Tag: Information Risk Management

Nudge, nudge, wink, wink, know what infosec behaviour I mean?

Am working on an extensive piece, a long-longread, on as many aspects of behavioural change towards true ‘secure’ user behaviour as I can cram into text. I.e., moving beyond mere full ‘awareness’ as phases 2/3 of this, to phase 4. Strange, by the way, that there is in that no end ‘phase’ or cycle in which one finds out to have been in phase 4 already for some time but didn’t notice and now forgets just as quickly as that seems ‘logical’.

But back to today’s subject, which is the same, but on a tangent. My question to you dear readers [why the plural, or >0 ..?] is:
Would you have pointers to (semi)scientific writing on the use of nudges to (almost)stealthily change (infosec-related) behaviour ..?
I could very much use that. Other sectors of human behaviour influencing studies have ample info on the effectiveness of such nudges, but for infosec I’m still with Googlewhack-like results.

Thanks in advance… Plus:

[The ways to seek prosperity from misery; EPIC Dublin]

1. Train like you BCM

Isn’t it strange that one of the most prominent success factors of Business Continuity Management, actually training for eventualities of all kinds and sizes, is so little done?
Or has the basic tenet Train like you fight, then you fight like you train been forgotten?

Or not even learned in the first place. Shameful.

And, by the way, it’s true. When you train (well, as serious as if you’d actually be in a ‘fight’ for survival), you get experienced. Surely no trained scenario will play out in the unlikely event of an emergency of any kind that your BCM aimed for, but you will be experienced to handle such unknown situations, be flexible, and have the acumen, courage, and wit to come up with a solution, no sweat, right ..? Because you know you can, no sweat, and hence, clear thinking about the right things.

So, … have fun shooting down the bogeys. And:

[Hey,, that’s a pic from a scanned slide (physical, Kodak), of the bitches of South, at Twente (no more)…]

Stay put while moving your address

Lately, there were a number of times I was reminded that for those that still use email (i.e., the overly vast majority of us!), some email addresses have been more stable over time than mere snail street addresses. And, with the different use of email versus the type that it was (derived-)named after, quite some times your ‘stable’ email address is harder to change. Where moving physical home address will easily redirect your mailman’s delivery for a large sway of services (utilities, subscriptions, et al.), such service doesn’t necessarily exist for email.
Not strange. You can move house and then take your email with you. Come to think of it, this is part of the greatness of the OSI model, right?
But strange. Try to ‘move’ (i.e., change) your private email address, that you use for innumerable websites, affiliation subscriptions, socmed profiles, etc.etc., and … you’re hosed. In particular, when you don’t have access to your former email address e.g., when switching employers (wasn’t a good idea to begin with, even in about-all of the world where using company equipment still leaves you with all privacy protection you’d need, excepting the corner of the world that their figurehead took out of the world’s developments so will revert to backwater, developing country-terrain), the confirm-change email may be unreachable as you can’t login to your old mail account… No solution provided anywhere.

So, as easy as it should be to move physically and have your physical address changed in public record systems, as easy it should be to keep some email address(es) that are used to identify you in person even when you’ve moved ISP…
Question to you: Is this covered under the “Must be able to move” hardcore requirement always under the GDPR..? *All* data should be coughed up in a machine-readable format to be processed in similar manner by some other service provider. That goes for email services too, automatically, so how will the (your!) sender/receiver addresses still be valid when you’ve moved ..?
If the latter works, then any service provider ID in your email address must work on any other provider’s systems, or your former is liable for up to 2% of global (sic) turnover. Quite a (damages avoidance) budget, to make things work…

Oh, and:

[Take a seat; not your address of any kind; Dublin Castle]

The Legend of Knuth the Agile

Once upon a time in a land far, far off-shore to today’s centers of economic, political of civilised-society gravity, before DevOps was a thing even, there was a great algorithm champion warrior named Knuth. Unlike his fellow programmer clansman, that coded for fun and profit deep innovation and peer recognition [f&p came only decades i.e. ‘centuries’ later; ed.], in a world that was barren of bad code but still inhospitable to what later would become hero geeks and nerds (for whom this was still obvious), Knuth was just that little bit less quickly-footed in his subject matter, earning him the nickname The Agile, just to deride his profound work.

Because, you see, he was a man of honour and clean algorithms, two things that in his days were nearly the same. And he was in favour of solving things with fundamental parts. Not ‘process steps’ or so – how would he laugh at those that propose that, these days. Nor happenstantially bundled ‘sprints’ of fast (hacked, in its profound meaning) coding – though extreme coders live on here and there, not given the honour and credit they deserve.
But real, standardised, tried and tested (even in a semi- or fully mathematical way) logically consistent actual process steps. But then, he understands that the real warrior body (brains) belong only to those that have honed the warrior spirit, have grinded and polished their skills over decades to shine like blank sheet metal of the finest alloys. So, not like ‘hey I had this one-year (??, mostly one-week or so ..!) course in agile programming now I’m a l33t h@x0r’ kind of pre-puerile nonsense.

Well, dear readers, you know how times can fly and how reputations can change overnight. So it happens that his nickname suddenly meant something else. No more poetic escapes of sparse code and clean, logic-based algorithm library linking and calling/returning at the side of the waterfall. development method. No more re-use of the tried and tested. No more frozen waterfalls at all, due to scope creep leading to progress-temperature drops to zero and below, leading to icy atmospheres where nothing works anymore. No more basic weapons training of even knowing how to deploy re-usable code and algorithms…
All we have now, in these days with no more heroes (but the baddies are still out there, everywhere), is/was faint attempts at “patterns”, being of course the latter-day devolution of the very algorithms that made Knuth the hero he was. Is.

And then, DevOps came to the scene. If only Knuth were still in his prime, he would know what to do

Plus:

[Only in such art is extremely precisely applied sloppiness a virtue …! Gemeentemuseum Den Haag]

Panoptic business

Recently, I heard the gross error of thinking again “When people use their business IT for private purposes, they have no right to privacy” – rightly countered from the room that standing European law most clearly has the opposite: Employer has zero rights to see anything unless there’s prior evidence of some malfeasance or malfunctioning (e.g., performance problems – of the employee, not of the infra…). So, blanket or categorical surveillance (or blocking, which presupposes monitoring how the heck else would you detect the to-be-blocked URLs..!?): No sir.

What about the recent spat where a bank blocked Netflix because employees’ use of it at home, using company laptops that Citrixed back to the bank and from there onward, overloaded networks of sad (typo not said, intended to characterise the) bank? Well, a. how dumb can you be to Netflix over Citrix etc, or is one so incredibly cheap (hey, works at bank; apart from the exceptions you know, go figure) that bandwidth cost is an issue? Then maybe you’re too scroogy to be allowed to wok at a bank in the first place; monumental failure of ethics wise, b. in this case, clearly there are performance issues – when it’s noticable on the company network level, certainly it goes for a number of individuals, even if only by disturbing the performance (bandwidth availability) of others. c. there’s no absolutes in what employers cannot do.

But clearly, in just about every case considered today where categorical blocking by blacklisting would be attempted because managers sideways involved in HR stuff would understand what the URL is about, i.e., not-business-related entertainment however SFW or N-, skipping the blacklisting of the really to be blacklisted sites (torrents, malware shops and other rogue tooling),
we have again the panopticon argument of “observation changes behaviour” – and in these times of clueless managers (the less they know that of themselves, the worse cases they are!), you need in particular those ‘users’/employees that go beyond monkey typing away to be creative in their work and find new revenu / cost reduction directions. Which means that when you observe, or only log to be able to observe, you squelch productivity and profitability… Way to go!

Oh, and:

[Not the one mentioned above; HypoVereins München on a heat-hazy day]

Bringing back symmetry/-ia

Some issues, aspects of interest, collided a couple of weeks ago.
Macron’s team with their skillful double-cross deceit in the ‘leakage’ of election-sensitive info (!read the linked and weep over your capabilities re that, or click here for (partial?) solutions or others or devise your own).   One down, many to go; Win a battle, not win a war yet.
In unrelated (not) news, what are the tactics used IRL to actively engage in pre-battle tactics? Can we plant our own systems with scar (?) tissue i.e. fake immunised (for us!) / unused information that is weaponised with trail collecting (or only source-revealing) capabilities, like shops and private persons can get “DNA” spray paint thus called because it’s uniquely coded so is identifiable and traceable? Can we harbour ‘hidden sleeper (?) cells’, pathogens i.e. malware, that doesn’t affect us but when ‘leaked’ to an adversary’s environment / stolen, oh boy does it become virulently active and destruct? (Silent) tripwires, boobytraps where are you?
How far behind the curve are the general public (us, I) with intel on developments in these areas? If the French used some of this stuff (using is revealing, qua tactics, unfortunately) certainly others would have considered the methodologies involved. Raises questions indeed, as were around, about whether or not the cyrillic traces were planted into WannaCry1.0 or left there in error. [There’s no such thing as perfect Opsec but this would severely hurt some involved at the source / would’ve cared better, probably.]

Just so we can get a better view on the balance being shaken up so vehemently, between asymmetric simpleton hacks [the majority you know (like, you actually can learn about; the real majority you may not hear about) of big organisations with their huge attack surfaces and attackers only needing one pinhole] and more-or-less regaining-symmetric nation-state attacks against each other (all against all) where the arms’ race of tooling now is so out of balance.

Would like to know, for research purposes only of course, really.

We’ll see. And:
[Yes that’s real gold dust on the façade hiding in plain sight, but you wouldn’t be able to scrape it off. Would you? Toronto]

D-raacdronische maatregelen

Okay, for those of you unable to understand the disastrous (understatement) word-play in the title because it’s in Dutch… It’s about a court case (verdict here) where neighbours were in this vendetta already and now one flew a camera drone over the other’s property succinctly the other shot down the drone.
Qua culpability for the damage to the drone, the Judge ruled that a. the drone pilot was trespassing so put the drone illegally where it was shot down, b. the gunman [an experienced shot, apparently] was not to damage other peoples’ property, both are guitly and should share the damage (and share the legal expense).

Side note: the verdict also states through witnesses, that the damage incurred was to one rotor only (after which the drone made a controlled landing; not such a good shot after all) and it had been flown into a tree before the incident (not such a good pilot in the first place), so the damage amount as reported by an independent expert were doubtful, even more so since the independent expert nowhere indicated in the report how the assessed drone was identified or identifyable, as the drone in question or otherwise.
Stupid amateurs.

Moreover, the Judge stated that a breach of privacy weighed no more of less that a breach of property rights. Now there‘s the Error [should be all-caps] in the assessment of current-day societal ethics which in this case, where the Judge appears to demonstrate a sensibility of the case i.e., the vendetta between the neighbours having dropped to a state where mediation is an option no more, would have called for understanding of the derogation of property rights by the privacy concerns as is prevalent (yes; fact) in society in which the verdict should fit. Apparently, neighbour considered the privacy breach already of more value that the risk to his property otherwise would have abstained from the risk of property damage. And the property rights should be compared with the privacy rights one has when e.g., throwing away printed materials; when discarded in the dumpster, one has surrendered one’s right to privacy-through-property re the dumped information. When voluntarily move into or over another one’s property, certainly without consent and against that other one’s want, does one not surrender one’s [protection of!] property rights to the other one? Of course one can ask one’s property back but what if the other one refuses or uses it as security re exchange for something else?

Legal scholars don’t seem to Always have a “hackers’ mentality” when it comes to finding all the side roads … Most unfortunately!
And:

[From the department of infinitely high control; Ronchamps]

Appetite for destruction ..?

Not even referring to the Masterpiece. On the contrary, we have here: … Well, what?
Interested as we all are in the subject, since it is defined still so sloppily, we all look for progress, I started. But stopped, when it turned out … risk appetite is defined in hindsight, with a survived disaster being the appetite threshold. Nice. So you’ll know what your appetite is when it hit you and were lucky enough to survive. If you didn’t survive, you now know you passed the threshold. Same [?] with projects: Only if it fails, do you have to write off the investment. The idea of sunk costs may be an enlightenment..?

Etc.

I believe the CRISC curriculum has other, actually somewhat useful, information on this, and on risk tolerance ..?
Your comments, please.

Plus:
[For 20 points, evaluate the risks, e.g., qua privacy, bird strikes, value development; Barça]

Not there yet; an OK Signal but …

But the mere fact that Congress will use strong crypto Signal, can mean many things. Like, “we” won the crypto wars, as Bruce indicated, or the many comments to that post are correct and it’s for them only and will be prohibited for the rest (us), or … nobody cares anymore who uses Signal, it’s broken and those that balked in the past, now have some backdoors or other coercive ways to gain access anyway. [Filed under: Double Secrets]

But hey, at least it’s something, compared to nitwittery elsewhere… And:

[Ode to careless joy; NY]

Generate some positivity, please

Something I believe(d) in for a long time already. Being, that I don’t belong. Nor do you, or anyone, to some dreamt-up category of whatever dimension. Didn’t I refer to this (at 0:30) over and over and over again ..?
To change the tack of the posts of late, let’s take a more positive attitude. E.g., by reading Brian Solis’ story here, and elsewhere: There exists no typical generation of any characterisation. Which leaves you free to pursue your own Happiness, in whatever way you’d want — with the caveat of not inroading of the freedom of others, and respecting the Commons in various directions.

Also, contra profiling, filter bubbles, echo chambers, social isolation, shallows, etc. Contra the dark side, who wouldn’t want that ..?
Pro the eternal fact that any average is, except for rare and particular cases, unequal to about all elements over which you took the avg. Even more so when talking multidimensional elements, and hoomans are possibly infinite in that.

So, be Free(d). And:
[Spread that word! Riga]

Maverisk / Étoiles du Nord