Emerging degrees of privacy

Given that ‘privacy’ is a property that emerges from good Security, more particularly from Confidentiality (and Integrity), there are two avenues to succeed in this field, plus a question:

  1. If quick and maybe even too dirty: Data minimisation (as, e.g., here, in Dutch)
  2. Else (OR?): Fine-grained protection, also against the default Read-all down the stack (user / endpoint / comms channels / applications / middleware / servers / storage; with the latter maybe crawling up and down the stack again when virtualizing in the cloud)
  3. Because binary’s not my thing and keeping it real (i.e. (!) not being consistent) is: Would any of you have pointers to some science on possible degrees or levels of privacy ..?
    The idea keeps floating around in my skull. Including degrees of invasion! Where sometimes, the required degree (as set by the subject) would be less than the degree for some government agency, so everything goes … for some data point only. Yes, Value creeps in as a boring subject, but isn’t everything. Should be a field of study …?

Thanks anyway for all your pointers on the last item… (none); hence:
[It’s watching over your shoulder….! Het Loo]

Repeat: Trawling for noise

So… Legal developments go at glacial ‘speed’, thus mumbling critical oversight to sleep. Happened, once again, in NL. Mass collection (sic) of, and trawling through, all sorts of data ‘out there’ is fair game for gov’t agencies.
No, the oversight committee will not do anything. Anyone claiming otherwise plainly and simply lies under oath in order to overthrow the constitution (isn’t that high treason?).

But what will happen, of course, is that those that in the past weren’t able to connect the dots (proven fact) will now be swamped in enormously bigger piles of noise data. At the very, very best (??) they’ll find bucketloads of false positives, ruining the lives of perfectly normal, perfectly legally operating citizens, of course without any serious recourse or restitution of lost life’s pleasure and happiness…
And the false negatives will also explode, induced by the very ‘countermeasures’.
So those that propose and implement and work with such ‘solutions’ quod non will be culpable too.
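The ‘bucketloads of false positives’ claim is plain base-rate arithmetic, so here it is worked through. This is an added example, not part of the original post; the population size, number of real targets and classifier rates are constructed assumptions, chosen to be far kinder to the dragnet than any real one would be. The second function inverts the calculation: what specificity would you need before a flag is even a coin flip?

```python
"""Base-rate arithmetic behind 'trawling for noise'.

Added example, not from the original post. All inputs are constructed
assumptions: a population of about 17 million (roughly NL), a hundred
genuine targets, and a screening classifier that is 99% sensitive and
99.9% specific, i.e. better than any real dragnet.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class DragnetResult:
    """Expected confusion-matrix counts when everyone is screened."""

    true_positives: float
    false_positives: float
    false_negatives: float
    true_negatives: float

    @property
    def flagged(self) -> float:
        """Everyone who gets a knock on the door."""
        return self.true_positives + self.false_positives

    @property
    def precision(self) -> float:
        """Share of flagged people who are actual targets (PPV)."""
        return self.true_positives / self.flagged if self.flagged else 0.0


def dragnet(population: int, targets: int,
            sensitivity: float, specificity: float) -> DragnetResult:
    """Expected counts for screening the whole population.

    sensitivity = P(flag | target), specificity = P(no flag | innocent).
    """
    for rate in (sensitivity, specificity):
        if not 0.0 <= rate <= 1.0:
            raise ValueError("rates must be probabilities in [0, 1]")
    if not 0 <= targets <= population:
        raise ValueError("targets must be between 0 and population")
    innocents = population - targets
    tp = targets * sensitivity
    fp = innocents * (1.0 - specificity)
    return DragnetResult(tp, fp, targets - tp, innocents - fp)


def needed_specificity(population: int, targets: int,
                       sensitivity: float, wanted_precision: float) -> float:
    """Minimum specificity so that precision reaches wanted_precision.

    Solves tp / (tp + fp) >= p for the allowed number of false positives,
    then converts that into the per-innocent false-alarm rate.
    """
    if not 0.0 < wanted_precision < 1.0:
        raise ValueError("wanted_precision must be strictly between 0 and 1")
    innocents = population - targets
    tp = targets * sensitivity
    if tp == 0.0 or innocents == 0:
        return 1.0  # nothing to trade off: no hits, or no one to mis-flag
    fp_allowed = tp * (1.0 - wanted_precision) / wanted_precision
    return max(0.0, 1.0 - fp_allowed / innocents)


if __name__ == "__main__":
    pop, tgt = 17_000_000, 100  # constructed assumptions
    for spec in (0.999, 0.9999):
        r = dragnet(pop, tgt, 0.99, spec)
        print(f"specificity {spec:.4%}: {r.flagged:,.0f} flagged, "
              f"{r.false_positives:,.0f} innocent, precision {r.precision:.2%}")
    print(f"specificity needed for a 50% hit rate: "
          f"{needed_specificity(pop, tgt, 0.99, 0.5):.6%}")
```

Even at 99.9% specificity the net drags in roughly seventeen thousand innocents for every hundred targets, and a coin-flip hit rate would require a false-alarm rate on the order of six per million. Widening the collection does nothing to that ratio; it only scales the absolute pile of noise.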

Oh well; Orwell was right. Plus:
[I don’t want or like, but do expect, a similar thing again; for different reasons but with no really different methods — Prinsenhof Delft ya’know]

Paradise Lost

… not of the Milton kind, unfortunately.
But of the kind of Age of Innocence. In crowdsourcing. You remember, from before the days of Mechanical Turk and similar no-cure-no-pay-but-the-pay’s-a-rip-off scams. Close to (?) post-slavery slavery by Hobson’s Choice.

But as said; before that, there were the dreams of free agents delivering their best efforts to common problems and getting handsomely rewarded for their solutions (if the best). The Age of Aquarius dawned. No more masters, no servants, all equal.
Or so.
The brevity of happiness…

[All play and sunny weather now that you have been returned to Consumer status (pejorative). Sure to (have) change(d) …; NY of course]

Plusquote: Be not a hampered herring but a free speedboat

Yes, again one in this series of quotes of my own making (predominantly), intended to be motivational. Just like www.despair.com… This time:

Be a free speedboat, no hampered herring

Which, for an explanation, starts at the back. Being about the choice between being a (hopefully growing into, too) big fish in a small pond, or a small fish in a big pond. And, since the former is limited by its ‘boundary’ condition already and the latter has grown into being a tiny fish in the world’s oceans altogether, neither is more than a sucker’s result in a Prisoners’ Dilemma match.
But then, the choice is a false one; no-one asked you to remain a fish, of set growth or flexibility. Turn into a speedboat! Do not want to be, or to become, an oil tanker, but keep agile, manoeuvrable, successful rather than doomed by size.

And yes, speedboats can go anywhere. May not be as survivable as a tanker in some storm, but being flexible enough in movement and destination, hence travel routes, you’ll be able to not get caught in one in the first place; no fun, so avoided almost naturally. Storms are for others to weather; you keep in nice weather.

Oh yes, there’s risk and danger, also caused by you, e.g. running over some silly swimmers or onto rocks by careless steering. But think of the upside …

Also:
[Remember the moose though I have no clue why you should … ;-| ]

Be-four you turn enthusiastic

[Warning: Long read. Opinionated, and your recommendations on structure may be needed, too]

Just about all of the banking industry, and other financials in its wake, has had to deal with loads of regulatory requirements. Justified, some say, since ‘they’ cause(d) so much misery, far beyond a merely temporary loss of bonuses, that the ‘un’ should be (and should long ago have been) detached from ‘unbridled’. So, Basel II and III regulations swooped in, requiring much more explicit and detailed handling of financial business than ever before. The move from laissez-faire to regulation, to regulation with sanction schemes, to actual sanctions (possibly to be read as ‘token’…), was extended with provability and then complete proof-demonstration as a minimum requirement.

All this, however, has created a large and, in general, even I would say quite overpaid [disclaimer: am profiting too] industry of consultants, quants, ‘risk managers’, reviewers, assessors, auditors, and scores of Toms, Dicks and Harrys of the GRC kind. Who are all very likeable, nice lads and lassies, but maybe not quite worth their salt, certainly not their bonuses, or even sure to be worth lending one’s ear to.

Since March, suddenly, there’s news. The Basel Committee on Banking Supervision has released a consultative paper with ideas for simplification (much needed, as many know) of the operational risk management part of the regulations. For the forthcoming Basel IV.

Crash’in the wings

… Thinking back to the Taleb’ian remarks, and truths, on Extremistan, and to how some more or less closely watched parameters may lose their variance but not their uncontrollability, since such petering out of shock’lets is just the precursor of an asteroid-impact-scale collapse, I wondered what is about to happen in infosecland. Since for weeks, nay months already, there has hardly been any news… Apart from the usual suspects (#ditchcyber ..!), there hasn’t been anything serious, has there, in the form of yet another class break or a more comprehensive controllability breakdown?

Which is why everyone should sit more uneasily, instead of the opposite: sleeping better than ever.

But then, this was the message from your Wolf-crying boy …?

To which:

[Since last Friday, you know this isn’t a reindeer but an elk that is no moose, at least not everywhere]

Security so(m)bering

There’s this discussion going on about the merits of privacy versus security. Whether the one is part of the other, or the other way around, or both. Whereas the smart money is on considering privacy as enhanced by good confidentiality settings, since they see that privacy is an issue of a higher (abstraction) order than mere confi: achieved by it, but only in the way infosec is the bricks and mortar when all you wanted wasn’t bricks but a wall.
Through which you may reflect on compliance in infosec. Because hardly ever is that taken to include compliance with the principles and business objectives and conditions, which include being sparing with hindrance to the business. Really, those that truly set only guide rails, not enforcement rails, are the unicorns of the trade. No, not those unicorns; those are just frauds anyway.
You may try to do better; really. It starts with risk … when properly applied, you would not get the remarks about ‘why, it has never happened to us before / what are the odds?’ but might even get better support for some slightly hindering process changes and for better (but less end-user-detectable) ‘infra’, i.e., everything under the users’ level of visibility.
So, I’m not sombering, or if so, only about the eager-beaver pervasive prevalence. Because sobering up, wising up, may win the day, and may be due…

We shouldn’t somber too much… Isn’t this a perfect opportunity to finally demonstrate how we do (… can …) link up information security to real business issues at the highest GRC levels? Since we shouldn’t be passive and leave ‘privacy’ to be taken over by lawyers jumping into the current Privacy Officer void. Since we can translate all the operational and tactical work that we do on privacy all the way up to strategic levels and still be very concrete. And not have to wait till ill-understandable “guidelines” (shackles) keep us from achieving something.
No more wannabe whining about ‘deserving’ a seat at the Board table or at least being heard; not asking to be allowed but matter-of-factly showing ‘Done.’ … if, not when, you did information security right all the way…

Just like that:

[“Na na nanana can’t hear you!”; Porto]

Miss Quote: Your way. Or ..?

In the series of unfortunate misquotes, a famous one:

Anything that can go wrong, will (Murphy)

As a secondary quote from somewhere:
But Edward Murphy did not say this. What he most likely did say is something along the lines of:

‘If there’s more than one way to do a job, and one of those ways will result in disaster, then somebody will do it that way’.

Which, given the way you do things, does indeed result in disaster without fail, but only by your hand. So, if you use the misquote, you should add “when I do it”…?

That was a short and easy one … so, for you:
[You picked its current spot; deep into the harbour…; Baltimore]

The new KvK registration

For many it is a chore that is a nuisance, but simply comes with ‘being in business’.
Registration with the Kamer van Koophandel (Chamber of Commerce). The basics, at the enthusiastic start of, for example, a self-employed existence. The maintenance, at changes in an association’s board; and then the KvK turns out to be so relevant that it still requires a wet signature, to be placed in the well-known far-too-small rectangle, so that the signature as placed almost by definition does not match…! How deep into the previous millennium can one have remained stuck; this shows that the KvK can hardly be of any use anymore…

But now, in times of ‘cyber’ (#ditchcyber!), there is an alternative or, rather, a comparable registration: with the AP.
Yes indeed, the Autoriteit Persoonsgegevens (the Dutch data protection authority), so named because the confusion with the notion of ‘privacy’ was perhaps not yet big enough, and renamed to grant another decade of start-up time before effectiveness may be expected, by which time a new era will have dawned that calls for a ‘different’ institution ..?
Because after all we have the Wet meldplicht datalekken (the data breach notification law)… With 700 registrations in the first two months (allowing for a first month full of New Year’s drinks, so about four weeks) it is clear enough that it is a matter of reporting and then, fortunately, nothing more; unless one is unlucky enough not to be politically relevant and ‘hence’ fair game for pursuit …

Ah, government; they can’t make it more fun, but they can make it more impossible…?
[And no real headwind comes from that direction either…]

The ides of March

… aren’t today only, but are indicative of … well, a lot of what goes on in infosecland these days.
Whom to trust, when your buddies and experts, and those that are both in one, may carry knives or worse. Like turning your defenses against you behind your back. Like the Brutuses and Ed S.’s did because their conscience revived (true in both cases ..!), like the great many are doing already without tipping you off. Until it’s too late. And, in a similar vein, how about the backdoors built in ..?
But then, as long as you can sit there like a rabbit in the headlights … sleep now in the fire [insert appropriate link to RATM clip], because the Time Till Collapse may leave you less room for Après Nous le Déluge than ever before.

Just to wake you up, by the way; if you read the above as some kind of chagrin, I may have achieved my aim of making you think beyond mere Mehhhh.
So, I’ll leave you with:
[Shifting politics, shifting alliances…]

Maverisk / Étoiles du Nord