Category: Information Security

The logic of automated decisions;
ransparency through audits ..?

Not bashing, nor FUDhyping…
Was triggered by various treads, e.g., The Book on the subject (or, het boek in Dutch), and scores of elucidation (yes. be happy finally there is some truly) from the legal perspective, on GDPR article 15.1h and article 22.

The latter two not being conclusive, however. They are about requirements of transparency on the logic underlying automated decisionmaking. But there is no clarity about how deep that should go. Will “Hey your data is processed by some AI system [literally, factually incorrect statement because it’s only Machine Learning at max, today; does that construe a false statement i.e. fraud ..? ed.] and even we the builders ourselves have no clue what goes on in there – that’s the whole point of using it besides being able to fire a great many inherently expensive humans and we don’t care the least about the biases and other grave errors of the system it works fine for us!” be acceptable? Hint: No. Will “Oh it’s so intricate that we, let alone you, have no clue when looking at the audit trails that the system generates” fly? Same hint.

Because here, we see a new area developing for IS auditors: Auditing ‘AI’ [quod non but read ‘ML’ and you’re good; ed.]. As IS auditors are (supposed to be, I happen to know a fair share of peers … etc.) the experts in gauging systems functioning qua .. reliability overall, too. Which goes way beyond mere C-I-A but still, has Always been part and parcel of IS auditors’ education, right ..? I will come back to you soon, with more definitive info on how IS auditors should go about this all.

Oh by the way yes I did already notice that the more the system in scope behaves, and is constructed to behave, intelligently like the average (sic! statistically you have zero reason to put yourself above that! oh wait you read my blog so you are definitely, way off the right end of the scale) human, the more the audit will have to be like we audit humans today. Uniting psychoanalysis and explicit rules on paper (in procedures, algorithms et al.), very dogue much fun.

Plus:
[Though a flat, and has iron, legally misidentified as flatiron …; NY – Pic tilted to fit in the pic frame of course]

Self-driving my a..uto mode

What was it; that car company we’ll call ‘T’ as we don’t want their lawyers’ badgering, claimed the EULA on the self-driving of their cars required the auto-mode to only to be allowed when on reasonably straight roads in reasonably light traffic with full oversight always.

Apart from that being no driving fun whatsoever, and no help whatsoever in ‘normal’ (other) conditions, I have a question: Why use the system at all, then, when already I have cruise control and Mk.1 eyeballs for such circumstances and do nothing but steer lightly ..!? What improvement from ‘steer lightly’ to ‘not steer at all but always be ready and alert to’..? You’ll never be allowed to text while driving or binge-watch ‘flix while in traffic jams anyway. Is that worth all the trouble, hassle, and hype ..?

No it isn’t. It’s more like ‘cybercrime insurance’ (#ditchcyber) – when you apply all rules, you don’t need cover (and have none for the risks accepted or new in the first place) / don’t get any help from auto-mode; if you don’t, you lose all cover period

So, better get better auto-mode, without the circumstances-requirements and without the EULA extortions. Or, drop the whole idea and get on a bus.

Which may also beget auto-mode… ;-|

Oh, and:
[“Look mummy no hands!” would really take out all the fun…; Baltimore thank you sir for not jumping on the green light to enable me to take this pic]

Compare the innovation fruits apples and oranges, please

How is it that long-standing discussion-stoppers persist ..? Take, for the sake of argument and for reason of being the raison d’être of this post, the common “One shouldn’t compare apples and oranges”. Or ‘with’, or ‘to’.
What fun is there in comparing apples to apples ..? Since various species are still very much alike, the attention will go to the, certainly relatively, minor differences, losing the bigger picture. Even when including crabapples, mostly it isn’t worth the trouble. Except for a few experts.
Entrat oranges.
They are so different (Well, overall; there’s also many commonalities like being in your fruit salad with other fruits like tomatoes oh wait) that at once, both the main lines and subtleties of differences can be discussed. Because one compares to discuss, right? If not, just don’t compare anything and sit there like a plant.

Actually, this whole post is about the realisation that in business or other organisational life, we should do both when it comes to innovation. There, tradition has it that one competition in the apples-only markets. Slight differences are sought out, and marketed, as significant whereas usually, they’re not.
Until some orange disruptor appears. Then suddenly, the picture changes – for proper anaylsis, one should compare the apples and oranges, to see how they fit market demand including substitutes et al. And do follow that link to see at which touch points the surprise element rests. Or so.

Just sayin’. And:

[A morning’s comparison of premier cru and grand cru grapes, from Ludes towards Reims, is definitely worth the fine nuance ..!]

Fighting the Fifth Estate

The Fourth Estate it was called, before it succumbed to sycophantry and fake news. The journalistic world, that by its moral code and behaviour cleansed the news so that the trias politica, and the populace, could do its job of monitoring and correcting each other.
Now that the fourth is no more (effective) [edited to add: some holdouts, like Bellingcat], but the Fifth is (Facebook, Google, … the Frightful Five), one might need extra resources to get the first few scratches of control back.
With this little device. An anti-bug. Not preventative yet, but detective with resilience against detection. Counter-intelligence.

Oh this was just a HT to the developers. And BTW, any half-decent TLA would support these guys [edited to add again: Bellingcat], for their adherence to lofty principles does in fact align with the ultimate, ulterior purpose of any country’s TLAs. Only the stupid will fight against noble straight-backs.

Oh and:

[Yes even HMs GCHQ would, in principle, concur. Or, they work for the Dark Side; London]

AI Blue-on-Blue

We keep on hearing these great things about how AI will help us in the battle against no-gooders qua information security. Like, in hunting for bugs in software (as asked for here, borne out in various much more recent cases or rather, news items hinting at pilot prototype vapourware) or hunting for fraudsters, possibly hiding in plain sight (superrrintelligent anomaly detection; unsure how false positives / false negatives are handled…).
Where on the Other side, great strides are also feared to be made. Deploying AI to improve (better fuzzify) attack vectors, and help with improvements in evasion and intelligence gathering in various other ways.

Pitted against each other …
When you know what Blue On Blue stands for (first of this), you will now see it coming, inevitably. What if autonomous (for speed of response!) retaliation kicks in …?

Never mind. I’ll like the fireworks show. Plus:

[Yeah, yeah, ships are safe in harbour but that’s not what they’re made for – I’ll just enjoy this view from a truly excellent restaurant; Marzamemi Sicily]

Stochastic culture (change)

This ‘personal research’ hobby of mine had taken me into the ‘From Security Awareness all the way to Behavioural Change’ alley(s).
Where it got stuck. Among others, through the realisation that ‘culture’ as such doesn’t exist, certainy not within larger organisations. Local cultures, yes. Overall cultures … maybe as the most degenerate common denominator; the more numbers you throw in a basket, asymptotically but very fast the common denominator will come crashing down to 1.

In infosecland, it’s worse. To actually adress and change the oft unconscious parts of personal culture (behaviour), one has to move away from organisation-wide awareness training ouch if you call it that, all are lost – into the realms of individual coaching, for each and every employee.

But then the stochastic cooling of particle physics rears its head, as a phrase that is. Can we somehow differentiate the to-be-learned from one-size-fits-all into separate sets of behaviours to be rote trained (in practical use; experienced) so the sets become unconscious behaviour(s), and then overlay these transparent sets [Remember, the ‘sheets’ you could stack on an overhead projector? You don’t – even know from a museum what an overhead projector is… Oh. ed.] over the organisation populace, according / in relation to the expectance to need such behaviour ..?

I’m rambling, as usual. Anyway:

[Not all grapes are evenly grown, still great wine is made without stochasctics…; Valle dell’Acate]

Deviate for Resilience

Well there’s an imperative. Deviate for resilience. Which goes waaay beyond mere ITCM or its linkage into BCM. What I mean here, though, is a reflection from the B side into the IT side.
Once encountered when it was still supposedly somewhat ‘cool’ (as it was called in the grandpa’s days) or so to work on … can you believe it, $AAPL infra. Where the Infosec staff had carved a corner for themselves: That they’d actually need to deviate from corp policies (the devolved kind) of using M$ stuff for alibi reasons of needing in ITsec par excellence, a fall-back that would actually work when all of the M$ infra would’ve collapsed due to some class breaking glitch exploit. Yeah. That meant that you did need a substantial budget to your own discretion without much transparency towards effectiveness of spend and no gadget and toys buying, right?
Nowadays, the coolness if ever it truly was (stupid sheeple), has worn off totally and is a tell for no comprendre qua cost/benefits analysis, sufficient tech-savviness to cut it in today’s world, and forward compatibility even to the cable mess (costing you tons). Predicting which unicorns will succeed, or fail, is easy; the former are on M$, the latter on … you guessed correctly. Nevertheless, the resilience argument still holds.

Which goes beyond the mere platform choice. It goes for global/local deviations as well. IF yes that’s a big if, if done right, not for NIH purposes (both ways ..!) but for resilience purposes. It’s not efficient to the max, but if you strive for that, you’ve done so much wrong already it might be irrecoverable. E.g., mission, organisational culture, risk management (incl analysis), control choices and implementations (case in point: multiple malware scanners), etc.

But remember: When done right, you very probably do need to deviate all over the place for resilience…

Just remember that to defend yourself, OK? And:

[If telecom fails due to clock synchro errors, it’s still a sun dial (really it is); Barça]

Your security policy be like …

The theme of your security policy and how good it is (not), is of course a recurring one. The recurring one, annual cycle (Is that still frequent enough? Yes if it’s truly a policy like here) included, with an all else follows attached. But then, it’s only Bronze when only a top-10 bulleted list extracted from … ISO2700x, mostly. It’s Silver when actually compliant in all directions, which includes serious ‘local’ adaptations…
And it’s Gold, when over and above that, it looks like this.

Not even kiddin’, really. Since your information security policy, next to the other security policies …, covers all of information of any kind and medium processed anywhere in the business. Which means that the from-IT angle will very probably not suffice.
But which also means that it helps when it rocks, in ways that interests all of your audience which is all of your colleagues including all colleagues at outsourced, cloudsourced and what have you processes and lines of business. Transparency, right ..? Runs all the way down the food/supply chain.

Indeed, the maturity of a company may be gleaned from the maturity (rocks’iness) of the information security policy. Get that right, and all else need not follow since it has gone before.

And oh, did I mention that in the implementation, resilience should be built in and not only be through formal (for-) BCM practices ..? I’ll return to that tomorrow. Plus:

[Lightning (-) rocks (pavement), too; Ottawa]

Shadow IT – no problem

In the upheaval of the last decade or so on the rush to the cloud (no, not that cloud though rush-related), a similar development preceded it – and still runs on. It is the spectre not only hunting Europe (and certainly the deviant [all manners? ed.] off the coast, splitting but not drifting away like an Iceberg would. should…), but everywhere else as well, the spectre depending on who you ask of Shadow IT.

Which is facilitated through XaaS (SaaS/PaaS/IaaS/…) availability. But which hardly ever is allowed… — allowed through being compliant with organisational standards. From anyone’s perspective but the IT club’s, it is not about breaking the in-house IT vendor lock-in barriers. That were breached becaused the bounds were straight-jackets. Don’t try to break those, just sneak out the back door. But it’s about the latter, seeking what wasn’t provided in-house on one’s own account, previously not having been ‘allowed’ but it was IF the solutions sourced, complied with the security (mostly) requirements set at the organisation-wide level, and set from the business side of the organisation.
Controls in or out of IT, required by IT to be implemented elsewhere, are about the particular IT solutions chosen. Solutions to the problems identified in control objectives and controls, always having alternatives in the latter. So, when through these IT-dictated controls, your preferred solution cannot be made to fit (or only near-unusably awkwardly so), they do allow you, even in a sense require you, to go for shadow IT.

Which, hence, is permitted If ad only if being (security) controlled at at least the same level of control objectives achieved. So, some department might have to re-build all of the IT department’s load of overhead qua systems management, all of ITIL or even CObIT, all of … wait, not ISO 2700x – that is an organisation-wide thing already or it is of fact a crappily implemented thing. So covers the shadow IT as well, fitting in the latter under the umbrella of the former. That’s where the battle would need to be fought, if at all since the shadow runners may very well have done a good job at running an outsourced-portfolio coordination team, neatly sheltering under the umbrella already. Showing the IT department how that’s done.
Possibly [hey I’m over-using the em-tag or what; ed.] doing it both proper and cheaper. Usually doing not the former, hardly the latter and certainly not the latter if the former is corrected. But sometimes, showing how; when IT told them that was impossible, they just did it. As good / better, and cheaper. Yes you can, to paraphrase some sorely missed leader.

In the interest of the organisation, sometimes shadow IT should be the preferred solution direction…
I’ll stop now before angering too many. And:

[The (black) details, are they essential? In a way, but could they be different or would you have chosen these in the first place …!? Prague]

Copying it bluntly, for you

Just like that, a full page of niceness and arguments to consider. Guess which one I’m switching to. So should you. Competition, leading to improvement.

Maverisk / Étoiles du Nord