It’s All About Trust


Mata Hari and Friends (Robert Hanssen and Aldrich Ames)

Over the years, I’ve had this recurring conversation/argument with security technologists regarding the trust lifecycle. The crux of it revolves around how you go about effectively assigning, monitoring and adjusting individual trust levels. Most of us, when questioned about trust, will tell you that it’s made up of behavioral elements like:

Indeed, these are all virtuous traits, but how do we use them in designing a complex security infrastructure? After all, it’s hard to code a function that will check if a user has a hidden agenda. In order for these social concepts to be of any use, we need to understand the nature of trust; we must go “Beyond Good and Evil”. Under the microscope, trust exhibits the following four characteristics:

  1. It’s transferable—we assign a higher degree of trust to individuals who come recommended by people we already trust.
  2. It’s inheritable—we tend to trust a relative of a trusted friend.
  3. It’s socially derived—we tend to trust individuals who share our cultural heritage.
  4. It’s cumulative—we tend to increase our trust levels in individuals who have previously proved themselves trustworthy.

These evaluation criteria (which, interestingly enough, are essentially deterministic Turing tests) work very well in social relationships, but frequently fail in complex security infrastructures. The source of the problem is that most of us instinctively tend to classify the world into “friend”, “foe” or “unclassified TBD” categories. We also like to believe that once categorized, the subject in question will continue indefinitely to conform to our classification. This simplistic tendency is hard-wired into our evolutionary decision-making process and to a large degree also forms the basis for many irrational behaviors like anti-Semitism.

After conducting quite a few security sweeps and post-mortems, I have come to conclude that most individuals—given the right opportunity and enough curiosity—could spontaneously flip the color of their “hat”.

The concept of credential-based security (that is, non-expiring clearance) is reminiscent of cheese, especially the cheap Swiss variety, the one with too many holes. Now, don’t get me wrong, I have the same tolerance for curious mice as the next guy, but the textbooks are full of big rats that were—paradoxically—supposed to guard the cheesy comestibles, not eat or sell them! Recall that Aldrich Ames, Robert Hanssen and Kim Philby, just to name a few, each had the highest top-secret clearance and all the right personal and social attributes.

So ultimately, it’s not the rogue, external, bloodthirsty anarchists or money-hungry crackers one needs to worry about. Rather, it is the trusted senior employees responsible for the daily maintenance, administration and security of the corporate resources. This could run the gamut from as high as the CISO who spies on the CEO’s e-mail all the way down to the DBA who is running Select statements on the HR comp database.

The lesson that I have learned from all of this is that most people, regardless of how trustworthy they seem, cannot be completely trusted at all times.

And you can trust me on this one.

© Copyright 2008 Yaacov Apelbaum All Rights Reserved.

Risking it All!

The Wall Street Cruise

Over the past two years, it has become increasingly clear that the scenes of carnage starring the world’s oldest and largest banks and our 401Ks are merely a symptom of a larger problem. By now, everyone has gotten used to the media’s daily serving of congressional hearings and testimonies showing the pale captains of industry publicly gnawing their fingernails, sobbing and informing us that they ‘did not and could not have predicted’ such an outcome.

Suddenly, everyone (including the FBI) is trying to figure out what happened to the money, why the global credit crunch is so severe and ultimately what is the single silver bullet that will solve the problem. Good questions to which there are many answers but probably no permanent solutions.

The causes of this great turmoil are really simpler than the media portrays them. They have nothing to do with complex derivatives and speculative trading. They can be attributed to the simple failure of the traditional banking risk assessment and mitigation practices. Ten years ago, no bank would lend a dime to someone who was not creditworthy. So why did veteran banks like Chase let down their guard? Because we are all in it for the money, and ultimately the banks can’t resist a good bubble any more than you or I could.

From the historical perspective, this hysterical investment extravaganza is certainly not new. You can easily find a large number of similar examples—all of which oddly tend to replay themselves every few centuries—like Tulipmania, the South Sea Company, Railway Mania, and the ever-popular real estate bubbles.

The bankruptcy filing of Lehman Brothers (they lost a whopping $40 billion!) is probably one of the most poignant illustrations of how the toxic fumes of incompetent leadership and the inability to understand and mitigate risk have permeated the global economy. Though the handwriting had been on the wall long enough for all professional money managers to have reduced their exposure, surprisingly few actually did. Even the black prince of finance, George Soros, who ran $20 billion in assets, actually raised his stake in Lehman Brothers just months before its collapse.

Unfortunately, the tide raises and lowers all ships, and due to the tightly coupled nature of the financial industry, where trust and risk are easily transferable, the collapse of one bank on the scale of Lehman Brothers will by extension cause other banks to slump over like wet burritos.

Hyman Minsky struggled with these problems for quite some time before eventually concluding that, for better or worse, our two-stroke economic engine is driven by these business cycles and there is not much we can do about it.


© Copyright 2008 Yaacov Apelbaum All Rights Reserved.