These icons link to social bookmarking sites where readers can share and discover new web pages.

Security Scenarios are Syllogistic Fallacy

October 28, 2009 by ADMIN · 1 Comment

By Richard Stiennon, Chief Research Analyst, IT-Harvest

Scenario planning is a useful technique for risk reduction.

A group of key players in an organization are brought together to brainstorm possible events and their impact on business.

Scenario planning, done rigorously, could help an airline hedge against rising fuel prices, a vaccine manufacturer scale up for a pandemic, or a bank prepare for a Distributed Denial of Service attack.

But scenarios have little value in public prognostications of future cyber attacks.

From a review of a 2001 book “Information Warfare” by Michael Erbschloe:

There’s a realistic doomsday scenario described by the author, dubbed Pearl Harbor 2 (PH2), where a group of ten strategically trained hackers can disrupt $1 trillion (US) of economic activities over a sustained period. Offering day-by-day details of the first three weeks of the scenario, you should find much of the details familiar, like using email viruses for the initial outbreak. Overall, a well thought out scenario, and not all that too far fetched these days.

Scary stuff. Realistic? Not.

Winn Schwartau also wrote a book titled “Information Warfare” , which Marcus Ranum calls “Science Fiction”.

I would not fault those responsible for defending critical information infrastructure within their own organizations from postulating various forms of cyber attacks but, I would argue that there are enough attacks in evidence today to keep any IT department busy just defending against them.

Pundits extrapolate from the current state of vulnerability of most systems to predictions of massive power outages, financial collapse, and loss of command and control are falling into the scenario syllogism trap.

Posing scenarios to support your anti-cyber war position can be just as dangerous.

Marcus Ranum is on the lecture circuit with his “Cyber War is BS” pitch. He uses scenarios to defend his position as well.

Watch his Dojosec pitch here.

Ranum, self proclaimed “military historian”, uses his reading of WWII history to attempt to compare cyber war to conventional warfare and dispute the existence of cyber war.

As you listen to his talk note the polite skepticism from the audience.

A professor at the Naval War College has gone further. He postulates scenarios where offensive cyber attacks could be used by the United States in a “kinder gentler” means of war fighting.

From a Wired article, Naval Postgraduate School professor John Arquilla proposes some scenarios: Diffusing tensions between Pakistan and India, stopping Russia from invading Georgia again, and stopping another Al Qaeda 9/11.

You can imagine the unintended consequences of this type of meddling.

During times of heightened tensions Pakistan and India would not react calmly to any type of cyber interference.

Oops, I just argued from scenario. You can see how easy it is to fall in to the trap of speculation.

For now the best practice is to continue to focus on cyber defense. Cyber offensive scenario planning is not worth the effort other than for planning defenses.

As I complete the manuscript for “Surviving Cyber War” I am carefully editing out all scenarios.

There is enough recent history of cyber espionage and targeted attacks to fill several books without resorting to fear mongering and raising the specter of cybergeddon.

* * *

Stay Informed With ISR News Feeds and Email Alerts Here:

* * *

Announcing the birth of Cyber Defense Weekly, a newsletter created to give participants in this new category a comprehensive summary of the week’s news, product announcements, and escalations in cyber threats.

Simply provide your email address here to become a subscriber.

Comments and input are welcome as always on this critical new category.

Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently re-launched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor. Prior to that he was VP Threat Research at Webroot Software. Before Webroot, Mr. Stiennon was VP Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner’s Thought Leadership award and was named “One of the 50 most powerful people in Networking” by NetworkWorld Magazine.

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

These icons link to social bookmarking sites where readers can share and discover new web pages.

Filed under: Breach, D&O Liability, FEATURE ARTICLE, Financial, Government, ISR News, Insider Threat, Military, PCI, Richard Stiennon, Sarbanes-Oxley, Uncategorized, due diligence, hackers, healthcare, identity-theft, malware, national security, privacy, virtualization

Tags: (ISC)2, 2009, access, AlphaInventions.com, Anthony M. Freed, Breach, breaches, bypass, CFO, CGEIT, Check Point, Chief Research Analyst, CIO, CIPP, CISA, CISM, CISSP, computer, confidential, consumer product liability, control, Costs, CPA, CSI, Cyber Defense Weekly, cyber offensive, cyber security, cyber-crime, cyberattack, cybersecurity, D and O liability, Data, DDoS, DHS NCD, DISA, DOD, DRI, due diligence, Economy, electronic database, Finance, Financial, Financial Identity, Financial InfoSec, governance, hackers, homeland Security, Honda, IAP, ID, Identity and Access Management, identity thief, IIA, India, infiltrate, Infoduciary, Information, Information Fiduciary, Information Warfare, Information-Security-Resources.com, InfoSec, infrastructure, Insider Threat, interview, IP address, IPS, ISACA, ISR, ISSA, IT-Harvest, John Arquilla, Kevin M. Nixon, kinetic attacks, law, legal, liability, Marcus Ranum, Michael Erbschloe, misuse, NAC, national security, Naval Postgraduate School, NCSA, News, outsourcing, Pakistan, paperless, password, phishing, policy, privacy rights, regulations, regulatory, Report, Richard Stiennon, risk, sabotage, Security, shareholder derivative, spyware, SQL, System, systems, theft, third party, Unified Threat Management, UTM, valuation, vendors, white-hat, Winn Schwartau, Wired, zero day attack

One Response to “Security Scenarios are Syllogistic Fallacy”

Chandra Bhan Gupta Says:
October 30th, 2009 at 5:44 am
The article is interesting reading. Defending critical information infrastructure and collation of technological intelligence to run state owned scenario universally is marketing event today. As such, vulnerability of most of the security systems at hand or improved in future will be subject to spy action or ciber crime attacks globally. It may be state sponsored or criminals act to achieve the armament / military / economic lead universally in the apperant scenario.
The best / golden rule for anti - cyber crime would be to keep ear / eye open to learn and keep the mouth shut to shut the breach and any advancement in having products / devices with this value will in future be a guard and security apparatus in conquering the evil event.
Capt.(Retd.) C.B.Gupta

Tell us what you're thinking...

Editor's Pick - Best Anti-Spyware Download
Advocacy
- Electronic Frontier Foundation
- Internet Security Alliance
Business Technology
- BizTech - The Wall Street Journal
- Geekfluence
- Information Week
- InfoWorld - Business Tech & IT
- TechPitch
- TechWeb
- Telecom, Security and P2P
Class Action Litigation Resources
- Class Action News Wire
- Class Action World
- Stanford Law Class Action Clearinghouse
Education Infosec
- Educational Security Incidents (ESI)
Financial InfoSec
- A.E. Feldman Blog
- Bank Info Security
Financial Watch
- Bear Market Investments
- BusinessWeek BX
- Footnoted.org - The Fine Print
- MarketWatch
- SeekingAlpha Investor Analysis
- Silicon Investor
- Telegraph UK
- The Deal Economy
- The Mess That Greenspan Made
- The Oxen Group
Government
- Compliance Online
- Federal Computer Week
- Government Computer News
- Government Contracting News Wire
- Government Technology
- GovernmentSecurity.Org
- Homeland Security Watch
- N.I.S.T. Resources
- Obama’s Security Strategy
- Telegraph UK
- US - CERT
Identity Theft News
- I’ve Been Mugged
- ID Experts Blog
- Identity Theft Assistance Center
- Identity Theft Info
- Identity Theft Resource Center
IDG Network
- CIO Online
- ComputerWorld
- CSO Online
- IDG Connect
- InfoWorld
- ITWorld - An Open Exchange
- MacWorld
- NetworkWorld
- PCWorld
- The Industry Standard
InfoSec
- Armit Williams Blog
- Best of Security News
- Bruce Schneier on Security
- C.E.R.I.A.S.
- CERIAS Blog
- CGI Security
- CIO Forum - South Africa
- CISSP
- Cyber Security Institute
- Cyber Strategies
- Didier Stevens Blog
- FireEye Malware Intelligence Lab
- FrequencyX Blog
- Graves Concerns - Subjunctive Blog
- Hack in the Box
- HowUnSecure
- IIA Security Portal - Australia
- Information Security Short Takes
- Insecure Realities
- Laptop Security Blog
- Last In - First Out
- Lauren Weinstein’s Blog
- Mu Dynamics Blog
- Neohapsis Labs
- Oonnoonny
- Risk and Threat Management
- SecuObs - L’observatoire
- Securosis
- TaoSecurity
- The Breach Blog - Evan Francen
- The DarkNet UK
- The Hacker Diaries
- The InfoSec Blog
- The Tech Herald - Security
- Threat Post
- ThreatChaos - Richard Stiennon
Mortgage Industry
- Housing Doom
- Mortgage Lender Implode
Payments Industry
- Merchant Bill Of Rights
- Payment Systems Blog
- Payments News
- PCI Auditor Community Site
- Pin Payments Blog - HomeATM
- Society of Payment Security Pros
- StorefrontBacktalk
- The Merchant Maven
Privacy Rights Issues
- Emergent Chaos
- Info/Law - Harvard
- Pogo Was Right - Privacy News
- Privacy Camp
- Privacy Rights Clearing House
- PrivacyLaw.org
- The Cutting Edge News
Security Breach Aggregators
- Open Security Foundation
Technology and Law
- Computer Crime Research Center
- CTF Legal Blog
- Cyber Crime & Doing Time
- Tech Law Forum
- Technology & Marketing Law
- The Complex Litigator
- Tsibouris & Associates Law Blog
Technology News
- Ars Technica
- Current Tech
- H-Plus Magazine
- Rob the Geek - New Zealand
- TechBlips
ISR News Feed
- Online Money Mules Aide Theft and Fraud
  By Robert Siciliano, Identity Theft Expert Shipping scams are a common tactic criminals use in which they employ mules to receive goods bought with stolen credit card numbers, who then ship to people who buy them in online auctions. The mules in this process are essentially facilitating selling hot goods and money laundering.
- Effective Security Policy Messaging Important
  By Christopher Burgess, Senior Security Adviser Clearly communicate that, in fact, there are secrets. Once employees understand that they have a responsibility to protect the enterprise, the chasm between the security professional and the rest of the staff not only shrinks, it disappears. Far too often, security policies arrive as a reaction, as opposed to a proactive management of risk. Through this process, the enterprise will acknowledge security as forethought, not an afterthought.
- Windows Security Logs and MS Log Parser
  By Bozidar Spirovski, CISSP, MCSA, MCP Reading through a Windows security log or any other log can be very difficult and time consuming, so a lot of companies have created their own tools to analyze windows event logs. But before you start going commercial, there is a tool that will get you going without any cost. Against all odds, it's a tool made by Microsoft!
- ATM on Craigslist Loaded with Card Data
  By Robert Siciliano, Identity Theft Expert I started looking on e-bay and found plenty of new and used ATMs ranging from $500-2500 but quickly determined I didn’t want to pay $300 for shipping. Next was Craigslist, where I quickly found an ad from a bar north of Boston. They were selling pool tables, Budweiser neon signs and an ATM for $750.
- ISAlliance: Cyber Security is Economic Issue
  By Anthony M. Freed, Information-Security-Resources.com Managing Editor "First, the President is correct in his appreciation of the need to view cyber security as not just a technical and security issue, but as an economic one as well. In the 21st century - the digital century - economics and security are opposite sides of the same coin. You cannot affect one without impacting the other." ~ Congressional Testimony
- Innovative Analytic Tool Empowers Investors
  By Anthony M. Freed, Information-Security-Resources.com Managing Editor An innovative new investor analytic tool made its public debut today, and it offers an exciting look at what may well be the future of online trading for both market experts and arm-chair analysts alike. Trefis, named for its focus on trends, forecasts, and insights, is revolutionary in its forward-looking approach to stock analysis which, incorporates a more intuitive look at the relationship between a company's product divisions and its stock price.
- SaaS and the Need for Enterprise Architecture
  Coby Royer, Technical Product Manager for Symplified Acquisition and deployment of real solutions is now within grasp of business owners (seemingly) without the need for conventional IT delivery and support. But many questions may go unanswered without engagement of EA, and latent risks (such as compliance and security) may turn into real issues.
- New IBM Analytics For Business Intelligence
  BY Mel Duvall, Chief Content Officer at CIOZone In its recently released Global CIO Study, IBM found that 83% of respondents identified business intelligence and analytics as the best way to help enhance their organizations' competitiveness. At the company's Information on Demand conference in Las Vegas, IBM outlined a series of new products and services. It includes tools to analyze the increasing volumes of unstructured data found on Web sites, on social networking sites and in digital files.
- Revolving Door of Abuse: Procurement Fraud
  By Michael O'Connor, President of IronClad Consulting Kellogg, Brown & Root (KBR) was responsible for the kickback fraud that occurred in the US v. Khan case, and has been the focus of many other cases of procurement fraud within the LOGCAP project. Since combat operations began in 2001, DCAA has referred to criminal investigators 32 cases of suspected fraud that were associated with all wartime-support contracts. Of those, the vast majority were related to the Logistics Civil Augmentation Program.
- ISAlliance to Testify for Senate Judiciary
  From The Internet Security Alliance Larry Clinton, president of the Internet Security Alliance (ISA), will testify tomorrow at a U.S. Senate Judiciary Terrorism and Homeland Security Subcommittee hearing titled, Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace.
- Increase Your Information Security IQ
  By Robert Siciliano, Identity Theft Expert People who generally have to much time on their hands read my posts. Or they simply enjoy my train wreck world view. Anyway there are some fantastic resources that I draw from that help me to break down the complicated issues revolving around how to keep the bad guy from draining your bank account. The following make me look good (not to insult them):
- Fifteen More Smart Grid Privacy Concerns
  By Rebecca Herold (The Privacy Professor) CIPP, CISSP, CISM, CISA, FLMI Wouldn't it be a good idea to have privacy certifications for the organizations that are part of the large smart grid and for the smart meters to help ensure they are appropriately addressing privacy and providing households with informed decision-making capabilities for how the information collected from their homes through these devices are used?
- 2010 Defense Authorization Act Spending
  By Richard Stiennon, Chief Research Analyst, IT-Harvest On October 28th President Obama signed into law the National Defense Authorization Act for Fiscal Year 2010. OK, so more people are needed. Now, let’s talk money. How much money is provided in the 2010 Defense Authorization Act for Cyber Defense? A lot.
- What Could Possibly Be Worse Than A Virus?
  By Robert Siciliano, Identity Theft Expert Once a predator uses your Internet connection to go to into the bowels of the web, your Internet Protocol address, which is connected to your ISP billing address, is now considered one that is owned by a criminal. If law enforcement happens to be chatting with that person, who’s using your Internet connection to trade lurid porn, then someone may eventually knock on your door at 3 AM with a battering ram. And in freakish and relatively new twist, hackers can use a virus to crack your network and gain remote control access, and then store illicit porn on your hard drive.
- DLP is Short for Disturbing Lack of Process?
  By Danny Lieberman, Security Expert and Founder of Software Associates The question is not lack of process but whether or not security is being used to help enforce business process in the relevant areas of product safety, customer service, employee workplace security and information protection in business-to-business relationships.
- HITECH Act and Protecting Health Privacy
  By Doug Pollack, Chief Marketing Officer for ID Experts These new regulations come at a time when healthcare breaches are on the rise; according to the 2009 ITRC Breach Stats Report healthcare breaches account for over 66 percent of all records breached this year, up from 20 percent in 2008. In fact, some of the largest names in healthcare suffered data breaches.
- Congressional Leak Spotlights P2P User Act
  By Robert Siciliano, Identity Theft Expert Congress is still considering the Informed P2P User Act, a law that would supposedly make it safer to use peer-to-peer file sharing software, an effort that is similar to banning mosquitoes from sucking blood. It just isn’t happening...
- Microsoft Threat Assessment & Modeling
  By Bozidar Spirovski, CISSP, MCSA, MCP Every organization has some form of Information Security Risk Assessment - some perform a formal risk assessment, others simply use their practical experience. There aren't that many tools that assist the organization in performing risk assessment. The most widely used one is Excel, but it is far from a good choice.
- ISAlliance To Release Cyber Security Report
  From The Internet Security Alliance The ISA will release a new cybersecurity report, which proposes frameworks for taking key issues in the Obama Administration’s “Cyberspace Policy Review” document to the next level, in an effort to achieve tangible progress. The report will include frameworks for creating a new, practical model for information sharing; addressing the international nature of cybersecurity issues; developing a market for adopting good security standards and practices; building a highly educated digital workforce; and managing the global IT supply chain.
- Report: Globalization of Malware Production
  By Simon Heron, CISSP Internet Security Analyst Hackers are spreading their operational bases further around the world, according to threat analysis from managed security firm, Network Box. Not only should we all be wary about what links we click on in emails, social networking sites and IM, but we should examine what data we put online.
Feedback
- Brian Carroll on Effective Security Policy Messaging Important
- Vedicsoft Solutions IT Consulting Company | Business Intelligence … | Management Business Wisdom on New IBM Analytics For Business Intelligence
- Taming Business Intelligence for CXOs | CMS Report | Management Business Wisdom on New IBM Analytics For Business Intelligence
- Innovative Analytic Tool Empowers Investors : Information Security … | inversiones inmobiliarias - Zentrica Inversiones on Innovative Analytic Tool Empowers Investors
- securitywhispers » Blog Archive » About smart grid on Fifteen More Smart Grid Privacy Concerns
- Michael Bacon on Fifteen More Smart Grid Privacy Concerns
- uberVU - social comments on 2010 Defense Authorization Act Spending
- Michael Bacon on What Could Possibly Be Worse Than A Virus?
- uberVU - social comments on What Could Possibly Be Worse Than A Virus?
- uberVU - social comments on DLP is Short for Disturbing Lack of Process?

Information Security Resources

Security Scenarios are Syllogistic Fallacy

Business

Editor's Pick - Best Anti-Spyware Download

Advocacy

Business Technology

Class Action Litigation Resources

Education Infosec

Financial InfoSec

Financial Watch

Government

Identity Theft News

IDG Network

InfoSec

Mortgage Industry

Payments Industry

Privacy Rights Issues

Security Breach Aggregators

Technology and Law

Technology News

ISR News Feed

Feedback