Tuesday, August 12, 2008

New blog, and thoughts on Firefox 3 self-signed cert behavior

We launched a new blog to share some thoughts about the security practices at my employer.

The blog is here: http://www.thesecuritypractice.com/.

The basic introduction and purpose can be found here: http://www.thesecuritypractice.com/the_security_practice/who-are-we.html

And, a post about Firefox-3.0's handling of self-signed certificates can be found here.

This was in reaction to a piece published on Risks a bit ago - "Firefox 3's Step Backwards For Self-Signed Certificates".

Monday, August 11, 2008

Economist.com - Confessions of a Risk Manager

I was reading the Economist this week and came across an excellent article titled "Confessions of a Risk Manager".

In the article, a risk manager for a major financial institution talks about managing risks and how the risk department was viewed as an obstacle by the rest of the business. I'll just quote a section here so you can see that governance roles, especially those involving trade-offs of risk vs. return, are difficult not just in security.

In their eyes, we were not earning money for the bank. Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. . . .

Tactfully explaining why we said no was not our forte. Traders were often exasperated as much by how they were told as by what they were told.

At the root of it all, however, was—and still is—a deeply ingrained flaw in the decision-making process. In contrast to the law, where two sides make an equal-and-opposite argument that is fairly judged, in banks there is always a bias towards one side of the argument. The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always “mitigated”. This made it hard to discourage transactions. If a risk manager said no, he was immediately on a collision course with the business line. The risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers.

Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.

Every time I read about decision making like this I refer back to some excellent presentations I've come across by Reidar Bratvold on decision making in the face of risk and uncertainty.

Sunday, August 10, 2008

[Offtopic] Beginning Hacker

My daughter and I were playing a little online Dora computer game today. As we got to one of the screens where you're supposed to click the letters Dora tells you to, Elise decided it would be more fun to experiment with the game to see what happens when you click the wrong letters instead. She liked the reaction from the game as it repeatedly tried to tell her the "right" thing to do and she deliberately ignored it.

Makes me pretty proud - don't do what the software expects you to do, break the rules instead and see what happens.

Courtesy of my friends at iSec Partners, here she is dressed in her hacker garb.