustrated by happenings in the industry - maybe they'll get posted quickly, maybe slowly, maybe not at all. Anyway, here goes.

The first trump in our security tarot deck is the "The Fool." Signifying infinite and limitless possibility, the fool is characterized by opposing forces, unpredictability, and anarchy. What the fool lacks is clarity of purpose and direction. Is he walking into danger or on the road to greatness? Who can say: it is the beginning of his journey and the destination is undefined.

The Fool is a force we see every day in security. Lack of clarity? We see it all the time - we don't have clarity around how to analyze the threats we're bombarded with, we don't have clarity about the metrics we gather (if any), we don't have clarity around the research we do, and we don't have clarity about the terminology that we use to talk to each other. To prove that this force is at work, I don't have to reach beyond today's headlines; consider, for example, the Finjan Web Security Trends Report (published last week) and compare it to the ScanSafe Global Threat Report published yesterday. ScanSafe says, "ScanSafe reported that Web viruses decreased 47% in September, despite recent high profile Microsoft vulnerabilities..." while "Finjan's position was that the market for malicious code would continue to expand... Recent findings show that our assessment was accurate and that the examples from our previous report were just the tip of the iceberg. This is clearly a growing phenomenon, and we can expect this trend to take on wider proportions in the foreseeable future." So which is it? Is it growing and continuing to expand, or is it decreasing over time?

In both cases, the methodology is opaque enough that I can't verify the results; ScanSafe says that they base their assessment on "data generated by ScanSafe from analysis of over five billion individual web requests each month from 20+ countries", but how do they do that? Can I reproduce it here in my lab? Nope, not enough data. Finjan's methodology, though more detailed, still doesn't provide enough information for me to reproduce.

And what is a "web virus" anyway? In general, our terminology is non-standard and unclear. I suppose I could take a guess about what ScanSafe means based on the types of threats that they catalog in the threat report, but guess what - those names aren't used ubiquitously by all researchers either. So I can't categorically determine what those metrics mean. Look - not to do down either vendor - they're both doing what they do well. But security (in my opinion) should be a hard science, and "The Fool" isn't the mode and modus of a scientist. What would happen if physicists at MIT published papers talking about acceleration in meters per second squared and physicists at Stanford published papers referring to speed-up-itude in cubits-per-year-per-year - or if the folks who claimed they found cold fusion in the nineties didn't publish their methodology, allowing other labs to disprove their findings? In a word, we'd have chaos and unpredictability... in other words, "The Fool."

Posted by Ed at October 20, 2006 11:26 AM
Comments

what is a web virus is a very good question... their list of top 10 web viruses seems to be a list of various types of trojans - apparently not a self-replicator in the bunch... it's sad when a company focused on malware gets 'virus' so horribly wrong...

i suspect that the person who wrote that is one of those people who thinks virus is the umbrella term that malware is supposed to be, which is interesting since the trend more recently has been to abuse the term spyware that way... i guess they must be really isolated...

Posted by: kurt wismer at October 20, 2006 01:25 PM