Temporary Awareness

A call for poignant pointers.

You may be aware that research is on-going (among others, by Yours Truly) in the area of sustained ‘security awareness’ — a misnomer for security habit change. Which is driven by psychological stuff like everyone’s individuality, everyone’s individual circumstances (not only at work, not only formal short/medium term) and everyone’s learning and operations style and preferences. And hence, habit change would also have to cater for all these differences. One-time ‘awareness training’ (sic), yeah, right on.

Still, such would be a somewhat valid approach … for perm staff.
Not for infrequent visitors, like your garden variety (IS) auditor, that would drop in every now and then and still have access to sensitive data; on purpose or not, benign or malign leakage or not.
Not for temps, interns et al., that are around too short for true awareness to sink to the back of the head, for instinct reflexes (oh ideal). Or the induction program would be a grilling drill; counter-productive.
Not, and this is where my problem is mostly, with third party staff, that primarily work for the vendor and have other KPIs than client security — at least, higher on their agendas. They come in (physically or remotely), do their thing that hooks quite deep into your operational processes (physically like cleaners and installers, logically through e.g., software and parameter updates) almost always at arm’s length control with still their other KPIs first, and then leave you possibly vulnerable or robbed, and with full accountability without grip on the actual operations having taken place.

Apart from the platitudes of requiring transparent compliance with all your security policies (purely hypothetically, IF you’d be able to find and collect them, they’d be sorely outdated, and 50% or more wouldn’t be applicable but which 50% you have no clue), what about the above-mentioned change to the good sufficient habits ..?
Your input would be much appreciated…

Also:
[Temp attention, eternal bliss; Syracuse]

SecPoll

Finally, a competition where you can win, too, seriously.

Yes you can, I’m serious. And you win something serious…
The deal:
Your top-3 predictions, in comments, about what new ‘cyber’security stuff (#ditchcyber) will happen in 2017.
In return, if you’re the top predictor (NO.), to celebrate you’ve best found ’17’s bubbles of the year you’ll receive a perfect bottle of ’17 bubbles.
The things you describe can be of any sort, related to information security in the widest sense. Something-cloud, something-privacy, something-Docker, something- Layer 7 or 8 firewalls, something-systemic-breachlike, whatever, it’s up to you. However:

Some terms and conditions [subject to updating when needed..! My call and prerogative]:

  • No editing your predictions after entering them;
  • Three apiece;
  • None should already be around as per the second half of December 2016;
  • All should be measurable, and measurably the largest over 2017, suggestions for measurement/metrics should be attached.

I’ll be awaiting your wisdom / totally random stuff with:
[Who would’ve predicted the success, and beauty, of this/these, eh? DC]

Dense, but study

All about this here article. Yes I too, started out as picture browser through this. But more careful study unearthed a lot of gold, qua understanding of the issues. Even to the point of pointing out some gaps, here and there — well, the understanding did, not as much the overview — in ‘moral continuums’, that can and should be filled.
And, much work can be done on operationalising the Obvious breaches of fundamental human rights (as per Universal Declaration) so don’t go babbling about commerce needs a chance.

[And now for a switch of goal but you’ll find the relation …!]

Where the latter is one big part often missing with ‘disruptions’ quod non:
Doing something simply illegal is just that and is not ‘allowed’ because innovation should be allowed to be tested.
Innovation should not be attempted when the new has been determined already to be illegal
How hard can it be? Laws had been put in place to protect the weak against the powerful, specifically at points where the need was evident. IF some law has no purpose anymore, one should first do away with it, first through political ways and if that wouldn’t work out to be possible, only then, through e.g., courts for obvious unfairness (sic; if your law system is of the common type you’re hosed anyway). When you don’t succeed in this the only legal ways, too bad that’s how democracy works, if.
If some law still has purpose but there’s negative side effects you’d want to do away with, do away with the side effects not the law; in the two ways as before doofus!

Oh well. Mock disruptors beware; the world does not need nor welcome you.
And:
[Sometimes, Classics are perfect enough; Prague]

Log not Log

About the resurgence of ‘logging’ as a thing.
In compliance, for whatever reason because everyone lost the Original purpose.
In ‘audit’ (like, checking bookkeeping — no you drop the pretense and lies that’s all there is to it!), since we (??) can now do den totalen Prozesskontrolle.
In systems management, to …:

  • Monitor the health of systems — note that a lot of logging will be superfluous for this purpose (lest the next bullet comes into play), and a lot of the other records will be processed near-completely-automated into nice dashboards; note also that in this environment, that seems to work, whereas in environments where ‘dashboards’ have been promoted for ages (decades, mind you) it has been without any success, with the cause already known just as long;
  • Detect/find, and process, intrusions. Being proxies for ‘fraud’ (quod non, and note that legally, there’s no such thing!) to be committed.

Most efforts of late go into the latter thing (apart from the good work (sic) done by, e.g., the Coneys of this world). Where we see a jump to the worst, most atrocious, of Big Brother privacy obliteration by processing each and every little in-systems program step that can be logged, traced. Even by, what could have been, proper all-out systems management integrating the traditional style of it, with IoT device management, as e.g., Splunk now is focusing on whilst leaving their core competence behind.
Missing the point that ‘systems management’ over all transactions having started with the human ones, was the Original purpose. To monitor (at the speed of annual bookkeeping ..!) the health of ‘systems’, the business as performed and understand that not all transactions could be perfectly in line with the, unthinkingly overstandardised ideal transaction patterns.

Can we now, now that we do have the mechanics (log writing speed, all-connectivity, and storage (!) and processing tools available) regain that latter part..?
Hopefully.
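As an added illustration (not code from the original post, nor from any tool it names) of the two readers of one log stream described above: a health summary that rolls request records into dashboard-style aggregates, a sliding-window failed-login detector for the intrusion view, and a transaction-outlier pass for the ‘business as performed’ view that the post calls the Original purpose. The line format, the field names and the sample lines are constructed assumptions for this example.

```python
"""Three readers of the same log stream: system health, intrusion, business health.

Added example; not from the original post. It assumes a constructed, simplified
line format: `<ISO time> <service> <event> key=value ...`.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log lines; not captured from any real system.
SAMPLE_LOG = """\
2016-12-01T08:00:01 web request status=200 ms=120 user=alice
2016-12-01T08:00:02 web request status=200 ms=95 user=bob
2016-12-01T08:00:03 web request status=500 ms=2300 user=carol
2016-12-01T08:00:04 auth login result=ok user=alice src=10.0.0.5
2016-12-01T08:00:05 auth login result=fail user=admin src=203.0.113.9
2016-12-01T08:00:06 auth login result=fail user=admin src=203.0.113.9
2016-12-01T08:00:07 auth login result=fail user=admin src=203.0.113.9
2016-12-01T08:00:08 auth login result=fail user=admin src=203.0.113.9
2016-12-01T08:00:09 auth login result=fail user=admin src=203.0.113.9
2016-12-01T08:00:10 auth login result=ok user=admin src=203.0.113.9
2016-12-01T08:00:11 ledger transfer amount=120 user=bob
2016-12-01T08:00:12 ledger transfer amount=80 user=alice
2016-12-01T08:00:13 ledger transfer amount=50000 user=admin
2016-12-01T08:00:14 web request status=200 ms=110 user=bob
"""


def parse_line(line):
    """Split one constructed log line into a dict of timestamp, service, event and fields."""
    ts, service, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "service": service, "event": event, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def health_summary(records):
    """Systems-management view: request count, 5xx error rate and median latency per service."""
    per = defaultdict(lambda: {"requests": 0, "errors": 0, "latencies": []})
    for r in records:
        if r["event"] != "request":
            continue
        s = per[r["service"]]
        s["requests"] += 1
        if r["status"].startswith("5"):
            s["errors"] += 1
        s["latencies"].append(int(r["ms"]))
    return {svc: {"requests": s["requests"],
                  "error_rate": s["errors"] / s["requests"],
                  "median_ms": median(s["latencies"])}
            for svc, s in per.items()}


def brute_force_alerts(records, threshold=5, window=timedelta(minutes=1)):
    """Intrusion view: a successful login preceded by >= threshold failures from the
    same (user, src) inside `window`. Only login events are looked at, which is the
    post's point that most records are superfluous for this purpose."""
    fails = defaultdict(list)
    alerts = []
    for r in records:
        if r["event"] != "login":
            continue
        key = (r["user"], r["src"])
        if r["result"] == "fail":
            # keep only failures still inside the sliding window, then add this one
            fails[key] = [t for t in fails[key] if r["ts"] - t <= window]
            fails[key].append(r["ts"])
        else:
            if len(fails[key]) >= threshold:
                alerts.append({"user": r["user"], "src": r["src"],
                               "failures": len(fails[key]), "at": r["ts"]})
            fails[key].clear()  # a success resets the counter either way
    return alerts


def outlier_transactions(records, factor=10):
    """Business-health view: transfers more than `factor` x the median amount.
    These are candidates for a human look, not automatic rejections, because
    not every transaction fits the standardised pattern."""
    transfers = [r for r in records if r["event"] == "transfer"]
    if not transfers:
        return []
    med = median(int(r["amount"]) for r in transfers)
    return [r for r in transfers if int(r["amount"]) > factor * med]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(health_summary(recs))
    print(brute_force_alerts(recs))
    print([(r["user"], r["amount"]) for r in outlier_transactions(recs)])
```

The same parsed records feed all three readers; what differs is which events each one keeps and how it aggregates them. The outlier pass deliberately returns candidates rather than verdicts, which keeps the annual-bookkeeping style review in the loop instead of pretending the ideal transaction pattern is the only valid one.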

And:
[Modern (purpose), still also a sun dial; Barça]

Sticky Wicked

I’ve been seeing ‘wicked problem’ turn up again lately. Again, hardly in its original sense let alone to the criteria. But rather, as problems where the counterforces to solutions are just too dug in against change, to be overcome. As human, societal problems rather than something systemically hard. To bulldozer over, with a MBT, maybe ..? What a fine demonstration of irritation to let loose.


Misquote: No Problem, or are you?

Don’t come to me with problems, only with solutions

Is wrong in so many ways…

  • When, not if, a manager would say such a thing, he denies his (her, not often enough) very job. Yes, the job of a manager in times of knowledge workers truly is what it was in times past, glorious as they were; “decision making under uncertainty”. Which has devolved into sickly-panic over any uncertainty that is inherent in results as future states;
  • So, workers — sounds too much like worker bees, working to their untimely death for the blip of glory of the Leader (quod non ..!) — should come to their bossy type or that empty vessel would have too little to do..?
  • When workers would come to their bossy types with problems and solutions, the latter would be degraded to secretaries of the collect-input-collate-and-report types. Because that would be what they’d do;
  • And not would they be the emperors in charge of Decision Making (preference ratification) over proposals (researched scenarios / preferences) to solve problems, as that suggests managers of this type, would have any inside knowledge. True, sometimes, very sometimes, one meets these old-style (old school is too old school) true managers that actually have the best of knowledge over the problem at hand, and knowledge of the environment, context and strategies surrounding and/or overarching the decision, at the same level as the workers doing the solutions research.
    If the manager would really have better info on the latter categories than his workers, he’d have failed to give them proper information (mention not the risk of the atrocious destruction of humanity that micro management is) i.e. not delegated properly, for the scenarios of the workers would limp and be of greatly suboptimal quality to his decision making;
  • Rare then, would be the true manager, that has sufficient knowledge nay wisdom to know how much to decide himself and what swarms of decisions to delegate and sit as go-between and stakeholder representative of his workers to other departments and upper regions, facilitating whatever goes around in his department;
  • Rare then, the manager that says, can handle: “Solve what you can and report the solutions via my business office; bring me not solutions but problems that need over-head resolution”. Not the mis-quote; they’d not say that which makes it one of the deserved, righteous forms of humblebragging-by-remaining-silent allowed.

However rare … the quote is still a misquote. As so many are of the manager type of the first couple of bullets, and say the thing only when they intend to degrade themselves to the pitiful that don’t see their own empty-vesselness when uttering the quote.

Oh, and:
[If you think you’re in, you aren’t; Utrecht]

Dear Trudy. My baby doesn't even notice my Post-Its.™

My baby doesn’t even notice my Post-Its. How can I make clear it has to stop crying?

November 18, 2016 by Trudy

Dear Trudy,

My four-month-old cries day and night. I’ve put up Post-Its in its crib with a kind request it stops that. But now I begin to realise it doesn’t even notice them. How to make clear that I am not positively inclined to let this disregard pass just like that?
Regards,
At Wits’ End

Dear Wits’ End,

Probably your baby does not want to be micromanaged by Post-It. A lot of people take that badly. It isn’t your cleaning maid for one thing! So please try to take a more gentle approach. E.g., next time don’t write “Please don’t cry” but rather “How can we manage to agree to not cry after 2AM ;)”

[Original, in Dutch, on the Speld; translated with permission]

For members, useful insights

I’d suggest making this available widely; beyond membership only. Because it ties in so well with, e.g., this and many other issues at this.

Yes, I may be biased; just like everyone if only for having been member of this. Which (subject) plays a much more prominent role in your lives than you think, certainly in the nearest of futures. Beware.

And be aware of:
[Your ethics reasoning: All corners, leading nowhere, abandoned; Fabrique Utrecht]

Move; to Canadaya ..?

While discussing the options for those in developed countries that would not necessarily agree with the outcomes of recent or pending elections, of course Canada was on the table. Not quite in the Tim Horton / Hudson’s Bay / Blue Jays style, but rather as evac site. Not the Thinking Class leaving, but the retreat of the Others [needless to say, the 1%-and-up aren’t anywhere anymore already; they escape no matter which way the wind blows] is what we have seen with/before/at the Elections in this case; back into the countryside as if the cities aren’t the major country elements these days (‘states’ and electoral colleges as artifacts, makeshift solutions to early-days haphazard nationwide (then, more height than width) comms).

Or still, nevertheless, this here old (Spring) post may provide an option.
Which is perfectly possible; aren’t they where they’d retreat in the first place? But that would bring the ‘risk’ [ P(X)=1 ] that it turns out that the ones not retreating into the billyhills, can perfectly do without the retreaters [many letters in common with traitors], or even fare better.
Calling into question whether the pres that will ‘represent’ all, does, for all or doesn’t, for a majority (!) thus undermining the very idea of validity of the representer in that position and the systems/schemata of elections that brought him there despite the majority not wanting him.

Interesting.

May still bring the near-(sic) Yucatan arrangement closer.

Oh well, plus:
[Defensible against those so utterly bluntly lied to, but also my next / client offices; Breda]

Maverisk / Étoiles du Nord