Tag: Information Risk Management

OM als tooltje

Wat ik me bij deze link nou afvraag:

  • Het genoemde risico van concurrentie-pesten / uitschakelen (het Internet vergeet niets, en daar kan heel de rijksoverheid of wie dan ook geheel niets aan doen) is levensgroot, ondanks de minieme en volledig transparante schaamlap van eigen beslissing die bij de betaaldiensten wordt gelegd – die zullen zich zeker (ontkenning diskwalificeert van handelingsbekwaamheid) verschuilen achter het OM. Wat gaat het OM daartegen doen?
  • Zoals in het commentaar bij bovenstaande link; de ‘bewijslast’ is een aanfluiting en treft de kleinere webwinkels veel zwaarder dan de grotere die veel meer middelen hebben om hun ‘onschuld’ (juist daar: quod non!) te ‘bewijzen’ afgezien van hun marktmacht richting betaaldiensten. Drie klachten voor de grotere, drieduizend voor de kleinere wellicht ..?;
  • Als het OM informatie doorgeeft waarvan volslagen duidelijk is dat doorgifte disproportioneel is (hoeveel aangiftes van véél kwalijker zaken werden/worden ook alweer geseponeerd omdat dozijnen ambtenaren gewoon geen zin hebben om hun werk te doen?), zijn zij mede aansprakelijk voor de gevolgen. Gemiste omzet, gederfde levensvreugde (juist bij de kleinere webshops die door de groten aan de kant zullen worden geschoven – dát zijn pas onoirbare praktijken, maar ja die groten hebben de willoze lendepop het OM in hun zak – zal een blokkering wegens de minste aantijging van ongeoorloofd gedrag, hoe onterecht later ook zal blijken, al snel tot volledige sluiting leiden, met alle faillisementskosten en afwikkeling op privévermogens van dien – het leven van de eigenaar zal nooit meer hetzelfde zijn. De aanzet die eerst blokkeren, dan uitzoeken inhoudt, is een regelrechte omkering van de bewijslast, en treft zéér onevenredig veel onschuldigen (valselijk beschuldigd, onevenredige en onherstelbare schade) terwijl de schuldigen gewoon verder zullen shoppen; die hebben de plan-B betaaldiensten allang opgelijnd.
  • Het OM legt dit betreffend onderdeel van haar taak naast zich neer, derhalve dient het evenredig te worden gekort op het budget. Ad infinitsimum. Het OM laat zich willens en wetens als ‘conduit’ misbruiken door de grotere webshops, en verspeelt daarmee haar gezag en rechtsgrond van optreden. Sluiten die tent dus ..?

Het is duidelijk: Als dit wordt doorgezet, failleert het OM zichzelf. Toch ..?
[Van bastion tot ruïne; Cardona]

Arms / race coming to an end ..?

When this is still necessary and (counter)x-measures will continu to be developed, for sure, how will this little nugget of WP29 change things?
Because it has power. That may lead to a throwback. For how long? The harder the throwback, the longer to recover. But the more powerful will be that rebound ..? We’ll see. For now, canvas blockers are still the way forward, so implement them, right?

This post was brought to you as a public service announcement from the sanity of browsing for information security and privacy blog you’re reading.
But seriously, why is there so little analysis of the WP29-on-Profiling stuff ..!? And:

It doesn’t matter

A great many before me have discussed the merits pro and contra using contractors instead of perm contracted staff.
I will still give it one more go. Since lately, there has been some back and forth again about motivational issues and how certain is one in one legal contract situation compared to the other hence how motivated can one be and why the need to cater to so different audiences as ‘manager’.
The thing is
It doesn’t matter:

When investigating the differential motivators, one invariably ends up with the same motivators, and much the same demotivators (nicely depicted here of course still going strong, since tout a continué).
This, coupled with:

  • Financially, you’ll have to pay for income taxes (buy side yes), holidays, sick days, etc.etc. (welcome to Europe!) and all of the administration surrounding that when you hire someone on a perm contract. If you hire a contractor, not so much; all costs are for the contractor
  • You’ll also have to pay for continued education and a company car for perm contracters. For contractors, not so much; all costs are for the contractor
  • Add in a ton for pension contributions (we’re still in Europe). For contractors: Nope.
  • How about severance packages? (Oh, shouldn’t differ much…)
  • Going through the calculation motions, it is little wonder that fully loaded costwise, a perm contractor will cost you 2,5-to-3,5 times per hour what a contractor bills you
  • And your perm contractor is scientific reasearch confirmed actually productive for four (upper bound) to two (lower bound) of any eight-hour working day. Your contractor can only bill you for two hours slippage per day, at most
  • You can even expect to pay more for the above motivators when dealing with perm staff. Contractors behave more mature and don’t need as much of everything

clearly leads in one direction. Isn’t there a catch ..? No, only if you’re Mr Tax Man; then, you’re the one losing out. Otherwise, you as an employer can gain seriously even when paying out ‘huge’ hourly rates to contractors.

Remember that.

Your comments, please.

Norm over substance of risk management

Overheard: A major company in a relevant industry re infosec – and well-known for their good and even so recently much improved infosec posture – doesn’t follow the mantra of “risk management first, policy/standards second” but first sets some quite rigid standards and then, when vendors can’t deliver (even when the standards are strict but quite reasonable and doable), do some form of risk analysis plus compensating controls / acceptance or what have we.
Because otherwise, everything gets so mushy (hey, normal (?) risk analysis is business driven, what do ‘they’ know ..!?) that the end result is a chaos of quasi-accepted risk all on one huge unmanageable infra heap of backdoors and byways (those in particular) which results in zero security. And because this way, standardisation is encouraged and security plus manageability hugely increased i.e. big bucks are saved.

So, it’s an interesting High Baseline Minus approach. Though I guess you may have some comments, so take it away …:

Oh, and already:

[Maybe green, but not fond of blaugrana ..? M’drid]

Fog(gy) definitions, mist(y) standards

If you thought that containers were only something to ship wine in, by the pallet, you a. would be right, b. would maybe have overslept on the new concept, c. would not mind I introduce the next thing, being fog computing. I’m not making this up as a part, or extension, of low-hanging cloud computing.
You think I’m kidding, right? Or, that I should have called it mist computing which is a thing already but only a somewhat different thing… You’re still with me?

Then it’s time to read up. And weep. Over this here piece that sets the standard, quite literally.

There. You see ..? Indeed low-hanging, as in the stack … That wasn’t so hard. But implementation will be, if required to be secure. Have fun, will TLS. Or so.

OK, this post was as it stated just an introduction to the IoThing – I was serious though about the Go Study part. Plus:
[Cloudy top cover, smiley backside of a place of worship; Ronchamps FR]

3D of the nudging to simplest infosec behaviour

Before you’re put off by the title its complexity … [Oh. You clicked. Wave function collapsed long before; ed.] This post is about improving the People part of infosec. Beyond the mere ‘awareness’ that begets you … a couple of days’ attention, then slippage into muchlessofthesame.

Two roads away from the dead end you were in, open up:

  • Nudging. Which is about small, inobtrusive and non too brainwashing incentives and disincentives, rewarding and penalising the good and bad so that ‘users’/people choose to do right without having to rationalise through all sorts of intricate, overly (sic) complex lines of reason why some shimmy is better than another twist. Just gently guide, don’t Law and Forbid. [Edited to add: This post was drafted and schedules for release weeks ago, before that Nobel Laureate was awarded his medal for this very method…]
  • Secure simplest option. Like the great many traffic controls; no traffic lights but roundabouts – the former, can be run through at high speeds in the middle of the night (and other times); the latter, require slowdown or you’re thrown off the road. The secure solution being the obviously simplest – the simplest solution being the secure one. People will take the simple road in stead of the difficult one. Better make the simplest one the safest. Not require the user to jump all sorts of complex hoops for safe behaviour! Like password complexity rules: The more you make them ever more difficult, the harder it is for users to resist finding loopholes and escape vents like writing them up (which isn’t a bad solution per se, but …). And in the end, you’ll loose the arms’ race against skillful attackers anyway; at the point where their smartness is hardly less than benign users need to get into your systems, you’ll have to revert to some other way anyway (re: dead end roads).
  • Ah, I’m not one for counting all that simple…
    Smart trickery. This of course being a perfect example … a 3D zebra (road-crossing). Many great, very-marketable other such solutions may exist, to your (image’s!) advantage.

Now that you’ve read the above, how would you change your infosec ‘controls’ throughout …? Like, filling out the last matrix of this, in a smart way and changed to general infosec …?
For an additional bonus, outline how you apply this to your GDPR-compliance efforts… And:
[Advertising the trust you can have in this Insurance co.; Madrid]

Measure and/or die

For 10 points only, not the usual 50/100/150 and without pictures to color, identify the stupidity of this here rambling with an air of sophistication
The ‘quality’ (quod non) of which is nicely summed up in the ‘metrics chart’ ..: “If you can’t measure it, you can’t improve it” – referring to the degree (sic) of the stupidity; unimprovable…?
Be aware Always (link, here again yes), people, …:
Not everything that counts, can be counted, and not everything that can be counted, counts ..!
Oh well. Nice effort to get from ‘nothing’ to ‘something’: when shot for the moon and missed, one ends up between the stars.
In a vacuum, light years away from any matter. [Excepting virtual Heisenberg’ian particles; ed.]

Plus:

[To hope that one day, this king’s -dom may understand the British Crown / Commonwealth model before an all-out civil war breaks out…]

Are you scared of perfectionism ..?

Not of but to.
This dawned on me, suddenly – as dawning of this better kind is unenforceable – a lot of people list ‘perfectionism’ as their default weakness-read-humblebragged-strongpoint. But it’s a weakness indeed because any such feeling will be rootcaused by insecurity, of the angst kind.
When taken forward, from the latter, one sees: Fear of the unknown, uncontrollable impact on the edges (first), will lead to overzealous focus on those edges, the rougher parts, to prevent even the tiniest deviation from the all-of-the-world’s-plan that totally deterministically was supposed to be followed to not introduce Uncertainty of any kind. No quantum collapse of the wave function allowed; no wave function allowed – that’s all heretical deviation from a supposed Plan from up high (where ?); der Herrgott würfelt nicht in the least! Quantum entanglement is that each and every quantum particle was predestined to be and behave / move as it does. No Uncertainty!

Or else … bad things may happen to you, e.g., your career.
You may get fired, for not perfectly achieving your Personal Year Plan. You may get fired anyway but that’s Bad, the devil’s work, or the shareholders’ (his rep’s..!) wish for slashing by the FTE numbers. To prevent this, just be perfect. Or, more practically, (say to, only!) strive for perfection. Bossed might want to believe then, that you’ll do your utmost and give your life, to make that happen. So bosses’ year plans are achieved. Or bosses, just to be sure, revert to the inhumane micro-management practices … so very common still today…

Let’s hope that proper risk management wins out in the end. If only since the more Chaos, the universe’s drive to entropy, is suppressed, the more gigantic will be the outburst of the Uncontrolled energy because it will burst out. Better to be able to control that through not letting the pressure build so high, by allowing steam to blow off in much more benign, possibly profitable, ways long before.

So, embrace entropy! Embrace balance ..! Just don’t be ‘perfectionist’ like everyone else and then be found out to be the very average sloppy that one reads so much too much of, even in trivial non-control of basic writing skills. If you write without care for proper spelling, etc., and don’t proofread, you’re waaay off to the wrong side of the balance ..!
Plus:
[Discuss, progress to the dialectic third way – which is NOT in the middle by definition; study Aristoteles on that..! Ottawa, BTW]

AVG is the Law

If you wondered whether (if?) I’ve gone besirk and declare some little anti-malware tool to be officially authorised: No. What then? A Yes. Because whenever you read ‘AVG’ related to the Netherlands, you’ll find it’s the Law indeed. Being a fumbled translation of the GDPR. And full of the lawyers’ stuff on detail, demonstrating incapacity to understand the issues that the GDPR was originally trying to tackle. Of course, these got watered down to ineffectiveness before even being officially issued (and that’s not per 25/5/2018 but already behind us ..!!). So we find ourselves now in a struggle on all sides for clarity and practically viable interpretations – vis-à-vis some specific law. From a legal perspective, this might work; just wait for jurisprudence (authoritative-case law) and all will become clear. From every other of the asymptotically-infinite number of sides (don’t even try to explain that to the eager beavers among various parties), jurisprudence means the death of their organisation and of all employment that goes along with, is built upon that including the livelihoods and perspectives for a decently doable pursuit of happiness of employees and their (extended) families invloved.
So NO, you cannot leave things to jurisprudence, to case law. Modern society has moved far beyond that, leaving all trailing in understanding that, in the dust of ignomy and ridicule. We the People (of the EU++, and of the world affected) need clarity upfront.

Awwww this is turning into a rant. Which wasn’t the purpose, which was   just to point out the irony of one antimalware-maker’s name being now wringed into something laughing-stock [ with an ? or an ! ].
Oh, plus:

[(From analog to digital when the latter wasn’t much good yet) sinking into the landscape, this time perfectly as intended, not out of shame; Melvyn Maxwell and Sara Stein Smith House, Bloomfield Hills MI]

Extra, extra! A Fine!

It was bound to happen: Fines! For privacy violations! Oh how do the Frightful Five shudder at the thought of these economic penalties that will down their businesses. Not so much. Is there anyone that thinks the fines will do better under the GDPR regime ..?

Kindergarten dreams. If all people are nice to each other there will be no more war and world peace. If GDPR kicks in …

Plus:

[An air of nice, just the air; not Nice but 4711 Cologne]

Maverisk / Étoiles du Nord