WIoTables

Am I too late with this post, or are people still mixing up the Internet of Things and Wearables ..?

First, a picture:
[Rarely seen Cala, at ON]

Because we’re talking quite distinct things. Yes, there’s a crossover area where e.g., the sensors or ‘reflectors’ we wear, operate in the IoT realm of ambient intelligence.

But for starters, there’s wearables. Mostly, human-to-Matrix sensors / Matrix-to-human feedback interfaces. Hooking you up in a blue pill world. Oh yes so helpful; often providing morsels of value like Likes through displaying to all out there, mostly to trolls, your (under)achievements. Or calling attention to your slacking; business can’t wait! (You’re not essential though, by the way, easily dumped by the wayside if some human or not algorithm plays it that way).

And there’s the IoT, sensors, networks, actuators, and Central Scrutinisers (1979 mind you!!) that form the Matrix itself. Out of control, soon to be out of control of any human or (alternatively) TLA. Soon to be run by its transient Singularity.

Now, don’t make that error again!

Not news, still suppressed?

Why is it that this paper on chip-and-pin fraud hasn’t gained much more attention in the Netherlands ..!?

Maybe because NL has only just sort-of completely switched off the magstripe to EMV.
Which even before its comprehensive roll-out here in NL, was known to be weak. Years before. And still no-one took action.

A picture for your efforts. But (payment) industry, you fail with a big F again.
[London temp, also years back]

Cybersecurity, yeah!

This is how you do it:
[As spotted in Voorburg. No, not ‘shopped a single bit.]

Yes, indeed, this is how your ‘cybersecurity’ (#ditchcyber ! #wegmetcyber !) compares to the real deal. But hey, if you want to believe you’re up there with the Big Boys, go ahead. I won’t stop you from your own make-believe. At kindergarten.

CIAAEE+P

Privacy came to the fore last week, at a very interesting ISSA NL event.
Where we discussed the prevalent Confidentiality-Integrity-Availability approach (where impacts mandatorily regard the data subject(s), not you the processor, as the data subjects are legally owner of their info …!) and whether those three actually cover privacy aspects sufficiently.

Well, we did conclude that for now, CIA is ‘still’ the common denominator. But … hey, Auditability might be added, as that’s a sort-of requirement throughout privacy protection. And Effectiveness and Efficiency – of the data handling! – have a place as well, being representative of proportionality and legal-grounds-for-the-privacysensitive-data-handling-in-the-first-place (i.e., real purpose / purpose limitation!); if you collect more than very, very strictly necessary, you’re culpably inefficient in a hard legal sense, and at least part of your data handling is not effective.

But should we add Privacy as yet another factor ..? Does it have value in itself? Initially, I thought so, as the common CIA somewhere will always have lost its connection to information value, e.g., through the Bow Tie effect and other deviations (lagging) from modern developments.

Which I’ll discuss below. But now, first, an intermission picture:
[Yup, Whistler]

So, as said, Privacy may be covered by CIA. But, … with specific deviations of interpretation.

Can’t have your cake

I guess you can’t have your space cake and eat it over your keyboard.

If only they’d hire me. I bring [1337 hacker skillz and dope use]negated; not-fully and absolute none, respectively.

But then, …:
[Beeb]

Aweariness.

Tweeks ago, at this successful! symposium, I noted the developments in the Awareness side of our IRM business. Multiple speakers were onto the subject without hesitating to move beyond the mere annual poster campaign for awareness, and moving into the daily-normal subconscious behavioral change work that was for a long time so much lacking. From ISO 2700x as well.

Which of course is a very, very good thing. Before the 80% of hard work in IRM as such (after discounting the first 80% in hardcore information security), the 80-100% of effort should go into this socio-/psycho-/behavioral fluffy stuff that yields so many benefits and returns. Though we ‘still’ may not be good at it, at least there is development, and leading examples. Thanks, speakers, for that; and for now:
[Your guess. No, not Paris, Reims; not even Strasbourg and that’s a hint]

On the verge of many breakthroughs

Just to note; my feels are that this piece on scientific analysis on the verge of chaos is an emergent technology for many current applied fields. E.g., analysis of where the Internet of Things will bring us; Singularity or not, or what. And brain analysis obviously in the first place. But also sociologically, I see many applications just beyond the horizons.

And, of course:
[Somewhat hidden, still a Major Place]

Who has your back; who’s up your back side?

Depends on how you foresee the world’s wheels of fortune turn…:
[Plucked via some byways from this originating site. Worth a visit!]

But beware … Things may change rapidly.

The enemy from below

I know, I’ve been guilty of it too. Thinking, tinkering, and musing about all sorts of abstract risk management schemes, how they’re a giant mess, mostly, and how they could be improved. Here and there, even considering a middle-out improvement direction. But mostly, ignoring the very fact that in the end, information risk management hinges on the vastly complex technological infrastructure. Where the buck stops; threat-, vulnerability- and protection-wise.

A major (yes, I wrote major) part of that low-level (Is it? To whom? It’s very-highly intellectual, too!) technological complexity is in the trust infrastructure in there. Which hinges on two concepts: Crypto and certificates. In fact, they’re one but you already reacted towards that.

For crypto, I’ll not write out too much here about the wrongs in the implementation. There’s others doing that maybe (sic) even better than I can.
For certificates, that hold the crypto keys, the matter is different. Currently, I know of only one club that’s actually on top of things, as they may be for you as well. Yes, even today, you may even think the problem is minor. Since you don’t know…

Really. Get your act together … This is just one example of how deep, deep down in ‘the’ infrastructure, whether yours or ‘out there’, there’s much work to be done, vastly too much complexity to get a real intelligent grip on. How will we manage ..?

And, of course:
[Showboating tech, London]

Maverisk / Étoiles du Nord