[WG-HealthIDAssurance] [WG-P3] [IE]:Re: [WG-IDAssurance] Trust frameworks at risk ...

Joni Brennan joni at ieee-isto.org
Thu Feb 21 14:51:08 EST 2013


Right Anna.  It's worth noting that I believe the article is sponsored by
Venafi (certificate and key management company). And in some of that
context they are really focusing on the perils of what happens when certs
and keys are mis- or under-managed.

I'd argue it's an issue of organizations not understanding or doing proper
planning / risk assessment regarding their certificates and keys and -
again - it argues that having an architecture that verifies tech AND policy
is a key value to helping these organizations ensure they are correctly
applying policies and management thereof.  All the tech in the world does
not save environments from bad policy application/management.

- Joni

On Thu, Feb 21, 2013 at 10:48 AM, Anna Slomovic
<Anna.Slomovic at equifax.com> wrote:

>  I keep trying to figure out what the word “trust” means in this context.
> It seems that what the study is discussing is the potential consequences of
> failed key and certificate management. Here is what the blog says:
>
> For this report, we examined four very real scenarios related to attacks
> on key and certificate management, such as phishing attacks using a
> certificate signed by a compromised certificate authority (CA). The survey
> presented generalized scenarios; however, every scenario was rooted in an
> incident that has actually occurred.
>
> Is this really a “trust” issue or a “trust framework” issue? Is our
> definition of “trust” or “trust framework” limited to key and certificate
> management? If so, we’ve been spending a lot of time trying to figure out
> something quite different and much broader.
>
> Anna
>
> Anna Slomovic
> Chief Privacy Officer
> Equifax
> 7927 Jones Branch Drive, Suite 400 | McLean, VA 22102
> O: 703.761.0332 | C: 703.254.9656
> E: Anna.Slomovic at equifax.com
>
> *From:* wg-p3-bounces at kantarainitiative.org [mailto:
> wg-p3-bounces at kantarainitiative.org] *On Behalf Of *Bob Pinheiro
> *Sent:* Thursday, February 21, 2013 1:37 PM
> *To:* Richard G. WILSHER (@Zygma)
> *Cc:* 'DeVaul, James W'; 'IAWG'; 'P3WG'; arb at kantarainitiative.org;
> wg-healthidassurance at kantarainitiative.org
> *Subject:* [IE]:Re: [WG-P3] [WG-IDAssurance] Trust frameworks at risk ...
>
> Note that the article leads off by saying that a breach costs "almost $400
> M per organization", but the next sentence says that such attacks *can
> cost* an organization up to $398 M per incident.  In other words, the
> second sentence seems to be saying that $398M is the worst case scenario,
> whereas the leading sentence suggests that this figure reflects the actual
> losses.
>
> Looking at the methodology that Ponemon used, the assumption is that total
> exposure times likelihood of occurrence equals expected exposure.  Maybe I
> just don't fully understand the methodology used, but two things stand
> out.  First, there seems to be an assumption that a certain loss will occur
> if an attack occurs.  So if $125M is at risk (in the example given), and
> the likelihood of an attack is 18%, then the expected loss is $22.5M (125 x
> .18).  This implies that if an actual attack really does occur, the
> expected loss is the whole $125M.  But every attack probably doesn't lead
> to the same loss, since presumably the organization has mitigating
> strategies to protect against attacks.  So in this example, is 18% the
> likelihood that an attack occurs, or is it the likelihood that the
> organization will be negatively impacted if an attack occurs?  The
> methodology description does not (to me) make clear which interpretation is
> correct.  The second thing is that the likelihood (of an attack, or
> negative impact from an attack) is derived from the answers that
> respondents have given.  That is, this likelihood is derived from responses
> provided by the survey participants, so that the end result ($400M)
> reflects the subjective opinion of the respondents about their expectations
> of being attacked (or being impacted by an attack).  I'm not saying this is
> the wrong way to estimate this likelihood, or that there's a better way to
> do it.  Just that the interpretation of the end result ($400M) is not as
> clear as the article suggests.
>
> Bob Pinheiro
>
> On 2/21/2013 12:12 PM, Richard G. WILSHER (@Zygma) wrote:
>
> Interesting articles, although I find the numbers hard to believe (i.e.
> exaggerated).  But, Nathan, where does this put trust *frameworks* *per se*
> at risk?  (The articles do not use the word ‘framework’ – I’m assuming
> either you injected it or you clipped it from LinkedIn (and what does that
> tell you)?)  Isn’t it the trust within the organisations that appears to be
> under threat, but can’t trust framework providers apply this knowledge to
> enhance the criteria they apply and thereby the practices which their
> assessors will specifically address?  Because of the pervasive use of PKI I
> suspect that this dilemma has ramifications within the infrastructure
> supporting more than just LoA4, where the PKI is ‘out-front’ because it is
> the technology of the primary credentials.
>
> R
>
> Richard G. WILSHER
> Founder & CEO
> O:  +1 714 965 99 42
> M: +1 714 797 99 42
> E: RGW at Zygma.biz
> W: www.Zygma.biz <http://www.zygma.biz/>
>
> *From:* wg-idassurance-bounces at kantarainitiative.org
> [mailto:wg-idassurance-bounces at kantarainitiative.org]
> *On Behalf Of *j stollman
> *Sent:* February 21, 2013 16:42
> *To:* Faut, Nathan E
> *Cc:* DeVaul, James W; IAWG; P3WG; arb at kantarainitiative.org;
> wg-healthidassurance at kantarainitiative.org
> *Subject:* Re: [WG-IDAssurance] [WG-P3] Trust frameworks at risk ...
>
> Nathan,
>
> Thanks for the heads up.
>
> Here's the Ponemon Institute's explanation of their methodology in coming
> up with their shockingly high figures:
> http://www.ponemon.org/blog/understanding-the-methodology-and-staggering-costs-in-the-annual-cost-of-failed-trust-report
>
> Jeff
>
> On Thu, Feb 21, 2013 at 11:21 AM, Faut, Nathan E <nfaut at kpmg.com> wrote:
>
> Colleagues –
>
> I saw this article through LinkedIn – I offer it as thought-provoking
> material and without the LinkedIn overhead:
>
> http://www.securityweek.com/trust-based-attacks-against-ssh-ssl-cost-firms-big-money-report
>
> -Nathan
> =-=-=-=-=-=-=-=-
> Nathan Faut
> Manager, IT Attestation, Federal
> KPMG LLP
> 1676 International Drive
> Suite 1200
> McLean, VA 22102
> office: 703-286-6883
> mobile: 301-335-2656
>
>
> _______________________________________________
> WG-P3 mailing list
> WG-P3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3
>
> --
> Jeff Stollman
> stollman.j at gmail.com
> 1 202.683.8699
>
> Truth never triumphs — its opponents just die out.
> Science advances one funeral at a time.
>                                     Max Planck
>