ERM, GRC – Page 20 – Maverisk / Étoiles du Nord

The ransom monster

Now that the ‘No way josé’ solutions against ransomware [regular back-ups, virtualisation of servers, and tight intrusion controls et al.] have become so widely known, and ransomware having evolved to be more of the APT kind (incubating for up to six months before striking — undoing your back-up strategy), a new look at the root cause of the harrassment:

Ransomware is a Monster. Being a thing that refuses to fit a single category for neat classification (sociology/science definition/term).

Which may seem odd, but consider:

It (?) uses Confidentiality-sloppyness to enter;
It undoes Integrity;
Its payload aims at destruction of Availability, both in the Immediate and the Reasonably-timely kinds.
[Bonus: It doesn’t care about (your) morality but strikes even (?) at hospitals et al.]

Capice? … Oh, you wanted a Solution, or a Morale. Maybe something with Blended Defense / Step Up Your Game or so. Well, be my guest …, and:

[The ultimate Up Yours [ , Planning Commission of Racine!], by of course the venerable Frank Lloyd Wright]

"Compliance auditing"

Is two distinct things, or a contradictio if taken as one.

The ‘compliance’ thing is just rote checking of the implementation of all petty rules. The Certificate certification type. If I’d even need to say more…
Some even claim that by repeated checks of implementation, ‘operating effectiveness’ would be established. Fools. The operating effectiveness can only be designed in, so the first 99% of operating effectiveness can be checked in the design; what do you check the design for in the first place? Why would you check the design otherwise? And if you don’t, then what value to the petty paper that the standards are?
Ah, “…the slavery of fear had made men afraid to think.” (Thomas Paine, Rights of Man, p.159) — that’s what this is about… As in a couple of last days’posts. But this is Not Auditing, since ..:
Auditing is the art of application of risk management upfront, and insight and wisdom afterwards. (as also in this.)
Risk management upfront: Even when taking up some standards first and then seeing how it would apply to the case at hand, a true auditor would select, inter alia based on informal and formal risk assessment (in a mix dependent on the case, and experience) wat rules from the standard apply and which ones to check for in what various levels of detail. If ‘all’, you’re doing something Wrong like doing compliance checking.
Insight and wisdom after: There’s no value whatsoever in noting deficiencies as such, or recommending on their remediation simply by inner-productlike fixes. There is value when taken one, two, more, many more, levels up and digging deep (upwards, usually) to find the true causes, possibly root causes (but do NOT overdo this), and then advising in smart, intelligent, wise ways to remediate those. Don’t think black-white here, but about (fundamentally different!) thesis versus antithesis, towards Synthesis… And, along the way of the audit, support and encourage those under stress/duress of audit requirements, petty standards requirements, and micromanaging bosses all standing in the way of actual performance and use of brain. When then, a final overall conclusion is to be had, this would be based on the ability and application to weigh arguments (as Cicero, utterly correct: “One should not count arguments but weigh them”, De Oratore 307-310 LXXVII) and hand down a verdict which all embrace for its wisdom and authority — your personal authority which isn’t power, not rightiousness-by-procedural-justice! Let alone attachment to some organisational body (self-aggrandised company or professional association), or by it of a title to you.

So, either you set your mind to Blank and do compliance checking, or you use your brain for its intended purpose [“irregardless” of its nature/nurture capability levels with you] and audit.
The first, not for nothing to be replaced by AI soon, very soon. The second, the almost-definition of what AI still (your mileage may vary) can’t do, yet… The first, for DAOs; the second, lost through Bureaucarcy (see previous posts).

Plus:

[Shifty facades/faces; Zuid-As Amsterdam]

Two stikes and you’re out of third party standards

What a wobbling title.

When already for a second time (here), the European Supreme Court has ruled that laws requiring broad (meta)data retention for trawling are illegal per se, with a minute few exceptions, making it illegal to consider it legal (i.e., have a law requiring it — which of course is much stronger than just doing it on private company want) you’d better comply.

That’s all, folks, only adding the following thus undoing that:

You may read back some posts on how to pull off better Privacy (-compliance) in a fun and efficient way;
And note how this seems to run counter the above, or does it ..? Distinction is finer than initially thought;
Standards as yet fail to address sufficiently the main cause of leakage, being third parties or in your case, second parties; known for being the #1 Saying Yes (on paper) Doing No when it comes to maintaining security to the impeccable standards of yours. Those impeccable standards of yours that … can’t even seriously assume you’re at those levels. Can’t assume the second parties are anywhere near your levels even, because of their business model which is Profit over Non-profit [think that through] so have no incentive to take the moral high ground and all the incentives to the opposite … Those second parties of course are in your standards (are they? certainly not everywhere) under transparency towards ~~first parties (customers)~~ regulators if ever they’d look so (only just beyond skin-) deep or rather disregard the issue;
If not when those your standards would have been clear enough to yourself to collect and put them up as requirements, and properly communicated to the second parties, and (checked to have initially been) implemented with them;
But then no-one really knows how to pull off even core but real oversight over the infosec quality at second parties — don’t fool yourselves: reporting, always throught their Marketing/Sales, will give no real info (info being the things you’d want to notice, not the stuff you can skip because it’s green lights/smileys all the way); actual audits, are either by third parties most usually on pay of second parties hence on their hand (don’t believe the outright lie of independence [I’ve been there, countless scores of times..]) e.g., when ISAE- or other certification is in play (certification after petty-rules-compliance checking not Auditing see tomorrow’s post) or by your own auditors — how good are they, anyway, when this outsourced stuff is special to them too (as you outsourced, their knowledge / experience re this, tumbled) and again it’s a side show to their audit universe, hard to pull off (have a look at the notification requirements and their freedom of movement in the contracts…) and still with an interest of the second parties to show a nice picture not truth which is almost completely in their hands, or by some third party hired and paid by you, for which the latter flaw of pretty-picture needs; the Diginotar case anyone?
Summa summarum: You may be hosed.

Even more so, when it comes to Privacy. Either as an organisation, or as private person [ditch the oh so pejorative ‘individual’ and ‘citizen’ — don’t start me on the utter ridicule of the moronic ‘corporate personhood’], or both.

Oh well:

[May be prone to strike the wrong way, too, anyway; DC]

No pride, just the same

When you need a book to explain, or enthrall, some unexpected readers into believing Hygge were something exceptional — the Dutch have had Gezelligheid already for ages, without considering it something so special that it would need any investigation; just smile as tourists discover it to their surprise. Certainly not treat it as if it were something that defines the national mood…
No, the English Wikipedia page is wrong on this. The Dutch one is correct period

Whatev’; and:

[This, beating Legoland; Toronto]

A parachute to your Dutch granny budget

If you have no clue about the title, read on.
It’s about a Dutch ‘granny bike’. And about your bosses’ golden parachutes. And how to get budget for the ~~playthings~~ bare minimum tools you require.

First off: the biker part. Note that this has unsurpassably been written up here. On how crappy banger bikes, are locked with supremo but ridiculously expensive gear and how this out-of-all-proportion control-cost still makes sense. Reading is believing.
Second: These days, FUD is Real; à la the “Either you’ve been hacked or will be, soon” line and including the ever bigger transparency in the press. With a warning of impeding disaster for all your remotely involved (even if by negligence — wait did I write ‘if’ ..?) bosses and their tenure, as these days, too, a great many including CEOs get fired / are forced to quit / commit seppuko almost, when <youknowwhat> hits the fan and always runs downstream, hence getting a lot of you superiors their golden parachute. Their mileage may vary, but the threat finally (…!) is a believable one. Either they believe (wrongly) to be able to escape the gauntlet anyway but should then, officially, care about the parachutes’ cost to the company and take that as a clue about the (tenfold++) reputational damage to the company, or … they aim to take the money and run and go on disastering elsewhere, leaving said reputational damage and parachute costs to the laggerds left behind — you inform the odd superior here and there that their colleagues/peers are about to pull their leg and leave the sweeping up of the damage to the stayers.
Summing up to: At the cost side, the rationale is such that the ceiling of any of your proposals takes off to, at last, suitable levels. At the benefits side (cost-avoidance), suddenly the decision makers’ personal interest is there.

Combined, this should as written suffice to finally get sufficient budget for the ~~playthings~~ bare minimum tools you require. Or what.

I tell you what: The above even now may still not make sense to the … [expletive censored] bosses above you. Plus:

[Harmless sea beggars on the Dutch coast; Bloemendaal]

Cozy versus Anti-cozy

Once more reaching back to last Wednesday’s post: Opposing sides may have to recognise the very existence of the other one.

When anti-bureaucracy force battle the eternal struggle against complacency et al., they better take into account that 60% of people (any mass), is of Type B, and hence will diligently work 9-to-5 and not complain too much. And, by their majority and no moral objection to hence realised mob rule, will (try to) encapsulate the Other 40% Type A’s. Whereas if all the Type A’s were contra their nature to band together in some loose-form cooperation, this could very easily deteriorate into B big time.
And, in a world that’s overly complex, even when subsets of the complexity may be institutionalised, B may be the only feasible organisational form — IF one’d want to organise it all. Which one would, if out of fear typical of the 60% …

So we’ll sine-weave from side to side, and:

[The displaced after Romans’ Franks primordial fear of disappearance leading to ultra-centralism as core quality of the (leading socio-cultural-economic elites of) the nation, sometimes leads to something pleasing the eye; e.g., La Défense Paris]

Angst is not temporary

Struck me while going through, near the finish, Graeber’s Utopia of Rules, that the fear for the Unknown What to be Feared that keeps so many captured in Bureaucratia and will defend it and stupidify themselves to such utter stooping levels just by being harrassed into Fear of Anything Else,

is in the end a reason par excellence to venture forth with contracted staff.

Not the other way around, where one still hires unknown qualities, with similar or ex ante already less excellent staff [the truly excellent trust their qualities to survive whereas those shooting for perm contracts, don’t by definition] and then you’re stuck with them.

But straightforward, with staff that has the balls (F/M/~) to do the job, needs no fall-back security through the layoff premiums [hey, if you’d want to fire the perms, you can but at a modest cost], and moves away when they see their talent better deployed elsewhere [hm, a risk to you, to lose your best hires — or you keep them motivated…] or you both do that.

When put into a cost-benefit analysis , it plays out just as well.
Hiring costs: Better on the Temp side; Management/oversight/control/coordination costs: Better on the Temp side (! they’ll manage themselves thank you); Straight paycheck costs: Better on the Temp side! Yes indeed, when compared to fully-loaded super-grossed Perm rates that include all social benefits, schooling, &c. &c.

Just ditch the middle extortionist men.

So, follow your Angst and hire me… Plus:

[Changing the views, improves them…; question: Where?]

DoS Internals

No, no typo. Not DOS Internals or so. Rather, internal DoS attacks.

Are they tractable? [Uhh, that may sound like they’d be positive things to be able to do — sorry, just hinting at “technical feasibility” here]

Yes they are. Stuxnet was the prime example. Something similar would be tractable once one is (somewhat) on the inside, I guess. Like, an APT exploring the internal networks for topology, infecting routers along the way, and then blowing them up all, all at once, with megazillion tons of traffic, internally generated. Denying (internal) network services to all. Or even bricking routers with e.g., flash-ROM attacks. Feasible.

The same, with surreptitious tweaks of kernel scheduling processes, Stux style. Or, there, too, diving deep into and under the virtualisation layers and bricking the core BOISsen and other Level 0 / 1 server software. Overflowing disks with random data (be sure to buffer tons, so restarts / re-mounts will not help too easily).

Hmmm, once one starts thinking about it, the possibilities are huge. Maybe some nationstate party/ies has some arsenal out there in the wild already. Think yesterday’s post; on its own or in combo with Elections, whose interests where?

Oh whatever … plus:

[A hole in your servers’/routers’ “floatation” capabilities will sink your infra; Baltimore]

Did / Did Not (Know Who Did)

Anyone still have an overview of where we (?) stand qua attribution of “cyber” attacks [ #ditchcyber, of course ] ..?? Apart from this…

There’s so much development in attribution with or without proof, e.g., about hacking elections in some outer corner of the world’s population; was it truly hacks, was it some nation state, was it some scapegoat hackster, was it all a set-up, where are Wikileaks, Anonymous, [fill in your favourite Four Horsemen party and colour the pictures] … the possibilities are endless.

But there are indeed flashes like this and this, which spark some controversy whilst blurring the overall picture. And we’d want unblurred pics of hotel room showers oh wait not I.
And what with all the tools out there (remember, the FBI’s stash stolen and now on fire sale for 99% off the previous list price, right?), planting others’ fingerprints and DNA, so to speak (no, literally ..!), and have pictures and videos even that are near-indistinguishable from proof; what evidence if any is still admissible in courts? None …!? So, what attribution …!?

When others talk about “controlling the cyber battlefield” (no, not the FBI but the extraterritorial agency), isn’t there a protracted “cyber” [ #ditchcyber ] world war under way already ..? Just not as hot as the previous one, more like the Cold one, schlepping on ..?

Just accept all Peace For Our Time‘s … and:

[The SocMed approach: Look! Moose babies!]

Ad Lib / Logic

About some ‘logic’ in an @bookingcom ad.

Where this, commonly well-regarded, travel site sent some spam: “Umbrella in hand, J, it’s raining deals!”
Which may or may not be true, but

If it’s deals that it’s raining, I wouldn’t necessarily want to shrug them off with an umbrella
If it’s deals, why associate them with bad weather which I may want to escape, through the deals
Can’t the deals be collected on some company web site or so; why should it rain into my Inbox?

So, methinks the ad is a wide-net phishing run. Right ..?

Oh, and:

[Old analog pic; now there‘s deal weather …! Martinique — once was business travel location 😉 ]