Category Archives: Security

Flip-flop dangers

Here is an interesting case of detection, mentioned in the Krakow Post

A recent seizure has put a new meaning behind the phrase “a killer pair of shoes.” On April 22nd, customs officials on the western border of Poland seized 32,000 pairs of flip-flops – plastic sandals with only a strap in the front – that were made of carcinogenic substances. The footwear had been imported from China for sale in the country.

Is it just me or is there more humor in the English versions of European news sources than in America? Killer fashion? Good one.

The carcinogenic material in the shoes was originally detected by the border guards due to a strong odor coming from the container. Tests at the Wrocław Customs Laboratory confirmed the presence of carcinogenic substances, which become active when exposed to heat. The shoes were shipped back to China before a single pair made it to the Polish market.

Were these guards trained in smelly shoes? Haha. The odor must have been something unmistakable like burning plastic, or maybe the guards automatically suspect Chinese export controls are lax and opened the shipment for special attention.

Positive News and Propaganda

Moscow News attempts to explain how propaganda is related to presentation of facts, with a look at their own history of reporting.

The newspaper under Lomko’s editorship gives off an eerie feeling of having been transported to a parallel universe. The language is English, so you don’t immediately envision a propaganda machine like Pravda. It looks like a newspaper, it feels like a newspaper.

It has pictures and headlines and cartoon illustrations. It has facts, figures and commentary. In fact, you would be hard pressed to argue with Lomko when he insists that he was producing an informative and objective newspaper.

[…]

Reading the newspapers long enough, one notices a glaring absence: there are no negative facts about any aspect of life in the Soviet Union. Problems are not “challenges to be overcome,” as they are in Western-style political correctness. They are simply never mentioned.

This simple omission is what defined propaganda in general and Soviet newspapers in particular, and it is key in understanding the task that lay before Lomko in producing the paper after Khrushchev’s thaw and Brezhnev’s stagnation. Only the relevant facts are revealed, and the right conclusion is always drawn.

Such insight is essential to security reporting and data analysis. The ability to report on all the facts must be allowed by management, else they run the risk of instilling a propaganda-like view of their environment.

Pirate Google

A site has launched as a form of dissent to the Pirate Bay case. Pirate Google provides torrent file search using a simple Google custom search.

You can do this with any regular Google search by appending your query with filetype:torrent. This technique can be used for any type of file supported by Google.

The intention of this site is to demonstrate the double standard that was exemplified in the recent Pirate Bay Trial. Sites such as Google offer much the same functionality as The Pirate Bay and other BitTorrent sites but are not targeted by media conglomerates such as the IFPI as they have the political and legal clout to defend themselves unlike these small independent sites.

The logic is obviously, and perhaps intentionally, thin: Google usually just points a search back to a Pirate Bay URL. Nonetheless, it poses a good question. If you aid in a search for data, are you complicit when unauthorized access to that data is successful? Maybe complicit is not the right word because it includes a notion of awareness. Aiding and abetting could be a better phrase, since it separates out awareness. Philosophy courses must be a barrel of fun today compared to the Hume, Locke, Buber, etc. textbook examples I used to have to process.

Colorful logo. How long before this starts turning up on t-shirts, let alone boats in the Aden Straits?

Article: Identifying the source of corporate threats

Network World published my opinion piece yesterday:

The Verizon Business RISK team recently released its “2009 Data Breach Investigations Report,” which gives a fresh look into the question of whether insiders or outsiders are the larger threat group. The report concludes that 74% of breaches result from external sources and “the predominance of total records lost was attributed to outsiders.”

With nearly three-quarters of attackers still originating from outside, it is tempting to accept the inside threat as a lesser concern. Later, however, the report states external breaches have dropped nearly 20% over five years. The growth in threats seems to come from partners rather than insiders. Or can we really tell?

This question is something everyone should ask themselves, whether they store, process or transmit personal identity information. When looking at the data and conclusions of breach reports, it is important to consider several factors before accepting conclusions or taking a security posture.

First, the incident-response-team perspective does not reflect every environment or industry. Verizon provides data on only 600 incidents over five years, whereas public resources and research groups suggest 573 incidents occurred in 2008 alone and close to 1,500 occurred over the past five years. What happens if we include all other data points, or estimate the number of unreported breaches, or isolate breaches by industry?

Second, data points themselves remain blurry. External and internal threats often are not exclusive. External agents often include an element of insider activity. There are a number of reasons for this, such as the sophistication of monitoring at the perimeter compared with that at internal segments.

Note that the Verizon report defines insider threat to include individuals who “contribute to the breach” by picking up malware while browsing. With that in mind, 11% of all attacks are attributed to internal breaches alone, with no known external component involved. However, 39% of breaches involve multiple sources. The combined total of attacks involving insiders is therefore actually 50%. Furthermore, the 11% of attacks exclusive to insiders translates into 25% of all compromised records. When you consider this, the threat represented by insiders appears to increase substantially above 50%.

Viewed that way, the Verizon report helps put current security monitoring systems in perspective. Are your controls able to identify insider attacks? Consider the UCLA or recent Kaiser Permanente breach incidents. Is it possible to correlate external exposures with internal activity and access? Are your partner access points monitored? The answer to these questions comes from a modern logging and monitoring solution.

Carl Sagan used to say “The absence of evidence is not the evidence of absence.” Collecting logs, storing them and performing analysis at the system, network and application layers will provide evidence of threats. Here are just two examples of how to build the necessary evidence of absence.

The first way to build evidence is to stop using shared accounts – there is a reason why they are always discouraged by auditors and regulators. How can you figure out who did what if everyone uses a single account? Imagine trying to catch 23 attackers from outside and inside with just one data point – a single generic username. Now imagine trying to catch 23 attackers from 10 IP addresses, 100 Web site logins, and 200 badge reads. Once a picture of staff habits and procedures is in place, organizations should be able to collect a meaningful view of user activity. An attack will not only stand out but be pinpointed with certainty as being external, internal or a blend before it is too late and forensic investigators have to be involved.

A second example builds upon that idea. High rates of access are often considered a sign of an attack when things go awry, but a business has to be able to define what “high rates” really mean. There might be high rates during certain procedures such as end-of-month batch processing, giant print jobs or similar circumstances. Therefore a spike in activity that is unique is not always sufficient as an indicator of attack. Building a centralized log system can give essential insight that illuminates trends and narrows down attack data to avoid false positives. The more data that is analyzed efficiently, the more likely an attacker will be profiled correctly.
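The second example above, worked as code: this added Python snippet (not from the Network World piece) compares a single global "high rate" threshold with a per-user baseline that excludes known busy procedures such as end-of-month batch runs, and so only works when accounts are individual rather than shared, which is the first point made above. The log records, user names and batch window are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample from a centralized log: "date hour user count" records,
# one per user per hour of access events (illustrative, not from the article).
CONSTRUCTED_LOG = """
2009-04-01 09 alice 40
2009-04-01 10 alice 45
2009-04-02 09 alice 42
2009-04-02 10 alice 44
2009-04-03 09 alice 39
2009-04-03 10 alice 650
2009-04-30 23 alice 900
2009-04-01 10 bob 12
2009-04-30 23 bob 870
"""

# Assumed business knowledge: (day_of_month, hour) windows that are legitimately
# busy, such as end-of-month batch processing on the 30th at 23:00.
BATCH_WINDOWS = {("30", "23")}

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        date, hour, user, count = line.split()
        events.append({"date": date, "hour": hour, "user": user, "count": int(count)})
    return events

def in_batch_window(ev):
    return (ev["date"].split("-")[2], ev["hour"]) in BATCH_WINDOWS

def naive_spikes(events, absolute_threshold=500):
    """One global threshold: flags every busy hour, batch runs included (false positives)."""
    return [(ev["user"], ev["date"], ev["hour"]) for ev in events
            if ev["count"] > absolute_threshold]

def baseline_spikes(events, ratio=3.0):
    """Per-user baseline: median of that user's non-batch hours (a single spike cannot
    inflate a median), then flag hours above ratio * baseline, skipping batch windows."""
    history = defaultdict(list)
    for ev in events:
        if not in_batch_window(ev):
            history[ev["user"]].append(ev["count"])
    flagged = []
    for ev in events:
        if in_batch_window(ev):
            continue  # expected high rate for a known procedure, not an attack indicator
        if ev["count"] > ratio * median(history[ev["user"]]):
            flagged.append((ev["user"], ev["date"], ev["hour"]))
    return flagged
```

On the constructed data the global threshold flags three hours, two of them the legitimate batch run, while the per-user baseline flags only alice's unexplained 650-event hour on 2009-04-03.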

Creating a picture of security activity most relevant to your specific organization and industry reduces the uncertainty about where breaches originate, whether your organization is highly dependent on diverse partner connections, requires relatively open access for insiders, or has a high profile under constant attack from external agents. The key is to use a system that allows you to become familiar enough with log activity to detect threats and respond before they become an incident. That is not only a good measure for business, but it also will keep you out of the debate over the next annual report on breaches.