Category: Geen categorie

Retrofitting IoT Security

Pitch before I did the idea that for a while be with us will Legacy IoT be, here.
But what about stubbing around it? Developing cheap and easy (necessary since/for backwards compatible, by definition) security solutions that can be plugged onto old IoT stuff.
What ya’reckon, are we too far gone with old IoT and economically-having to keep that alive, or is there sufficiently much more recent stuff to attempt such a thing (and ring-fence the real cr.p)..?

I’m not completely sure how one would approach this thing, technically, but cannot imagine that there aren’t solution models around like, potentially, some form of hardened (lean and mean and armour-coated) enterprise IoT bus thing, possibly with security zones, et al., similar to the obvious and hopefully ubiquitous separation of office automation (why isn’t SAP dead yet? This, some time ago. Oh, might be useful to set up separate mandates to ‘run’ factories yes, which was its original purpose, right; what did E-R-P stand for ..?) from Process Automation, and within the latter, Supervisory Control from operational (close-in) control, engineering-wise, but then with subsets for safe/unsafe hardware.
The isolation stubs could then act as gatekeepers between zones, between potentially-safe and the legacy-most-probably-unsafe.

Though I suspect that the ‘zones’ will have to ‘air’gap at many network layers, including towards the physical end of OSI — meaning that higher up, the connection will have wider gaps, not less why is this so often overlooked ..?

On a separate end note: Where are the wares that should have followed the scares, i.e., we have had a couple of years (yes) now of IoT scares; have the vendors truly stepped in or was it just window dressing e.g., dole out some monitoring tools and good luck with it..?

Progress… and:
DSCN1834
[See? Engineering is beautiful; Brussels]

Temporary Awareness

A call for poignant pointers.

You may be aware that research is on-going (among other, by Yours Truly) in the area of sustained ‘security awareness’ — a misnomer for security habit change. Which is driven by psychological stuff like everyone’s individuality, everyone’s individual circumstances (not only at work, not only formal short/medium term) and everyone’s learning and operations style and preferences. And hence, habit change would also have to cater for all these differences. One-time ‘awareness training’ (sic), yeah, right on.

Still, such would be a somewhat valid approach … for perm staff.
Not for infrequent visitors, like your garden variety (IS) auditor, that would drop in every now and then and till have access to sensitive data; on purpose or not, benign or malign leakage or not.
Not for temps, interns et al., that are around too short for true awareness to sink to the back of the head, for instinct reflexes (oh ideal). Or the induction program would be a grilling drill; conter-productive.
Not, and this is where my problem is mostly, with third party staff, that primarily work for the vendor and have other KPIs than client security — at least, higher on their agendas. They come in (physically or remotely), do their thing that hooks quite deep into your operational processes (physically like cleaners and installers, logically through e.g., software and parameter updates) almost always at arms’ length control with still their other KPIs first, and then leave you possibly vulnerable or robbed, and ith full accountability without grip on actual operations taken place.

Apart from the platitudes of requiring transparent compliance with all your security policies (purely hypothetically, IF you’d be able to find and collect them, they’d be sorely outdated, and 50% or more wouldn’t be applicable but which 50% you have no clue), what about the above-mentioned change to the good sufficient habits ..?
Your input would be much appreciated…

Also:
DSC_0546
[Temp attention, eternal bliss; Syracuse]

Nocial Media

… How did yesterday’s post know about what I type here now ..?

Too easy. Now for something real:
Nocial Media.
Which is about the distribution of socmed interactions.

Because, the best we have so far is stratified data, by country, age group / gender. Which totally misses that, my guess [hence: fact], a great many relations, either current/frequent or distant/loose, are distributed over a different set of classes. Like, a chunk will be global among peers of any sort (or several of such groups), but also the other chunk will be local, traditional, geo- or socially close like (well, F2F peers but they’re an in-between group) family, IRL colleagues, and association co-members.

Now, would any of you have data on such, probably exponential-in-many-directions, distributions ..? I’d love to hear, TIA.

Oh and on a side note; maybe worthwhile to have some sociology expert elucidate on this: What-how is our future when ‘kids these days’ use /Insta…/Snapch… etc. that leave so little trail; how will your future self be able to browse through old youth pics …? [Advertisers will … Be very sure of that…]

Plus:
DSCN8592
[What bin you’re in — Zuid-As Amsterdam]

Rejoice, you the Puzzled

Unless you were doing stuff on Nocial Media (see tomorrow — never mind, I’m not one for linear Time), you may have missed or noticed (same) the release of a facsimile of one of the most veritable puzzles of the ages (Western world), in this here thing, which is posted here. Yeah, that’s how hyperlinks work, I kno, I kno.

So, now you the puzzlers AKA crytographers around the globe, may swoop down in even larger numbers than before, to crack the thing. Or, probably, not. And you knew about this whole thing.

Question: (Why | _ ) hasn’t already some Watson-class frigate AI tool (literally certainly not figuratively) been set loose on this ..? Lack of purpose? Of would it be a good ‘Turing test’ of sorts, if we test the capabilitites (learning/analysis time ..!?) of any AI tool, by the time it would take to make mincemeat out of the Manuscript — Duh-tch for tearing apart. Any attempt after the first successful, would need to be instructed not to find the solution out there on the ‘net, obviously (?) …

One may hope, may one not? And:
h7C312413
[Found it! This is what the Manu is about!!]

SecPoll

Finally, a competition where you can win, too, seriously.

Yes you can, I’m serious. And you win something serious…
The deal:
Your top-3 predictions, in comments, about what new ‘cyber’security stuff (#ditchcyber) will happen in 2017.
In return, if you’re the top predictor (NO.), to celebrate you’ve best found ’17’s bubbles of the year you’ll receive a perfect bottle of ’17 bubbles.
The things you describe can be of any sort, related to information security in the widest sense. Something-cloud, something-privacy, something-Docker, something- Layer 7 or 8 firewalls, something-systemic-breachlike, whatever, it’s up to you. However:

Some terms and conditions [subject to updating when needed..! My call and prerogative]:

  • No editing your predictions after entering them;
  • Three apiece;
  • None should not be around per second half of December 2016;
  • All should be measurable, and measurably the largest over 2017, suggestions for measurement/metrics should be attached.

I’ll be awaiting your wisdom / totally random stuff with:
DSC_0789
[Who would’ve predicted the success, and beauty, of this/these, eh? DC]

Dense, but study

All about this here article. Yes I too, started out as picture browser through this. But more careful study unearthed a lot of gold, qua understanding of the issues. Even to the point of pointing out some gaps, here and there — well, the understanding did, not as much the overview — in ‘moral continuums’, that can and should be filled.
And, much work can be done on opeationalising the Obvious breaches of fundamental human rights (as per Universal Declaration) so don’t go babbling about commerce needs a chance.

[And now for a switch of goal but you’ll find the relation …!]

Where the latter is one big part often missing with ‘disruptions’ quod non:
Doing something simply illegal is just that and is not ‘allowed’ because innovation should be allowed to be tested.
Innovation should not be attempted when the new has been determined already to be illegal
How hard can it be? Laws had been put in place to protect the weak against the powerful, specifically at points where the need was obviated. IF some law has no purpose anymore, one should first do away with it, first through political ways and if that wouldn’t work out to be possible, only then, through e.g., courts for obvious unfairness (sic; if your law system is of the common type you’re hosed anyway). When you don’t succeeed in this the only legal ways, too bad that’s how democracy works, if.
If some law still has purpose but there’s negative side effects you’d want to do away with, do away with the side effects not the law; in the two ways as before doofus!

Oh well. Mock disruptors beware; the world does not need nor welcome you.
And:
dsc_0555
[Sometimes, Classics are perfect enough; Prague]

Mumbling, much ..?

How come that almost (?) everyone (for sure) recognises the tune of this, but none know the lyrics — well, by heart, and able to sing somewhat proficiently…?

Just asking.

And:
dsc_0599
[Beautiful, but linked to tragedy; Prague — only need to straight the horizon…]

Some quick notes on Audit / service development

An invitation for co-development or I go it alone…
[This also being a copyright / idea claim]

  • Undecided what name will stick; either
    Ethics Test Services, or
    Autonomous Judgement/Decision Analysis Services;
  • Because it is about checking the morality baked into, or emerging from, algorithmic decisions and/or decisions and conclusions from autonomous and self-learning systems;
  • Contra “Computer says No”, obviously.
    If you’d want to learn what that refers to; see here;
  • [Intermission] Whereas some in European politics (sic) discuss to impose a limit where autonomous systems without one human in the loop anywhere would have to have an ‘explanatory’ function that can display in layman’s terms how it arrived at some decision, and that being contestable. But the questions are: What if the ‘system’ were hosted outside the EU (and just like inflation, Gresham will obviously apply), and what if (maybe ‘when’; we’re talking politicians here) such a very first step towards transparency may still not make it, and what if as a cheap escape trick the human would and could only click ‘OK’ — could (s)he be culpable?
  • Elements would be:
    • Process correctness,
    • Data correctness,
    • Exceptions handling; essential and necessary.
  • This, in Standard Form and with an overall human (me; run to the hills) judgement both over process/systems quality and over moral/ethical admissability;
  • Will have to extend the notions of ethics, morality et al. here; e.g., how humans make decisions in the first place with all their errors of all kinds, what to do when systems/humans don’t follow morality and/or the decisions from the systems.

So, everyone (dabbling in this space from now on,) will pay me serious license fees for using the above ideas in commercial services… [note: I’m serious]
And/or all help is welcomed.

To add:
DSC_0752
[Would deliver above services to this address for expense reimbursement only …]

Log not Log

About the resurgence of ‘logging’ as a thing.
In compliance, for whatever reason because everyone lost the Original purpose.
In ‘audit’ (like, checking bookkeeping — no you drop the pretense and lies that’s all there is to it!), since we (??) can now do den totalen Prozesskontrolle.
In systems management, to …:

  • Monitor the health of systems — note that a lot of logging will be superfluous for this purpose (lest the next bullet comes into play), and a lot of the other records will be processed near-completely-automated into nice dashboards; note also that in this environment, that seems to work whereas in enviroments where ‘dashboards’ have been promoted for ages (decades, mind you) without any success, with the cause already known just as long;
  • Detect/find, and process, intrusions. Being proxies for ‘fraud’ (quod non, and note that legally, there’s no such thing!) to be committed.

Most efforts of late go into the latter thing (apart from the good work (sic) done by, e.g., the Coney‘s of this world). Where we see a jump to the worst, most atrocious, of Big Brother privacy obliteration by processing each and every little in-systems program step that can be logged, traced. Even by, what could have been, proper all-out systems management integrating the traditional style of it, with IoT device management, as e.g., Splunk now is focusing on whilst leaving their core competence behind.
Missing the point that ‘systems management’ over all transactions having started with the human ones, was the Original purpose. To monitor (at the speed of annual bookkeeping ..!) the health of ‘systems’, the business as performed and understand that not all transactions could be perfectly in line with the, unthinkingly overstandardised ideal transaction patterns.

Can we now, now that we do have the mechanics (log writing speed, all-connectivity, and storage (!) and processing tools available) regain that latter part..?
Hopefully.

And:
DSCN2229
[Modern (purpose), still also a sun dial; Barça]

Quitting a club

Where some trade association of … drum roll … chartered (sic) IS auditors declared Cybersecurity is becoming an ever bigger problem. An IS auditor should need to keep informed of the latest developments as an argument to join in some CYBER ARRGHHH! lecture,
one better leaves. I did.

Sure, I’m member of some other, global, of the same trade and tricks one might say. But to list the other arguments to quit the local (i.e., Dutch; could have characterised them as ‘provincial’ but why) one, would take ten pages (yes I have them, spelled out including various legal trespassing of the vilest kind, far from complete after some this-years developments within the club…) and I don’t want to bother you with the water under the bridge.
And sure, I re-joined yet another trade association. And try to contribute in another way, as yet not yet disclosed. And #ditchcyber.

But I’m unsure about my discretion in leaving (behind the hopeless) and would be curious about your best advice when and how (that’s two) to quit a club. Thoughts?

Oh:
DSC_0804
[Not only T towers might need (sic) to be renamed…]

Maverisk / Étoiles du Nord