Category: Information Security

All against all, part 3

OK, herewith Part III of:

Tinkering with some research that came out recently, and sometime(s) earlier, I had the idea that qua fraud, or rather ‘Cyber’threat analysis (#ditchcyber!), some development of models was warranted, as the discourse is dispersing into desparately disparate ways.

The usual picture suspect:
DSCN8587
[What no throwback to the socialisixties ..?]

Second up, as said: The same matrix of actor threats, (actor) defenders, but this time not with the success chances or typifications or (read horizontally) the motivations, but with typical strategy-level attack vectors. Not too much detail, no, but that would not be possible or the matrix would get clogged with all the great many tactical approaches (including social engineering, spear phishing, etc.etc.).
Fraud matrix big part 3
Next up (probably the 12th) will be typical countermeasure classes.

Hmmm, still not sure this all will lead anywhere other than a vocabulary and classification for Attribution (as in this piece). But I see light; an inkling that actually there may be value and progress through this analysis …

Coolness 1 – progress 0

Hm, on the face of it, this here is interesting: the director of Europol (no less) saying that TOR and Bitcoin shouldn’t be vilified even if they pose problems for agencies, since they allow cittizzzens to enjoy the freedoms of the Interwebz.

Nevertheless … Claiming that means: ‘may still be needed to trace and convict those colouring outside the boxes’, which would raise suspicion of window dressing. Let’s see how this talk will be walked, shall we ..?

After which dense text you deserve:
DSCN8502
[Typical Zuid-As]

Repudiation, repudiation (not) everywhere

With DARPA’s quest for Active Authentication (as here), what will the future spread of (non-)repudiation look like ..? By means of strength of proof e.g. before courts, when system abusers may claim to accidentally have the same behavioural ICT use patterns as the unknown culprits, or be victims of replay attacks.
I’m unsure about how this will play out, then; whether Innocent Until, or Proof of Innocence, or even Reasonable Suspicion may still exist.

Yeah, I get it – you’ll claim that this is for DoD purposes only. Of course, as it never has, in the past. @SwiftOnSecurity would (need to) be on the alert.

Well, as this kind of innovation (by this agency) usually reaches society in all sorts of very unexpected ways, there’s hope that something in support of the Constitution may in the end come out… for now, I’ll leave you with:
Photo21
[Light on the inside, though without outlook… FLlW at Racine, WI]

IR-L or 0 (BC)

The spectre of BCM has been haunting ‘business’ departments of about any organization for too long. It needs to go away – as spectre, and take its rightful place in ‘Risk’ ‘Management’. The latter, in quotes, since this, this, this, this, and this and this.
Much link, very tire. Hence,
DSCN4069
[Opera! Opera! Cala at Vale]

Which actually brings me to the core message: ‘Governance’ [for the quotes, see the last of the above link series again] fails for a fact (past, current, future) if it doesn’t include risk management, and when that doesn’t take this into account:
Turf wars
[Here, highlighted for InfoSec as that’s in my trade portfolio…]

First, a reference to that RM-in-Gov’ce mumbo jumbo: Here. (In Dutch, by way of crypto-defeating measure vis-à-vis TLAs… (?)) Listing among others (diversity, sustainable enterprise, external auditor role) the need to do more about risk management at ‘governance’ levels. Which might of course be true, and how long overdue after COSO has been issued and has been revised over and over again already.

But then, implementation … No strategic plan survives first contact with the enemy (ref here). And then, on turf are the wars that be, in all organisations. Among the great multitude of front lines, the one between Information Risk (management) the Light brigade [of which the Charge wasn’t stupid! It almost succeeded but because the commander wasn’t a toff so supporting a brilliant move by such an upstart wasn’t fashionable, he was blamed – an important life lesson…], being overall generic CIA with letting A slip too easily on the one hand, and the all too often almost Zero Business Continuity (management) on the other, outs the lack of neutral overlordship over these viceroys by wise (sic) understanding of risk management at the highest organizational levels. As in the picture: It’s all RM in one way or another. And (though the pic has an InfoSec focus) it’s not only about ICT, it’s about People as well. As we have duly dissed the ‘Process’ thinghy as unworthy hot air in a great many previous posts.

Where’s this going …? I don’t know. Just wanted to say that the IR-to-BC border is shifting, as IR becomes such an overwhelming issue that even the drinks at Davos were spoilt over concerns re this (as clearly, here). But still, BC isn’t taken as the integral part of Be Prepared that any business leader, entrepreneur or ‘executive’ (almost as dismal as ‘manager’) should have in daily (…) training schedules. Apart from the Boy Cried Wolf and overly shrill voices now heard, the groundswell is (to be taken! also) serious: IR will drive much of BC, it’s just that, again, sigh, the B will be too brainless to understand the C concerns. Leaving BC separate and unimplemented (fully XOR not!) next to great ICT Continuity.
Or will they, for once, cooperate and cover the vast no-man’s land ..? Hope to hear your success stories.

To study; unconscious compliance, conformity

A quite good analysis here, of this book.

Which throws a wrench in many discussion positions for or against privacy … also in the light of this book. Are we numb mindless drones in larger schemes, or are we individuals whose choices happened to coincide? Through availability of emergent too-selective alternatives or what?

Think about that. And revel at:
000011 (3)
[Cheney interior, original. And B&B ..! Hey don’t complain, ‘t is from an analog one again, circa 1997.]

Disarming the citizens of the US

Ah, yes, prohibiting any discussion of or even link to possibly cracking-enabling information. Already worded in a veiled way, as in:

this would mean taking away the arms that a great many US citizens are equipped with (and prohibiting gun range training), once, against the English (Brits?) now against just any outsider and US citizens themselves? Quite a Second Amendment thing, these days…

As a European, I don’t want to meddle in US domestic affairs. But I tend to the interpretation of constitutions and amendments anywhere, all of them, as principles not absolutes. Absolutes never (sic) work in societal organisation. When quite a number of those concerned [again, I’m not] would gladly see all amendments interpreted to principle not literally except this very dangerous one.

‘nough of that. Now, onto the more recent EU moves towards banning hacker tools … (and the UK push for banning encryption tools, even). I just have questions:

  • What about free speech? Seems to be an issue for discussion as democracies need more absolute protection of that. Amazon wouldn’t be allowed to sell hacker books in selected countries. Banning books, anyone?
  • How many % of crackers would live in the applicable jurisdictions, to be under the prohibition provisions, and how many are outside those jurisdictions ..? What would happen if one would exclude the former from being armed and ready but giving the latter a, most probably, more vulnerable target?
  • The honest researchers in those countries would be jobless; never a good incentive to stay in the right side. The honest researchers elsewhere would have a bonanza as all bugfix trade must move to the outside. Either that XOR through a form of licensing one creates a humungous random hence erratic but totalitarian public/private cartel. In the Home of the Free, in the pursuit of happiness.
  • If through this, the balance is lost, will the US and/or EU start to isolate itself (its ‘Internet’ (quod non as per this)) from the rest of the world ..? If so, how any trillions of $/€ will be lost to others, whereas any related industry (that will be the future as the mature-industry-little-growth primary, secondary and tertiary industries will be what’s left for the EU/US but serious growth will be in the new industries?) will not come off the ground, hindering greatly any recovery from the intermediate term (slump) before booming, à la this.
  • Will stego boom? The Hiding in Plain Sight can bring an additional benefit of plausible deniability (with some tweaking).

Seems like the above POTUS quote might indicate that he’s not planning any censoring of the spread of direct or indirect vulnerability information but on the contrary would be stepping up efforts to bring the US back on top of the game. E.g., by not focusing solely on physical terrorists but also on outside-in and from-within (sic) cyber attacks. Or was the quote an apology for the NSA being in NK even before the (known to them!) Sony hack ..?

The picture is still murky. Too murky to take sides already, for my take. I’ll leave you with:

20140905_201502
[Bergen aan Zee, Autumn dominos]

‘Algorithm’ or ‘Intelligence’ or Who Cares?

This appeared:


But hey, an algorithm … exists on paper, in the head of programmers, just anywhere. But is an object, however ephemeral, not an actor. What’s probably meant, is that an actual computer, equipped with software that implements the algorithm, and with tons of data, and with electricity, will generate output that sufficiently resembles ‘human’ output. Any news there ..?

hFA00C326
[Your ‘brain’..?]

PbD

Suddenly (?), amidst all sorts of ‘backlashes’ to whip the 90%, or 99%, back into sully compliance and complacency, this ENISA report came out. Issuer → importance. Get it and read…

For the effort:
20150109_144328
[Somewhat close to near perfect alignment. But no cigar for the Gemeentemuseum Den Haag …]

IoTOSI+

In order to get proper information risk management and audit in place for IoT, on top of IoTsec, the frames of mind should be grown and extended so at least they touch, if not overlap in a coherent way.
Where IoTsec-and-IRM-and-audit is about the I and C of All Of ICT, we could do worse than to have a look (back) at the OSI stack. All People Seem To Need Data Processing, remember. (Not even a question mark but a period Or else go back and study, a lot.)
Which we should extend, clarify for IoT, and deepen in detail, downwards towards the sensors and actuators, and upwards beyond the A level into … Meaning, like, Information and stuff ..?

As an interlude, you already deserve:
20150109_145625
Heh, ‘smart’phone pic; not FLlW but Van ‘t Hoff’s Villa Henny. As here in Dutch, though that states the style would be related to FLlW only – wiping the ‘near-perfect carbon copy’ aspect under the rug…
Now here’s a few actual FLlW’s…:
000005 (6)000023 (6)
How’zat for copying ‘in a style related to’…!
[Sorry for the pic quality; these scanned from analog…]

Now then, back to the OSI stack and the absence of Security in that. Audit is even further away; the orphaned nephew (role, function!) will be attached later to the whole shazam.
Given that the A is there for Application, do we really have anything like the function of the communications/data at that level or higher up ..? Well, it seems Higher Up is where we should aim indeed, as a starting point. And end point. Because the information criteria (being the quality criteria that information may or may not meet) play at that level. Resulting in all sorts of security measures being applied everywhere ‘in’ the OSI stack itself [as a quick Google shallows shows] for safeguarding these criteria at lower levels; lower in the sense of below the Meaning level i.e. A and down.

Because, the CIAEE+P (as partially explained here and here) regard quality criteria in order to ‘have’ appropriate data as medium in which Information may be seen, by interpretation, and by letting it emerge from it. (Sic, times two.) Above which we might, might possibly, even have Meaning getting attached to Information. (Big Sic.)

Oh, and, the even-below P-level implementation I’d relegate to the, usually not depicted, physical not-comms-box-but-signal-source/destination physical objects of sensors and actuators… Obviously.

So, all the Security in the picture regards the quality criteria, and the measures taken at all levels to enhance their achievement. Enhance, not ensure. Because whoever would use ‘ensure’ should be ashamed of their utter methodology devastation.
And, to be honest, there is some value in having measures at all levels. Since the grave but too common error of doing a top-down risk analysis would require that. And a proper, due, sane, bottom-up risk analysis would still also have this, in a way.
Where the conclusion is: Requirements come from above, measures to enhance meeting any requirements, should be built in as extensively and as low down as possible, only extended upwards as needed. Note that this wouldn’t mean we could potentially do without measures at some level (up), since the threats (‘risks’) would come in at intermediate and upper levels, too, not having been taken care of at lower levels ‘yet’.
Audit, well… just checking that all is there, to the needs whims of apparently unintelligent requirement setters…

I’ll leave you now; comments heartily welcomed…

Maverisk / Étoiles du Nord