Automobiles, (trains,) Planes

What a disaster it would be if all those (self-driving, or augmented-driving as they are today already) cars could be taken over by some madman or unrelatedly hacker … One could remotely steer a car off the road! One could remotely steer a whole bunch of cars within some area / country (?) off the road in a broadcast … With pre-emptively having disabled manual override, of course. [Though, noted before, the ability to do so would on the human side deteriorate very quickly as one wouldn’t need to be seriously trained/experienced (anymore).]

Yes, that’s bad. How is this same idea, but applied to current-day planes ..? Where about-all is automated, and users get more and more access hence control (think that one through; qua nothing’s 100% secure) to still but what do you know limited zone(s) of plane networks, e.g., re on-board wifi. The known-to-be-stellar-secure wifi.
Of course, this would be suicide — or airport-proximity (from just outside the fence) runway-DoS …; but not all seem to care about the sacrifice… on the contrary. And don’t come with the argument of having to know systems to break in / run amok. Some had gone through the effort of going through a pilot’s training, right? And here, one can be a passenger and do recce from business class, and/or deliver and C&C from there.

I love my old-style car / driving … and:
[Photo: Warped, but quite safe from hacking… Somewhere upstate WI]

They're Security Scrum!

Yet another trend: The recoil of Agile practices since uncontrollable isn’t what you’d want from your IS infrastructure..?

Where the scrum and other development methods using emblematic sprints by that very idea have to lose all the ballast …
But would you run a marathon-length Chinese Whispers game (Telephone if you’re from the US, unable to go with the rest) …? Because that’s what you get, quality-wise, if you deploy sprinters for the whole 42.195 km — no use for miles either — and (wide-sense) security’s one major part of it.

Again, a baby with the bath water thing, here. Moreover, since even with large Waterfall development — which should’ve been V-shaped for the right half of it ..! — security (wide-sense, incl. proper-usability, documentation for maintainability et al.) was too much of an afterthought. When taken seriously, by the way, proven to be much less of a nuisance either during the project or during implementation/roll-out or during the production phases, than it was taken for.

So, the question is not how fast ‘we’ can dump Security when adopting something agile, nor how to ‘split up’ the CISO’s thinking and acting and standards over App Devt and DevOps, but how to get suitable Sec into DevOps-or-whatever. The only road that’s not a dead end, sounds like “Sorry Dave, I can’t let you do that” [I know]. A sort of thick-concrete sandbox — creating tons of overhead in sprints, and when later exposed in the Real World of production. Retrograde.
Your start-up hackathons just don’t cut it in the big boy business..? Better ideas?

Plus:
[Photo: Where all you wanted was one big coat hanger… Beurs van Berlage]

Four Cyber

Where a Big 4 consultancy (or rather, a hang-on-by-the-teeth-fourth intensive-people(?)-farming accountancy-wannabe-advisory) now has a (unit) label “Cyber”. Where #ditchcyber (here) hardly helps… ‘Cyber’ is like being a lady; when you say it of yourself, you aren’t. This qualifier as head of a Linked List — you didn’t need the link to get the wink or did you? — a very long list it is. How desperate can one be to maintain extortionist fee levels and labour practices, to have to label yourself so empty-barreled ..?

I’ll halt now, and:
[Photo: Or, like a dolphin, not leggard]

White Mannism

The baby with the bath water.

Slate: “Glamour just published its first issue completely produced by women. It’s about time.” Meh. Check. Move on.
Some agency trying to find a diversity manager: Probably only non-white mentally and/or physically challenged LGBTQ ‘persons’ need apply ..?

Now the politics (mostly, of the PC kind; as completely isolated and locked up it was in its cultural-economic elite without real power) slowly finds that the Trumpists (or ~, fill in your European ‘OMG he (sic) doesn’t play by the over-ritualised pastel crayon coloured emptybabbletalk schemes’ overly-labeled-xenophobe polls-moonshooter) aren’t the Angry White Men that the (tell-tale) rushed qualification need (fear of being found out not to have any insight, maybe?) had thought them to be,
it is time to also consider something even more sobering. In the area of: No, I can’t help being a white man I’m just born that way. And raised, by the way, in an environment that worked towards imprinting penalty for that already. To think that I don’t know this, don’t notice, or unconsciously or consciously abuse the privilege because some have attached the idea that I have that to me, unwantingly, is a scam and demonstrates that those involved, in fact do NOT know me but it demonstrates as well their limited world view of trying to lock up all they meet (or not even) in extremely limited confines of classification. If that’s your need, you have other problems than your supposed underprivileged childhood so maybe use your lifetime trying to grow a pair (F/M)?
This translates into: If you care to hire such a diversity manager as mentioned above, you demonstrate to want a token woman. If you care that some women’s magazine (yeah, I do realise that, sigh.) is finally made by women only, you consider no man capable of understanding women ..? Are you helping by trying to avoid that? Did you check all suitable male candidates for their inability to deliver the quality you need? (My guess: at the printer’s, there’s quite a few men working there, by the way) Or do you care less for quality than for gender accidentally (!) fixed at birth or medical facility?
Again, being born white male, does that mean I’m less because I’m supposedly ‘privileged’ …? If the (medically) colourblind can’t tell red from green, are others privileged and discriminating (usually taken to mean the one and the other are inseparable somehow) and shouldn’t be allowed to ever use those colours?
(Apart from some, rare, groups seriously trying to undercut common superstitions; I like those — as far as they see the limits of their purpose and stretch)

Or do you want to change the world by practicing what you preach?

There’s anger for you. Anger for being told why one is supposedly stupid for reasons of not seeing and recognising one’s stupidity. There’s why the protests by voters (the ultimate source of power, it shows, and of authority in our world) are from all those not in command. Re-read Thomas Paine’s Rights of Man again; you’ll only have to add ‘self-righteous PC babbling airheads’ [disclaimer: I’m one, too] (in)to ‘government’ and you see where the current set of politicians went off the rails.
By the way, don’t be fooled by the tone of the above: I’m not even angry! Just sad and disappointed. And unhopeful about the future [ _ | for me ].

Now, there’s also the Age thing … like, this and you’re aiming for sheeple not experience…

Oh, plus:
[Photo: Classical burden; this, for Heroes — Arlington]

Switching to the Offence Defence wait what?

Lately, the Preventative Doesn’t Work Quick / Well Enough So All Heads Turn To Reactive Security has had its effect. But not the intended effect of doing both, just the latter it seems [yes, I know].

And, where the FLOT hadn’t been up to it before, often by lack of proper budget, the hardly sufficient funds have been shifted. Recipe for …

Indeed, the Reactive part had been neglected much too long, but a shift was not asked for, but a doubling of efforts on both sides (?). Hence, the now ‘new’ SIEM et al., may have had all the attention but that doesn’t mean success (yet!), objectively.

And subjectively, maybe less — ’so what did you do with the money ..?’ — also caused by the shift-not-double of allocations (budget, in Count da Money, time and supremely capable staff).

Not so strange, when you go, at a strategic level, from one point (/) solution to another…

So, the way out ..?

This is 2017. Do it in the mix. As presented here and here. But certainly here.

I.e., find the balance and play chess at Grand Master level on all boards (including B~ see last Thursday’s post below). Starting at the front, your attack surface, by means of Activity-Based Access Control and Integrity of Systems. And all other stuff you did in the past but have to bring back up to snuff and clean out like Augeas’ stables (thinking of your ‘user administration’ here).

And then realise that all this is still asymmetrical to the hilt, so absolutely not enough. Do not throw away what you built over the last year / and a half but extend it… With smart fill into the matrix of this. Which should be much cheaper than (thinking, faintly trying) to tighten your FLOT shut; the thin red line that it is. And with this blended approach also much less hindering the Good ones.

[Oh, edited to add after schedule-time: this. For the balance… But will, I think per Feb 27, return with a high(er)-level view why ‘preventative’ and ‘in control’ are definitely two distinct things…]

Plus:
[Photo: No you st.p.d that’s a blue’ish-and-white’ish line of sorts; Noordwijk]

Ah, security rules — not for Us

When the Last Mile in infosec is convincing the Board to stick to ‘their’ own rules and not think themselves above it, how would we want to pull this off ..?
Where, so often, they complain that sticking to the rules is too complex or cumbersome for them — for no extra credit, reflect on their capacities to be in their position to Lead and Show — whilst forgetting their underlings have to deal with it anyway, possibly being more capable yes but not as claimed dealing with less sensitive information …
Where the reaction for themselves is they Have to carry on, counter to sane advice and rules, with unsafe behaviour often in particular when dealing with the most sensitive stuff; either not recognising that as such or hardball playing down the sensitivity and/or their attractiveness as targets — out of some form of cognitive dissonance and often contrary to their lightly-to-grossly inflated self-worth estimates respectively.

Where, also, we see con-zultands playing up their self-importance and -assigned capabilities, as per this. Recognisable, all too recognisable [been there, done that, didn’t even get the T-shirt; ed.].
And realising that this all, seems to work… reminds me of what Thomas Paine can still bring to bear on this, which is not good. Not at all. Though the advisortypes may co-opt and exploit the courtiers’ methods (hey, how hard have you studied these ..?) without being caught in the courtiers’ ‘regulatory capture’ error and maintain a bedrock of sanity until My Precious is had; is that the only viable road?

Or would you have something else? No, not plain forward address that is so sure to fail, to fall flat on your face before it’s out of the starting block; if you don’t see that, you may very well be too inexperienced to have a clue…
But seriously, folks, what have ..?

Oh, and:
[Photo: When the castle goes down, all go down but the upper class (sic) has (golden) parachutes so why would they care? Bouvigne Breda]

The ransom monster

Now that the ‘No way José’ solutions against ransomware [regular back-ups, virtualisation of servers, and tight intrusion controls et al.] have become so widely known, and ransomware having evolved to be more of the APT kind (incubating for up to six months before striking — undoing your back-up strategy), a new look at the root cause of the harassment:

Ransomware is a Monster. Being a thing that refuses to fit a single category for neat classification (sociology/science definition/term).

Which may seem odd, but consider:

  • It (?) uses Confidentiality-sloppiness to enter;
  • It undoes Integrity;
  • Its payload aims at destruction of Availability, both in the Immediate and the Reasonably-timely kinds.
  • [Bonus: It doesn’t care about (your) morality but strikes even (?) at hospitals et al.]
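The incubation point in the opening paragraph (an implant that sits dormant for months before encrypting, so that the backups you have been rotating through were taken after the intrusion and already carry it) can be checked against a retention schedule rather than argued about. What follows is an added example, not code from the original post; it assumes a constructed grandfather-father-son schedule (14 daily, 8 weekly, 12 monthly restore points, with the monthly ones taken on the 1st) and treats every backup taken on or after the intrusion date as tainted.

```python
from datetime import date, timedelta

# Assumed grandfather-father-son retention schedule (constructed for this example):
# keep the last `daily` daily points, `weekly` weekly points (same weekday as
# `today`) and `monthly` points taken on the 1st of each month.
def retained_restore_points(today, daily=14, weekly=8, monthly=12):
    """Dates of all restore points still on hand as of `today`."""
    points = set()
    for n in range(daily):
        points.add(today - timedelta(days=n))
    for n in range(weekly):
        points.add(today - timedelta(weeks=n))
    year, month = today.year, today.month
    for _ in range(monthly):
        points.add(date(year, month, 1))
        month -= 1
        if month == 0:
            month, year = 12, year - 1
    return points


def newest_clean_restore_point(today, dwell_days, **schedule):
    """Newest retained restore point that predates the intrusion, or None.

    `dwell_days` is how long the ransomware sat dormant before striking on
    `today`. Every backup taken on or after the intrusion date must be assumed
    to contain the implant, so only strictly earlier points count as clean.
    """
    intrusion = today - timedelta(days=dwell_days)
    clean = [p for p in retained_restore_points(today, **schedule) if p < intrusion]
    return max(clean) if clean else None


def data_loss_days(today, dwell_days, **schedule):
    """Days of work lost when restoring from the newest clean point.

    Returns None when the schedule holds no clean point at all, i.e. the
    retention window is shorter than the dwell time.
    """
    point = newest_clean_restore_point(today, dwell_days, **schedule)
    return None if point is None else (today - point).days


if __name__ == "__main__":
    # Constructed scenario: strike on 14 Feb 2017 after a six-month incubation.
    strike = date(2017, 2, 14)
    for dwell in (30, 180):
        for months in (12, 3):
            point = newest_clean_restore_point(strike, dwell, monthly=months)
            loss = data_loss_days(strike, dwell, monthly=months)
            print(f"dwell {dwell:3d}d, {months:2d} monthly points kept: "
                  f"newest clean point {point}, data loss {loss} days")
```

Run against its own dates, a 180-day dwell time leaves the 1 August monthly point as the newest clean restore and about six and a half months of data loss; cut the monthly tier to three months and no clean point exists at all. The daily and weekly tiers, however diligently taken, never enter into it against a slow-burn intrusion: the only things that matter are how far back the oldest retained point reaches, and whether that point sat somewhere the implant could not reach to encrypt or delete it.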

Capisce? … Oh, you wanted a Solution, or a Morale. Maybe something with Blended Defense / Step Up Your Game or so. Well, be my guest …, and:

[Photo: The ultimate Up Yours [, Planning Commission of Racine!], by of course the venerable Frank Lloyd Wright]

"Compliance auditing"

Is two distinct things, or a contradictio if taken as one.

  • The ‘compliance’ thing is just rote checking of the implementation of all petty rules. The Certificate certification type. If I’d even need to say more…
    Some even claim that by repeated checks of implementation, ‘operating effectiveness’ would be established. Fools. The operating effectiveness can only be designed in, so the first 99% of operating effectiveness can be checked in the design; what do you check the design for in the first place? Why would you check the design otherwise? And if you don’t, then what value to the petty paper that the standards are?
    Ah, “…the slavery of fear had made men afraid to think.” (Thomas Paine, Rights of Man, p.159) — that’s what this is about… As in a couple of last days’ posts. But this is Not Auditing, since ..:
  • Auditing is the art of application of risk management upfront, and insight and wisdom afterwards. (as also in this.)
    Risk management upfront: Even when taking up some standards first and then seeing how it would apply to the case at hand, a true auditor would select, inter alia based on informal and formal risk assessment (in a mix dependent on the case, and experience) what rules from the standard apply and which ones to check for in what various levels of detail. If ‘all’, you’re doing something Wrong like doing compliance checking.
    Insight and wisdom after: There’s no value whatsoever in noting deficiencies as such, or recommending on their remediation simply by inner-productlike fixes. There is value when taken one, two, more, many more, levels up and digging deep (upwards, usually) to find the true causes, possibly root causes (but do NOT overdo this), and then advising in smart, intelligent, wise ways to remediate those. Don’t think black-white here, but about (fundamentally different!) thesis versus antithesis, towards Synthesis… And, along the way of the audit, support and encourage those under stress/duress of audit requirements, petty standards requirements, and micromanaging bosses all standing in the way of actual performance and use of brain. When then, a final overall conclusion is to be had, this would be based on the ability and application to weigh arguments (as Cicero, utterly correct: “One should not count arguments but weigh them”, De Oratore 307-310 LXXVII) and hand down a verdict which all embrace for its wisdom and authority — your personal authority which isn’t power, not righteousness-by-procedural-justice! Let alone attachment to some organisational body (self-aggrandised company or professional association), or by it of a title to you.

So, either you set your mind to Blank and do compliance checking, or you use your brain for its intended purpose [“irregardless” of its nature/nurture capability levels with you] and audit.
The first, not for nothing to be replaced by AI soon, very soon. The second, the almost-definition of what AI still (your mileage may vary) can’t do, yet… The first, for DAOs; the second, lost through Bureaucracy (see previous posts).

Plus:
[Photo: Shifty facades/faces; Zuid-As Amsterdam]

Two strikes and you’re out of third party standards

What a wobbling title.

When already for a second time (here), the European Supreme Court has ruled that laws requiring broad (meta)data retention for trawling are illegal per se, with a minute few exceptions, making it illegal to consider it legal (i.e., have a law requiring it — which of course is much stronger than just doing it on private company want) you’d better comply.

That’s all, folks, only adding the following thus undoing that:

  • You may read back some posts on how to pull off better Privacy (-compliance) in a fun and efficient way;
  • And note how this seems to run counter the above, or does it ..? Distinction is finer than initially thought;
  • Standards as yet fail to address sufficiently the main cause of leakage, being third parties or in your case, second parties; known for being the #1 Saying Yes (on paper) Doing No when it comes to maintaining security to the impeccable standards of yours. Those impeccable standards of yours that … can’t even seriously assume you’re at those levels. Can’t assume the second parties are anywhere near your levels even, because of their business model which is Profit over Non-profit [think that through] so have no incentive to take the moral high ground and all the incentives to the opposite … Those second parties of course are in your standards (are they? certainly not everywhere) under transparency towards first parties (customers) regulators if ever they’d look so (only just beyond skin-) deep or rather disregard the issue;
  • If not when those your standards would have been clear enough to yourself to collect and put them up as requirements, and properly communicated to the second parties, and (checked to have initially been) implemented with them;
  • But then no-one really knows how to pull off even core but real oversight over the infosec quality at second parties — don’t fool yourselves: reporting, always through their Marketing/Sales, will give no real info (info being the things you’d want to notice, not the stuff you can skip because it’s green lights/smileys all the way); actual audits, are either by third parties most usually on pay of second parties hence on their hand (don’t believe the outright lie of independence [I’ve been there, countless scores of times..]) e.g., when ISAE- or other certification is in play (certification after petty-rules-compliance checking not Auditing see tomorrow’s post) or by your own auditors — how good are they, anyway, when this outsourced stuff is special to them too (as you outsourced, their knowledge / experience re this, tumbled) and again it’s a side show to their audit universe, hard to pull off (have a look at the notification requirements and their freedom of movement in the contracts…) and still with an interest of the second parties to show a nice picture not truth which is almost completely in their hands, or by some third party hired and paid by you, for which the latter flaw of pretty-picture needs; the DigiNotar case anyone?
  • Summa summarum: You may be hosed.

Even more so, when it comes to Privacy. Either as an organisation, or as private person [ditch the oh so pejorative ‘individual’ and ‘citizen’ — don’t start me on the utter ridicule of the moronic ‘corporate personhood’], or both.

Oh well:

[Photo: May be prone to strike the wrong way, too, anyway; DC]

No pride, just the same

When you need a book to explain, or enthrall, some unexpected readers into believing Hygge were something exceptional — the Dutch have had Gezelligheid already for ages, without considering it something so special that it would need any investigation; just smile as tourists discover it to their surprise. Certainly not treat it as if it were something that defines the national mood…
No, the English Wikipedia page is wrong on this. The Dutch one is correct period

Whatev’; and:
[Photo: This, beating Legoland; Toronto]

Maverisk / Étoiles du Nord