New in the DeepSec Ticket Shop: Tor Tickets for Early Birds and InfoSec Minds

We have a new category in the DeepSec ticket shop. We now have Tor tickets! Why is that? Well, information security relies heavily on the tools of the trade and the knowledge to use them. Tools can be created and used, knowledge can be shared and used. It’s not a new insight. The special Tor tickets are a way to help the German non-profit registered association Zwiebelfreunde e.V. to reboot their infrastructure. They run Tor nodes and provide the necessary infrastructure to do this. Members of Zwiebelfreunde have been speakers at DeepSec in the past, because they are also active security researchers. The difference between the Tor ticket and the normal ticket price will be given to them to help recover from the damage to their infrastructure.

Security tools such as Tor are widely used by law enforcement, agencies, security researchers, academics, normal people, businesses, and more. The Tor project maintains a list of typical Tor users. Non-profit organisations keep Tor alive, and this ticket category is our contribution. We use Tor and other security tools daily, too. So if you want to contribute, you just need the right ticket. We will confirm your contribution and send the price difference to Zwiebelfreunde. Security is a team effort. We hope that some of you will give your support as well.

ROOTS and DeepSec 2018 Call for Papers – Reminder and Bugfix

The ROOTS and DeepSec Calls for Papers are still running! We did some bugfixing on the web page, so the deadline for any ROOTS submissions is 26 August 2018. Please spread the word and submit your research. If you need any assistance, feel free to contact us.
The DeepSec Call for Papers closes on 31 July 2018. Now is the time for your submission. We are looking forward to seeing your presentation on stage at DeepSec 2018!

Thoughts on the Information Security Skill Set

As mentioned in an earlier blog article we moved our office infrastructure to a new location. Once you use a space for more than a decade, things inevitably pile up. So I had to sort through hardware, software (on optical storage hardware and floppy disks), lecture notes from a previous life, ancient project documentation, and notes on ideas for a brighter future. Most things were thrown away (i.e. responsibly recycled), some stuff could be saved by enthusiasts (for example the two old Amigas that were sitting in the basement). All of the things we had to move had a purpose once. The main purpose was to get familiar with technology, accumulate knowledge, and understand how things work. This is essentially the hacker mindset, also found among scientists. Given the many presentations at past DeepSec conferences, the workshops, the many hours spent with bad documentation and even worse code, there is a simple question. What do you need to know to work in information security?

I want to give you an example for illustration. During the past weeks I had to write a summary about the state of affairs regarding Transport Layer Security (TLS) for email transport. If you have 20+ years of actual experience as a postmaster, running MTAs and routing email, and you haven’t stopped looking at new protocols or standards, then you know all you need. Nevertheless it took days to get the document done. Written correctly, it featured almost 100 sources for everything mentioned. The introduction alone was the biggest part. You have to understand all the parts involved – Internet protocols such as DNS (which includes DNSSEC and DANE), the SMTP family, SSL/TLS obviously, but also local considerations such as storage and the intermediate and end points of the message chain, cryptography (X.509, algorithms and friends), and more stuff I leave out. After that you can get to the point and describe the current state of affairs. This says a lot about the skills necessary for a „simple“ thing such as email transport. Yet you are right in the middle of information security, because even as a system administrator you are responsible for doing the best you can to protect the content your systems are transporting. End-to-end encryption is still missing in this picture.

Modern society is run by and requires an army of specialists. The days in science where a researcher could know everything in all fields were probably more than 300 years ago (my teachers taught me that Gottfried Wilhelm Leibniz was the last human who could do this; they might have been wrong about this though, it is hard to measure what people really know and what they don’t). Information security is no different. Security tests and implementations are done in teams. Learning is done in groups. Knowing a single skill set is not enough. Having worked in three different fields for some time (i.e. longer than a year) is a good start. Sysadmins often say: „Rome wasn’t burnt in a day.“ 😈 It’s true. 🙃 People new to information security often don’t know where to start. Well, the fact is that you have to start more than once, and you have to keep going. This is exactly why we have supported the Rookie Track at BSidesLondon for years. You need to be around a group of people who will share their experience and give you insights into what you can do next. Make sure never to start from unfamiliar ground. If you are interested in secure communication, then you have to know about communication in general first (you might even want to forget about digital ways to communicate to get a good start; most things don’t change when being turned digital).

The DeepSec schedule will be published in three weeks. We work hard to give you the diversity you need, topic-wise and human-wise, to get a good start in and to continue with your information security path. If you have a knack for teaching, think about submitting a presentation with these thoughts in the back of your mind. If you want to acquire a knack for teaching, please submit too. You have to start somewhere, and in information security you will never start without helping hands.

How the BND monitors Communication in Austria

[Editor’s note: This article was originally published on the web site of the FM4 radio channel of the Austrian Broadcasting Corporation. We have translated the text in order to make the content accessible for our English-speaking audience.]

At the most important connection to the Frankfurt node DE-CIX data streams from Austria are copied in their entirety to lines of the BND. Selected results of their evaluation are returned by the BND to the Austrian Army Intelligence Office in Vienna.

by Erich Möchel for fm4.orf.at

The reaction of the Austrian government regarding the publication of a list of targets of the German Federal Intelligence Service (BND) in Austria has caused surprise and amusement amongst intelligence experts. The general tenor: Either the Austrian government really has no idea how the data exchange between German and Austrian intelligence services works, or this is a domestic political manoeuvre.

The ones really affected are the domestic intelligence services, which via the BND gain insights into Austrian networks to which, for example, the Army Intelligence Office (HNaA) itself has no access. The communication of the Austrian targets is tapped on fibre optic lines with a throughput of up to 100 Gigabit/sec at the Frankfurt node DE-CIX. There is no reason to put a stop to this, because the BND has a legal mandate for tapping the targets, while the HNaA in Austria has none.

Crime Scene Frankfurt Internet Exchange

At the world’s largest Internet node, located in Frankfurt, the networks of international data transporters converge, one of which is A1 Telekom. Via the DE-CIX, Internet traffic, telephone calls and metadata are forwarded to other carriers, so it deals primarily with foreign communication. On the left the graphic shows the headquarters of A1 Telekom (AS8562), while the second node (AS8447) is already located at Frankfurt’s Internet Exchange.

The basic graphics are from the US carrier Hurricane Electric, the retro spooks were implanted by Pia Reiser (FM4).

The tip of the bold arrow marks roughly the tapping point of the BND, because that’s where all outgoing data of A1 Telekom as well as all incoming data pass through. Only after this point, depending on their destination, will the data be split up among other carriers that are in the domain of other intelligence services. Two of AS8447’s highest-throughput connections lead to the networks of the US carriers NTT America (AS2914) and Level3 (AS3356). These lines are filtered by the NSA, whose machines thereby receive all communications of the Austrian surveillance targets with their counterparts in the USA.

How fibre optic monitoring works

The third high-throughput connection leads to the network of the Swedish carrier Telia (AS1299), where they also tap and evaluate the data, since the Swedish military secret service FRA has had the necessary licence for tapping since 2008. So there are several secret services interested in the data streams from Austria, but only the German BND has access to all data that is delivered from the A1 network in Frankfurt. However, the data streams are tapped and filtered by the same method everywhere.

The entire fibre optic line is copied via a so-called splitter to a second fibre strand. In a nutshell, at ultra-fast switches only transport-related, meaning irrelevant, data are sorted out, and the relevant data are split among server batteries, depending on their protocol (email, http, VoIP, etc.), and stored there. Only then do the “selectors” of the respective secret services appear on the scene; these are telephone numbers, e-mail addresses, chat IDs, etc., which are assigned to the surveillance targets.

The data economy of the secret services

The intercepted data are used to extract insights that, however, will not remain in the sole domain of the respective intelligence service. The secret services’ connections among each other are much closer than is commonly assumed, mainly for technical and practical reasons. As shown in the example above, even the overpowering NSA has to rely on cooperation if it wants to access certain, for example Austrian, data sets. In fact, a good part of the intelligence data economy consists of barter transactions with other secret services.

Only those who have enough intercepted records themselves will also receive data from intelligence partners. On behalf of the Austrian Army Intelligence Office this fact is presented in a slightly roundabout way: “The HNaA … has to procure and prepare security-related information on regions and actors that affect the national security of Austria and thus the EU and present it in the form of situation reports and situation lectures to the highest political and military leadership of the republic.” In addition to the “essential users” of Austria, the HNaA also provides the “EU Military Staff with needs-based news”.

“The government’s indignation is ridiculous”

That’s why the Graz intelligence expert Siegfried Beer described the public indignation of the Federal Government regarding the BND’s tapping of Austrian data sets in several interviews as “ridiculous”. As a former foreign minister, now Federal Chancellor and top recipient of the secret briefings of the HNaA, Sebastian Kurz should know how closely BND and HNaA are connected and how the data exchange between the secret services generally works. Already in 2015, as foreign minister, Kurz discussed this very topic with his German colleague Frank-Walter Steinmeier several times in detail. Since then, the BND’s tapping of lines from Austria at DE-CIX, including a few monitoring targets which are also on the list, has been known in this country.

Selectors have increased at least tenfold

That said, the research of the colleagues of “Der Standard” and “Profil” should by no means be degraded. Admittedly, what Michael Nikbakhsh and Fabian Schmid have unearthed dates back to the early days of fibre optic surveillance and already ended in 2006. However, these are selectors that directly refer to surveillance targets. And one’s own selectors are among the best-kept secrets of any secret service. Even to friendly services insight is usually granted only on an ad hoc basis and in selective extracts.

Insofar, this list is quite a rarity and it also allows for conclusions about today. If there were about 2,200 selectors by 2006, then there are at least 10 times as many in 2018. With the rapid growth in mobile communications and data traffic overall, the numbers of selectors are also growing. What’s more, Vienna is considered the world capital of espionage, because there are already as many as 18,000 accredited diplomats in this city alone. Therefore, the number of selectors now used by the BND for Austria could very well be in the mid to high five-digit range. By the way, the Frankfurt Internet Exchange has filed a lawsuit against the data-tapping machine, which is now on its way to the Federal Constitutional Court.

Infrastructure Update – Privacy Shield, Call for Papers, DNSSEC, ROOTS, and Humidity

Our blog has been a bit silent in the past weeks, because we had to move some stuff around and rearrange our infrastructure. The old office had a problem with too much water. Leaking is for whistleblowers, not water pipes. Rain is fine if the water can get to the drains. If you take a look at the photograph, imagine the scene with summer temperatures and a high dose of humidity. Moving infrastructure around is a lot more fun when having APIs, lots of bandwidth, and server minions to take care of the storage. This wasn’t the case with our office infrastructure in meatspace. So we did a bit of a workout. It’s amazing what ancient hardware you can find when sorting through real storage space. Remember AUI Ethernet connectors with matching network interface cards? 😎

The infrastructure overhaul has brought DNSSEC to the deepsec.net and deepintel.net domains (thanks to our DNS hoster). Ask your local DNS resolver; you should see DNSSEC being used. We will also do some changes to our email infrastructure. We are unhappy with the Safe Harbor and Privacy Shield „agreements“. There is a well-deserved storm coming regarding the adequacy of the protection afforded by the EU-US Privacy Shield. We won’t wait for this to happen and will move our mailboxes to a private cloud platform. It’s always nice to know where your data actually is and who has access to it. We might even implement DANE while we are at it. 🔧

The Call for Papers for DeepSec 2018 is still running. Don’t forget to submit! So far we have received a lot of training proposals and many interesting presentations. It will be harder than last year to decide. The schedule will be most interesting. Please prod your friends and ask them to submit to DeepSec 2018! For all you researchers out there: the Call for Papers of ROOTS 2018 is also open and waiting for your research results!

DeepSec Web Server is moving today

We are doing a little relocation of computing infrastructure today. Between 2000 and 2200 CEST we will shift the computing node to a new location. Most content is still being delivered by the reverse proxy, but you may encounter errors for the call for papers manager. For those of you who got a 5xx HTTP status code when submitting a workshop or a talk, we hope that the new infrastructure will solve this problem.

Call for Papers: Reversing and Offensive-Oriented Trends Symposium (ROOTS) 2018

The second Reversing and Offensive-Oriented Trends Symposium (ROOTS) opens its call for papers. ROOTS is the first European symposium of its kind. ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should present novel attack forms, describe novel reversing techniques, or present effective deployable defences. Submissions can also provide a comprehensive overview of the state of the art, and pinpoint promising areas that have not received appropriate attention in the past.

To facilitate interaction with industry, the ROOTS ticket will be valid for all DeepSec conference tracks on both days, including the industry tracks, and the DeepSec conference tickets for the industry track will be valid for ROOTS. The usual rules for academic discounts apply. Please contact the DeepSec staff or our sponsors for discount codes.

Topics

Topics of interest include, but are not limited to:

  • New exploitation techniques and methodologies
  • New reverse engineering techniques and methodologies
  • The role of exploitation in the science of security
  • The role of reverse engineering in the science of security
  • New unintended models of programming and execution wherein the program is encoded in data, metadata, descriptors, etc.
  • Formal models of exploitation and formal methods for exploitation
  • Systematization of knowledge in exploitation
  • Systematization of knowledge in reverse engineering
  • Exploitation of trending platforms and architectures: IoT, cloud, SDNs, etc.
  • Reverse engineering of trending platforms and architectures: IoT, cloud, SDNs, etc.
  • Exploitation perspectives on emerging trust models: SGX, blockchains, etc.

PC & Publisher

The Call for Papers is open, and we welcome any kind of submissions. All submitted presentations will be reviewed by the programme committee consisting of the following persons.

Program chair: René Pfeiffer (DeepSec)
General chair: Edgar Weippl (TU Wien, SBA Research)
Co-General chair: Adrian Dabrowski (SBA Research)

Patroklos (argp) Argyroudis (CENSUS S.A.)
Stephen Checkoway (University of Illinois at Chicago)
Lucas Davi (University of Duisburg-Essen)
Mario Heiderich (Cure53)
Marcus Niemietz (RUB)
Alexander Peslyak (Openwall)
Konrad Rieck (TU Braunschweig)
Sebastian Schinzel (FH Münster)
Juraj Somorovsky (Hackmanit)
Edgar Weippl (TU Wien, SBA Research)
Fabian Yamaguchi (TU Braunschweig, LeftShift)
Stefano Zanero (Politecnico di Milano)

Application for inclusion in the ACM DL via the International Conference Proceedings Series (ICPS) is pending. See ACM’s details about authors’ rights.

The Call for Papers uses the EasyChair CfP manager. All submissions must be sent by 26 August 2018. Authors will be notified by 15 September 2018. We need your camera-ready papers by 6 October 2018.

Submission Instructions

Submissions to ROOTS are not limited in page count, but their length should be commensurate with the results; 5-10 pages of two-column PDF using the sigconf template from https://www.acm.org/publications/proceedings-template. We encourage submissions of papers based on results previously presented at industry or hacker conferences, so long as the papers themselves have not been presented elsewhere. We also encourage Systematization of Knowledge (SoK) submissions.

If you have further questions, do not hesitate to contact us.

BSidesLondon 2018 Rookie Track Follow-Up

We would like to share some impressions about the BSidesLondon 2018 Rookie Track presentations. It gets harder and harder to tell which one of the talks is the best. And picking a winner is not the right approach. We do this because we can only invite one person to DeepSec, and because the intention is to provide a motivation to work hard on the presentation. From what we have seen, we were quite impressed. The quality has much improved, also thanks to the tireless efforts of the mentors (if you see someone with a mentor badge, please buy them a drink!). Apart from the 15 minute time slot, some talks were hard to distinguish from their bigger cousins in the main tracks. The topics were well-chosen. The mix was great. Every single rookie did their best, and it showed.

We will support the Rookie Track in 2019 again. So if you have something on your mind, don’t stop thinking about it. Look for a mentor, make notes, see how others present their knowledge. We would love to see your submission!

Speaking of 2019, please think of the BSidesLondon crew and fill out the feedback form! It’s always nice to know what went well, what needs to be improved, and what your ideas for the future are. Feedback loops make the world go around, literally.

Speaking of submitting a talk, the DeepSec Call for Papers is still open. We have a U21 category for young talents. It’s not exactly a rookie talk slot, because you get the big stage. It’s worth it, and if you submit, we will help you with preparing your presentation.

Big Data Analytica – What Attackers might be after

A while ago the Cambridge Analytica issue rocked the news and the online discussions about how personal data and profiles should be used. Frankly, it is surprising that the abuse of data comes as a surprise. The terms and conditions of most online portals, services, and platforms contain lots of rights – which you give to the owner of the platform. Once something is concentrated, cached, and accessible to digital evaluation, it will be harvested for its content and context. It’s as simple as that. This has always been the case. Penetration testers (in the best case) select their targets based on this criterion (among others). What has all of this to do with information security? Well, information security, just like the social media platforms, just can’t do without analysing data. The difference is how to protect and transport it. Data collected by social media interaction is refined and can be accessed via API by selected parties, i.e. customers. Your infrastructure’s data based on security metrics and the refined versions of that data should not be accessible outside tightly controlled security zones. When’s the last time you have checked this? Are you sure that there isn’t some system talking to an API out there?

The glory of continuous integration and the DevOps hype have led to automated systems that have access to repositories, source code, databases, documents, and possibly production systems. Build systems such as Jenkins have a lot of access privileges. Configuration management tools need to access hosts in order to do their work. In turn they get their configuration from somewhere. Monitoring systems have access to data. The Cloud introduces lots of access tokens and secret keys that are distributed. Make sure your systems only do what they have to do, and that no one interferes with your set-up. Shodan is full of systems that act as a node, interfacing different systems with different access levels. These hosts should never be there. They were the topic of one of the BSidesLondon 2018 Rookie Track talks. The presentation yielded some scary findings.

So apart from the truth, your data might be out there. Smart attackers won’t tell you when they get access. They might mine your data quietly, create profiles, and then know what they need to know in order to strike. Just like social media platforms. 😀

Rookie Track – BSidesLondon 2018

We are looking forward to seeing the Rookie Track at BSidesLondon 2018! If you are curious what the rookies have to say, drop by and have a look! Presentations are meant to be heard. Do the newbies a favour and listen to them. They have put a lot of work into their 15 minute talk slot. They deserve an audience.

Presenting a topic is hard. You have to understand what you are talking about. Furthermore you need to know a bit extra, because people will ask questions. Richard Feynman once said: If you want to master something, teach it. A great way to learn is to teach. If you have ever conducted a workshop, this will sound familiar.

DeepSec sponsors the winner of the rookie track – a ticket to DeepSec 2018 and a stay in Vienna is the reward for daring to hold a presentation at BSidesLondon 2018. You have to start somewhere. 😸 And winner is the wrong word. The Rookie Track is not a competition. It’s a place to get started. Very different.

DSGVO / GDPR / RGPD Update – We have Policies and Stuff!

In information security, policies are like opinions – everyone has one or more. So this is why we did some updating. You can now find our privacy policy on the main DeepSec web site and on our blog. We use few third party services, because most of our infrastructure is hosted on our own systems. When it comes to (tele)communication, payment services, and (sadly) email we have to rely on operators doing this for us. Our email infrastructure will move in the near future (i.e. in 2018). We will announce the change via your local DNS resolver when the time comes. 😊

Bear in mind that we take the agile approach when it comes to developing policies. Publish often, do rolling releases. At least that is how we understand the process. A policy is not written in stone. We may have missed something, because a lot of data is being processed and logged these days. Furthermore, a lot of data protection and privacy controls are moot when people keep using devices and software which use „telemetry“ features. We try to keep the IT ecosystem as Free (as in Free Software) as possible. This also means that we do not create profiles of attendees or speakers, keep data tied to persons only as long as we need it, and do not share data with third parties except for the entities described in our privacy policy.

Let us know in case we missed something. 🖋

#efail, Crypto, HTML, PDF, and other complex Topics

You probably have noticed the #efail hashtag that came with the claim that the crypto world of PGP/GPG and S/MIME is about to end. Apocalyptic announcements were made. The real news is due for 15 May 2018 (i.e. the publication with all the facts). There was even the advice to stop using encryption until more information is known. The researchers who found the bug claimed that responsible disclosure was being followed. Well, it seems that this is not the case. Judging from the Internet response, the bug depends on the content of the encrypted message, not on the protocol of the encryption or the encryption tools. Lessons learned so far:

  • It is a bug in some mail client software.
  • It’s all about the content of the message and how it gets interpreted.
  • Responsible disclosure was not followed.
  • Do not use HTML in emails.
  • Use authenticated encryption.

You may note that these recommendations are heavily on the side of the protocol/data format designers, not on the user’s part or the user interface. It’s hard to point fingers in the right direction, but the vulnerability is all about the content and the way software handles it. That’s not shifting the blame. HTML content (or any active content) in emails has long been the source of heated discussions. There is a reason why a lot of phishing uses HTML. Bashing PGP/GPG or S/MIME for their complex data formats is also no excuse. Have you ever taken a look at the PDF standard or the many office document standards? Why is there no recommendation to stop sending documents via emails?
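The „use authenticated encryption“ lesson in concrete terms, as an added example that is not from the original post and is tied to no particular PGP or S/MIME implementation: Go’s standard-library AES-CTR (confidentiality only) next to AES-GCM (authenticated), each decrypting a message whose last ciphertext byte was altered in transit. The key and the message are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// sealCTR: AES-CTR gives confidentiality only. Output is iv || ciphertext and
// no byte of it lets the recipient notice a modification.
func sealCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// openCTR always "succeeds": a flipped ciphertext bit is just a flipped plaintext bit.
func openCTR(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < aes.BlockSize {
		return nil, fmt.Errorf("bad key or ciphertext too short: %v", err)
	}
	out := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCTR(block, ct[:aes.BlockSize]).XORKeyStream(out, ct[aes.BlockSize:])
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM: AES-GCM is authenticated. Output is nonce || ciphertext || tag;
// the tag covers every byte, so Open rejects any change.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func openGCM(key, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(ct) < aead.NonceSize() {
		return nil, fmt.Errorf("bad key or ciphertext too short: %v", err)
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

// corruptLastByte simulates one byte of the message being altered in transit.
func corruptLastByte(ct []byte) []byte {
	c := append([]byte(nil), ct...)
	c[len(c)-1] ^= 0x01
	return c
}

// tamperTest encrypts, corrupts one byte, decrypts, and reports whether the
// recipient could tell. With CTR the last byte is plaintext, so "10:00" quietly
// becomes "10:01"; with GCM the last byte is tag material and Open fails.
func tamperTest(key, plaintext []byte, authenticated bool) (detected bool, seen string, err error) {
	seal, open := sealCTR, openCTR
	if authenticated {
		seal, open = sealGCM, openGCM
	}
	ct, err := seal(key, plaintext)
	if err != nil {
		return false, "", err
	}
	pt, err := open(key, corruptLastByte(ct))
	if err != nil {
		return true, "", nil // authentication failure: the recipient is warned
	}
	return false, string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; never use a fixed key in practice
	for _, auth := range []bool{false, true} {
		detected, seen, err := tamperTest(key, []byte("meeting moved to 10:00"), auth)
		fmt.Printf("authenticated=%v detected=%v plaintext=%q err=%v\n", auth, detected, seen, err)
	}
}
```

The unauthenticated run returns a perfectly readable, wrong message with no error; the authenticated run returns nothing but an error, which is the behaviour a mail client needs before it renders anything.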

The DeepSec conference in 2017 had the motto „Science first!“. We didn’t go for this slogan because of the first academic ROOTS workshop. We know that information security can do a lot better with a healthy dose of the scientific method. Your work doesn’t count and has no impact, if you can’t base it on solid facts. The claim that „There are currently no reliable fixes for the vulnerability.“ is plain wrong.

So please continue to write encrypted emails to us. We do not read HTML messages in conversations.

Reminder: DeepINTEL and DeepSec Call for Papers are still open

We have been a bit radio silent. We have to deal with the General Data Protection Regulation (GDPR), and we are moving our infrastructure across the Internet. The blog has already moved. Further services wait for their transport. The reason is simple maintenance work and hosting our data in a more privacy-friendly way. For example, our new ticket portal features privacy by design.

Since the threats to information security don’t have to deal with boring stuff such as privacy and upgrades, we would like to remind you that the call for papers for both DeepINTEL and DeepSec is still open.

Manufacturers integrate Blockchain into Processors to counter Spectre and Meltdown

The Spectre and Meltdown security vulnerabilities gathered a lot of attention in January. Processor manufacturers have rushed to fix the design of the chips and to patch products already in production. The vulnerabilities show that secure design is critical to our modern infrastructure. Computing has become ubiquitous, so has networking. The current fixes change the microcode on the chips. Altering the flow of assembler instructions is bound to have a detrimental impact on performance. There is not much you can do about this – but there is hope. Future generations of processors will have a defence against unknown security vulnerabilities – the blockchain!

The past decade in information security has taught us that a pro-active holistic approach to IT defence is not enough. To counter unknown threats you have to go below 0(day). The blockchain offers a perfect solution to the problem of weaknesses at the processor level. The key is consensus. Since all modern processors have multiple cores, the components act as peers that don’t trust each other. Instructions are regarded as transactions. Every core verifies every transaction by its own ledger containing a history of known good instructions. The consensus protocol between all cores guarantees that instructions are verified and can be trusted. Storage for the ledger is provided by the firmware, ensuring that the ledger cannot leave the system. Hidden storage without published documentation has been an important key ingredient for secure systems for many decades. It adds another protective layer. Storage can be extended by Cloud services (with military-grade encryption) in case the system runs longer or is subject to high processor load. You cannot work without being connected to the Internet anyway. Thus any performance impact can be regarded as negligible.

The first blockchain-based processors are expected for November 2018. Since you will have to use the new chipsets as well, the manufacturers have conveniently changed the socket again (one socket specification per manufacturer, so multiply your choices by the number of competitors).

If you have read this far, then you should already have some doubts on „modern technology“. The big problem with 1 April and satire in general is that reality has caught up. Given the density of buzzwords and hypes in information technology, it’s next to impossible to separate the hard facts from the (marketing) agenda. Information security is no exception. Most events centre around products. They create needs you do not have, and they provide solutions to problems that aren’t yours. Taking a step back and re-evaluating your current and future situation is the key. We have seen a lot of technological cul-de-sac designs when it comes to information security. We still pursue quite some questionable approaches to solving problems we do not have. Blockchain speaks for itself once you analyse what it is about. Your information security defence strategy should not get distracted by fashion trends.

DeepSec and DeepINTEL were created to help you see through all the distractions you are exposed to throughout the year. Let’s keep in touch.

Metrics, Measurement, and Information Security

Metric is a great word. Depending how you use it, it changes its meaning. The metric of a network path is quite different from the metric system. When it comes to measuring something, there might be an agreement. Why bother? Because we have heard the term security metrics being used for something which should better be called security statistics.

In mathematics a metric is a function which tells you the distance between each pair of elements in a set. While this does not necessarily have to do something with distance, it is a fitting analogy. It also connects metric to physics. Measuring how far two points are apart usually gives you a distance (either a straight line or a sum of straight lines). In essence, measuring something boils down to comparing your object of interest with a reference. The International System of Units (Système International d’unités) is a good example. The unit which you are using to express the result of your measurement has a definition. For example, the metre we all (well, almost all of us) are using is defined by the speed of light in vacuum (which is a natural constant). Devices that measure length or distance use this definition. Once you measure something in the real world, it is always a comparison to something else (references are really old). This is true in physics, and it should be true in computer science, too.

Counting is also a form of measurement. Again you use comparisons (your fingers, a herd of cats, collections of stones, visualisations of numbers). Often the number will be bigger than anything you can imagine, but counting is a basic task, so we are used to it. The nice thing about counting is that you can count anything. For example you could count the number of red cars driving past your office, the number of cobblestones on the way to the supermarket, the number of exclamation marks in your Twitter feed, and much more. The problem is that not everything you can count has meaning. Sadly, this is where statistics comes into play. Statistics is really an important branch of mathematics. The methods are as scientific as they can get, and statistical methods work without the real world (which is good, this way they can’t introduce a bias). The problem is the application of these principles. You can calculate a lot, just as you can count a lot. Think Big Data. Plus visualisation gives you pretty pictures – but it gives you neither context nor meaning. This has to come before you start your analysis. That’s what I meant by the term security metrics in the beginning. Picking something you can count and extracting meaning from it can be very hard in information security. We are used to being exposed to all kinds of data. Timestamps, word counts, length of (pass)words follow us throughout our digital lives. Context is the key. Ask anyone who deals with intrusion detection/prevention (called data loss prevention these days).

Back to metrics itself. Be careful with metrics being used to derive a statement about security. We all know the endless benchmarks and performance tests for hardware, software, and everything that is a part of a computer (or a network). It gets a lot worse and a lot more crucial in information security. The number of dropped packets does not equal the number of attacks stopped. The security appliance with the highest throughput might have its reasons for beating the competition. It gets worse when incidents happen.

Don’t get caught in the security metrics hype! There is a lot of consulting going on. Databases are being filled. White papers are produced. Cloud(s) cover the sky. Time is wasted. Start with the context. Everything else is bound to fail sooner or later.

If you have some thoughts to share on this matter, please let us know.