T-Rend Not Found

[How to call this, politically correct..?]

Uhm, would anyone have a serious overview of security trends as they unfold this year ..? So far, there’s nothing but a handful of incidents. Or is my memory just insufficient …

Anyway, I’d really like to at least have some classification scheme whereby we can bin various news items. “Antivirus is useless since it’s reactive and too slow for the rapid morphing of fingerprints” versus “Heuristics and profiling [secondary signatures?] solve this, as does upping the effort; unprotected neighbours go down first, please” would go into the Basic Endpoint Protection bin, for example. Privacy would be a similar bin. But who has a useful (sic) partial taxonomy or tree ..?

Frameworks, the inventions for …

[Sturdy volume, i.e., Rotjeknor]

… for hanging.

Most unfortunately, after the demise of SOx et al. (as in this and many other places) there still hasn’t been a decline in interest for ICT management frameworks.
Which is bad, because

  • The Odies of this ICT management world, that is, both the ‘managers’ themselves and all the hangers-on like consultants, internally and externally, compliance freaks, auditors, etc., will still require yet more implementations of ‘new’ frameworks that, luckily, are so much blown out of proportion that their giant bubble content has diluted to a level both easily implemented and ever more quickly demonstrated to be failing the achievement of original objectives. Much ado about nothing.
  • [But after so many rounds of failed framework implementations, why a. do you not realise that it’s stupid to even try, b. do you not fire all that were involved as they apparently didn’t deliver ..? The latter, as continuous renewal and improvement must have been part of the implementation all along, and that hasn’t happened …!]
  • The strive for framework implementation still takes all the resource away from growth avenues, to calcification practices.

Get over it! The world has never been more unstable than [pick your most recent timeframe you consider relevant, when less than one year …(!)] … I mean ever before. [Sorry for the warped sentence; you get my drift.]
Which means that the cozy cold (!) sitting still like a rabbit in the headlights that frameworks will coax you into, will not carry the day if it ever did (do you need the spoiler? : it didn’t). By stifling any other, maybe actually innovative, useful-in-prepping-you-for-tomorrow projects as they get implemented, and afterwards in particular if they’re successful.

Would I hence advise to use frameworks?

  • I don’t, if you’d want to take them as more than rough guidance. Use your brain! Frameworks are what they are, they’re not filled-in voids in between.
    And/or I can, and want, to help.
  • I do, if you want to crucify yourself (sic) on them. Not trying to be harsh, but good riddance.

OK, now have a look at your own industry. Finance including (ever more) central(ised) banks, anyone ..? Ever more attempts to regulate, to smother in totalitarian bureaucratic control …? And still wondering why and how the disruptive greenfield ops take over?

Straight

Was triggered by this:

That is in front of this little post: 15k infections is only 0.001% (a 0.0001 fraction) of all apps installed, that have malware. So, ruling out that you install anything remotely rogue or hacked-for-free-download, the risk is negligible.

Which is why we may ask why anyone would care. After all, for pennies we can have antimalware and not bother anymore, so we should care even less… which is when it gets interesting. Je vous présente… the attack vector of three years from now, when everyone will have forgotten about it.
For now, I’ll leave you with a picture. Of course.
[No wuss consin, by FLlW]

Mehhh Practice

[Mehhhdrid?]

This appeared:

Nicely summing up a widespread complaint. E.g., against ISO 2700x. One should be forbidden to call those ‘Best’, as they are average, at best.
Because they’re adopted by the ones with no imagination of their own so implementations will fall short of average, thus in mass lowering the average even further.

And Best has never been Best in the first place. ’Twas a compromise, as it had to cover so much, over so many contributors at its inception already. Remember BS7799 ..!? And on and on in review rounds, committees decided over changes. A camel is a horse designed by a committee. And it all had to be applicable to as many industries as you can dream up. Another flattener par excellence. Standards work where there is little variation required. Here, much variation, tailoring to each and every implementation over and over again, is a prerequisite for any success. I might continue.

Luckily for you, the new ISO27001:2013 of last October is a huge improvement… To the panic of the knights of busywork, one cannot anymore rely on following the herd as described, prescribed, because, at last, the prescription tends to Use Your Own Brain. Principle-based at last ..! For some elements. Tuning required, not by the (C)ISO (office) (only), but by the Business itself. Oh dear! The implementation efforts… Consultants’ dreams.

Well, get the lowdown of this, from experts [disclaimer: don’t own anything of them]. Just wanted to post the tweet and my take on it.

TL;DR on TLD (or 5LD)

Ah, yes, let’s not forget to add the biggest Quod Non of the decade to our list of subjects for the redevelopment of information security / information risk management / risk management / management of risks / management ‘book’ forthcoming.
Indeed, three lines of ‘defense’ will be in. As well as the extension to five lines of defense. Which will all not work, and will all just add to the culpability of those proposing them, as they must know better or declare their incompetence at an even broader scale and abstraction layer.

Because, and here I repeat myself, and many others, how can something help defend when it’s not between a threat and a vulnerability ..!?

[Dee An Bee]

Because I already discussed this in the past (way back, couple of months ago (final one)), and will discuss in all detail in the overall Book (white paper) on the above subjects, I’ll leave it here. For the believers in the idea: Full speed ahead into the blind alley …!

InfoSe€€€

[Infra to use, to protect]

On then, with the dream of rational (i.e., ‘cost-effective’) information security control selection. Apart from the definitions, distinctions and boundaries between operations management, information management, data management, information security, IT security, business continuity management, etc. – I don’t really care, they all end up with the same sort of ‘risk analysis’ quod non (see earlier posts, the most prominent being this one) and a sort of afterburner about weighing costs versus benefits of controls to be put in place. Nothing on all the stuff I discussed in that prominent post; the time-sensitive chances, impacts and effectivenesses of threats, vulnerabilities, controls individually and in interactions, feedforward and feedback loops, the enormity of lack of reliable data and the overwhelming noise and error this introduces into any calculation.
And nothing on how one should go about estimating the costs of controls vis-à-vis their effectiveness. Because that’s even harder to do, when one has continuous but very often hardly-quantifiable costs of controls individually let alone in conjunction with others (all with costs varying in time, again, too ..!).


Awful wareness

A shortie, once again. Through

I was triggered to add some Awwww areness sauce to my previous snippets on security. Will do. Pete Herzog’s idea in

will also get a place.
And an archi pic for your viewing pleasure:
[Gran Via, what else]

Maverisk / Étoiles du Nord