Sophos’ Graham Cluley explains how to choose a memorable password that is hard to crack. He also recommends using software to help you out:

1Password This is what I use.

KeePass Free and open source.

PhishGuru is an email-based anti-phishing training system in which training messages are designed to look like phishing messages.

In other words, it is beyond the legal or practical capability of most computer crime victims to investigate, prosecute, and incarcerate threats.

Richard points out this CDT press release that explains the State’s inability to protect consumers from online criminals.

Victims of computer crime are at the mercy of the government when it comes to hunting down their criminal. But the government has little to no incentive to do so. If a victim instead decided to track down the criminal and obtain restitution, it would likely be deemed illegal by the same government whose protection services were inadequate for the victim in the first place.

What we have then is a law enforcement monopoly – a protection racket – that makes us all less safe, because the monopolist doesn’t have any incentive to protect us. In the case of the government, they get more funding if they make mistakes. When they do catch criminals, the criminals pay restitution to the government, not the victim, or are incarcerated at the victims expense.

Better technology can only go so far to protect us from online crime. A better legal and law enforcement system would help far more. A free market in law enforcement and protection is the logical alternative.

To improve this number, the paper suggests the following:

• browser vendors follow Mozilla’s lead and implement an auto-update mechanism that checks for updates each time the browser is used
• consumers implement URL filtering to reduce odds of visiting an infected website
• implement a “best by” dating system for software similar to what consumers are familiar with when they shop for groceries. This is supposed to increase awareness of the risk of outdated browsers and motivate users to update.
• someone implement an authentic, open repository of plugin version information that can be queried by vendors to make sure browser plugins are updated regularly

I don’t like the “best by” idea. A little red notice that states “145 days expired, 3 patches missed” isn’t much different from the existing software update schemes. Trying to raise awareness for the sake of awareness is futile. Outdated software alone doesn’t cause loss and discomfort like spoiled produce does so consumers won’t be motivated to pay attention to the “best by” date.

At Bejtlich’s recommendation, I read with great interest Cyberinsurance in IT Security Management by Walter S. Baer and Andrew Parkinson. The bulk of the paper describes the success and prospects of the cyberinsurance industry, but comes to a conclusion that we need government regulation to “facilitate private market development”. This conclusion isn’t based on their informative analysis of the cyberinsurance industry, but rather on an ethical judgement revealed in the third paragraph:

My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others. In economic terms, the private benefits of investment are less than the social benefits, making networked IT security a public good—and susceptible to the free-rider problem. As a consequence, private individuals and organizations won’t invest sufficiently in IT security to provide an optimal (or even adequate) level of societal protection.

The authors believe that current levels of IT security are sub-optimal and believe it will stay at those levels because “the private benefits of investment are less than the social benefits”. They don’t explain or rationalize these statements in the rest of the article. Instead, they explain the benefits and success of cyberinsurance, but make another value-judgement after noting that only 25% of the market uses cyberinsurance. This is too low in their eyes, so we obviously need government regulation to stimulate the industry, since IT security is a public good. But they never give reasons as to why IT security is a public good suffering from the free-rider problem. Not to my satisfaction, at least. They did offer this example as noted above:

My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others.

If you deem your neighboring systems as a threat because they don’t live up to your standard of protection and there is a risk of their systems being used to launch an attack, why don’t you take that into consideration when buying security? As Sammy Migues (via Alex) points out, it often makes no difference where the attack comes from. I don’t see how how their example illustrates that IT security is a public good, but let’s go along with it anyway.

The assertion that IT security is a public good suffering from the free-rider problem is one that not all economists would agree with. The free-rider problem and public goods theory are used by some economists to justify government regulation of markets. The supposed “market failure” that occurs because of the free-rider problem is merely an opinion of the economist doing the analysis. From whose point of view are we to judge what the optimal level of IT security is; that of the central-planning economist or that of the individual who owns the means to spend on security? From the point of view of the authors and many security practitioners, we need more security. Obviously companies aren’t buying enough, otherwise we wouldn’t be suffering breaches right? They think private interests aren’t buying the optimal amount of security because of “perverse economic incentives”, i.e. the security they buy benefits others more than it benefits themselves. But from the point of view of the individual actors in the economy, they are already buying the ideal amount security that the market can offer them, given the means they have available and the other options they have for using those means.

A rational approach to the problem looks at the situation from the point of view of the private actors in the market devoid of any personal preference. Each actor uses means (time, money, labor, producer goods) to produce ends (consumer goods or producer goods that later become consumer goods). Every action taken in the economy is aimed at improving the condition and enjoyment of some consumer somewhere. An individual (or company) might perceive a threat of invasion or damage to property. He will determine, to the best of his ability, if he has the means to mitigate the threat or reduce the chances that the threat occurs by buying some form of security. He will buy the security inasmuch as he values the security and the comfort and advantage it gives him. When making this decision whether or not to buy the security he also considers the other uses of his means. His final decision reveals how he values the respective ends. Would he rather use the means to buy or produce more widgets or buy security? We can’t know ahead of time what he would rather do with his means, we can only look at his actions to determine what he values.

Those who value security more than that actor can’t understand why he wouldn’t buy more, blame this on the “public goods” assertion and “perverse economic incentives” and call for government to force the actor to buy more security. Any such security regulation can only reduce the amount of wealth and comfort the economy produces because it is foisting one man’s values upon another – “for the public good”.

The paper pointed out that the cybersecurity market is young, small and growing. I’m sure it will do fine on its own. Let’s just keep government out of it.

The ideal state of security would be when a threat agent gets inside your domain, or gets access to your secrets, property etc., but it doesn’t matter.

Hoff kicked off quite the discussion on the Jericho Forum (follow up here with links to the blogs that discussed JF).

This slide deck (pdf), by Andrew Yeomans, Chairman of the Jericho Solutions Working Group, is a brief intro to the Jericho Forum. It more or less mirrors the enlightening comments by Mr. Yeomans that Rob Newby published today.

As for the arguments against the Jericho Forum, they can be divided into two groups as far as I can tell:

1. Those that that think the JF is right, “but we will still have a perimeter”. (Lonervamp)

   This is partly an issue of semantics and partly an inability to map the way we use networks to the way we defend our network assets. Our assets, (data) aren’t contained within a traditional perimeter. Why surround a network with a perimeter when you really just want to protect the data. (OK, I’m sounding like Rob, but he is right.) This doesn’t mean trash firewalls, but really, we need to trash the perimeter model. The data are all over the place and won’t forever be inside the protection of a UTM device. Furthermore, as noted by Yeomans on Robs blog and on the slides, we are letting outsiders and threats through the perimeter, so we should design our systems to withstand these threats. In a way, this is getting rid of the perimeter. Yes, we will be setting up protection closer to the data. You can call this a perimeter, but I really think we should trash that word. We need to consider the “placelessness”” of data in the future and design our defenses accordingly. “Perimeter” implies a fence of sorts that protects things within it’s boundaries. This doesn’t map to the way business is done now or will be done in the future. That is the problem with the perimeter model in network security. Note: I said trash the word; not trash the firewalls. But the edge devices shouldn’t be considered the cornerstone of the de facto security model. Maybe they will exist to ensure clean pipes, but that doesn’t need to be thought of as a perimeter.

2. Those that have a vested interest in selling edge appliances. (Stiennon)

   JF causes them to stammer in fear because they are scared they might really be tossed in the dumpster for good. They try to argue that things will remain the same to justify what they currently are selling. The nice thing about selling is there will always be something to sell, so don’t let the changes and improvements scare you.

I think the reason I like the Jericho Forum’s ideas are that they remind me of a security ideal that has eluded me since I read it in an article in college. I think it was in Wired by Bruce Schneier, but I can’t remember. It went something like this:

The ideal state of security would be when a threat agent gets inside your domain, or gets access to your secrets, property etc., but it doesn’t matter. The safety of the object is an attribute of the object itself.

At least that’s how I remember it. Ever since then, I wondered how I could give my home this attribute. How could I make it so a thief that makes it into my house is powerless to do anything to my things? E.g. I could make them invisible to him. I could make them unmovable by him, etc. I’m interested to see if the JF’s ideas will help us move closer to this ideal.