Category: Information Risk Management

Top 5 things that Awa isn’t

When dealing with awareness, certainly in the infosec field (#ditchcyber!), there seems to be a lot of confusion over the mere simple construct under discussion. Like, the equasion (with an s not a t) of Awareness with Knowledge plus Attitute plus Behaviour. Which, according to the simplest of checks, would not hold. Since Knowledge, and maybe Attitude, are apt components. But Behaviour is what eludes the other two, by the unconscious that drives 95% of our behaviour, in particular when dealing with any but the most hard-core mathematical-logic types of decision making and interaction.

Which is why so many ‘Infosec awareness programs’ fail …
First of all, they’re Training, mostly, even when in the form of nice posters and QR cards [that’s Quick Reference, not QR-code you history-knowledgeless i.e. completely clueless simpleton-robot-pastiche one!], and it’s true that “If you call it Training, you’ve lost your audience’s want to learn” – your audience will figure out it’s Training despite you packaging it differently; they needn’t even explicitly but intuitively (the level you aimed for, or what?) they will.
Second, all the groupwise that you do, doesn’t reflect in-group dynamics at the actual workplace and work flows, nor does it reflect the actual challenges, nor the individuals changing moods (attitudes). Oh the latter: Your attempt at changing Attitude is geared towards A in relation to infosec but that’s only such a tiny, so easily overlooked and forgettable part of the A all-the-time in the workspace.
Third, and arguably foremost, to plug ‘arguably’ as a trick’let to appear more interesting, What you aim for is not blank flat knowledge, nor even attitude, but Behavioural change. Do you really use the methods to achieve that ..?

No you don’t.

Oh and of course I titled this post with something-something 5, to get more views. Geez, if you even fell for that… And:

[Your kindergarten Board wish they could ever obtain such a B-room; Haut Königsburg]

Ten reasons quantum crypto will not

There may be more reasons that quantum crypto will not protect you against those evil villains out there, as suggested here (in Dutch) but quod non!!! (as I said; in Dutch ;-| ), for the not ten but one single reason:

When ‘hackers’ will not be able to access your comms when you will be using quantum crypto, so governments will also not so forget about it you will be jailed for life for using quantum crypto in the first place and also you are the most suspect of all and if still you’d try to use it, you will be whacked off-line … and your house raided, etc.etc. Because this.

And because, however clever you might think you are, obviously in vein, there will always be the ‘endpoint-to-you gap’ where parties may intervene.

Or they put a gun to your head. Good luck refusing.

And governments will restrict to their own comms; the most powerful one grabbing the scene and leaving all of the rest in the dust. And IF you believe their beneficial ethics, well you just removed yourself from serious discussion.

Anyway:
[Drone with too much tilt shift, or ’70s display scanned from an (actual, physical) slide..? (mine; ed.); <undisclosed location>]

Nudge, nudge, wink, wink, know what infosec behaviour I mean?

Am working on an extensive piece, a long-longread, on as many aspects of behavioural change towards true ‘secure’ user behaviour as I can cram into text. I.e., moving beyond mere full ‘awareness’ as phases 2/3 of this, to phase 4. Strange, by the way, that there is in that no end ‘phase’ or cycle in which one finds out to have been in phase 4 already for some time but didn’t notice and now forgets just as quickly as that seems ‘logical’.

But back to today’s subject, which is the same, but on a tangent. My question to you dear readers [why the plural, or >0 ..?] is:
Would you have pointers to (semi)scientific writing on the use of nudges to (almost)stealthily change (infosec-related) behaviour ..?
I could very much use that. Other sectors of human behaviour influencing studies have ample info on the effectiveness of such nudges, but for infosec I’m still with Googlewhack-like results.

Thanks in advance… Plus:

[The ways to seek prosperity from misery; EPIC Dublin]

Knitting against Cyberrrr…

This here piece, being the explanation why hiding in plain sight beats overtly-crypto tools. Quite enough said, right, apart from the note that the solution is a form of arms’ race flipping, as predicted. Would only wonder (again) how many cat pics out there, have stego messages, and how many TLAs are constantly scanning all Pinterest- and others- uploaded pics for nefarious content. Where the sheer volume created by innocent users, helps the bad guys (girls…!) to escape (timely) detection, or what?

Maybe sometimes human interaction can still help, like with this. Of quite another category but deserving massive global support nevertheless. Can ABC’s and Facebk’s image recognition engines be sollicited, or are we looking at the hardest pics still eluding the strongest AI-yet ..?

Back to knitting-style help it is … And:

[If you recognise this’ your country, you just got an interesting PM story… (truly congrats)]

1. Train like you BCM

Isn’t it strange that one of the most prominent success factors of Business Continuity Management, actually training for eventualities of all kinds and sizes, is so little done?
Or has the basic tenet Train like you fight, then you fight like you train been forgotten?

Or not even learned in the first place. Shameful.

And, by the way, it’s true. When you train (well, as serious as if you’d actually be in a ‘fight’ for survival), you get experienced. Surely no trained scenario will play out in the unlikely event of an emergency of any kind that your BCM aimed for, but you will be experienced to handle such unknown situations, be flexible, and have the acumen, courage, and wit to come up with a solution, no sweat, right ..? Because you know you can, no sweat, and hence, clear thinking about the right things.

So, … have fun shooting down the bogeys. And:

[Hey,, that’s a pic from a scanned slide (physical, Kodak), of the bitches of South, at Twente (no more)…]

Stay put while moving your address

Lately, there were a number of times I was reminded that for those that still use email (i.e., the overly vast majority of us!), some email addresses have been more stable over time than mere snail street addresses. And, with the different use of email versus the type that it was (derived-)named after, quite some times your ‘stable’ email address is harder to change. Where moving physical home address will easily redirect your mailman’s delivery for a large sway of services (utilities, subscriptions, et al.), such service doesn’t necessarily exist for email.
Not strange. You can move house and then take your email with you. Come to think of it, this is part of the greatness of the OSI model, right?
But strange. Try to ‘move’ (i.e., change) your private email address, that you use for innumerable websites, affiliation subscriptions, socmed profiles, etc.etc., and … you’re hosed. In particular, when you don’t have access to your former email address e.g., when switching employers (wasn’t a good idea to begin with, even in about-all of the world where using company equipment still leaves you with all privacy protection you’d need, excepting the corner of the world that their figurehead took out of the world’s developments so will revert to backwater, developing country-terrain), the confirm-change email may be unreachable as you can’t login to your old mail account… No solution provided anywhere.

So, as easy as it should be to move physically and have your physical address changed in public record systems, as easy it should be to keep some email address(es) that are used to identify you in person even when you’ve moved ISP…
Question to you: Is this covered under the “Must be able to move” hardcore requirement always under the GDPR..? *All* data should be coughed up in a machine-readable format to be processed in similar manner by some other service provider. That goes for email services too, automatically, so how will the (your!) sender/receiver addresses still be valid when you’ve moved ..?
If the latter works, then any service provider ID in your email address must work on any other provider’s systems, or your former is liable for up to 2% of global (sic) turnover. Quite a (damages avoidance) budget, to make things work…

Oh, and:

[Take a seat; not your address of any kind; Dublin Castle]

The Legend of Knuth the Agile

Once upon a time in a land far, far off-shore to today’s centers of economic, political of civilised-society gravity, before DevOps was a thing even, there was a great algorithm champion warrior named Knuth. Unlike his fellow programmer clansman, that coded for fun and profit deep innovation and peer recognition [f&p came only decades i.e. ‘centuries’ later; ed.], in a world that was barren of bad code but still inhospitable to what later would become hero geeks and nerds (for whom this was still obvious), Knuth was just that little bit less quickly-footed in his subject matter, earning him the nickname The Agile, just to deride his profound work.

Because, you see, he was a man of honour and clean algorithms, two things that in his days were nearly the same. And he was in favour of solving things with fundamental parts. Not ‘process steps’ or so – how would he laugh at those that propose that, these days. Nor happenstantially bundled ‘sprints’ of fast (hacked, in its profound meaning) coding – though extreme coders live on here and there, not given the honour and credit they deserve.
But real, standardised, tried and tested (even in a semi- or fully mathematical way) logically consistent actual process steps. But then, he understands that the real warrior body (brains) belong only to those that have honed the warrior spirit, have grinded and polished their skills over decades to shine like blank sheet metal of the finest alloys. So, not like ‘hey I had this one-year (??, mostly one-week or so ..!) course in agile programming now I’m a l33t h@x0r’ kind of pre-puerile nonsense.

Well, dear readers, you know how times can fly and how reputations can change overnight. So it happens that his nickname suddenly meant something else. No more poetic escapes of sparse code and clean, logic-based algorithm library linking and calling/returning at the side of the waterfall. development method. No more re-use of the tried and tested. No more frozen waterfalls at all, due to scope creep leading to progress-temperature drops to zero and below, leading to icy atmospheres where nothing works anymore. No more basic weapons training of even knowing how to deploy re-usable code and algorithms…
All we have now, in these days with no more heroes (but the baddies are still out there, everywhere), is/was faint attempts at “patterns”, being of course the latter-day devolution of the very algorithms that made Knuth the hero he was. Is.

And then, DevOps came to the scene. If only Knuth were still in his prime, he would know what to do

Plus:

[Only in such art is extremely precisely applied sloppiness a virtue …! Gemeentemuseum Den Haag]

Chasing the GDPR hippo

As I was reminded of the ‘Kill the Hippo’ meme, I realised its application is valid in specific circumstances, too.
Where the Hippo is of course here. And the application that I was thinking of, is here.
Not this one, that may stay where appropriate (which is much less than always)…

No, your Usual Suspect isn’t the CEO or whatever, and suggesting the CISO is just a pun, but … the lawyer(s) involved…
All you have to do, is take a look at their billing rates. And at the hippo-original abbrev meaning (sometimes, even the original meaning outright qua looks but in the most-expensively-dressed-in-the-room version, hopefully?) — pointing at the need to not listen to them as the most effective way to deal with the issue(s) at hand since they may on occasion (50,1%++) have the least useful insights to bring to the table…

Oh well. I’ll leave you with:

[Dead straight, according to your lawyer. Cromhouthuis Ams]

Where’s F Fatigue ..?

Considering the fatigue seen everywhere re fake news, about all that is out there is called into question.
Which led me to search for a meme that just swirled into my mind: ‘Facebook Fatigue’. Boy did I think that could be quite some recent development, with the brag about ‘users’ (meant to mean ‘addicts’; the brag being towards ad salesmen as street corner suppliers, and investors as proceeds rippers ..?) being at something over 1.8B or so.
Boy was I wrong. Already in 2008 … And 2012, and 2015, and since …

When you try the same thing over and over again, and expect different results, you will!

Update later: This here; QED.

Now, where did ‘Newconomy’ go ..?

So there is hope. And there is:

[Paint your castle – is such a hass’le; Dublin C]

Effective presentations

May be elsewhere.
Recently delivered a ppt full of bullets and text [hold it; see below], to gather response and feedback. Put in quite some effort, like two days’ driving to the venue, including overnight stay, lunch and dinner costs, transport expense, sweating away at the location (the venue was only a couple of °s cooler than the 30°+ outside) with an extra night stay at the location, plus lunches, dinners, and a return trip of two days’ driving, incl overnight stay, lunch and dinner costs, transport expense, et al (sic).
For … well, not any sort of renumeration or token gift, even. Not, like, a promisingly large room turning out to be less than 40% (rounded way up) filled.

Which wouldn’t be so bad, if suitable, useful feedback had been received, or only publicity gained e.g., through (live or late) tweeting, LI mention or so.

But now, all I got was not even the T-shirt; all I got was 0. As in: zero.
Yes that’s the number of tips (let alone useful ones), or tweets about the pres (let alone far out reaching ones). I did disclaim the fullness of the slides (sic) to give impressions of all the content delivered (did not read them line by line, mind you), and yes I did before, during and after ask for feedback… Only some old hand pre-known friendlies with form/delivery compliments.

Oh well; at least now I know not to submit for free anymore. And/or, is this the beginning of the Classroom Learning Is Dead for trade conferences ..?
Yes, sponsor opportunities will make conferences et al, still feasible economically, but not when attendee rates will go down. Yes, online webinars et al are still bandwidth-challenged and most often, sketchily interactive at best – which is an opportunity for TEDx style beautifully told fairy tales but not for the ability to interrupt and, in particularly necessary very often with these kind of powering-on talks, correct huge biases, false assumptions, and certainly pastiches of logical reasoning, nor for feedback or pointer tips.

So, where are the (affordable…!) online conferences that are worthwhile to visit?
Not 2-way IRL (‘F2F’ like in the olden days of still today) but virtually – warping the meaning of the latter so far beyond its Original, and not taking it to the limit here but having only the channel un-physicalised, even; where is total two-way VR and/or AR in this ..?

Oh well, and:

[Still only had time for ‘drive-by’ i.e. walk-by tourism…; München]

Maverisk / Étoiles du Nord