
GSI blog posts by Craig Rickel, Compliance Specialist

Craig Rickel, Compliance Specialist

False Positives and Data Security

Posted by Craig Rickel, Compliance Specialist on November 12, 2009 12:09 PM

This came up as a rather entertaining political science question the other day. "It is better for N many criminals to go free than for 1 innocent person to be punished." This concept goes way back to the 18th century, originated by English judge William Blackstone. It is now known as Blackstone's Ratio in criminal law.


A few years ago, the National Center for State Courts ran an experiment where they compared cases when both the judge and the jury could submit guilty/not-guilty verdicts. Through signal analysis, they could predict not only what percentage of the time they disagreed, but predict who was wrong. The results pointed to approximately 17% of the jury verdicts being incorrect and "N" equaling roughly 1.43 guilty parties let go per innocent punished. On the other hand, about 12% of the judge's verdicts were incorrect, leading to an N of 0.1 (1 guilty person let go for every 10 punished innocent people).[1]

Blackstone's pick for N was 10. My assumption for the reason behind the change in this ratio is that in the last 200 years, with tools such as modern forensic evidence, DNA sampling, fiber testing and omnipresent video cameras, we have made significant strides in being able to exonerate innocent people before the fact, and only bring guilty parties before the court.

In data security, we're continually bombarded with "false positives." We get false positives when our tools are set to be too sensitive – but most admins prefer this to the alternative of having them not be sensitive enough and miss an event entirely! This is not a new problem – what is new is that our tools are evolving in a way that reduces the number of alerts we receive, letting us take more time to analyze the ones that really need our attention.

As technology advances, we'll continue to lower the number of false positives we get, improving our organization's Blackstone Ratio – and because this ratio can be measured, you can prove to others that your security is improving over time. In the last year at GSI, we've dropped our false positives by 73.6% through reconfiguring and tuning our current monitoring systems. Additionally, we recently installed more security appliances that are even more accurate, so I expect this trend to continue. All of this adds up to data center security that's more accurate, more effective – and more measurable.
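To make the measurement concrete, here is an added example (my own code, not GSI's, and not the tool the post describes) that counts analyst dispositions per monitoring rule for two tuning periods and derives the numbers the post talks about. I map a benign alert (false positive) to a "punished innocent" and an event that no alert caught (a miss) to a "guilty party let go"; that mapping and the rule names, periods and counts are all constructed for the illustration.

```python
"""Measure alert-tuning progress: count false positives and missed events
per detection rule, then compare two tuning periods."""
from collections import Counter, defaultdict

# Constructed sample data (not real GSI figures): aggregated analyst
# dispositions per monitoring rule and tuning period.
#   "tp" = alert confirmed as a real event
#   "fp" = alert judged benign (the "innocent punished")
#   "fn" = event found in later review that no alert caught (the "guilty let go")
DISPOSITIONS = [
    ("before", "ssh-bruteforce", "fp", 6), ("before", "ssh-bruteforce", "tp", 1),
    ("before", "web-sqli",       "fp", 2), ("before", "web-sqli",       "tp", 2),
    ("before", "web-sqli",       "fn", 1),
    ("before", "malware-beacon", "fp", 2), ("before", "malware-beacon", "tp", 1),
    ("after",  "ssh-bruteforce", "fp", 1), ("after",  "ssh-bruteforce", "tp", 1),
    ("after",  "web-sqli",       "fp", 1), ("after",  "web-sqli",       "tp", 2),
    ("after",  "malware-beacon", "fp", 1), ("after",  "malware-beacon", "tp", 1),
    ("after",  "malware-beacon", "fn", 1),
]


def per_rule_counts(rows, period):
    """Return {rule: Counter(tp/fp/fn)} for one tuning period."""
    counts = defaultdict(Counter)
    for p, rule, disposition, n in rows:
        if p == period:
            counts[rule][disposition] += n
    return counts


def totals(counts):
    """Sum tp/fp/fn across all rules."""
    total = Counter()
    for c in counts.values():
        total.update(c)
    return total


def blackstone_ratio(counts):
    """N = missed events per false alarm (guilty let go per innocent punished).
    Returns None when there were no false positives, since the ratio is undefined."""
    t = totals(counts)
    return t["fn"] / t["fp"] if t["fp"] else None


def precision(counts):
    """Share of fired alerts that were real events: tp / (tp + fp)."""
    t = totals(counts)
    fired = t["tp"] + t["fp"]
    return t["tp"] / fired if fired else None


def false_positive_reduction(rows, before="before", after="after"):
    """Percentage drop in false positives between two periods, the figure the post reports."""
    fp_before = totals(per_rule_counts(rows, before))["fp"]
    fp_after = totals(per_rule_counts(rows, after))["fp"]
    if fp_before == 0:
        return None
    return round(100.0 * (fp_before - fp_after) / fp_before, 1)


def rules_to_tune(counts, max_fp_share=0.5):
    """Rules whose alerts are mostly noise (fp / (fp + tp) above the threshold),
    worst first. These are the candidates for reconfiguring."""
    noisy = []
    for rule, c in counts.items():
        fired = c["tp"] + c["fp"]
        if fired and c["fp"] / fired > max_fp_share:
            noisy.append((c["fp"] / fired, rule))
    return [rule for _share, rule in sorted(noisy, reverse=True)]


if __name__ == "__main__":
    for period in ("before", "after"):
        c = per_rule_counts(DISPOSITIONS, period)
        t = totals(c)
        print(f"{period}: fp={t['fp']} fn={t['fn']} N={blackstone_ratio(c)} "
              f"precision={precision(c):.2f} tune={rules_to_tune(c)}")
    print(f"false-positive reduction: {false_positive_reduction(DISPOSITIONS)}%")
```

Tracking the per-rule numbers alongside the overall ratio matters: in the sample the overall false-positive count drops 70%, but the miss moved from one rule to another, which the single ratio alone would not reveal.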

Footnotes
1. Spencer, Bruce, On Measuring the Balance between Wrongful Convictions and Wrongful Acquittals in Criminal Trials (November 7, 2007). 2nd Annual Conference on Empirical Legal Studies Paper. Available at SSRN: http://ssrn.com/abstract=997188


Posted in: Security & PCI


Cyberterrorism and SCADA

Posted by Craig Rickel, Compliance Specialist on September 11, 2009 1:23 PM

There has been a lot of commentary about terrorism over the past few years. Since 2001, we've seen the word "terrorism" overused, misapplied, and overreacted to. Well, get ready for the same reaction to the next buzzword: Cyberterrorism. Already, Congress is preparing laws that will provide strong security for our nation's SCADA systems -- something that has left many people saying, "What's SCADA?"

SCADA stands for Supervisory Control and Data Acquisition. Your local water purification and power plants use SCADA devices to monitor levels, control valves and switches, and alert to dangerous conditions. However, just as the SCADA devices can be remotely controlled, they can be remotely abused. There was an incident in Australia seven years ago where raw sewage was dumped into the water supply by a disgruntled employee via remote control. Vendors have just now gotten around to providing HTTPS as an optional add-on!

Most SCADA systems are designed to be operated in a fairly secure environment. For smaller operations with only a single building's worth of systems to worry about, security is not an unreasonable expectation. Locations with a single building can easily have a secure perimeter locked down from physical access. For larger suppliers, such as power plants with substations and oil companies with far-flung pipelines and valves, remote security is much more of an issue.

Of particular concern to me is the growing trend of SCADA systems using increasing numbers of remote systems for monitoring. Many electricity suppliers are using these systems in power meters for billing and for the ability to switch power to residential buildings on or off on demand. We've already found out recently how WPA is insecure. How many wireless SCADA systems do you think still use WEP?

There are many secure SCADA implementations out there, but most of those belong to large companies that can afford to hire not just system administrators, but dedicated security professionals as well. Many suppliers -- particularly ones that serve rural areas -- don't have those resources to draw upon. For them, managed co-location services can provide serious benefits. By using an existing network infrastructure, secured with encryption, auditing, and policies strong enough to protect financial data, these suppliers can be sure that even far-flung servers are secured, and get back to their business -- supporting our nation's critical needs.


Posted in: Security & PCI


What Garden Hoses Have to do with Security

Posted by Craig Rickel, Compliance Specialist on July 10, 2009 5:53 PM

At least a couple of times during the summer, there's a dry spell when I need to give my garden some extra water. Invariably, the cheap hoses I used last year are still hooked up to the faucet, have frozen over the winter, are cracked in three places, and instead of soaking the plants when I turn them on, soak my pants. You would think I would know to take them inside in the fall by now.

At the hardware store, I bought a brand new hose. I went back home, hooked it up, got the sprayer ready, and turned on the water. The hose promptly fell off the fitting at the spigot. After turning off the water (with soaked pants again), I inspected the design of the fitting they used. There were at least three ways they could have designed it to work properly – with ridged edges or ring clamps or finger clamps to hold the hose on. Instead, they used a smooth attachment for the hose. It could have been properly secured in many different ways, but the designers went for a durable hose with cheap fittings at either end.

This scenario reminds me of many of the computer systems I've seen in my career. When a system gets broken into, it's never just one failure. People use weak passwords on systems (strong ones are hard to remember!), authenticate using insecure protocols (https is just too slow!), don't patch their systems (it's always some update!), get infected with malware (but I cleaned it off when I found it!), and then wonder how their SQL database password got stolen.

Just as hose fittings have been refined over the past hundred years, there is nothing truly revolutionary about computer security. As security technologist Bruce Schneier recently pointed out, it's the "boring network security administration we already know how to do." Patch your systems. Run anti-virus/anti-malware software. Use firewalls. Use encrypted protocols for important connections. Review your logs. There's nothing surprising about the attacks happening; what is surprising is that systems are still vulnerable to them. Take the time and care to secure your networks - otherwise, you may end up with wet pants.

Further Reading

Schneier on Security - North Korean Cyberattacks


Posted in: Security & PCI
