The year of IT is no more Department

Or, once upon a long, long time ago in a land far, far away, there was IT, the hero department that ruled over all of information processing. Because information processing was a strange and dangerous thing and if you chopped off one security flaw, seven others would be introduced. So, the IT department was well-trained in keeping the architecture-and-infrastructure beast alive, with all its fresh new and old legacy body parts, fed every now and then with a fair maiden project.

Oh how things evolved. Lately (being the past couple of decades), the department was split, incompletely, between Development/Maintenance, and Operations. Things were run with ITIL and CobIT — as In Name Only as PINO was to the Prince, II.

The INO part was audited throughout (see previous post), but without anyone really caring about the outcomes. No, not even regulators, who are so devoid of true understanding that the qualification ‘parasite’ isn’t too far off.

And now, there’s a slow but steady breakthrough of bands of liberators. Deperimetrisation, socmed, cloud, Big Data, flex work(place), hackers-contra-cyber (#ditchcyber), … the many-headed Central Scrutiniser is sprayed with acid from all sides and is slowly shrunk. Some softly wail for mercy, to not much avail. Maybe an embrace of Sloterdijk’s Part III foams may help.

Ah, I’m not positive but can be — at least, life will remain in the body that is infrastructure management (-coordination) and incident management, etc.

First, this:
[image]

Then, this:
[image]

[Outsourcing basic shopping to the experts at Milan]

Low standards

The compliance check-box approach is an atrocious thing, for and to many things and reasons, but has been induced by the very growth of the industry: all margin calls on controls and on the achievement of control objectives have been wiped out, and no one dares to make, or has the experience to make, margin calls anymore. How low can your standards of professionalism dive?

Sic transit gloria mundi; the trade once was a veritable gentleman’s (M/F/~) affair, for one put up one’s honour and good name (and standing including life, liberty, welfare and happiness) for the value of the second opinion over the full width of the (opinion about subject matter) playing field.
But one’s good name is no more. Men are no longer honourable, virtue isn’t a thing anymore; pluto reigns, in particular at 1600 Penn Ave — the demise of humanity. In the coming years, the standards will follow, having deteriorated from standards to hold Men to, to straitjackets most easily escaped from by surreptitiously gaming the system, making the system the mockery of men. I repeat myself.

But ideals, values, virtue and all things principle-based will resurface; if only trivially, since the now resurgent risk-management approach would not work otherwise. Value is already returning to the expert who dares to make the call and not fold on details.
Hence, new standards will emerge: pure-principles lists, no nitty-gritty stuff, to be audited against by knowledgeable advisors that can relate sample controls and control frameworks to the principles and back. The ISO 27001/27002 divide, but strengthened and widened.

About the latter; the renewed gap between principles and samples, will also allow auditors more flex when determining their audit approach as in next week’s post ;-|

By the way, the Dutch may read a bit on the same issue, au fond, and some pointers to solutions, if they’d work (put hypothetically for a reason), in this here piece, released after my draft of the above.

Oh, and:
[image]
[A winery, of course; Douro valley]

Cyberprevention

Just a signal, of a new movement. Which isn’t.

  • For one, the -prevention — doomed from the [ word Go | – part ]. Which becomes less and less valid. Yes, some deterrent actions may help, but one better focus on the fact of future break-ins… And act accordingly — much more efficient for almost all. Take the 1st graph of this, and weep / go / the rest of it, too.
  • For two, ‘cyber’ … #ditchcyber nails it, in the Manifesto.

Yes that’ll be all for today, including:
[image]
[So, you can #ditchcyber, too]

Oops, there it is! (now you don’t, see it)

Suddenly, there it is, almost as if it’s something new … Malware using stego, as if it might still surprise anyone whereas of course there already was this, and this, and this and this.
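Added example, not code from the post nor from any of the malware it alludes to: a minimal LSB embed/extract over a constructed byte array standing in for one channel of an uncompressed image, plus the pairs-of-values chi-square check that shows why an embedded region is detectable whatever the file type or the ad blocker says. Cover, payload and all names are constructed for this illustration.

```python
"""LSB steganography: embed, extract and a pairs-of-values check.

Added example; not code from the original page. The cover is a constructed
byte array standing in for one colour channel of an uncompressed image, not
real image data, and the payload is deterministic pseudo-random bytes standing
in for an encrypted second-stage blob.
"""
import hashlib


def make_cover(n: int = 4096) -> bytes:
    # Constructed cover: a slow ramp in which even values outnumber odd 3:1,
    # the kind of LSB bias a statistical detector exploits. Not a real image.
    return bytes(((i // 16) * 2 + (1 if i % 4 == 0 else 0)) % 256 for i in range(n))


def make_payload(nbytes: int = 128) -> bytes:
    # Constructed payload: hash-chain output, statistically like ciphertext.
    chunks = b"".join(hashlib.sha256(b"stage2-%d" % i).digest() for i in range(nbytes // 32 + 1))
    return chunks[:nbytes]


def _bits(data: bytes):
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def _unbits(carrier: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(carrier) - len(carrier) % 8, 8):
        value = 0
        for byte in carrier[i:i + 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length header plus payload into the LSB of successive cover bytes."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(data)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    """Inverse of embed: read the length header, then that many payload bytes."""
    length = int.from_bytes(_unbits(stego[:32]), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds carrier")
    return _unbits(stego[32:32 + length * 8])


def embedded_span(payload: bytes) -> int:
    """Number of cover bytes embed() touches for this payload (header included)."""
    return (4 + len(payload)) * 8


def pov_chi_square(data: bytes) -> float:
    """Pairs-of-values statistic (Westfeld/Pfitzmann). LSB embedding of
    random-looking bits equalises the histogram counts of each (2k, 2k+1)
    pair, so the statistic collapses over the embedded region."""
    hist = [0] * 256
    for byte in data:
        hist[byte] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi


if __name__ == "__main__":
    cover, payload = make_cover(), make_payload()
    stego = embed(cover, payload)
    span = embedded_span(payload)
    assert extract(stego) == payload
    print("cover chi2 over embedded span:", round(pov_chi_square(cover[:span]), 1))
    print("stego chi2 over embedded span:", round(pov_chi_square(stego[:span]), 1))
```

Run stand-alone it prints the statistic over the first 1056 bytes of cover and stego: the cover scores 264 by construction, the stego region drops to well under half of that, which is the signature the check looks for. Against real images the cover bias is weaker and the test is run over sliding windows rather than one known span, but the mechanism is the same, and it works on decoded pixels regardless of container format.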

What next? Even smarter ad blockers ..? Will not work, as the latter are only in use with the smarter part of the bunch. And smarter ad blockers will be installed by even fewer, as the pay-off is less visible (timely enough).

No, what’s next is first an armageddon [Warning: cultural notion; I propose to use the more profound Ragnarök], of which the result hopefully … is that ads will be marginalised. A great many a socmed platform (looking at you, $FB and other (sic) unicorns) may (signifying possibility and hope) go asunder, as ads are their value, period.

Then, hopefully, Yggdrasil will grow again. E.g., with truly egalitarian platforms; truly global (though that aspect may not have been sunk in the great flood) and free, meaning that also, the trolls can be captured and ring-fenced and not destroy some or many or the platforms / -ideas.

How philosophical one can get in dreams/dreaming, how far off today is the better-than-today’s-should-have-been.

Plus:
[image]

[All sorts of meta-info (‘nothing to protect here, just move on’ / ‘I can see you but you can’t see me’ et al.); Segovia or what was it]

The CyberDarwins

As we’re nearing the end of the year (Western calendar, others not spoiling the party — learning point), we draw towards the ‘people being stupid with fireworks’ scenes that are oh so similar to the ‘people managing systems’ situation. The former focus on the most beautiful display and/or the loudest Bang; the latter do the same, if you think of it.
The former, with latent recognition of ‘safety’, also re bystanders and collateral injuries, possibly grave or life-, liberty- and happiness-threatening. The latter, with a desperate few considering ‘security’ and ‘privacy’, and even fewer thinking of collateral damage and implicit injuries and infractions to life, liberty and happiness — if you think that’s overrated, have your ID stolen.

The former has the Darwin Awards, for those that improve the gene pool by taking themselves out of it.
The latter, none such yet.

That’s where I aim:
Shouldn’t we instate the CyberDarwin Awards (acknowledging #ditchcyber), for the most egregious (i.e., outrageous, glaring, flagrant) mindlessness in information security in the widest sense, flying in the face of basic common decent thinking?
So that by their occurrence, the candidates volunteer to be taken out of the connected environment which, being their oxygen, improves what’s left (the most).

I have no idea how to pull this off; there should be some sort of portal where candidates may be proposed and results be displayed for common laughter but who will build and maintain such a thing before it can become a success, advertisers will flock in droves to sponsor for ads, and I take over again to reap all the financial benefits… #helpappreciated

And:
[image]
[This has zero relevance. Toronto]

No C3PO, just PO

Chapter IV, Section 4, Article 37(1)(b) of the General Data (sic) Protection Regulation ‘of 2018’ (sic): when the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, the appointment of a Functionary for Data Protection (the Data Protection Officer, DPO) is mandatory.
Yes, this can include organisations whose business runs on web analytics and tracking; the test is whether such monitoring is a core activity and at large scale (Recital 97 excludes processing that is merely ancillary). No, there is no threshold of 250 or 500 staff minimum; that headcount criterion lived in earlier drafts only.
But hey, there are arrangements to hire a Functionary — Privacy Officer works better — for less than full-time or on an (on-going) assignment basis. Come to think of it, the mandatory independence of the PO (party commissioner, anyone?) may sit better with a hired hand/consultant than with someone on the payroll.
Still, one better study the task list for such a PO. Not a C3PO… The bumbling-through, overly decent butler is not quite the role model you’d want. Or… you’d want the PO to be such, a harmless nuisance. But then you waste the PO and budget, and will still be vulnerable. The common Anglo-Saxon (hopefully -only, but doubtful) approach that if something goes wrong, you fire the sitting-duck scapegoat and hey presto, no more worries, all are done and satisfied and no damage’s done, will not work here, if it ever did. On the contrary: purposeful negligence, wrongful act, et al., may easily be construed, so that the misfortune of all your employees, clients etc. resulting from long-term mismanagement (still a capital offense…! Oh, why can’t we jail all the white-collar criminals) will fall on the Board for once; the last paragraph of this applies.

To return to the positive: when arranged well, some things in business may have to change, but overall both your processing will run more smoothly (sic) and your public posture will improve (leading to improved data quality, new clients, and the world is yours, right?).
So, draft a PO Charter and hire me.

Plus:
[image]
[Back in the days before live-cams…]

Free standards

… How on earth is it possible that a great many dinosaurs still ‘issue’ standards — this, triggered by this — that are fully paid for by tax money, and still one would have to pay for a simple PDF download? What about the law; would one have to pay to know that, too??

Morons.

Apologies to the faint of complexity who might have been taken aback by my, of all decent people, use of that word, which has some strength attached to it through its sparse use against common decency. But you get my drift.
And:
[image]
[Not paying for their undeserved study trip (a lie, too); Curaçao]

Errors of Your / Machine Learning

Any progress on the front of Machine Learning, i.e., the comparison with how and what humans learn from various teaching formats, how machines are better at rote learning et al., and how the perfection of machines learning facts reflects on what is data processing, what is intelligence, and what is wisdom ..? Where the latter is the area into which we of course retreat ever more, but without the foundation of a lifelong of learning and experience ..?

[Intermission: Anyone out there still holding on to the ‘you only learn from experience, which is making errors and surviving’? What were so many years of school all about; you’re still no further with calculus than 1+1 equals something more than one — the max you can learn from ‘experience’ … How did you ‘experience’ History, Science ..? Apparently, there’s quite a base of facts to learn, even (or more?? contra The Shallows) in times of Google. Or you’ll be the doofus that can not (sic) learn to be intelligent nor wise, and will make any and all rookie mistakes in all situations everywhere, over and over again.
Seems like the base of learning grows steadily — exponentially…]

Notwithstanding that the road (path) to wisdom is through experience … which would ever less be available when machines start to take over the simple, the foundations (qua operationality of work-as-labour), and then the next stage, etc. (since none will be experienced enough to succeed the pensionados that still have that subsequent level of understanding). Leaving the abstract thinkers ever more loose in the sky. Hey, that’s what’s happening with accountancy, if the industry doesn’t move fast. And will happen everywhere.

But back to the main point: Has Watson-class learning (AlphaGo/DeepMind/Brain (sic), … no, not Siri you m.r.n) taught us anything about learning, and/or have we changed learning since machines took over parts of rote learning? Have we changed our view on learning, intelligence, wisdom?

To the disappointed, apologies go; nothing here on how machine learning could lead to the unethics of Computer Says No… Too much of a mer à boire qua research — see here.

Plus:
[image]
[Steep, to enlightenment; Girona]

Retrofitting IoT Security

Pitch before I did the idea that for a while be with us will Legacy IoT be, here.
But what about stubbing around it? Developing cheap and easy security solutions (necessarily so, since they must be backwards compatible by definition) that can be plugged onto old IoT stuff.
What d’ya reckon: are we too far gone with old IoT and economically having to keep that alive, or is there sufficiently much more recent stuff to attempt such a thing (and ring-fence the real cr.p)..?

I’m not completely sure how one would approach this thing technically, but cannot imagine that there aren’t solution models around like, potentially, some form of hardened (lean and mean and armour-coated) enterprise IoT bus thing, possibly with security zones, et al., similar to the obvious and hopefully ubiquitous separation of office automation (why isn’t SAP dead yet? This, some time ago. Oh, it might be useful to set up separate mandates to ‘run’ factories, yes, which was its original purpose, right; what did E-R-P stand for ..?) from process automation, and within the latter, of supervisory control from operational (close-in) control, engineering-wise, but then with subsets for safe/unsafe hardware.
The isolation stubs could then act as gatekeepers between zones, between the potentially safe and the legacy most-probably-unsafe.

Though I suspect that the ‘zones’ will have to ‘air’-gap at many network layers, including towards the physical end of OSI, meaning that higher up the stack the gaps will have to be wider, not narrower: a gatekeeper that filters application-layer commands is pointless if the legacy segment is still reachable at L2/L3 around it. Why is this so often overlooked ..?
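Added example, not code from the post or from any product, of what the application-layer half of such an isolation stub looks like for legacy Modbus/TCP gear: parse the frame, check it against a per-zone policy, and forward or drop with a loggable reason. The zone names, the policy table, the known-unit list and the maintenance-window flag are assumptions made for this illustration; the MBAP header layout and the function codes are the public Modbus/TCP specification. It does nothing for the lower layers, which still need their own segregation (VLAN, firewall, physical), as the paragraph above argues.

```python
"""Zone gatekeeper for legacy Modbus/TCP devices.

Added example, not code from the post or from any product. Zone names,
POLICY, KNOWN_UNITS and the maintenance flag are assumptions for this
illustration; header layout and function codes follow the public
Modbus/TCP specification.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Public Modbus function codes.
READ_FUNCS = {1, 2, 3, 4}        # coils, discrete inputs, holding regs, input regs
WRITE_FUNCS = {5, 6, 15, 16}     # single/multiple coil and register writes

# Assumed zone model: who may reach the legacy devices, and with what.
POLICY: dict[tuple[str, str], set[int]] = {
    ("scada", "legacy"): READ_FUNCS,                      # supervisory view: read-only
    ("engineering", "legacy"): READ_FUNCS | WRITE_FUNCS,  # writes, but only in a maintenance window
}
# Assumed: the unit ids that actually exist behind the gate; anything else is probing.
KNOWN_UNITS = {1, 2}


@dataclass(frozen=True)
class Frame:
    transaction_id: int
    unit_id: int
    function: int
    pdu_data: bytes


def parse_mbap(raw: bytes) -> Frame:
    """Parse a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(raw) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(raw) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return Frame(tid, unit, raw[7], raw[8:])


def gate(src_zone: str, dst_zone: str, raw: bytes, maintenance: bool = False) -> tuple[bool, str]:
    """Decide whether to forward a frame from src_zone to dst_zone.

    Returns (allowed, reason); the reason is the line you would log."""
    try:
        frame = parse_mbap(raw)
    except ValueError as exc:
        return False, f"drop: malformed ({exc})"
    allowed = POLICY.get((src_zone, dst_zone))
    if allowed is None:
        return False, f"drop: no path from {src_zone} to {dst_zone}"
    if frame.unit_id not in KNOWN_UNITS:
        return False, f"drop: unknown unit id {frame.unit_id}"
    if frame.function not in allowed:
        return False, f"drop: function {frame.function} not permitted for {src_zone}"
    if frame.function in WRITE_FUNCS and not maintenance:
        return False, f"drop: write (function {frame.function}) outside maintenance window"
    return True, f"forward: function {frame.function} to unit {frame.unit_id} (tid {frame.transaction_id})"


# Constructed sample traffic, not captured from any site.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # read 10 holding regs, unit 1
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0000 1234")  # write 0x1234 to reg 0, unit 1
MALFORMED = bytes.fromhex("0003 0000 0009 01 03 0000 000a")     # length field lies
PROBE_UNIT = bytes.fromhex("0004 0000 0006 09 03 0000 0001")    # unit 9 does not exist


def demo() -> list[tuple[bool, str]]:
    return [
        gate("scada", "legacy", READ_HOLDING),
        gate("scada", "legacy", WRITE_SINGLE),
        gate("engineering", "legacy", WRITE_SINGLE),
        gate("engineering", "legacy", WRITE_SINGLE, maintenance=True),
        gate("office", "legacy", READ_HOLDING),
        gate("scada", "legacy", MALFORMED),
        gate("scada", "legacy", PROBE_UNIT),
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ALLOW" if ok else "DENY ", why)
```

The point of returning a reason for every drop is that the stub doubles as the sensor the legacy device cannot be: a burst of ‘unknown unit id’ or ‘write outside maintenance window’ lines is the earliest signal you will get that something in the office zone has found its way to the plant side.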

On a separate end note: Where are the wares that should have followed the scares, i.e., we have had a couple of years (yes) now of IoT scares; have the vendors truly stepped in or was it just window dressing e.g., dole out some monitoring tools and good luck with it..?

Progress… and:
[image]
[See? Engineering is beautiful; Brussels]

Temporary Awareness

A call for poignant pointers.

You may be aware that research is on-going (among others, by Yours Truly) in the area of sustained ‘security awareness’ — a misnomer for security habit change. Which is driven by psychological stuff like everyone’s individuality, everyone’s individual circumstances (not only at work, not only formal short/medium term) and everyone’s learning and operating style and preferences. And hence, habit change would also have to cater for all these differences. One-time ‘awareness training’ (sic), yeah, right on.

Still, such would be a somewhat valid approach … for perm staff.
Not for infrequent visitors, like your garden-variety (IS) auditor, who drops in every now and then and still has access to sensitive data; on purpose or not, benign or malign leakage or not.
Not for temps, interns et al., who are around too short for true awareness to sink to the back of the head, for instinct reflexes (oh, ideal). Or the induction program would be a grilling drill; counter-productive.
Not, and this is where my problem mostly is, for third-party staff, who primarily work for the vendor and have other KPIs than client security — at least, higher on their agendas. They come in (physically or remotely), do their thing that hooks quite deep into your operational processes (physically like cleaners and installers, logically through e.g., software and parameter updates), almost always at arm’s length control with still their other KPIs first, and then leave you possibly vulnerable or robbed, with the full accountability yours but without grip on the actual operations that took place.

Apart from the platitudes of requiring transparent compliance with all your security policies (purely hypothetically, IF you’d be able to find and collect them, they’d be sorely outdated, and 50% or more wouldn’t be applicable, but you have no clue which 50%), what about the above-mentioned change to good-enough habits ..?
Your input would be much appreciated…

Also:
[image]
[Temp attention, eternal bliss; Syracuse]

Maverisk / Étoiles du Nord