No, you're hacked

OK, we have a couple of little things:

  • “It’s not if but when an organisation is hacked”
  • This leads to access to some of your personal data, however innocuous (or not)
  • Only a handful of your however-innocuous personal data items is needed to identify you and/or take over your ID
  • Your personal data, however innocuous on the surface (sic), is with so many organisations.

Syllogically, ID theft will ruin your life, pretty soon.

Now you may counter that … blabla you’re not interesting enough (maybe, but how sure are you, and if you’re so clean your ID has value to the not-so-clean), it won’t happen to you because it hasn’t happened to you (yet, that’s the point) … et cetera.

But oh, you will be hit …

And with that positive reminder, this:


[If life were as simple as at once major global city Edam…]

Four horsemen, with a badge

Now that ‘our failproof heroes of integrity’ (one of those five words is correct) have gained the right to hack and exploit each and every user’s device in their battle (huh) against the four horsemen, each, all and every proof of misconduct, of however grave or minor import, that anyone would conduct using any such ‘cyber’ device would not hold in court: no-one can prove it was the general user / suspect (sic) that put the data on there or used it, and the police would be implicated as well but cannot prove satisfactorily that it wasn’t them.

Obliterating any chance of ever proving actual foul horsemen…

But hey, they seem to have wanted that. For a reason? E.g., the above suspects were in majority already among the pursuers ..?

Why would I care… and:
[Your ‘straight’ thinking…; Zuid-As Amsterdam]

The year of IT is no more Department

Or, once upon a long, long time ago in a land far, far away, there was IT, the hero department that ruled over all of information processing. Because information processing was a strange and dangerous thing and if you chopped off one security flaw, seven others would be introduced. So, the IT department was well-trained in keeping the architecture-and-infrastructure beast alive, with all its fresh new and old legacy body parts, fed every now and then with a fair maiden project.

Oh how things evolved. Lately (being the past couple of decades), the department was split, incompletely, between Development/Maintenance, and Operations. Things were run with ITIL and CobIT — as In Name Only as PINO was to the Prince, II.

The INO part being audited throughout (see previous post) but without anyone really caring about the outcomes of that. No, not even regulators or so, so devoid of truly understanding that the qualification ‘parasite’ isn’t too far off, even.

And now, there’s a slow but steady breakthrough of bands of liberators. Deperimetrisation, socmed, cloud, Big Data, flex work(place), hackers-contra-cyber (#ditchcyber), … the many-headed Central Scrutiniser is sprayed with acid from all sides and is slowly shrunk. Softly wailing for mercy, some do, but to not much avail. Maybe an embrace of Sloterdijk’s Part III foams may help.

Ah, I’m not positive but can be — at least, life will remain in the body that is infrastructure management (-coordination) and incident management, etc.

First, this: [image]

Then, this:

[Outsourcing basic shopping to the experts at Milan]

Low standards

The compliance check-box approach is an atrocious thing for and to many things and reasons, but has been induced by the very growth of the industry. Since all margin calls at all controls and control objectives achievement have been wiped out — and no-one dares to make, or has the experience for, margin calls anymore. How low can your standards of professionalism dive?

Sic transit gloria mundi; the trade once was a veritable gentleman’s (M/F/~) affair, for one put up one’s honour and good name (and standing, including life, liberty, welfare and happiness) for the value of the second opinion over the full width of the (opinion about subject matter) playing field.
But one’s good name is no more. Men are no longer honourable, virtue isn’t a thing anymore; pluto reigns, in particular at 1600 Penn Ave — the demise of humanity. In the coming years, the standards will follow; having deteriorated from standards to hold Men to, to straitjackets most easily escaped from by surreptitiously gaming the system, making the system the mockery of men. I repeat myself.

But ideals, values, virtue and all things principle-based will resurface; if only trivially since the now resurgent risk-management approach would not work otherwise. The value is already returning to the dare of the expert to call it not to fold on details.
Hence, new standards will emerge. Pure-principles lists, no nitty-gritty stuff. To be audited on, by knowledgeable advisors that can relate sample controls / -frameworks to the principles and back. The 27k1/2 divide, but strengthened, widened.

About the latter; the renewed gap between principles and samples, will also allow auditors more flex when determining their audit approach as in next week’s post ;-|

By the way, the Dutch may read a bit on the same issue, au fond, and some pointers to solutions, if they’d work (put hypothetically for a reason), in this here piece, released after my draft of the above.

Oh, and:
[A winery, of course; Douro valley]

17 views

Just a tip: 2017 will be all about Augmented Reality. Maybe not VR, or is that a mere intermediate-phase subset. But AR.

When M$ adds some capabilities to WW10 (the platform, or binary), the ground swell (or is it an undercurrent, undertow?) is sure to grow.

So, Be Prepared, to see innovation in business software after the years of stale(mate) in ‘ERP’; no more database-system-usersystem stacking, but a mountain of data with lean and mean engines at/on the top, now extended with AR to doddle around — and maybe … do something useful. All of business IT will dwindle in significance, with far fewer users as simple one-screwturn assembly line workers (to be (sic) replaced by robots anyway), but something-large-and-vague and payful, agile top users in the cloud atop. Top users only, the best and brightest (self-declared), the shiny, überemployees, the stars. Huh. How’d they get there, be experienced enough, not be hindered by any wisdom … ? How’d they get so blinkered, conceited, presumptuous etc.? How’d they not get caught in the emperor’s new clothes?

I’ve been instructed (not) to be more positive, to not apply debit where debit is absolutely due… So, how can we turn today’s silo’d work into creative, innovative, flexible functions of tomorrow [and the day after; best wishes ;-] ..?

Plus:

[Your yacht may be a piece of art, but still…; Zuid-As Amsterdam (it was)]

Oh… Yes but still, now it’s true:

[Edited to add:

]

Cyberprevention

Just a signal, of a new movement. Which isn’t.

  • For one, the -prevention — doomed from the [ word Go | – part ]. Which becomes less and less valid. Yes, some deterrent actions may help, but one better focus on the fact of future break-ins… And act accordingly — much more efficient for almost all. Take the 1st graph of this, and weep / go / the rest of it, too.
  • For two, ‘cyber’ … #ditchcyber nails it, in the Manifesto.

Yes that’ll be all for today, including:
[So, you can #ditchcyber, too]

Oops, there it is! (now you don’t, see it)

Suddenly, there it is, almost as if it’s something new … Malware using stego, as if it might still surprise anyone whereas of course there already was this, and this, and this and this.

What next? Even smarter ad blockers ..? Will not work, as the latter are only in use with the smarter part of the bunch. And smarter ad blockers will be installed by even fewer, as the pay-off is less visible (in a timely enough way).

No, what’s next is first an armageddon [Warning: cultural notion; propose to use the more profound Ragnarök] — of which the result, hopefully … is that ads will be marginalised. A great many a socmed platform (looking at you, $FB and other (sic) unicorns) may (signifying possibility and hope) go asunder, as ads are their value, period.

Then, hopefully, Yggdrasil will grow again. E.g., with truly egalitarian platforms; truly global (though that aspect may not have been sunk in the great flood) and free, meaning that also, the trolls can be captured and ring-fenced and not destroy some or many or the platforms / -ideas.

How philosophical one can get in dreams/dreaming, how far off today is the better-than-today’s-should-have-been.

Plus:

[All sorts of meta-info (‘nothing to protect here, just move on’ / ‘I can see you but you can’t see me’ et al); Segovia or what was it]

The CyberDarwins

As we’re nearing the end of the year (Western calendar, others not spoiling the party — learning point), we draw towards the ‘people being stupid with fireworks’ scenes that are oh so similar to ‘people managing systems’ situations. The former, focusing on the most beautiful display and/or the loudest Bang; the latter the same, if you think of it.
The former, with latent recognition of ‘safety’ also re bystanders and collateral injuries, possibly grave or life-, liberty- and happiness-threatening. The latter, with a desperate few considering ‘security’ and ‘privacy’, and even fewer thinking of collateral damage and implicit injuries and infractions to life, liberty and happiness — if you think that’s overrated, have your ID stolen.

The former has the Darwin Awards, for those that improve the gene pool by taking themselves out of it.
The latter, none such yet.

That’s where I aim:
Shouldn’t we instate the CyberDarwin Awards (acknowledging #ditchcyber), for the most egregious (i.e., outrageous, glaring, flagrant) mindlessness in information security in the widest sense that flies in the face of basic common decent thinking?
So that by their occurrence, the candidates volunteer to be taken out of the connected environment which, being their oxygen, improves what’s left (the most).

I have no idea how to pull this off; there should be some sort of portal where candidates may be proposed and results be displayed for common laughter but who will build and maintain such a thing before it can become a success, advertisers will flock in droves to sponsor for ads, and I take over again to reap all the financial benefits… #helpappreciated

And:
[This has zero relevance. Toronto]

No C3PO, just PO

Section 4, article 37, 1(b) of the General Data (sic) Protection Regulation ‘of 2018’ (sic): when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, the instantiation of a Functionary for Data Protection is mandatory.
Yes, this includes all organisations dabbling in web analytics… No, there’s no threshold (that previously was) of 250 or 500 staff minimum.
But hey, there are arrangements to hire a Functionary — Privacy Officer works better — for less than full-time or on an (on-going) assignment basis. Come to think of it; the mandatory full independence of the PO (party commissioner, anyone?) may sit better with a hired hand/consultant than with someone on the payroll.
Still, one better study the task list for such a PO. Not a C3PO… The bumbling-through-overly-decent butler is not quite the role model you’d want. Or… you’d want the PO to be such, a harmless nuisance. But then, you waste the PO and budget, and still will be vulnerable. The common Anglo-Saxon (hopefully -only but doubtful) approach that if something goes wrong, you fire the sitting duck scapegoat and hey presto, no more worries, all are done, satisfied and no damage’s done, will not work here if it ever did. On the contrary, purposeful negligence, wrongful act, et al., may easily be construed, resulting in long-term mismanagement (still a capital offense…! Oh why can’t we jail all the white collar criminals), and the misfortune of all your employees, clients etc. will fall on the Board for once… the last paragraph of this applies.

To return to the positive: when arranged well, some things in business may have to change but overall, both your processing will run more smoothly (sic) and your public posture will improve (leading to improved data quality, new clients, and the world is yours, right?).
So, draft a PO Charter and hire me.

Plus:
[Back in the days before live-cams…]

Maverisk / Étoiles du Nord