OSSTMM Perimeter ..?

Just a note; was struck by the OSSTMM approach towards the structure of infrastructure. [Disclaimer] though I am quite a fan of the OSSTMM approach (and do want to write up tons of whitepapers linking it with my ideas for moving forward in the InfoSec field without having to revert to #ditchcyber bla), I feel there’s a snag in it:
The analysis part seems to still take a perimetered, though onion, approach. The Defense in Breadth is there, for sure, but still the main (sic) focus is on the primary axis of the access path(s). Does this still work with the clouds out there and all, focused as they are on principled agnosticism on where your data and ‘systems’ might hang out?

OK yes now I will go study the OSSTMM materials in depth to see whether this is just my impression and I’m proven horribly wrong, or …

So I’ll leave you with:
[Hardly a street, next to Yonge]

Note: M$ is just a vendor

Microsoft declared the era of XP finally over, amongst others by not providing fixes in Updates per May 13 (not a Friday, but close).
Markets (user base out there) declared Microsoft to be just one vendor among many, not to dictate anything but to deliver at want, at need. No more. They did so through continued use of XP in oh so many machines, of the general-purpose computer type, and in embedded systems et al. Microsoft weighs, the user base decides.

And, of course:
[A sunny pic of Ståckhølm]

Not news, still suppressed?

Why is it that this paper on chip-and-pin fraud hasn’t gained much more attention in the Netherlands ..!?

Maybe because NL has only just sort-of completely switched off the magstripe to EMV.
Which, even before its comprehensive roll-out here in NL, was known to be weak. Years before. And still no-one took action.

A picture for your efforts. But (payment) industry, you fail with a big F again.
[London temp, also years back]

Cybersecurity, yeah!

This is how you do it:
[As spotted in Voorburg. No, not ‘shopped a single bit.]

Yes, indeed, this is how your ‘cybersecurity’ (#ditchcyber ! #wegmetcyber !) compares to the real deal. But hey, if you want to believe you’re up there with the Big Boys, go ahead. I won’t stop you from your own make-believe. At kindergarten.

CIAAEE+P

Privacy came to the fore last week, at a very interesting ISSA NL event.
Where we discussed the prevalent Confidentiality-Integrity-Availability approach (where impacts mandatorily regard the data subject(s), not you the processor, as the data subjects are legally the owners of their info …!) and whether those three actually cover privacy aspects sufficiently.

Well, we did conclude that for now, CIA is ‘still’ the common denominator. But … hey, Auditability might be added, as that’s a sort-of requirement throughout privacy protection. And Effectiveness and Efficiency – of the data handling! – have a place as well, being representative of proportionality and legal-grounds-for-the-privacy-sensitive-data-handling-in-the-first-place (i.e., real purpose / purpose limitation!); if you collect more than very, very strictly necessary, you’re culpably inefficient in a hard legal sense, and at least part of your data handling is not effective.

But should we add Privacy as yet another factor ..? Does it have value in itself? Initially, I thought so, as the common CIA somewhere will always have lost its connection to information value, e.g., through the Bow Tie effect and other deviations (lagging) from modern developments.

Which I’ll discuss below. But now, first, an intermission picture:
[Yup, Whistler]

So, as said, Privacy may be covered by CIA. But, … with specific deviations of interpretation.

Can’t have your cake

I guess you can’t have your space cake and eat it over your keyboard.

If only they’d hire me. I bring [1337 hacker skillz and dope use] negated; not-fully and absolutely none, respectively.

But then, …:
[Beeb]

Aweariness.

Tweeks ago, at this successful! symposium, I noted the developments in the Awareness side of our IRM business. Multiple speakers were onto the subject without hesitating to move beyond the mere annual poster campaign for awareness, and moving into the daily-normal subconscious behavioral change work that was for a long time so much lacking. From ISO 2700x as well.

Which of course is a very, very good thing. Before the 80% of hard work in IRM as such (after discounting the first 80% in hardcore information security), the 80-100% of effort should go into this socio-/psycho-/behavioral fluffy stuff that yields so many benefits and returns. Though we ‘still’ may not be good at it, at least there is development, and leading examples. Thanks, speakers, for that; and for now:
[Your guess. No, not Paris, Reims; not even Strasbourg and that’s a hint]

Who has your back; who’s up your back side?

Depends on how you foresee the world’s wheels of fortune turn…:
[Plucked via some byways from this originating site. Worth a visit!]

But beware … Things may change rapidly.

The enemy from below

I know, I’ve been guilty of it too. Thinking, tinkering, and musing about all sorts of abstract risk management schemes, how they’re a giant mess, mostly, and how they could be improved. Here and there, even considering a middle-out improvement direction. But mostly, ignoring the very fact that in the end, information risk management hinges on the vastly complex technological infrastructure. Where the buck stops; threat-, vulnerability- and protection-wise.

A major (yes, I wrote major) part of that low-level (Is it? To whom? It’s very-highly intellectual, too!) technological complexity is in the trust infrastructure in there. Which hinges on two concepts: Crypto and certificates. In fact, they’re one but you already reacted towards that.

For crypto, I’ll not write out too much here about the wrongs in the implementation. There are others doing that maybe (sic) even better than I can.
For certificates, that hold the crypto keys, the matter is different. Currently, I know of only one club that’s actually on top of things, as they may be for you as well. Yes, even today, you may even think the problem is minor. Since you don’t know…

Really. Get your act together … This is just one example of how deep, deep down in ‘the’ infrastructure, whether yours or ‘out there’, there’s much work to be done, vastly too much complexity to get a real intelligent grip on. How will we manage ..?
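The post says the certificate problem looks minor only because you don’t know what you have. The Go program below is an added example, not the author’s code and not any product the post refers to: it walks a PEM bundle (a truststore or chain file), parses every certificate with the standard library and flags what usually goes unnoticed until it fails: expired or soon-expiring certificates, undersized keys, and weak signature algorithms. The thresholds (30 days, 2048-bit RSA, 256-bit curves) are a hypothetical policy, and the three self-signed certificates it audits are constructed sample data generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one hygiene issue found in one certificate.
type Finding struct {
	Subject string
	Issue   string
}

// Policy thresholds: assumptions for this example, not taken from the post.
const (
	minRSABits = 2048
	minECBits  = 256
	warnWithin = 30 * 24 * time.Hour
)

// AuditCert checks one parsed certificate for expiry, weak keys and weak signatures.
func AuditCert(c *x509.Certificate, now time.Time) []Finding {
	var out []Finding
	subj := c.Subject.CommonName
	switch {
	case now.After(c.NotAfter):
		out = append(out, Finding{subj, "expired " + c.NotAfter.Format("2006-01-02")})
	case c.NotAfter.Sub(now) < warnWithin:
		out = append(out, Finding{subj, "expires within 30 days"})
	}
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < minRSABits {
			out = append(out, Finding{subj, fmt.Sprintf("weak RSA key: %d bits", k.N.BitLen())})
		}
	case *ecdsa.PublicKey:
		if k.Curve.Params().BitSize < minECBits {
			out = append(out, Finding{subj, "weak EC curve: " + k.Curve.Params().Name})
		}
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		out = append(out, Finding{subj, "weak signature algorithm: " + c.SignatureAlgorithm.String()})
	}
	return out
}

// AuditBundle audits every CERTIFICATE block in a PEM bundle; non-certificate
// blocks (keys, CSRs) are skipped and a bundle with no PEM at all yields nothing.
func AuditBundle(bundle []byte, now time.Time) ([]Finding, error) {
	var out []Finding
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return out, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		out = append(out, AuditCert(c, now)...)
	}
}

// selfSigned builds a throwaway self-signed certificate: constructed sample data
// standing in for whatever a real truststore would hand you.
func selfSigned(cn string, notBefore, notAfter time.Time, smallRSA bool) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	var pub, priv interface{}
	if smallRSA {
		k, err := rsa.GenerateKey(rand.Reader, 1024) // deliberately undersized
		if err != nil {
			panic(err)
		}
		pub, priv = &k.PublicKey, k
	} else {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		pub, priv = &k.PublicKey, k
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is the constructed input: one healthy certificate, one expiring
// in ten days, and one that expired yesterday on a 1024-bit RSA key.
func SampleBundle(now time.Time) []byte {
	var b []byte
	b = append(b, selfSigned("ok.example", now.Add(-24*time.Hour), now.Add(400*24*time.Hour), false)...)
	b = append(b, selfSigned("soon.example", now.Add(-24*time.Hour), now.Add(10*24*time.Hour), false)...)
	b = append(b, selfSigned("old.example", now.Add(-400*24*time.Hour), now.Add(-24*time.Hour), true)...)
	return b
}

func main() {
	now := time.Now()
	findings, err := AuditBundle(SampleBundle(now), now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-14s %s\n", f.Subject, f.Issue)
	}
}
```

Run with `go run` and it prints one line per finding for the constructed bundle; point `AuditBundle` at the bytes of a real chain file or truststore and the same three checks give you the inventory the post says most shops lack. The point of fixing `now` as a parameter rather than reading the clock inside the audit is that the result is reproducible and testable, which is what turns a one-off look into something you can run on a schedule.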

And, of course:
[Showboating tech, London]

Maverisk / Étoiles du Nord