Temporary Awareness

A call for poignant pointers.

You may be aware that research is on-going (among others, by Yours Truly) in the area of sustained ‘security awareness’ — a misnomer for security habit change. Which is driven by psychological stuff like everyone’s individuality, everyone’s individual circumstances (not only at work, not only formal short/medium term) and everyone’s learning and operations style and preferences. And hence, habit change would also have to cater for all these differences. One-time ‘awareness training’ (sic), yeah, right on.

Still, such would be a somewhat valid approach … for perm staff.
Not for infrequent visitors, like your garden variety (IS) auditor, that would drop in every now and then and still have access to sensitive data; on purpose or not, benign or malign leakage or not.
Not for temps, interns et al., that are around too briefly for true awareness to sink to the back of the head, for instinct reflexes (oh ideal). Or the induction program would be a grilling drill; counter-productive.
Not, and this is where my problem is mostly, with third party staff, that primarily work for the vendor and have other KPIs than client security — at least, higher on their agendas. They come in (physically or remotely), do their thing that hooks quite deep into your operational processes (physically like cleaners and installers, logically through e.g., software and parameter updates), almost always at arm’s length control with still their other KPIs first, and then leave you possibly vulnerable or robbed, and with full accountability but without grip on the actual operations that took place.

Apart from the platitudes of requiring transparent compliance with all your security policies (purely hypothetically, IF you’d be able to find and collect them, they’d be sorely outdated, and 50% or more wouldn’t be applicable but which 50% you have no clue), what about the above-mentioned change to good-enough habits ..?
Your input would be much appreciated…

Also:
DSC_0546
[Temp attention, eternal bliss; Syracuse]

SecPoll

Finally, a competition where you can win, too, seriously.

Yes you can, I’m serious. And you win something serious…
The deal:
Your top-3 predictions, in comments, about what new ‘cyber’security stuff (#ditchcyber) will happen in 2017.
In return, if you’re the top predictor (NO.), to celebrate you’ve best found ’17’s bubbles of the year you’ll receive a perfect bottle of ’17 bubbles.
The things you describe can be of any sort, related to information security in the widest sense. Something-cloud, something-privacy, something-Docker, something-Layer-7-or-8 firewalls, something-systemic-breachlike, whatever, it’s up to you. However:

Some terms and conditions [subject to updating when needed..! My call and prerogative]:

  • No editing your predictions after entering them;
  • Three apiece;
  • None should already be around per the second half of December 2016;
  • All should be measurable, and measurably the largest over 2017; suggestions for measurement/metrics should be attached.

I’ll be awaiting your wisdom / totally random stuff with:
DSC_0789
[Who would’ve predicted the success, and beauty, of this/these, eh? DC]

Some quick notes on Audit / service development

An invitation for co-development or I go it alone…
[This also being a copyright / idea claim]

  • Undecided what name will stick; either
    Ethics Test Services, or
    Autonomous Judgement/Decision Analysis Services;
  • Because it is about checking the morality baked into, or emerging from, algorithmic decisions and/or decisions and conclusions from autonomous and self-learning systems;
  • Contra “Computer says No”, obviously.
    If you’d want to learn what that refers to; see here;
  • [Intermission] Whereas some in European politics (sic) discuss imposing a rule where autonomous systems without one human in the loop anywhere would have to have an ‘explanatory’ function that can display in layman’s terms how it arrived at some decision, and that being contestable. But the questions are: What if the ‘system’ were hosted outside the EU (and just like inflation, Gresham will obviously apply), and what if (maybe ‘when’; we’re talking politicians here) such a very first step towards transparency may still not make it, and what if as a cheap escape trick the human would and could only click ‘OK’ — could (s)he be culpable?
  • Elements would be:
    • Process correctness,
    • Data correctness,
    • Exceptions handling; essential and necessary.
  • This, in Standard Form and with an overall human (me; run to the hills) judgement both over process/systems quality and over moral/ethical admissibility;
  • Will have to extend the notions of ethics, morality et al. here; e.g., how humans make decisions in the first place with all their errors of all kinds, what to do when systems/humans don’t follow morality and/or the decisions from the systems.

So, everyone (dabbling in this space from now on,) will pay me serious license fees for using the above ideas in commercial services… [note: I’m serious]
And/or all help is welcomed.

To add:
DSC_0752
[Would deliver above services to this address for expense reimbursement only …]

Log not Log

About the resurgence of ‘logging’ as a thing.
In compliance, for whatever reason because everyone lost the Original purpose.
In ‘audit’ (like, checking bookkeeping — no, drop the pretense and lies that that’s all there is to it!), since we (??) can now do den totalen Prozesskontrolle.
In systems management, to …:

  • Monitor the health of systems — note that a lot of logging will be superfluous for this purpose (lest the next bullet comes into play), and a lot of the other records will be processed near-completely-automated into nice dashboards; note also that in this environment that seems to work, whereas in environments where ‘dashboards’ have been promoted for ages (decades, mind you) it was without any success, with the cause known just as long;
  • Detect/find, and process, intrusions. Being proxies for ‘fraud’ (quod non, and note that legally, there’s no such thing!) to be committed.

Most efforts of late go into the latter thing (apart from the good work (sic) done by, e.g., the Coney‘s of this world). Where we see a jump to the worst, most atrocious, of Big Brother privacy obliteration by processing each and every little in-systems program step that can be logged, traced. Even by what could have been proper all-out systems management, integrating the traditional style of it with IoT device management, as e.g., Splunk now is focusing on whilst leaving their core competence behind.
Missing the point that ‘systems management’ over all transactions, having started with the human ones, was the Original purpose. To monitor (at the speed of annual bookkeeping ..!) the health of ‘systems’, the business as performed, and understand that not all transactions could be perfectly in line with the unthinkingly overstandardised ideal transaction patterns.

Can we now, now that we do have the mechanics (log writing speed, all-connectivity, and storage (!) and processing tools available) regain that latter part..?
Hopefully.
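To make the two purposes concrete, here is an added example (not from the original post; the sshd-style log lines are constructed, and the five-failures-per-minute threshold is an assumption) that runs the same ten records through a health view and an intrusion-detection view. The health summary survives on counts per minute; the detection needs every record, per source, in order, which is exactly the per-record processing the post objects to when it is done over everything rather than where it is needed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs), in syslog/sshd style.
SAMPLE_LOG = """\
Nov 12 10:00:01 host1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Nov 12 10:00:07 host1 sshd[2102]: Failed password for root from 203.0.113.9 port 40001 ssh2
Nov 12 10:00:09 host1 sshd[2103]: Failed password for root from 203.0.113.9 port 40002 ssh2
Nov 12 10:00:12 host1 sshd[2104]: Failed password for admin from 203.0.113.9 port 40003 ssh2
Nov 12 10:00:15 host1 sshd[2105]: Failed password for admin from 203.0.113.9 port 40004 ssh2
Nov 12 10:00:18 host1 sshd[2106]: Failed password for oracle from 203.0.113.9 port 40005 ssh2
Nov 12 10:00:40 host1 sshd[2107]: Accepted password for bob from 10.0.0.7 port 51002 ssh2
Nov 12 10:01:03 host1 sshd[2108]: Failed password for bob from 10.0.0.7 port 51003 ssh2
Nov 12 10:01:10 host1 sshd[2109]: Accepted password for bob from 10.0.0.7 port 51004 ssh2
Nov 12 10:05:00 host1 sshd[2110]: Accepted password for root from 203.0.113.9 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(lines, year=2016):
    """Turn raw sshd lines into dicts; syslog has no year, so one is assumed."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth outcome line; irrelevant to both views
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]})
    return events


def health_summary(events):
    """Health/dashboard view: only aggregate counts per minute are kept.
    Who failed, from where, and in what order is thrown away."""
    per_minute = defaultdict(Counter)
    for e in events:
        per_minute[e["ts"].replace(second=0)][e["outcome"]] += 1
    return {minute.strftime("%H:%M"): dict(c) for minute, c in sorted(per_minute.items())}


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Detection view: needs every record, keyed by source, in time order.
    Flags a source with >= threshold failures inside `window`, and then
    any later success from that source (the part that actually matters)."""
    failures = defaultdict(list)  # src -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e["src"]
        if e["outcome"] == "Failed":
            window_start = e["ts"] - window
            failures[src] = [t for t in failures[src] if t >= window_start]
            failures[src].append(e["ts"])
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, e["ts"]))
        elif src in flagged:
            alerts.append(("success_after_bruteforce", src, e["ts"], e["user"]))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(health_summary(evs))
    for a in detect_bruteforce(evs):
        print(a)
```

Note that bob's single typo at 10:01 never reaches the threshold, so the detection stays quiet about him; the dashboard view cannot tell bob's failure from one of the attacker's, which is why it is useless for the second purpose and harmless for privacy.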

And:
DSCN2229
[Modern (purpose), still also a sun dial; Barça]

WindTalker

Right. So we have a side channel attack where your hand movements over your mobile, when typing in your PIN or password (your ‘key’), interfere with WiFi signal patterns in a detectable, traceable way, thus revealing your key. Like this (PDF). Note that in the paper’s setup the signal measurements are taken at a hotspot the attacker controls, so the precondition is the victim being on the attacker’s WiFi, not merely in range.
Would this, on a second trend note, further destroy or obviate the need for Active Access Control ..?

Plus:
20161025_150242
[Mock-up for fabrics not mockery of your security; Stedelijk Amsterdam]

First Rule of Risk

First rule of risk: Never underestimate risk. Even when you follow this rule, and even when your estimates seem ‘proper’.
Where of course, the propriety of your estimates is in grave doubt, either on the “This has never happened to us so / Come on, get real, [we’re not a target because we’re of no interest to anyone] what are the odds!? / Ho hum, there’s the boy cried wolf again”,
or on the “I’ve been reading this thing about CYBER! Arrrgh! In the Inquirer so why aren’t all staff hiding under their desk and we didn’t yet have the Marines take over and destroy the office to defend it ..?” FUD-side.
[Side note: You did have ‘consultants’ over (office (culture, motivation) destroyed, seems like a preventative measure?), but be aware that’s the opposite of Oorah]

Because when every nanosecond brings the possibility of an ‘event’ (how’s the repeated sampling with (! … is it?) replacement over so many draws working out in your frequency estimations..!?), one can be sure that a 99% chance per draw of something not happening will result not in it virtually certainly never happening, but in the near certainty that the 1% will strike, repeatedly, and a strike will endure much, much, much longer than the inception of it. The ‘event’ isn’t measured in nanoseconds, but in days, weeks, months and sometimes even years (think the, near-certain, reputational damage). So, your estimates are too low, all too low.
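The arithmetic behind this, as an added example that is not part of the original post (the function names are mine, and the 1%-per-day and 30-day-incident figures are constructed inputs): repeating a draw with independent per-draw probability p turns ‘99% it won’t happen’ into 1 − 0.99ⁿ over n draws, and the exposure is that number of starts multiplied by how long each event lasts.

```python
"""Added example (not from the original post): what '99% it does not
happen' becomes once the draw is repeated, and once each event has a
duration. Function names are hypothetical; inputs below are constructed."""
import math


def p_at_least_one(p_event: float, draws: int) -> float:
    """P(at least one event) over `draws` independent periods, each with
    per-period probability p_event. Independence across periods is the
    sampling-with-replacement case the post asks about: 1 - (1 - p)^n."""
    if not 0.0 <= p_event <= 1.0 or draws < 0:
        raise ValueError("need 0 <= p_event <= 1 and draws >= 0")
    return 1.0 - (1.0 - p_event) ** draws


def draws_until(p_event: float, target: float) -> int:
    """Smallest number of draws at which P(at least one event) >= target."""
    if not 0.0 < p_event < 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("need 0 < p_event < 1 and 0 <= target < 1")
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_event))


def expected_periods_in_incident(p_event: float, draws: int, duration: float) -> float:
    """Expected number of periods spent 'in an event': p_event * draws
    expected starts, each lasting `duration` periods. Overlapping events
    are counted twice, so this is exposure and can exceed `draws`."""
    return p_event * draws * duration


def rescale(p_per_year: float, draws_per_year: float) -> float:
    """Per-draw probability that reproduces a given yearly probability when
    the year is sliced into draws_per_year independent draws. Slicing finer
    leaves the yearly figure alone; what blows the figure up is the (usually
    silent) assumption that the quoted '1%' was already per draw."""
    return 1.0 - (1.0 - p_per_year) ** (1.0 / draws_per_year)


if __name__ == "__main__":
    p, days = 0.01, 365  # '1% chance' read as per day, constructed input
    print(f"P(at least one event in a year) = {p_at_least_one(p, days):.3f}")
    print(f"days until 50% = {draws_until(p, 0.5)}")
    print(f"expected incident-days for 30-day events = {expected_periods_in_incident(p, days, 30):.1f}")
    print(f"per-day p that gives 1% per year = {rescale(0.01, 365):.2e}")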

But since the detractors are always downplaying your estimates due to their other-directed agendas, do follow the First Rule of Risk …

fight-clib
[Your in-house security gurus are quite like that, yes, being the absolute rookies at the BlahBlah Seat At The Board Table — probably available only when the Board is out — or any level they’re relegated to]

The Risk of Human Existence

Where Risk should be in the ‘first’ line of any defense, and subsequent lines are mere (subsumed …!) support, as in the line of reasoning where Risk or rather Uncertainty [don’t start me on the semantics pure kindergarten discussions per definitional differences] is essential to do business; nay is essential to any organisation’s ‘business’ even when as non-exposed to market conditions as e.g., government departments.
Which, and this is the title reference, of course hinges on: all human endeavour seeks to eliminate uncertainty, as uncertainty in the state of bare survival that humankind still is in (sic; on average, and in the near future thanks to global warming [no thanks, global warming!]) would mean deterioration, i.e., extinction.

Against which we (well, I; uncertain about you dear reader) have developed these whimsy precious things called brains (i.e., including the prefrontal cortex) to enable us to not only cope with the most complex of things including paradoxes, infinity et al., but also with uncertainty. Through induction and Big Data-like pattern extraction, sometimes taken to the levels at which most current Big Data analysis stands (turning spurious correlations however weak, into causation theorillets and/or rites), sometimes actually achieving something — models that ‘work’ to sufficiently accurately predict some aspects of the future (i.e., behaviour of predators) to enhance survival by staying away from the most unsurvivable situations.
Now that a precious few (??) have managed to ward off the evils of existential threats, such mortal fear of death has turned into a mortal fear of anything that doesn’t go according to our plan of doing the least possible, to do nothing but eat ourselves into obesity.

Meaning: now that all reasonable threats, uncertainty, have been reduced by extreme CYA everywhere, we (not I) at the same time accept less and less that bad things just happen, and will ever more fanatically look for someone(s) to blame.

Solve the latter by ‘solving’ the former. Fight CYA!

And:
20160805_134239
[What’s our love … but the Art of Glass; Blondie for no apparent reason, Dordrecht]

When it comes to Risk, Appetite is Tolerance

Previously, with many others I believed that Risk Appetite would have to be the starting point of discussion for anything Risk within organisations. The appetite, following from discussions on Strategy being the choices of directions and subsequent steps that would need to be taken to achieve strategic objectives, i.e., where one sees the organisation ending up in the future. Very clearly elucidated here. Backtracking, one will find the risks associated with these possibly multiple directions and steps — in qualitative terms, as NO valid data exists (logically necessarily, since these concern the future and hence are determined by all information in the universe which, logically, cannot be captured in any model since then the model would have to be part of itself, incurring circularities ad infinitum; and already, the organisational actions will impact the context and vice versa, in as yet (for the same reason) unpredictable ways).
And then … This risk appetite, automatically equated with the risk tolerance by the Board for risks incurred bottom-up by the mundane actions of all the underlings (i.e., including ‘managers’, see yesterday’s post), then suddenly would have to be in quantitative terms… [Yes, bypassing tolerance-as-organisational-resilience-capacity]
As all that goes around in organisations, through the first 99.9% of Operational / Operations Risk, and then some 10% industry-specific risks (e.g., market- and credit- for the financial industry), not measured but guesstimated, hitherto by, outstandingly, some of those with the least clue and experience [otherwise, they would have been much better employed in the first line of business themselves… The picture changes favorably (!) where we see some organisations shift to first-line do-it-yourself risk management… finally!], with what the chance and impact figures would be. As if those were the only two quantities to be estimated per ‘event’… As if any data from anywhere would be sufficiently reliable benchmarking material — If you believe that nevertheless, you should be locked up in a treatment facility… Yes sometimes it’s taken to be this moronic… No need to flame bigger here, as that was already done here.

But wait, where was I. Oh, yeah, with the bypassing of tolerance defined as what the organisation could bear. The bare fact being, that no-one can establish a reliable figure for that. What the Board can and wants to bear … Considering that the Board would have to be all-in, i.e., not only all of their bonuses since ever under clawback threat, but also all of their earned income incl. salaries and personal wealth — if any of the Board would not want to risk all they ever had and have, bugger off, this is what you signed up to. Considering also that strategic decisions are about wagering the existence of the company on choosing right or else, this wagering the well-being and wealth of all employees however unable to bear loss by the mere fact of never having had the ability to create some reserves, the previous consideration isn’t exaggerated. You wager others’ very existence, you wager your own ‘first’.

Summa summarum:
Risk Appetite is what the Board lets happen as Risk Tolerated Already.

Plus:
20160529_142237
[And away goes your grand hallway down the drain; [non-related] Haarzuilens, Utrecht]

Positive Performance Plans — Done That, part I

Regarding the latest spat on dumping personal performance plans, P-KPIs et al.

Which one shouldn’t. Even at the most negative end of What Gets Measured Gets Done, there is some truth like, some grains. Where no measurement and reward (sic I) for performance may not entice too many to be worth their salt (sic II). In today’s total-information society, it’s the free riders, the freeloaders, that escape unharmed with their booty. ‘Hedge fund manager’ like. Possibly to be vilified by history as the worst atrocities of humanity ever, but that remains to be seen as history commonly is written by the winners and, forward-looking, one is not (can not be) sure who that will be.

But change is in the wings, and is needed indeed. Too many are still driven by assembly line (i.e., geriatric) target setting and (micro)management. Don’t get me started on the latter or I spam you into oblivion with bold 80 point [Expletive starting with an F] You’s.

From the Other Side, there’s renewed talk of personal development through not To Do lists but Have Done lists.

Now, can these be deployed to structure human activities’ objectives ..? Having biweekly open discussions about ‘production’ even when the employee is somewhat free to decide what to work on as long as it’s slightly related to a long-term organisational goal that everyone shares — the Original idea why people banded together in companies, taking that label from the military where already it denoted comradeship and protection towards a common achievement.
Even where proxies are needed, as e.g., project-style work with deliverables only after some time, at milestones and deadlines. Even where managers’ understanding needs to be raised through the (their) roof to capture the content innovation and disruption of the Knowledge Workers doing the creation of work/deliverables/-content and actually understanding how that ties into the total achievement – / required. Even when those ‘managers’ need to grasp the idea that much time is spent possibly not being worth the salt, to in the blink of an eye arrive at some final nugget worth all the salary previously invested (‘thrown overboard on useless loafing’ which is required for the nugget to materialise). Enabling work at home for many; much more efficiently and with the very same productivity if not much more in the end (when all have become accustomed to the idea(s) as here before).

Yes, this leaves overall performance to ‘managers’, to integrate and achieve, and to report, and to translate downwards to personalised (individualised and adapted to individuals’ personal capabilities and development goals) general work directions. No more forty hours sitting in a cubicle — brains dying of boredom all around but “you don’t get paid for not being bodily present less than forty hours (plus/plusplus) even if you aren’t in the least productive overall”. Such is life. The organisation doesn’t give a [expletive starting with an s] about how you get [same] done, as long as your group delivers… Managers are of the work force, not above it ..!

I’ll work on this topic later, to develop the organisational structures to support this…
Oh, and:
20161027_152637
[Where Museum is splendid form and function; Teylers’ Haarlem]

The legacy of TDoS

So, we have the first little probes of TDoS attacks (DoS-by-IoT). ‘Refrigereddon’.
As if that wasn’t predictable, very much predictable, and predicted.
[Edited to add: And analysed correctly, as here.]

Predicted it was. What now? Because if we don’t change course, we’ll achieve ever worse infra. Yes, security can be baked into new products — that will be somewhat more expensive so will not swarm the market — but for backward compatibility with all the chains already out there it cannot be relied upon, plus there are tons of legacy equipment out there already (see: Healthcare, and: Utilities). Even when introducing new, fully securable stuff, we’re heading into a future where the Legacy issue will grow for a long time, and much worse than it already is, before huge pressure (which will need to be applied) brings the problem down.

So… What to do ..? Well, at least get the fundamentals right, which so far we haven’t. Like this, and this and this and here plus here (after the intermission) and there

Would anyone have an idea how to get this right, starting today, and all-in all-out..?

Plus:
20150323_213334
[IRL art will Always trump online stuff… (?); at home]

Maverisk / Étoiles du Nord