
Showing posts from January, 2014

Network security awareness

Networking has played a pivotal role in the explosion of IT use in recent decades – first LANs and then WANs, most notably of course the Internet. Being an OF, I recall how it was in the dim and distant days prior to LANs, when computers were mostly accessed through directly connected teletype or green-screen terminals, and generally only by computer scientists sporting white labcoats and clipboards. Ordinary users - the lucky ones at least - interacted with Data Processing through the coding sheets for punched cards and fan-fold printouts. Local Area Networks of various kinds were introduced to put terminals, and later PCs, directly in the hands of the users on site. Working in IT in the 80s, I saw rapid technological changes as wave after wave of networking protocols and standards rose and fell from grace. A dual-ring counter-rotating daisy-chain network from RACAL seemed cutting-edge at the time but was the bane of my life back then: supposedly it was resilient and self-healin...

SMotW #90: % of business units with proven I&A

Security Metric of the Week #90: proportion of business units using proven identification and authentication mechanisms This metric hinges on the meaning of "proven". Proof is a relative term. What level of proof is appropriate? It's a matter of assurance, trust and risk. ACME managers implicitly assumed* that the metric would be self-measured and reported by business units. Given a central mandate from HQ to implement specific controls, business units are obviously under pressure to confirm that the required controls are in place ... even if they actually are not. Aside from the risk of business units simply reporting whatever HQ expects to hear, there is also a distinct possibility that the business units might have misunderstood the requirement, and failed to implement the control effectively (perhaps mis-configuring their security systems). That brings us to the matter of the nature and extent of control implementation. If a business unit has the required identificati...

Preventive & corrective actions

Having been hit twice so far, I've upped my evaluation of the risk of my credit/debit cards being compromised by online vendors' inadequate information security. The latest incident was, I suspect, a result of the Adobe hack a few months ago. Both times, the bank's fraud systems spotted and stopped the incidents and told me well before I even noticed anything awry. After the first incident, I resolved to dedicate a specific card for online purchases so at least I could carry on using my other cards if I got hit. That was a good move that made things easier after the second incident ... but I missed my chance this time around to be even more proactive. When I received an apologetic email from Adobe about their breach, or perhaps even earlier, I should have cancelled the card immediately and ordered a replacement. Next time, I won't wait for the bank to pull its finger out ... I now have a new card, once again dedicated to online purchases. This time, I have opted for a ...

ISO/IEC 27000:2014 available now - for FREE!

In the course of catching up with a long backlog of ISO/IEC JTC 1/SC 27 emails and updating ISO27001security.com, I discovered that the third edition of ISO/IEC 27000 has just been released. Like its predecessors, ISO/IEC 27000:2014 can be downloaded legitimately free of charge through the ITTF site. The idea of '27000 being free is to encourage the adoption of a common glossary of information security terms, and to gain an appreciation of the ISO27k standards outlined within it. It's a shame the other ISO27k standards aren't also free as I'm sure it would markedly increase their adoption as with the excellent SP800-series security standards from NIST, but unfortunately I don't determine the pricing policies for ISO/IEC. Although I haven't even finished reading the new edition and updating the site, I noticed already that the new version no longer defines the terms "asset" and "information asset". I suspect this was done in order to dra...

SMotW #89: number of infosec events

Security Metric of the Week #89: number of information security events, incidents and disasters This week, for a change, we're borrowing an analytical technique from the field of quality assurance called "N why's" where N is roughly 5 or more. Problem statement: for some uncertain reason, someone has proposed that ACME might count and report the number of information security events, incidents and disasters. Why would ACME want to count their information security events, incidents and disasters? 'To know how many there have been' is the facile answer, but why would anyone want to know that? Well, of course they represent failures of the information risk management process. Some are control failures, others arise from unanticipated risks materializing, implying failures in the risk assessment/risk analysis processes. Why did the controls or risk management process fail? Root cause analysis reveals many reasons, usually, even though a specific causative factor...

7 things you should know about infosec metrics

A new two-page Educause paper by Shirley C. Payne from the University of Virginia and Stephen A. Vieira from the Community College of Rhode Island succinctly explains the purpose and utility of information security metrics. "An information security metric is an ongoing collection of measurements to assess security performance, based on data collected from various sources. Information security metrics measure a security program’s implementation, effectiveness, and impact, enabling the assessment of security programs and justifying improvements to those programs. Effective metrics can bring visibility and awareness to the underlying issue of information security and highlight effective efforts through benchmarking, evaluation, and assessment of quantified data. This can put institutions in a proactive stance regarding information security and demonstrate support for leadership’s priorities." Although written for educational institutions, the principles are universally applic...

Making an impact

For an infosec pro, "impact" is a bad thing, the adverse consequences of an incident, but it has another meaning. If your security policies, standards, procedures and guidelines make a positive impact on the readers, they are more likely to change their ways - and vice versa. Nice in theory, but how do you actually achieve that? Well, it helps to figure out a few things: Who are your audiences? Who is it that you are trying to influence? If you can break your audience down from an amorphous blob labeled "employees" or "users" to more specific groups or types of people, you will find that they have different information needs and perspectives on information security. Salesmen, for instance, live and breathe sales and marketing. Their heads are mostly on prospects and customers, plus products and the sales process (and, of course, their commission). Most are not exactly keen to read a boring information security newsletter, or a tedious procedure for re...

Valuable tech knowledge

Patent disputes bring the $ value of intellectual capital to the headlines - for example, over $1bn was recently awarded against Marvell Technology Group for infringing Carnegie Mellon University's patent on a technique for accurately reading data from a hard drive. IBM has consistently taken out the most US patents for 21 straight years, both to protect the proprietary technology in its own products and to force third parties into lucrative license agreements with Big Blue. In 2013, IBM took out another patent every 15 working minutes or so on average (assuming 8 hour days and 200 working days per year) and spent of the order of $6bn in the year on research and development. All ten top US patentees are IT/high tech companies. I wonder if any of those organizations cover the need to protect knowledge in their security awareness programs?

SMotW #88: security ascendancy

Security Metric of the Week #88: information security ascendancy level One of the most frequent complaints from information security professionals is that they don't get sufficient management support. They say that management doesn't take information security seriously enough, relative to other corporate functions. But are they right to complain, or are they just whining? There are several possible metrics in this space, for example: Survey management attitudes towards information security, relative to other concerns; Compare the information security budget (revenue and capital charges) against other functions; Assess the maturity of the organization's governance of information security; Measure the level of the most senior manager responsible for information security ("security ascendancy"). The last of these is the simplest and easiest to measure. On the organogram above, the organization presumably scores 2 since it has a Chief Information Security Officer who ...

New year, fresh eyes

Never mind all those new year's resolutions. The turn of a new year is an opportunity to take a long hard look at your information security strategies, policies, procedures, guidelines, forms, awareness program, intranet website etc. including things such as your corporate Employee Rulebook, Code of Conduct and IT/network/information Acceptable Use Policy. Try to view them objectively from the perspective of an ordinary employee, perhaps someone who has recently joined the organization and hence lacks preconceptions about, and an understanding of, the corporate culture with respect to valuing and protecting information. If you acknowledge that perhaps you might be a little too close to the action to see things for what they are (particularly if you wrote the materials), ask other people about the documentation. Solicit their candid feedback. An informal survey may be perfectly adequate to flush out any issues with style, readability, meaning and impact, all of which are import...

SMotW #87: visitor/employee parking separation

Security Metric of the Week #87: distance separating employee from visitor parking Imagine your corporate security standards require that "Employee parking spaces must be physically distant from visitor parking spaces, separated by at least 100 paces". The rule might have been introduced in order to reduce risks such as employees covertly passing information to visitors between vehicles, or terrorists triggering vehicle bombs in the vicinity of key employees, or for some other reason (to be honest, we're not exactly sure of the basis - a common situation with big corporations and their thick rulebooks: the rationale often gets lost or forgotten in the mists of time). Imagine also that senior management has determined that the security standards are important, hence compliance with the standards must be measured and reported across the corporation. Forthwith! Now picture yourself in the metrics workshop where someone proposes this very metric. They painstakingly point ou...

Measuring health risks

I think it's fair to say that metrics is a "challenging" topic across all fields, not just information security. The issues are not so much with the actual mathematics and statistics (although it is all too easy for non-experts like me to make fundamental mistakes in that area!) as with what to measure, why it is being measured, and how best to measure, report and interpret/use the information. As a reformed geneticist, here's an example I can relate to: measuring and reporting health risks resulting from off-the-shelf DNA test kits. A journalist for the New York Times took three different tests and compared the results. Underlying the whole piece is the fact that we're talking about risks or probabilities, with inherent uncertainties. The journalist identified several factors with these tests that make things even less certain for customers. For a start, the three test companies appear to be testing for their own unique batteries of disease markers, which immed...

SMotW #86: info asset inventory integrity

Security Metric of the Week #86: integrity of the information asset inventory As a general rule, if you are supposed to be securing or protecting something, it's quite useful to know at least roughly what that 'something' is ... Compiling a decent list, inventory or database of information assets turns out to be quite a lot harder than one might think. Most organizations made a stab at this for Y2K, but enormous though it was, that effort was very much focused on IT systems and, to some extent, computer data, while other forms of information (such as "knowledge") were largely ignored. Did your organization even maintain its Y2K database? Hardly any did. If we were able to assess, measure and report the completeness, accuracy and currency of the information asset inventory, we could provide some assurance that the inventory was being well managed and maintained - or at least that the figures are headed the right way. How would one actually generate the measure...