Let’s celebrate (with) a contest for the dumbest security

On this celebration day (for me/us), let’s instate an annual contest — over the most precise prediction of the dumbest information security breach of the upcoming year.
So, the following:

  • Your prediction, storified (½ – 1 page, at most slightly formatted);
  • Realistic, i.e., a combination of dumb and dumber, and stupid and worse, of (non)actions and responses, on the attack and ‘defense’ sides. Realistic, but keep it realistic…;
  • Hence, do include lots of cyberhere, cyberthere, cybereverywhere and only a little bit of #ditchcyber …;
  • Deadline: 1 January 2016;
  • The predictive element means that no sign of the thing actually occurring yet may be found in the (whatever medium) press already;
  • Prize… ah, there you go. I’ll try to figure out a way to ship a bottle of the finest champagne to the winner;
  • No discussions about my judgement.

Well, off for now. Have fun:
[Photo DSC_0161: Shaky ground (huh, just photographer’s lack of proper alignment due to hurry); somewhat relevant, in the opposite (of today)]

Cyber ‘Nam

OK… As you know I wouldn’t be the war monger re ‘cyber’ warfare. And don’t have the answers — neither do you! — but have searched and asked for them; see past posts (numerous).
This one is more about how the campaigns and battles are fought. Full cyberstatefulfirewallcomplexmonitoringNOCSOC jacket style, out there in the field. (Privacy) protesters at home, safely away from the danger. Some top brass (‘generals die in bed’) ordering your data forward, hardly trained/hardened or crypto protected, and blaming shoddy execution and wily counterparts. The traumatised demobilised db admin not wanting to shoot down even a deer-like referential integrity violation. Et cetera. Feel free to add to the comparison. E.g., how things will develop. Or– how things would have to work out if, huge if, for once history is learnt from.

Oh well. @CyberTaters and @cyberXpert will have their way. And #ditchcyber. And this:
[Photo DSC_0122: Will be.]

A sobering thought

Actually, not one but a great many sobering thoughts, in this great piece: What They Don’t Teach You in “Thinking Like the Enemy” Class. In a high-quality series.

To which one might add … not too much. Maybe the 100%-is-infeasible line, and Schneier’s Return of the Security (is..?) Theatre trope. Oh, and the one that has still taken far too little root; the deperimetrisation-means-you-need-to-focus-on-information-not-the-fortress aspect that has been around for a decade already but still has hardly been implemented properly.

Or, we redesign the world. Somehow, we need to get into the mindsets of the global populace – that so far hasn’t been standardised to any degree; happily! for cultural diversity hence overall societal flexibility, development and progress … – to accept that after human development was pushed by physical wars for all of its existence so far, we have arrived at a new round of warfare innovation. After the man-to-man (sic) manual combat, and the ethically despicable practice of not even seeing the Other in the eye individually that gunpowder brought on – glossing over the trebuchet-and-others long-distance hurtling and archers’ reach –, we are now engaging not only in drone-led warfare (distance being even greater), but also in this: humans not being the soldiers anymore; that part being taken over by the robot. By which I don’t mean humanoid robots – why even bother – nor masses of stand-alone AI. But rather, unembodied A(S)I that operates on any platforms together, creating resilience not by numbers of clones but by moving swiftly over servers by having been virtualised at various levels of conceptuality, as they are compounded-mem complexes battling each other evolutionarily. And still aiming at humans.

…? Well, what’s the purpose, otherwise ..!?

Which is far off from where this post started. And foregoing the intermediary step I wanted to write up; where ideas cleverly capture (numb, dumb?) people and ‘ideologies’ fight each other for global dominance. With all sorts of ‘neat’ (quod non) tricks. But [w|h]ell… and this:
[Photo DSCN8626cut: All humans removed from picture. Naturally]

Short post: Offense on the Defense

Apart from love, here too all is fair. Hence, the offense may be pushed into defense every once in a while. Yes, think that one through.
Or, that is misinterpreting it. Offense and defense do a danse macabre while the content fights out at higher abstraction levels. Think that one through ..!

[Edited to add: this link, and this one. Others apply as well.]

OK, ’nuff for now, and this:
[Photo DSC_0705: Not even unique, as a NY wedgie; only just (…) the prettiest]

Preventing detection

At last, there’s a resurgence of non-preventative infosec (#ditchcyber) efforts. As, e.g., here (in Dutch though the orig would be Engrish ..?) and here (a decent one, almost making the right point; co-typical ..? and on second reading, a bit empty of actual actionable advice). Hinting at leaving the Prevention Imperative and refocusing on Resilience.
Because ‘deperimetrisation’ may have clouded the longer-term, more strategic failure of locking oneself in and shooing away the so grossly underestimated enemies by one’s own utterly ridiculous overestimation of … authority, power, capabilities and competences, considered-self-evident importance (quod non…). The dumb not realising how dumb they actually are…

We’ve said this before, over and over again. And we’ll say it again. Because the Laggards (hey remember yesterday’s post?) still haven’t got it, deeply enough into their veins.

But, we have a start of that at last. Why only now? Because even the most conservative (sic) can no longer hold the fort (sic) of box-shipping at all levels? Anyway:
[Photo DSC_0804: Rebound into the heavens!]

Why ‘cyber’s still a dud

[Oh yes @CyberTaters will warp the pings re this post. And #ditchcyber!]

For one, all (sic) of ‘cybersecurity’ (quod non) is incomprehensible to those that consider themselves ‘leaders’ in one way or another in practices where actual infosec should be top of mind. Since the (for quite too large a part) despicable mice (of this story) don’t see their own folly, these kindergarten emperors will be found to wear their new clothes well… but not ‘get’ what it takes to start developing ideas how to actually lead in the infosec field. Starting with debunking Internet myths and hype-FUD but also starting the sea changes needed to achieve something (if maybe not everything).

For another, since all the hype-FUD only leads to Technology focusing, where those that would still not have thus-focused houses on order should be fired; decades of developments would have to have been easily dealt with – though it is rocket science, it’s hence not that hard. Hey, designing and building a probe to Pluto, isn’t there an app for that?
Leaving the other 99.9% (well…) of work in the area of People (and don’t start me on Process..! see my posts over the past couple of weeks). Which, even if it would be understood what needs to be done in that field, would be known to be near impossible to pull off, let alone in the short term.

Hence by simple (?) logic, ‘cyber’whatever is a dud.

Sobering:
[Photo DSCN2508: You know where, or not; every corner needs to be beautiful…]

Scaling ‘security’

Availability: 99.9% (per year).
‘Security’ (the C, the I) … nothing. Or, the infeasible 100.0% XOR nothing.

We may have a major issue here…

Well, we do have OSSTMM on one hand, and the seriously innovative, very important Secrecy stuff on the other.
But can we answer the question “How secure are we?”..? Indeed, OSSTMM gives us a number – for the operational and technical elements. How ’bout integrating the tactical, strategic, and non-tech stuff like hooman behaviour ..? And still make it somewhat understandable to the clueless (Csomethings and others involved in the utterly useless nonsensical area designated by the pejorative joke label ‘governance’; all with the exceptions acknowledged of course); other than the above % per year estimates that are interpreted so badly..!
Oh and things like failure rates from e.g., FMEA, as presented like ‘dam can stand a one-in-a-thousand-year flood’ also don’t work – dam can break today, and tomorrow, and the statistic may very well still be valid!

Maybe it’s key to first find how to whack the “1-in-1000yrs means I don’t have to worry for another 999 years” fallacy. Psychology it is, but so security should be..! As many of Bruce Schneier-et-al’s posts prove (?), FUD and other angles fail so miserably.
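To make the “1-in-1000yrs” fallacy and the misread “% per year” figures concrete, here is a small worked example, added here and not part of the original post. It assumes the simplest model the statistic can mean (independent years, constant annual probability) and shows why a 0.1% annual chance gives no quiet stretch of 999 years, and why 99.9% availability still buys almost nine hours of outage a year. The function and variable names are my own.

```python
"""Worked example of per-year security/availability figures (added example).

Model assumption (labelled as such): each year the event (flood, breach,
outage) occurs independently with the same probability p. Under that model
the years are memoryless: a long quiet run tells you nothing about next year.
"""

HOURS_PER_YEAR = 365 * 24  # 8760 h; a non-leap year, for a simple figure


def annual_probability_from_return_period(return_period_years: float) -> float:
    """'One-in-N-years' expressed as the chance of the event in any single year."""
    return 1.0 / return_period_years


def probability_at_least_once(p_per_year: float, years: int) -> float:
    """Chance the event happens at least once within `years` independent years."""
    return 1.0 - (1.0 - p_per_year) ** years


def probability_next_year_after_quiet_run(p_per_year: float, quiet_years: int) -> float:
    """Under the independence assumption the quiet run does not change next year's odds.

    `quiet_years` is accepted only to make the point explicit: it is unused.
    """
    del quiet_years  # memoryless: history of quiet years is irrelevant here
    return p_per_year


def downtime_hours_per_year(availability: float) -> float:
    """Outage budget implied by an availability figure such as 0.999 (99.9%)."""
    return (1.0 - availability) * HOURS_PER_YEAR


if __name__ == "__main__":
    p = annual_probability_from_return_period(1000)  # 'one-in-a-thousand-year flood'
    print(f"chance this year:            {p:.3%}")
    print(f"chance within 10 years:      {probability_at_least_once(p, 10):.2%}")
    print(f"chance within 100 years:     {probability_at_least_once(p, 100):.2%}")
    print(f"chance within 1000 years:    {probability_at_least_once(p, 1000):.2%}")
    print(f"chance next year after 999 quiet ones: "
          f"{probability_next_year_after_quiet_run(p, 999):.3%}")
    print(f"99.9% availability allows {downtime_hours_per_year(0.999):.2f} h of outage per year")
```

Note that over the full thousand-year horizon the “once in a thousand years” event is only about 63% likely to have happened at all, and that it is exactly as likely tomorrow as it was yesterday; the statistic describes a rate, not a schedule.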

The time (decades) we’ll need to turn around the psychos allows us some leeway to develop suitable Scale(s?) of Security. But let’s not wait for the end of those decades before embarking on the exploratory first steps of that. Your suggestions, please, today.

[Edited ahead of posting, to add: This here piece on the (declining) half-life of secrets; definitely something to include in the above ‘metrics’. ..?]

For the eye candy:
[Photo DSCN4499: Zurenborg again, slightly edited – who’ll do the colour corrections for me?]

The need for a new security framework

… I feel the need for it. A new security framework.

Because what we have, is based on outdated models. Of security. Of organisations. Of how the world turns.
Bureaucracy doesn’t cut it no more. The very idea of hierarchically stacked framework sets (COSO/CObIT/ISO27k1:2013/…) likewise, is stale.
And the bottom-up frameworks en vogue, e.g., OSSTMM (if you don’t know what that is all (sic) about, go in shame and find out!) and core work like Vicente Aceituno Canal’s, haven’t found traction enough yet, nor are they integrated soundly enough (yet!!) into further bottom-up overarching approaches. Ditching the word ‘framework’ as that is tainted.

But what then? At least, OSSTMM. And physical security. And SMAC. And IoT. And Privacy (European style, full 100.0%, mandatory). And business-organising disruption, exploded labour markets, geopolitics, et al.

OK. Who of you has pointers to such an Utopia ..? [Dystopian angles intended]

Unrelated:
[Photo DSCN6146: Your guess. Not Nancy. But is it Reims ..?]

I am not me. Myself: nope, neither.

Now that infosec has come to lean so much on the People side of things – as in theory all things Tech have been solved, for decades already, just not implemented to any degree of seriousness..! and ‘process’ having been exposed as utter nonsense ‘management’ babble – it is strange to see that psychology hasn’t come to the fore much, much more. Even when pundits and others, and the minions like Yours Truly even, have posted over and over again that no tech system however perfect can stand the assault through, e.g., casual negligence and inattentive error, let alone gullibility and other vices.

E.g., in the area of IAM. Where I, the construct, the behind-the-persona ego I recognise as such, is constantly changing. In my case, developing fast, forward, up. In your case… well, let’s be nice to one another so I’ll remain silent.
And all sorts of avatars are developing as substitute for you and me within systems. See, with AI mushrooming lately, avatar ‘development’ may quite easily, soon, surpass ‘you’ in being ..?

Back to the story line: It’s just not userIDs anymore; context-aware and -inclusive, capability- and rights-attached constructs they are, and integrating with the Avatar Movement (Rise of the Machines, yes) to morph into actual beings that might soon pass Turing for comparability to/with humanoid identities. We’ll be on equal footing, then, or soon after, bland dumbed-down versions of personas/egos.

But How Is This Relevant … Ah, the clue of today’s post: Because social engineering, phishing etc. play on the weaknesses of humans to be able to impersonate. So, either stop the weaknesses (as vulnerabilities; eternally impossible) logical-OR stop the impersonation (the assumption of avatars/personas by attackers; taking down their masks). The latter, by at least being aware that the avatar, the persona, isn’t the actual person. How to get that into systems, and at the same time recognising ‘actual’ avatars/personas i.e., the link between those and the right real persons behind the masks even when considering through human weakness the persona has been ‘compromised’ …? That will solve so many infosec troubles…
But heyhey, I don’t have a clue like you do. Or do you ..? Very much would like to hear ..!

[Edited to add before publishing: Hold Press; include this on behavioural stuff]

[Photo DSCN2608: “Riga”..? Aptly French?]

Maverisk / Étoiles du Nord