IRM – Page 10 – Maverisk / Étoiles du Nord

First Rule of Risk

First rule of risk: Never underestimate risk. Even when you follow this rule, and even when your estimates seem ‘proper’.
Where of course, the propriety of your estimates is in grave doubt, either on the “This has never happened to us so / Come on, get real, [we’re not a target because we’re of no interest to anyone] what are the odds!? / Ho hum, there’s the boy cried wolf again”,
or on the “I’ve been reading this thing about CYBER! Arrrgh! In the Inquirer so why aren’t all staff hiding under their desk and we didn’t yet have the Marines take over and destroy the office to defend it ..?” FUD-side.
[Side note: You did have ‘consultants’ over (office (culture, motivation) destroyed, seems like a preventative measure?), but be aware that’s the opposite of Oorah]

Because when every nanosecond brings the possibility of an ‘event’ (how’s the repeat of sampling with (! … is it?) replacement over so many draws working out in your frequency estimations..!?), one can be sure that a 99% chance of something not happening, will result not in the virtually certainly not happening every time, but in the certainty that the 1% will strike, repeatedly, and a strike will endure much, much, much longer that the inception of it. The ‘event’ isn’t measured in nanoseconds, but in days, weeks, months and sometimes even years (think the, near-certain, reputational damage). So, your estimates are too low, all too low.

But since the detractors are always downplaying your estimates due to their other-directed agendas, do follow the First Rule of Risk …

[Your in-house security gurus are quite like that, yes, being the absolute rookies at the BlahBlah Seat At The Board Table — probably available only when the Board is out — or any level they’re relegated to]

The Risk of Human Existence

Where Risk should be in the ‘first’ line of any defense, and subsequent lines are mere (subsumed …!) support, as in the line of reasoning where Risk or rather Uncertainty [don’t start me on the semantics pure kindergarten discussions per definitional differences] is essential to do business; nay is essential to any organisation’s ‘business’ even when as non-exposed to market conditions as e.g., government departments.
Which, and this is the title reference, of course hinges on: all human endeavour seeks to eliminate uncertainty as uncertainty in the state of bare survival that humankind still is (sic; on average, and in the near future thanks to global warming [no thanks, global warming!]), would mean deterioration i.e. extinction.

Against which we (well, I; uncertain about you dear reader) have developed these whimsy precious things called brains (i.e., including the prefrontal cortex) to enable us to not only cope with the most complex of things including paradoxes, infinity et al., but also with uncertainty. Through induction and Big Data-like pattern extraction, sometimes taken to the levels at which most current Big Data analysis stands (turning spurious correlations however weak, into causation theorillets and/or rites), sometimes actually achieving something — models that ‘work’ to sufficiently accurately predict some aspects of the future (i.e., behaviour of predators) to enhance survival by staying away from the most unsurvivable situations.
Now that a precious few (??) have managed to ward off the evils of existential threats, such death scare of death has turned into a death scare of anything that doesn’t go according to our plan of doing the least possible to do nothing but eat ourselves into obesity.

Meaning, not accepting that now all reasonable threats, uncertainty, has been reduced by extreme CYA everywhere, at the same time we (not I) accept less and less that bad things just happen, and will ever more fanatically look for someone(s) to blame.

Solve the latter by ‘solving’ the former. Fight CYA!

And:

[What’s our love … but the Art of Glass; Blondie for no apparent reason, Dordrecht]

When it comes to Risk, Appetite is Tolerance

Previously, with many others I believed that Risk Appetite would have to be the starting point of discussion for anything Risk within organisatons. The appetite, following from discussions on Strategy being the choices of directions and subsequent steps that would need to be taken to achieve strategic objectives, i.e., where one sees the organisation ending up in the future. Very clearly elucidated here. Backtracking, one will find the risks associated with these possibly multiple directions and steps — in qualitative terms, as NO valid data exists (logically necessarily, since these concern the future and hence are determined by all information in the universe which, logically, cannot be captured in any model since then, the model would have to be part of itself, incurring circularities ad infinitum and already, the organisational actions will impact the context and vice versa, in as yet (for the same reason) unpredictable ways.
And then … This risk appetite, automatically equated with the risk tolerance by the Board for risks incurred bottom-up by the mundane actions of all the underlings (i.e., including ‘managers’, see yesterday’s post), then suddenly would have to be in quantitative terms… [Yes, bypassing tolerance-as-organisational-resilience-capacity]
As all that goes around in organisations, through the first 99.9% of Operational / Operations Risk, and then some 10% industry-specific risks (e.g., market- and credit- for the finanical industry), not measured but guesstimated by hitherto outstandingly some that have least clue and experience [otherwise, they would have been much better employed in the first line of business themselves… The picture changes favorably (!) where we see some organisations shift to first-line do-it-yourself risk management… finally!] with what the chance and impact figures would be. As if those were the two only quantities to be estimated per ‘event’… As if any data from anywhere would be sufficiently reliable benchmarking material — If you believe that nevertheless, you should be locked up in a treatment facility… Yes sometimes it’s taken to be this moronic… No need to flame bigger here, as that was already done here.

But wait where was I. Oh, yeah, with the bypassing of tolerance defined as what the organisation could bear. The bare fact being, that no-one can establish a reliable figure for that. What the Board can and want to bear … Considering that the Board would have to be all-in, i.e., not only all of their bonuses since ever under clawback threat, but also all of their earned income incl salaries and personal wealth — if any of the Board would not want to risk all they ever had and have, bugger off this is what you signed up to. Considering also that strategic decisions are about wagering the existence of the company on choosing right or else, this wagering the well-being and wealth of all employees however unable to bear loss by mere fact of never had the ability to create some reserves, the previous consideration isn’t exaggerated. You wager others’ very existence, you wager your own ‘first’.

Summa summarum:
Risk Appetite is what the Board lets happen as Risk Tolerated Already.

Plus:

[And away goes your grand hallway down the drain; [non-related] Haarzuilens, Utrecht]

The legacy of TDoS

So, we have the first little probes of TDoS attacks (DoS-by-IoT). ‘Refrigereddon’.
As if that wasn’t predictable, very much predictable, and predicted.
[Edited to add: And analysed correctly, as here.]

Predicted it was. What now? Because if we don’t change course, we’ll achieve ever worse infra. Yes, security can be baked into new products — that will be somewhat even more expensive so will not swarm the market — but for backward compatibility in all the chains out there already, cannot be relied upon plus there’s tons of legacy equipment out there already (see: Healthcare, and: Utilities). Even when introducing new, fully securable stuff, we’re heading into a future where the Legacy issue will grow for a long time and much worse than it already is, before (need to be) huge pressure will bring the problem down.

So… What to do ..? Well, at least get the fundamentals right, which so far we haven’t. Like this, and this and this and here plus here (after the intermission) and there…

Would anyone have an idea how to get this right, starting today, and all-in all-out..?

Plus:

[IRL art will Always trump online stuff… (?); at home]

All Your Data Are Belong To Us

Or, in the form of a question: When
a. One has to notify authorities of any (possible!) data leak, per law, in Europe and soon maybe also in the USofA,
b. Even BIOSses aren’t secure anymore, baked in from the word Go and onwards,
Shouldn’t all organisations declare all of their infrastructure and hence all their data, possibly compromised ..?

Just asking.

[Edited to add this. Also relevant; this one deeper (?)]

And:

[Calm, not private; Museumplein Amsterdam]

New Normal Hacking

Errm, anyone still surprised about (not) new news on data being stolen, ransomware striking, or democracy perverted, anywhere, all the time ..?

Got a bit worried, and wondered whether there would be others the same, about the current Mehh impression of everyone in the loop, about even political parties [now openly], voting machines, etc., getting cracked and data stolen which combined with at last, at very last finally, the hackability of voting machines not, against all sane arguments, being tamper-resistant — which leads to the vulnerability and class broken-ness of fundamental human values.

And still, there’s hardly more than Mehhh.

Would anyone have a reason not to worry …?

Ah:

How you know that you are old in infosec: you remember when you were trying to get the world to care about improving security.

— Dino A. Dai Zovi (@dinodaizovi) October 6, 2016

Oh well, blue pills everywhere …? Plus:

[Sorry to say lads and lassies of the Royal Academy of Arts, but the Gemeentemuseum did beat you, on this one]
[Edited to add: No, this post was written before the NIST October 7 ‘news’ came out that (‘end’?) users are tired of hack-warnings (security fatigue), if that were a thing. Which is also not quite what I meant above, which is worse…]

Are sw bugs taxing your resilience ..?

There would be a solution when we’d find a way to tax software makers for their product faults.

Because caveat emptor can work only if unlike in softwareland, one can duly (!) examine the product before purchase otherwise-and-anyway culpability for hidden flaws remains with the seller/licensor.

Which is impossible with shrink-wrapped stuff — and the ‘license’ claim is ridiculous, moreover the EULA is inconsistent hence null and void: Either the product is used under license hence the product quaility liability remains with the producer/licensor or the licensee is liable for damages the use of the product might cause but then invariably ownership is with the purchaser.

The software maker can’t have their cake and eat it; that would run against basic legal principles. And claiming that one’s always allowed to not use the product and choose another one or not, the Hobson’s Choice that brings about so many legal ramifications that even $AAPL’s pockets would never suffice, would invariably lead to oligopoly/cartel charges …!

Or, as this may easily be solved when taken as a societal problem just like environmental stuff like CO₂ pollution (we all need electricity): Why not tax the software makers for their ‘pollution’ of the IS environment with bugs ..? (And prohibit the use of greenhouse gases like SQL injection weaknesses?)
Like, after post-write but before release, this (Dutch) news that casual carelessness is a headache for government(s)… A bit like driving rules with no enforcement, maybe ..?

I’m not one for fighting the real windmills… hence:

[The outards of the inn(ard)s of courts; Bridget’s London obviously]

Contra Bruce, for once

For once, Bruce is not at the right end. Maybe not opposite of it, but.
As per this here blog post of his — a repeat of one of his, and others’, thread.

The argument: We make things, like, security, too difficult for users and hence (?) we shouldn’t try to change them into secure behaviour.
The contra: ‘Guns kill people’, or was it that the men (mostly) firing guns, kill people? And the many toddlers shooting their next of kin since, being at the approximate maturity of the Original gun pwner, they have no clue.

The Contra, too, and much more to the point when it comes to ‘information’ ‘security’: We should make cars run at maximum 5Mph … Since ‘users’ are waaaay too stupid to drive carefully.
Just don’t mention that ‘security’ is a quality not an absolute pass-or-fail thing, and that ‘information’ could not be more vague. [Except ‘cyber’, that’s so vacated of any meaning that it’s a black hole.] And don’t mentoin we still seem to let cars be used by any other moron that once, possibly literally decades ago before ‘chips’ were invented, passed some formal test — the American idea of the test coming very, dangerously, close to … was (sic) it the Belgian? system where one could pick up one’s driver’s license at the post office. Able, allowed, to buy cars that drive not just 5 but 250Mph, on busy roads, without protection against using socmed mid-traffic… One thing could be to introduce Finnish-style booking for unsafe behaviour (if caught, not when as per next paragraph [think that through…]), and/or huge fines for the producers of bad equipment (hw/sw) comparable to fines on car makers, or outright laws to build airbags in, etc.

And then, if we’d design ‘secure’ systems, e.g., the Apple way, we’d end up with even worse Shallows sheeple that have so much less clue than before… And all in the hands of … even in ultra-liberal countries one would suggest either Big Corp, or Big Gov’t, both options being Big Brother literally in such an atrocious Dystopia of humanity.

So, you want safe systems? You get the loss of humanity before actual safety.

[Yes I get the Humans Are The Cause Of Much Infosec Failure thing (including Human Flexibility Can (still!) Solve More Than Machines Can, Against System (!) Malfunction), but also I am completely in favour of both the Humans Must Through Tech Be Completely Shielded From Being Able To Do Anything Wrong and Humans Should Retain All Freedom To Act Responsibly solutions.]

Pick your stand. And:

[Use G Translate if you have to, from Dutch. Typifying the driver, probably, if only for picking the brand/car…; London]

You sporting against all

When sports are considered to be character-forming for later (mostly assumed to be business-)life, either by having been trained to be competitive or have learned (really?) to cooperate in teams (really?), let’s see which versions there are:

In which the You Against Natural science (No counter-actors other than nature, only personal performance counts, possibly measured against others but still, bad luck gets you), You Against One opponent (where one’s in a knock-out tournament or variant; running into the later champion in the first round doesn’t do much for your chances for second place), and Team Against Team (if you’re a champ in a bad team, fuggeddaboudit; the other way around too, like Leicester City…), are all too well known, with the ‘character formation’ mostly being: Either you win or are a loser, and Suck It Up The Other Guy(‘)s Much Better.

But in business … Be careful not to think that it’s a team-to-team competition. Yes, you may assemble, or join, a team, but you’re playing against … the Market. Not another team … Unless the very unusual situation of a duopoly, which should be breakable, legally.
Rather, you’re up against ‘everything out there’; can count only on one’s own errors, not count on the luck of anything out there working your way though they sometimes do. And the character building/application is … well, mostly about you not being Hercules.

Well, if you think you are the big Heracles himself, note that your Impostor Syndrome is no illusion. The Wonder CEO that thinks he’s in the bottom right corner, is deluded to not see that it’s not all the underlings (certainly the sycophants) in a Team against him (seldomly her), in an internal struggle much larger than any competitive fight out there. But that all those one’s up against, are the Team in the top left corner, though possibly having ousted him for displaying anti-team play morals…

Talking of big business: What sport would have massive teams of hundreds, thousands, hundred thousands of players on either side ..!? With all specialised in their own little square foot of the playing field ..? At best, one has such armies with the classical mercenaries — and even they were, are, organised much more effectively. The military discipline of the multinational überbureaucracies will fail in the murk out there, certainly when one’s not against one specific opponent, as above.
‘Normal’ teams in sports are, ballpark, smaller than 20 players, all maybe having designated tasks but always all (of the winning teams) have the flexibility to step out of their role and position, with team mates catching the blind spots. As if that ever happens in business-outside-the-startup-scene. The closest to actual normal business, would be athletics teams, all with their specialties, contributing to the total, the satisfaction of having succeeded as a team winning out over the satisfaction of personal performance over team gains.

So, what was that about through (‘high school’/university age) (team) sports, would one breed character for the real world ..? If one does sports, obviously it should‘nt be for that reason but for the joy of it. ‘Character building’ as an argument shows one has no clue.

Data Classinocation

I was studying this ‘old’ idea of mine of drafting some form of impact-based criteria for data sensitivity when, along with a couple of fundamental logical errors in some of the most formally adopted (incl legal) standards and laws, I suddenly realised:

In these times of easily provable easy de-anonymisation of even the most protective homomorphic encryption multiplied with the ease of de-anonymisation throught data correlation of even the most innocent data points, all even the most innocent data points/elements must (not should) be classified at the highest sensitivity levels so why classifiy data ..!?

This may not be a popular point, but that doesn’t make it less true.
In similar vein, in European context where one is only to process data in the first place if (big if) there is no alternative and one can process for the Original intent and purpose only,

To prevent data from unauthorised disclosure internally or externally, without tight need-to-know/need-to-use IAM implementation, one already does too little; with, enough.

That’s right; ‘internal use only’ is waaay too sloppy hence illegal — it breaks the legal requirement for due (sic) protection, and if the use of data is, ‘by negligence’ not changing a thing here, let possible, the European privacy directive (and its currently active precursors) do not allow you to even have the data. This may be a stretch but is still understandable and valid once you take the effort to think it through a bit.
Maybe also not too popular.

Needless to say that both points will not be understood the least by all the ‘privacy officer’ types that have rote learned the laws and regulations, but have no experience/clue how to actually use those in practice and just wave legal ‘arguments’ (quod non) around as if that their (song and) dance is the end purpose of the organisation but cannot answer even the most simple questions re allowablity of some data/processing with anything that logically or linguistically approaches clarity. [Note the ‘or’ is a logical one, not the sometimes interpreted xor that the too-simpletons (incl ‘privacy officers’) interpret but don’t know exists.]

OK. So far, no good. Plus:

[Not a fortress, nor a real maze once you see the structure; Valencia]