Information Risk Management – Page 14 – Maverisk / Étoiles du Nord

Said, not enough

Here’s a trope worth repeating: Humans are / aren’t the weakest link in your InfoSec.

Are, because they are fickle, demotivated, unwilling, lazy, careless, (sometimes! but that suffices) inattentive, uninterested in InfoSec but interested in (apparently…) incompatible goals.

Are, because you make them a single point of failure, or the one link still vulnerable and through their own actual, acute, risk management and weighing, decide to evade the behavioral limitations set by you with your myopic non-business-objectives-aligned view on how the (totalitarian dehumanized, inhumane) organisation should function.

Aren’t, because the human mind (sometimes) picks up the slightest cues of deviations, is inquisitive and resourceful, flexible.

Aren’t, because there’s so many other equally or worse weak links to take care of first. Taking care of the human factor may be the icing, but the cake would be very good to perfect for making the icing worthwhile…!

Any other aspects ..? Feel free to add.

If you want to control ‘all’ of information security, humans should be taken out of the (your!) loop, and you should steer clear of theirs (for avoiding accusations of interference with business objectives achievement, or actually interfering without you noticing since your viewpoint is so narrow).

That being said, how ’bout we all join hands and reach for the rainbow ..? Or so, relatively speaking. And:

[Where all the people are; old Reims opera (?)]

Right. Explain.

Well, well, there we were, having almost swallowed all of the new EU General Data Protection Regulation to the … hardly letter, yet, and seeing that there’s still much interpretation as to how the principles will play out let alone the long-term (I mean, you’re capable of discussing 10+ years ahead, aren’t you or take a walk on the wild side), and then there’s this:

Late last week, though, academic researchers laid out some potentially exciting news when it comes to algorithmic transparency: citizens of EU member states might soon have a way to demand explanations of the decisions algorithms about them. … In a new paper, sexily titled “EU regulations on algorithmic decision-making and a ‘right to explanation,’” Bryce Goodman of the Oxford Internet Institute and Seth Flaxman at Oxford’s Department of Statistics explain how a couple of subsections of the new law, which govern computer programs making decisions on their own, could create this new right. … These sections of the GDPR do a couple of things: they ban decisions “based solely on automated processing, including profiling, which produces an adverse legal effect concerning the data subject or significantly affects him or her.” In other words, algorithms and other programs aren’t allowed to make negative decisions about people on their own.

The notice article being here, the original being tucked away here.
Including the serious, as yet very serious, caveats. But also offering glimpses of a better future (contra the title and some parts of the content of this). So, let’s all start the lobbies, there and elsewhere. And:

[The classical way to protect one’s independence and privvecy; Muiderslot]

Golden Oldie Pic of the Day

Yes, again, since Cucumber Time is early, this year…

Nopsrisk, Irisk

When it’s time, it’s time. Of course, meaning that the tough get going.
Lately, there has been a resurgence in Risk Management. In particular, in Operational risk management. That has been outclassed. Due to, among others, the calimero hanging-on at the tails of financial risk management but having failed to gain traction because the latter’s models were wholly inapplicable and seriously outright unusable for ops risk, due to having no clothes of one’s own (still, the upstart little peasant kid wanted to be emperor), due to having been outflanked by its little nephew of Information / IT Risk Management. That took on the coat of ‘cyber’ (#ditchcyber!) and gained prominence on all the vast wastelands that were left for the picking — and are now overwhelming the heartland with their successes in actual, frontline, FLOT hand-to-hand combat and battles (won).

Time, maybe, to give IRM the prominence it deserves, and forego the subsumption under ops risk ..?

It’s nothing personal…

[Soon again: Serralves]

DAUSA

Maybe we should just push for a swift implementation of the megasystem that will be the Digitally Autonomous USA. No more need for things like a ‘POTUS’, or ‘Congress’ or so. When we already have such fine quality of both and renewal on the way into perfection (right?), and things like personal independence and privacy are a sham anyway, the alternative isn’t even that crazy.

But then, there’s a risk (really?): Not all the world conforms yet to, is yet within, the DAUSA remit. Though geographical mapping starts to make less and less sense, there’s hold-outs (hence: everywhere) that resist even when that is futile. The Galactic Empire hasn’t convinced all to drop ~~the Force~~ irrationality and take the blue pill, though even Elon Musk is suspected of being an alien who warns us we’re living in a mind fantasy [this, true, actually — the story not the content so much].
But do you hope for a Sarah Connor ..? Irrationality again, paining yourself with such pipe dreams.

On the other hand … Fearing the Big Boss seems to be a deep brain psychology trick, sublimating the fear of large predators from the times immemorial (in this case: apparently not) when ‘we’ (huh, maybe you, by the looks of your character and ethics) roamed the plains as hunter-gatherers. So if we drop the fear, we can ‘live’ happily ever after; once the perfect bureaucracy has been established. Which might be quite some time from now you’d say, given the dismal idio…cracy of today’s societal Control, or may be soon, when ASI improves that in a blink, to 100,0% satisfaction. Tons of Kafka’s Prozesses be damned.

Wrapping up, hence, with the always good advice to live fearlessly ..! 😉

[Some Door of Perception! (and entry); De Haar castle]

Overwhelmed by ‘friendly’ engineers

The rage seems to be with chat bots, lately. Haven’t met any, but that may only be me — not being interesting enough to be overwhelmed by their calls.
Which will happen, in particular to those in society that have less than perfect resistance against the various modes of telesales and other forms of social engineering (for phishing and other nefarious purposes) already. Including all sorts of otherwise-possibly-bright-and-genius-intelligent-but (??)-having-washed-up-in-InfoSec-for-lack-of-genuine-societal-intelligence types like us. But these being the ones of all stripes that ‘we’ need to protect, rather than the ones apparently already so heavily loaded that they can spare the dime for development of such hyper-scaling ultra-travelling foot-in-the-door salesmen. Is this the end stage, where none have a clue as to which precious little interaction is still actually human-to-human, and the rest may be discarded ..?

As for the latter … It raises the question of Why, in communications as a human endeavor… Quite a thought.

But for the time being, you’re hosed, anti-phishing-through-social-engineeringwise.

Just sayin’. Plus:

[Retreat, a.k.a. Run to the hills / Run for your life; but meant positively! Monte Olivieto Maggiore near Siena]

Plusquote: Critique of the Pure Reasonlessness

This episode, by reference to the excellent Future Crimes (Marc Goodman, as here), one originally by G.K. Chersterton (The Blue Cross):

The criminal is the creative artist; the detective only the critic

To which we would want to add: And the auditor, only the disgruntled desk-bound traffic cop.
Since, the checker (and penaliser) of the trivial petty little rules, should remain in the third line, right ..?

Where by the way, the creativity of the artist is required to make the art work that sells — and hence all make their living off straightforward crime or would perish. The more you bureaucratise into totalitarianism, the more you see life wither, till death. Even if the crime keeps on being perpetrated — by laxity of the second and particularly third lines, in cahoots with the profiteers. … Maybe that’s a bit deep-but-overly-lapidary …
Hence, just:

[Panopticon Central, Strassbourg]

Miss(ed), almost ..?

One might have easily missed one of the most valuable annual reports … but if you trust it (you can) or would want to dismiss it (you can, for various reasons like the management babble leading to a great many missed threats and ~levels as here, always of course, but still), it is an important item when you’re in InfoSec despite #ditchcyber! so you’d better study it.
Oh, yeah, this being the thing.

OK now. Plus:

[In “cyber”space (#ditchcyber once more), easily scaled. Haut Koenigsbourg again.]

Still, 3LD is the 4th leg

This, not as much a monster under the bed as it is a monster elsewhere; Three Lines of Defense (quod non).

I’ve discussed the utterly nonsensical, totalitarian bureaucratic, lie of its utility already over and over again, but the thought — through encounter in daily practice so often still — returns every now and then. And then, one realizes: Three Lines of ‘Defense’ (quod non) are not the third, but the fourth leg of a flipover stand. Yes, indeed, you hardly see that ever — for a reason: Where the third leg is flimsy already and certainly so compared to the stability provided by the first, essential, two legs, any fourth might impress but destroys stability of the whole!
Yes, as three ground point define a surface hence stable stance on any irregular surface (and, hence again, are completely sufficient), four such touch points are very hard to get stable, onto a plane surface. Therefore, the fourth leg destabilizes the whole shazam, undoes the effectiveness of the third. Now, two are bungling.

And no, not because a flipover has three legs does that reflect TLD; the first two legs are equally required and face us, thus giving the thing its purpose which is completely, fundamentally, different from TLD where there’s three lines behind each other that only ‘protect’ (quod non) against regulatory oversight by massaging all embarrassment away through ever more dubious language. When you don’t see the fundamental of that difference, you may or may not be hopeless. Stop dragging the IQ average of whatever group you consider yourself part of, down so low.

I now rest my case.

[‘Transparency’ and building material? We see right through that both, Chanel!
(PC Hooftstraat)]

Rien vous ne pouvez plus …?

When business is about betting, hopefully educated guessing, the near and bit further future developments of <somethings>. Educated, of course with a pinch of theory — but then, only the parts that are actually true, and still valid, for the future, too so throw away all (seriously) but a few nuggets of the most absolute que sera, sera of economics / business administration (sic) — and a healthy dose of experience — but not too much as it would lead to a lachrymose same as the (true) theory and we still need Action, don’t we ..?

Then totalitarian bureaucracies, like the banking world (in a suffocatingly tight grip, including the regulatory-captured but also holier-than-thou regulators), will try to squeeze all involved so thoroughly that no business is feasible anymore. But will fail, as the spirit has been out of the bottle since the Apple; Original Sin is about being human, above animalistic sustenance-supporting instinctive compliance with the laws of nature. Again and again, the stupidity of belief that Apollo wins out over Dionysos ..! They’re equal in all respects, certainly in the spirit of Man, and remember that even Zeus was forced to break marital laws (what a player he was, by necessity …:) because at the End of Times, the titans, the powers of Chaos, will almost win out. A trope so powerful that all belief systems have it (but a few exceptions) so to be held for certain; until proven wrong…?

Even more: The higher the pressure (that the straightjackets on subjects can take), the more fluid everything becomes. The more zealous, zealotic, crazy (outright that word, yes) compliance efforts micromanage (lest the ‘manage’ part which is utterly ridiculous if used in this sense), the more devious and deceptional will the business be, caused by this very reason of compliance efforts. LIBORgate, anyone ..?

‘Trust, but verify’ is a lie. Since only the slightest hint of the latter, immediately completely destroys the former ..! As the former is a two-way street! Seek out those that support this lie, and you’ll find the true culprits of the above.

So far, so good for a Monday morning’s rant, right ..? I’ll stop now, with:
20151008_123437
[Rigid, but colourful, the max you can achieve; Nieuwegein]