AVG is the Law

If you wondered whether (if?) I’ve gone berserk and declared some little anti-malware tool to be officially authorised: No. What then? A Yes. Because whenever you read ‘AVG’ in relation to the Netherlands, you’ll find it’s the Law indeed: the Dutch rendering of the GDPR. And full of the lawyers’ stuff on detail, demonstrating incapacity to understand the issues that the GDPR was originally trying to tackle. Of course, these got watered down to ineffectiveness before even being officially issued (and that’s not per 25/5/2018; that date is already behind us ..!!). So we find ourselves now in a struggle on all sides for clarity and practically viable interpretations, vis-à-vis some specific law. From a legal perspective, this might work; just wait for jurisprudence (authoritative case law) and all will become clear. From every other of the asymptotically-infinite number of sides (don’t even try to explain that to the eager beavers among various parties), jurisprudence means the death of their organisation and of all employment that goes along with and is built upon it, including the livelihoods and perspectives for a decently doable pursuit of happiness of the employees and their (extended) families involved.
So NO, you cannot leave things to jurisprudence, to case law. Modern society has moved far beyond that, leaving all who trail in understanding it in the dust of ignominy and ridicule. We the People (of the EU++, and of the world affected) need clarity upfront.

Awwww, this is turning into a rant. Which wasn’t the purpose, which was just to point out the irony of one anti-malware maker’s name now being wrung into something of a laughing-stock [ with a ? or a ! ].
Oh, plus:

[(From analog to digital when the latter wasn’t much good yet) sinking into the landscape, this time perfectly as intended, not out of shame; Melvyn Maxwell and Sara Stein Smith House, Bloomfield Hills MI]

New nav skills

Was reading this article about how some people (men too, very much so) just can’t get their brains to function decently in the navigation area. I.e., some just can’t ‘automatically’ find their way around familiar streets and areas of their home town/city, wrestle with maps (you know, the real deal, on paper; by definition the easiest/best way to re-fold them is differently), and get lost.

Which is (not!) funny in its own right, just as it is funny to laugh about people with fewer capabilities in other mental areas – not. Why do such people so often positively pride themselves in their failures? Essay question for ten points, in 100 words or less: explain why that solicits and causes the ridicule.

But here (sic; know where…), my question is: Does such variance in spatial capabilities translate to variance in navigational capabilities on-line ..? And how would you measure that; how to a. translate a spatial, Euclidean sense of direction and place to the virtual 0D world and b. measure it in the virtual world ..?

Awaiting your answers, I’ll surf to better turf and enjoy not being lost ..! Plus:

[Mock transparency; Barça]

No news is not good news

Anyone know why we haven’t heard too much about Bellingcat lately ..? You know, the ones so ultimately objective that all sides may have gripes against them and uses for them and their analysis ..?
I wondered because there’s so much going on around the world where their analysis would give better insights – and there is all sorts of new stuff on their site – that it is surprising to see no news channels pick that up.

Or is the world so full of itself and of fake news that the masses are utterly numbed ..?

Plus:

[For a calm life, go here; Toronto]

Compare the innovation fruits apples and oranges, please

How is it that long-standing discussion-stoppers persist ..? Take, for the sake of argument and for reason of being the raison d’être of this post, the common “One shouldn’t compare apples and oranges”. Or ‘with’, or ‘to’.
What fun is there in comparing apples to apples ..? Since the various varieties are still very much alike, the attention will go to the (certainly relatively) minor differences, losing the bigger picture. Even when including crabapples, mostly it isn’t worth the trouble. Except for a few experts.
Enter oranges.
They are so different (well, overall; there are also many commonalities, like being in your fruit salad with other fruits like tomatoes oh wait) that at once, both the main lines and the subtleties of differences can be discussed. Because one compares in order to discuss, right? If not, just don’t compare anything and sit there like a plant.

Actually, this whole post is about the realisation that in business or other organisational life, we should do both when it comes to innovation. There, tradition has it that one competes in apples-only markets. Slight differences are sought out, and marketed, as significant whereas usually, they’re not.
Until some orange disruptor appears. Then suddenly, the picture changes – for proper analysis, one should compare the apples and the oranges, to see how they fit market demand including substitutes et al. And do follow that link to see at which touch points the surprise element rests. Or so.

Just sayin’. And:

[A morning’s comparison of premier cru and grand cru grapes, from Ludes towards Reims, is definitely worth the fine nuance ..!]

Extra, extra! A Fine!

It was bound to happen: Fines! For privacy violations! Oh how the Frightful Five shudder at the thought of these economic penalties that will bring down their businesses. Not so much. Is there anyone who thinks the fines will do better under the GDPR regime ..?

Kindergarten dreams. If all people are nice to each other there will be no more war and world peace. If GDPR kicks in …

Plus:

[An air of nice, just the air; not Nice but 4711 Cologne]

AI Blue-on-Blue

We keep on hearing these great things about how AI will help us in the battle against no-gooders qua information security. Like, in hunting for bugs in software (as asked for here, borne out in various much more recent cases – or rather, news items hinting at pilot/prototype vapourware) or hunting for fraudsters, possibly hiding in plain sight (superrrintelligent anomaly detection; unsure how false positives / false negatives are handled…).
Where on the Other side, great strides are also feared to be made. Deploying AI to improve (better fuzzify) attack vectors, and to help with improvements in evasion and intelligence gathering in various other ways.

Pitted against each other …
When you know what Blue On Blue stands for (friendly fire; the first of this), you will now see it coming, inevitably. What if autonomous (for speed of response!) retaliation kicks in, and each side’s AI classifies the other’s automated response as the next attack …?

Never mind. I’ll enjoy the fireworks show. Plus:

[Yeah, yeah, ships are safe in harbour but that’s not what they’re made for – I’ll just enjoy this view from a truly excellent restaurant; Marzamemi Sicily]

Stochastic culture (change)

This ‘personal research’ hobby of mine had taken me into the ‘From Security Awareness all the way to Behavioural Change’ alley(s).
Where it got stuck. Among others, through the realisation that ‘culture’ as such doesn’t exist, certainly not within larger organisations. Local cultures, yes. Overall cultures … maybe as the most degenerate common denominator; the more numbers you throw into a basket, the faster (asymptotically, but very fast) their greatest common denominator comes crashing down to 1.

In infosecland, it’s worse. To actually address and change the oft unconscious parts of personal culture (behaviour), one has to move away from organisation-wide awareness training (ouch, if you call it that, all are lost) into the realms of individual coaching, for each and every employee.

But then the stochastic cooling of particle physics rears its head, as a phrase that is. Can we somehow differentiate the to-be-learned from one-size-fits-all into separate sets of behaviours to be rote trained (in practical use; experienced) so that the sets become unconscious behaviour(s), and then overlay these transparent sets [Remember the ‘sheets’ you could stack on an overhead projector? You don’t – you don’t even know from a museum what an overhead projector is… Oh. ed.] over the organisation’s populace, according to / in relation to the expected need for such behaviour ..?

I’m rambling, as usual. Anyway:

[Not all grapes are evenly grown, still great wine is made without stochastics…; Valle dell’Acate]

Nationalistic AI fuzzing

No, this is not about fuzzing data. It is about accidentally giving away that you understand neither the subject nor the stats involved.
It is about this report. That was reacted on in various press – though not nearly enough, and I don’t even have shares – with some boilerplate country-by-country comparison, even without much in the way of conclusive calls to action, for all…

Also, hardly anyone notices the gross error in it all. Which is the lack of a proper definition of ‘AI’, or more expectedly, the widespread panicking brain freezes of the interviewed.
Which, summa summarum for brevity, created such massive distortions that the figures are grey noise at best.

“Isn’t that harsh ..?” Nope. I did some asking around, for a different purpose, and if even 1% of organisations were doing anything with AI yet, that 1% would already be rounded up. Ppl were just too afraid to tell the interviewers / pollsters that they had (have, probably) no. single. clue., and babbled their way out of it.

So, what was this title again of the infamous Public Enemy hit ..?
And:

[A prettified prison is your ASI future; Zuid-As Ams]

Deviate for Resilience

Well there’s an imperative. Deviate for resilience. Which goes waaay beyond mere ITCM or its linkage into BCM. What I mean here, though, is a reflection from the B(usiness) side into the IT side.
Once encountered when it was still supposedly somewhat ‘cool’ (as it was called in grandpa’s days) or so to work on … can you believe it, $AAPL infra. Where the Infosec staff had carved out a corner for themselves: that they’d actually need to deviate from corp policies (the devolved kind) of using M$ stuff, for alibi reasons of needing, in ITsec par excellence, a fall-back that would actually work when all of the M$ infra had collapsed due to some class-breaking glitch or exploit. Yeah. That meant you did need a substantial budget at your own discretion, without much transparency towards effectiveness of spend, and no gadget and toy buying, right?
Nowadays, the coolness, if ever it truly was (stupid sheeple), has worn off totally and is a tell for no comprendre qua cost/benefit analysis, sufficient tech-savviness to cut it in today’s world, and forward compatibility, even down to the cable mess (costing you tons). Predicting which unicorns will succeed, or fail, is easy; the former are on M$, the latter on … you guessed correctly. Nevertheless, the resilience argument still holds: a monoculture fails all at once, a second platform only fails with it if it shares the same flaw.

Which goes beyond the mere platform choice. It goes for global/local deviations as well. IF (yes, that’s a big if) done right: not for NIH purposes (both ways ..!) but for resilience purposes. It’s not efficient to the max, but if you strive for that, you’ve done so much wrong already it might be irrecoverable. E.g., mission, organisational culture, risk management (incl. analysis), control choices and implementations (case in point: multiple malware scanners, so that one vendor’s blind spot isn’t everyone’s), etc.

But remember: When done right, you very probably do need to deviate all over the place for resilience…

Just remember that to defend yourself, OK? And:

[If telecom fails due to clock synchro errors, it’s still a sun dial (really it is); Barça]

Your security policy be like …

The theme of your security policy and how good it is (not) is of course a recurring one. The recurring one, annual cycle (Is that still frequent enough? Yes, if it’s truly a policy like here) included, with an all-else-follows attached. But then, it’s only Bronze when it’s merely a top-10 bulleted list extracted from … ISO2700x, mostly. It’s Silver when actually compliant in all directions, which includes serious ‘local’ adaptations…
And it’s Gold when, over and above that, it looks like this.

Not even kiddin’, really. Since your information security policy, next to the other security policies …, covers all information of any kind and medium processed anywhere in the business. Which means that the from-IT angle will very probably not suffice.
But which also means that it helps when it rocks, in ways that interest all of your audience, which is all of your colleagues, including all colleagues at outsourced, cloudsourced and what-have-you processes and lines of business. Transparency, right ..? Runs all the way down the food/supply chain.

Indeed, the maturity of a company may be gleaned from the maturity (rocks’iness) of its information security policy. Get that right, and all else need not follow since it has gone before.

And oh, did I mention that in the implementation, resilience should be built in and not only come through formal (for-) BCM practices ..? I’ll return to that tomorrow. Plus:

[Lightning (-) rocks (pavement), too; Ottawa]

Maverisk / Étoiles du Nord