The Week That Was - 10/15/2012

The big news last week was the U.S. officially calling out the PRC for putting backdoors in telecom equipment.  So how many of you are shocked?  I'm just shocked it took this long to come out officially. [2-3],[6] If anyone is looking for good Loss Event Frequency (LEF) data surrounding data breaches, check out the Chronology of Data Breaches site. [1]  You can slice and dice this data in many ways.  Should be helpful in any FAIR analysis you do on the subject.

Speaking of FAIR and risk assessment methodologies, SecureState has issued a new risk framework called iRisk.  Being a FAIR fanboy, I applaud their effort, but warn you that this seems to be a qualitative system pretending to be a quantitative system.  That isn't necessarily a bad thing but be aware of it.  I had an interesting conversation with @slandail about how risk management evolves in organizations.  He suggests, and I agree, that this kind of qualitative assessment is a part of the risk management system evolution.  You have to live through it for a little while in order to understand its capabilities and if your organization needs more.  I argue it's not completely worthless if it gets you thinking about risk consistently. Based on Jeff Lowder's response on the SIRA Blog, he'd disagree.  Tell me what you think in the comments. [7]

And, take some time to read the article on the CIA burglar that went bad for some recreational reading.  [11]

Link Dump

“Chronology of Data Breaches,” Privacy Rights Clearinghouse, 06-Oct-2012. [Online]. Available: [Accessed: 09-Oct-2012].
S. Gallagher, “Congress accuses Chinese tech giants of un-American activities,” Ars Technica. [Online]. Available: [Accessed: 10-Oct-2012].
K. Jackson-Higgins, “Congressional Intelligence Committee Warns Against Doing Business With Chinese Telecom Firms,” Dark Reading, 08-Oct-2012. [Online]. Available: [Accessed: 10-Oct-2012].
B. Yirka, “Distributed Credential Protection: Trying to beat the hackers and protect our passwords.” [Online]. Available: [Accessed: 10-Oct-2012].
D. Fisher, “HTTPS Everywhere 3.0 Released,” ThreatPost, 09-Oct-2012. [Online]. Available: [Accessed: 11-Oct-2012].
S. Sharwood, “Huawei says US probe had ‘predetermined outcome’,” The Register, 09-Oct-2012. [Online]. Available: [Accessed: 10-Oct-2012].
J. Lowder, “IRM Quackery: SecureState’s iRisk Framework,” Society of Information Risk Analysts, 10-Oct-2012. [Online]. Available: [Accessed: 11-Oct-2012].
P. Gray, “Kernel crimps make Windows 8 a hacker hassle,” The Register, 09-Oct-2012. [Online]. Available: [Accessed: 11-Oct-2012].
B. Ray, “PGP founder’s mobile privacy app goes live,” The Register, 10-Oct-2012. [Online]. Available: [Accessed: 11-Oct-2012].
C. Farivar, “Supreme Court allows wiretapping immunity law to stand,” Ars Technica, 09-Oct-2012. [Online]. Available: [Accessed: 10-Oct-2012].
D. Wise, “The CIA Burglar Who Went Rogue,” Smithsonian magazine, Oct-2012. [Online]. Available: [Accessed: 10-Oct-2012].
B. Prince, “What An Executive Order On Cybersecurity May Mean For Enterprises,” Dark Reading, 09-Oct-2012. [Online]. Available: [Accessed: 10-Oct-2012].