Friday 31 May 2019

Stresses and strains

Well, that's another deadline hit, an awareness module completed and published.   

The stress built to a crescendo mid-morning before rapidly subsiding as the final proofreading was completed, the last bit of polish applied and everything came together nicely, albeit just in the nick of time. We're cutting it fine this time!

It's our version of a just-in-time production process. The product is as fresh and topical as it could possibly be, short of near-real-time delivery to customers as events unfold anyway, a service that is already available from a plethora of news sites, aggregators, search engines and blogs just like this one. That's fine except that infosec incidents don't happen in a nice tidy sequence, one topic at a time!

I'm not expecting sympathy, really. The end-of-month deadline and monthly cycle are our choices. We have a degree of control although our subscribers have signed up for the regular monthly service as described, so naturally we are compelled to do what we promised. To be honest, though, it suits us just fine: after a month-long slog on any topic, we're over it. After an appropriate break to de-stress (avoiding di-stress!), we're looking forward to moving on to the next topic, the next thrilling installment.

So, there will now be a short interlude before I blog about June's completed module. We have a long weekend ahead with the Queen's birthday on Monday. I must just check the post to see if we've been invited to the party ...

Wednesday 29 May 2019

Physical security culture


The corporate security culture is something we absorb gradually through various encounters or interactions with an organization and its people. Specifically regarding the physical aspects of an organization's security culture, hundreds of installation security audits have taught me to open my eyes wide whenever I approach an organization's premises for the first time, starting well before I reach the visitor parking area, guard house, foyer or reception.

Some organizations' buildings are proudly lit up with the company name in neon. Some are simply so large that everyone for miles around knows exactly who they are and has a pretty good idea what they are doing. I used to work for an electricity generator company: most - but not all - of the power stations are landmarks, some would say blots on the landscape. 

In contrast, some organizational premises are more discreet, perhaps hard to find without an address and maybe a glance at Google's satellite images (hmmm, now there's a vulnerability).

A few seem to have done their very best to disappear, with no signs, sometimes not even windows. As I write these words, I have in mind a particularly forbidding concrete building in a city commercial area that screams "Sensitive!". Paradoxically, it attempts to be so discreet relative to all the ordinary commercial buildings in the area that it stands out a mile. I'm intrigued but it's not my business to find out who they are and what they do, nor to point them out so I'm not going to say any more about them.

That advice quoted above from the NZ PSR is pertinent, especially the emphasis on security culture. In fact, if workers are sufficiently clued-up to be vigilant and responsive, then even a tailgater, a wandering maintenance engineer or a "lost" interviewee allegedly searching for the toilets, is likely to catch someone's attention ... at some point. The duration of an intrusion might make a good security metric if it could be measured, although there are many complicating factors so the data would be noisy. On top of that, the most successful intrusions will never be identified as such, let alone timed!

Those physical installation audits I mentioned are a more reliable and less risky way to generate useful metrics, provided the auditor has sufficient expertise and experience anyway. It's one of many areas where the auditor's independence comes to the fore: a good, vigilant auditor will spot and point out issues that most workers either fail to notice at all, or simply ignore just as they and everyone else have always done. Repeated exposure makes them blind to stuff, especially if the prevailing opinion is "It's nothing" or "Don't worry about it: it's not even your responsibility".

We'll be tackling those ignorant and dismissive attitudes head-on in our next awareness module, as we always do. Compared to the cybersecurity topics, it's relatively easy to explain physical security issues, persuading workers to see stuff and react accordingly. Hopefully promoting vigilance, responsiveness and resilience on physical security will have benefits across the board in terms of the corporate security culture overall. It's a good start anyway.

Monday 27 May 2019

Physical infosec

As we plummet rapidly towards our usual end of month deadline to deliver the next security awareness and training module, the scope is finally stabilizing. June's module will cover these four aspects:
  1. Physical information assets meaning the hardware processing, communicating and storing information in all forms;
  2. Physical information risks involving tangible, real-world threats, vulnerabilities and/or impacts;
  3. Physical information security controls protecting various information assets;
  4. Management of the above physical issues within the broader context of managing information risk and security, business management, compliance, corporate governance and so on.
Balanced delicately on the very edge of our scope is a fifth aspect: health and safety. It is our contention that workers, especially 'knowledge workers', qualify as valuable yet vulnerable information assets just as much as, say, databases. Workers receive, process and output information, in some cases generating and expressing new information (e.g. intellectual property such as creative concepts and designs). As such, protecting workers' health and safety is an information security issue, not merely a matter of ethics, compliance, productivity or whatever. 

In particular, workers' mental health is, we feel, directly relevant and well worth addressing. In practice, it's generally an issue for the workers themselves, plus corporate functions such as HR and/or Health And Safety, plus 'management' as a whole. 

Our intent in raising health and safety within the awareness materials is not to trigger corporate turf wars but to raise awareness, set people thinking and encourage collaboration. There are information risks here, so let's take a closer look to see what, if anything, we ought to be doing to understand, evaluate, treat and manage them, or to help/guide those who are responsible.

Sunday 26 May 2019

Management == risk management


I'm intrigued by the idea that management is risk management, hence today's blog. 

Management primarily involves dealing with possibilities and uncertainties, determining objectives and influencing or guiding things in the preferred directions, driving things along unclear paths towards uncertain goals.

Man-management (or, to be politically-correct, personnel or human resources management) is about herding the organization's cats, guiding and motivating people in order to get the best out of them, gaining their loyalty, productivity and creativity - lots of risks and uncertainties there! 

Despite the intent of clear management instructions, policies, rules and directives ("Do this" and "Don't do that", or "Make it so!"), there's a degree of vagueness and complexity in how things actually turn out in practice. In particular, the future is inherently uncertain. Things don't always go to plan, but planning is essential.

On that basis, therefore, managers should be familiar with the concepts underpinning risk and risk management. It's not unreasonable to assume they grasp the basics anyway, hence 'information risk management' should not be entirely alien to any manager. 

It’s not all plain sailing, though, as there are differences in the terminology, emphasis and approach in different fields:
  • Financial risk concerns the upside as well as downside, opportunities to profit as well as the possibility of loss. The common unit of analysis is currency, hence everything gets reduced to dollars and cents. Volatility is an important aspect, along with systemic risk and dependencies;
  • Health and safety risk and environmental risk both concern ‘hazards’ i.e. dangerous situations that may cause physical harm, injury or death, either to individual workers or more broadly to the biosphere;
  • Strategic risk concerns big-picture stuff affecting the organization’s overall objectives and survival – existential ‘bet the farm’ risks in some cases – over the medium to long term. Again, it's about risk and reward, taking calculated risks, gambling with a loaded deck;
  • Commercial risk takes a wider perspective on supply chains/networks including the relationships with competitors, peers, partners, suppliers, customers etc. and their predicted future actions including responses to our moves and vice versa. It involves collaboration as well as competition and factors such as branding and positioning, products and markets, pricing and profitability, quality and price, creativity and innovation, reliability and dependability ...;
  • Compliance risk takes account of the probability of being caught out, hence downplaying or even deliberately concealing incidents is a legitimate (if unethical) approach: it's not just about being "fully compliant"!;
  • Privacy risk is myopically focused on preventing the inappropriate disclosure or corruption of personal information, while at the same time using (exploiting!) it for business purposes, a delicate balance;
  • Engineering risk is mostly about the laws of physics e.g. how far can we go in terms of reducing material strength, weight, thickness, resilience etc. without breaching safety margins or commercial objectives. It includes comparing and contrasting different approaches such as production methods and techniques, evaluating and choosing between designs, optimization of various parameters for continuous improvement and quality assurance.

Q. Are those differences risks or opportunities? 

A.  No, they are both - risks and opportunities. 

Information risk management can benefit from the different emphases, broadening the scope of analysis. Assembling a diverse team of managers to explore information risks, for example, may lead to additional insight and novel approaches, beyond what the information risk and security management professionals alone might achieve - identifying additional risks, perhaps, grouping risks in different ways, altering the priorities or plans for risk treatment. A significant advantage derives simply from involving managers from across the organization, with first-hand knowledge of business situations, pressures and concerns, constraints and objectives. At the same time, the various interpretations and approaches for managing risk may be disconcerting for any participants with narrow perspectives based on years of experience in their fields of expertise ... suggesting the value of first raising awareness across the board, clarifying expectations and spending a little time discussing these aspects when organizing information risk workshops.

Friday 24 May 2019

Leaving a digital legacy

Yesterday morning, I checked the ISO27k Forum messages as usual. Among the ping-pong of ongoing conversations was a sad request to stop emailing a Forum member who died just last week. His widow sent a few polite messages through his email account to the whole list, replying to an assortment of recent Forum emails. Presumably she didn't read or comprehend the 'unsubscribe' instructions from Google at the bottom of every message, and given the circumstances, it's entirely understandable - not least because I think she is Spanish, while the Forum and its instructions are in English.

Unsubscribing someone from an email list is a simple example – something that’s easy for those of us who frequently use managed mailing lists (or groups or reflectors or Special Interest Groups or whatever they are called) but is not necessarily obvious to those who don’t, especially when they are in turmoil, grieving and overloaded with a million difficult tasks all at once. It’s an extraordinarily stressful time. Thinking logically is an effort.

The same thing applies to other forms of social media, both professional and casual, plus various work systems, plus online banking, tax systems and so forth – online systems that our loved ones may need to access when we’re unable. And the same again for local accounts including boot passwords. These are our ‘digital footprints’.

Both pre- and post-mortem information security issues cover the whole CIA gamut:
  • Confidential passwords, passphrases, account numbers, IDs etc. may be (and jolly well should be!) hard or impossible for someone to retrieve on our behalf – password vaults being a classic example. Don’t forget that super-strong passwords/passphrases and biometrics are useless without the key person;
  • Integrity concerns mean we can’t simply demand access to someone else’s affairs: there are procedures to be followed, things to prove, legal and administrative hoops to jump through, which takes time and effort, plus there are trust aspects to this (to what extent should we trust those tasked with dealing with our affairs? What if they turn out to be unable, or unsuitable?);
  • Availability of information assets is certainly an issue: recall the recent story about the death of a Canadian CEO for a cryptocurrency exchange business with sole access to the vault containing $millions of customer as well as corporate assets? Without the essential key, the crypto did exactly what it was meant to do. The inability to access someone’s smart phone or tablet or safety deposit box without their access PIN code are everyday examples, and can be a distinct challenge even for the spooks.
It is generally possible for our survivors (or rather, ‘executors’ with the legal right to manage our affairs) to gain access and control of, say, our bank and investment accounts, pensions and insurance etc. through official mechanisms, but for obvious reasons the authorization and control transfer process is formal, tedious and can be slow … which can be a massive problem if there is a desperate need for cash to pay for household and funeral expenses etc.

A pragmatic approach is to think ahead. Make sure we don’t take all our super-duper passwords with us to the grave, for starters … which may mean writing them into our wills, sharing them with our nearest-and-dearest or lawyers or trusted colleagues, or at least leaving behind sufficiently strong clues for someone who knows us very well (and isn’t totally consumed with grief) to figure out the secret phrase that opens our password vault. Simply letting someone know that we use a particular password vault is a good start, ideally showing them how it works. 

Making escrow arrangements for our source code is another example – a delicate subject that I need to broach, again, with a talented programmer friend. 

By the way, our simply forgetting a password or whatever can cause real problems. It’s not just about death. Forgetfulness, stress, overload, mental illness and old age can put us in the same spot. The sheer number of passwords and their complexity is the main reason that password vaults rock.

Giving someone we trust ready access to our email accounts is another tip, especially as so much revolves around email – including ‘lost password’ retrieval mechanisms for instance. 

That’s why hackers and social engineers are so keen to gain access to a victim’s email account/s. Aside from simply impersonating them and exploiting their social networks, the ability to reset their passwords on other systems extends the identity fraud. Federated identity management can make this issue even worse: imagine all the mischief someone can do with control of your Google, Facebook, government or work ID!

There are other practical things we can do to prepare for our incapacity and ultimate demise, such as writing a will (in a proper, legally valid manner – not as easy as it may appear), maintaining/updating it (e.g. whenever we change our vault passwords), nominating and informing suitable executors (including ‘digital executors’ if that means anything to you and your legislature), arranging insurance, clearing our debts and so on. Those of us lucky enough to have investments ranging from savings accounts, houses and businesses to golf clubs, vintage motorbikes and priceless collections of antique Star Wars figures (still sealed in their original boxes, naturally) can help by preparing written lists and descriptions of our assets with approximate “fire-sale” values and either instructions for their disposal or who to contact for help …

… And that leads to my final Hinson tip for those of you still reading and thinking about this dark and depressing topic: we can help each other. Aside from ourselves, what about our relatives, friends, colleagues and acquaintances? Are they on top of this? Do they need a hand to understand the issues and make preparations while they are still able? Would they welcome our assistance post-mortem? What about organ donation: is that something they'd consider?

This is a tough topic to raise and address, taboo for some, but the alternative is even tougher. 

If I’ve set you thinking, there are loads of resources on the web. If you find anything particularly helpful and interesting Out There, or have anything you’d like to add or modify in what I’ve said here, please comment below. This is NOT a taboo topic. It deserves a good airing.


PS  Further suggestions from friends and colleagues:
  • "I have a file in my desk labeled Death. It leaves instructions for those that will survive me, and includes the password to my password safe." [Not so useful if you die in a house fire though ...]
  • "I have a password vault with a password that uses an algorithm that needs to be derived using some obscure documented rules that only people very close to me would know." [A little puzzle, what fun!]
  • "Someone I know has a two part password to a password vault where his wife has one half and a close friend who lives abroad has the other half." [That's fine if they both survive your friend, and can both be contacted!]
  • "My password vault also has instructions on what to do with each account e.g. 'Log onto this hotel booking site and cancel any bookings'" [... or opt for a late check-in maybe]
  • "As with all business continuity plans you need to tell people about it and test it from time to time. Every so often I get one of my children to “test” my BCP to make sure they can get at my passwords. This is one of those kinds of BCP that you are 100% certain will need to be invoked at some point and where the key objective is to minimise the impact on your loved ones. Don’t underestimate the importance of doing something like this." [True. It's so sad to hear about grieving family and friends facing additional nightmares due to the departed's lack of foresight and prep. Denial is a fifth form of risk treatment after avoidance, mitigation, sharing and acceptance.]

Thursday 23 May 2019

Close to home

For additional background and insight, we will once again be encouraging subscribers (through the train-the-trainer guide in June's awareness module) to take a close look at their information security metrics, incident reports, Help Desk tickets etc., specifically in the realm of physical information security. We'll urge them to dig out relevant data and anecdotes to pep-up their awareness programs.

Rhetorical questions worth considering: 
  • What are the most common kinds or causes of physical security incidents? Why would that be? Does that suggest an issue worth exploring further? Is management already on to it?

  • Which are the most disruptive, costly or worrying incidents? What makes them so troublesome? Who is or should be concerned enough to take action? What has been the worst recorded incident (so far!) and what prevents it happening again?

  • Roughly how much are physical incidents costing the organization per year/month/day? Is that acceptable?

  • Do the incidents vary markedly between departments, business units, locations etc.? Why is that? Is there anything worth learning from the best or indeed the worst performing parts? 

  • Are physical security incidents being (a) reported routinely and promptly, and (b) addressed efficiently and effectively? If not (e.g. if you know of any physical incidents that were not reported and tackled in the correct manner), why not?

  • Are there any persistent/longstanding root-cause issues blocking real and sustained progress (such as lack of awareness and interest at management level)?
While some of these questions specifically concern June's awareness topic (physical information security), the approach is much more widely applicable: anecdotes, data/statistics, reports, findings etc. directly concerning the organization are an excellent source of material for awareness purposes.

The point is that we are not just concerned with information risk and security from a theoretical or academic perspective. There are genuine issues right here in practice, incidents occurring and problematic situations close at hand.

This stuff is real ... so sit up and pay attention.

Wednesday 22 May 2019

Cyber-blinkers and cyber-bling

Security Tip ST19-001 Best Practices for Securing Election Systems - an advisory from the US government - is fascinating for the things it leaves out, more than those few it includes.




At least five substantial omissions occurred to me literally as I was skim-reading the piece for the very first time:
  1. Physical security for voting systems and associated paraphernalia;
  2. Application design of voting software;
  3. Social media and voter coercion (the elephant in the room);
  4. Information risk management - a systematic approach to identify, evaluate and address the information risks as a whole (not just a few items seemingly plucked out of thin air);
  5. Assurance - clearly a crucial concern for elections, underpinning the entire democratic process (a raging herd of angry elephants here!). 
Items 3, 4 and 5 on my little list concern the bigger picture. It's pointless securing the computer systems alone, even if that could be achieved which would take a lot more than is implied by this astonishingly basic advisory ("best practices" - yeah right!). Thanks in large measure to the US government, "cybersecurity" is a solid gold buzzword, despite decades of experience with information security. This advisory is a classic illustration of what happens when the cyber-blinkers are firmly applied. 

So what's really going on here? Are the US government, DHS and CISA unbelievably naive? Do they really need to offer such basic advice in such an important area? Do they truly believe that 'notice and consent banners' are priority matters worth bringing to attention?

Or is this just more cyber-bling, another cynical attempt to divert attention from those bigger issues I mentioned? Does this advisory itself qualify as fake news, part of a political agenda to manipulate public opinion by placing the blame superficially on IT for issues that run much deeper?

Either way, I find this quite remarkable, astonishing even. I'm incredulous.

Tuesday 21 May 2019

Real-world physical impacts

At the moment, as currently scoped, June's awareness module primarily concerns physical security measures protecting information, data and IT systems, including health and safety protection for workers ... but there's another aspect that potentially falls in scope: IT incidents with physical real-world impacts.

Thus far, fortunately, such incidents have been very rare, mostly proof-of-concept demonstrations that hacking, say, the IT systems controlling an electricity generator could indeed cause it to liberate the smoke. The potential is very real and scary, however, once you appreciate just how much of modern life is controlled by vulnerable computers, often Internetworked, with design flaws and bugs mostly tucked out of sight, lurking in the extreme technical complexities under the hood. There be dragons, as the Iranians discovered.

The proliferation and interconnectedness of IT systems has reached epic proportions lately with Internet-connected lightbulbs, air conditioners, bicycles and nuclear fuel reprocessors. Wirelessly-configurable smart pacemakers may only directly and mortally concern a tiny, vulnerable proportion of the population, but those and a million other IoT and IIoT crazies are the canaries in the coal mine. Humankind is building itself a house of cards at an alarming rate, recklessly in fact. It'll end in tears.

I'm far from the only person genuinely concerned at the prospect of driverless vehicles for instance, even taking into account the extraordinary efforts being made to develop, improve and prove the technology with the overt aim of making driverless vehicles safer than those driven by competent, careful drivers.  

Not 'secure from hackers and malware', notice, but 'safer than competent, careful drivers'. 

Spot the difference.

Even competent, careful drivers can be hacked in the sense of being duped by fake road signs then pulled over by fake cops, or led astray by optical illusions and cognitive issues, some brought on by alcohol and other drugs, or stress or tiredness. Bottom line: the bar is not even remotely high enough for my liking. I won't even mention pilotless planes and autonomous weapons (oh look, I just did).

Well, OK, I'm scaring myself now, plummeting into uncharted territory. It's a fascinating if dark area well worth exploring again, but not in June. I'll continue pondering and researching this for a future awareness topic, though. For now, it's perched delicately on the edge of a shelf in the IsecT office labeled "Dragons".

PS  After drafting this blog piece, I enjoyed watching Robocop again: no shortage of very physical impacts there!

Monday 20 May 2019

The value of visuals

Whereas tangible information assets and physical security are different to the intangibles we normally address, the process of managing the information risks is essentially the same:

Variations on that diagram feature in many of our security awareness materials since the information risk management process is central to information security. 

In June, we'll elaborate on it in the particular context of physical information assets and risks thereto, using typical assets, incidents and situations to help people understand what we're concerned about. 

In subsequent modules, we'll pick out different aspects according to the monthly topic, and occasionally we'll zoom-in to explore certain parts of the process in more depth - risk identification, for instance, or incident management. 

We may tweak the layout here and there but, over time, our awareness audiences gradually become familiar with the process - one of a handful of core concepts underpinning the field. These are themes linking individual information security awareness and training messages together into a coherent story or picture that plays out during the years.

The formatting/style of the process flow diagram is another aspect that we aim to keep reasonably consistent from month-to-month. Once you've been shown and talked through any one of them, other processes are easier to understand since they are described in familiar terms. We consistently use visual cues to highlight specific parts of the diagrams (e.g. the deep red "Incidents and close shaves" box) while red-amber-green coloring features in every module (e.g. in our Probability Impact Graphics).

Diagrams are an invaluable tool for awareness and training purposes, flexible and expressive, supplementing and enhancing the written and spoken word. For instance, those six numbered blobs on the diagram will link to a process description laying out, explaining and elaborating on the six key activities in words.

The diagrammatic approach is quite straightforward, obvious and natural but, in our experience, many information security and technology professionals struggle to prepare and utilize decent diagrams: they can sketch things out on paper but (short of scanning the scraps!) converting rough drawings into more presentable and useful formats is challenging. It takes time, effort and skills. Despite our decades of practice, we invest a lot of time and creative energy in both figuring out and presenting concepts, processes, relationships etc. visually every month because it pays off. Better still, it's fun.

Friday 17 May 2019

Physical infosec

Sorry for the pause: among other things, I've been busy exploring a new subject for next month's security awareness and training materials.

June's topic is physical information security, something we've covered a number of times previously. Physically protecting computer systems and storage media against threats such as intruders and thieves, fires, floods and power problems is an essential part of information security for all sorts of reasons that we'll soon be elaborating on.

This time around, however, we'll also pick up on protection of another category of tangible information assets, specifically our people.

Workers are definitely assets (otherwise, why would we pay them?) but do they qualify as 'information assets'? I'd argue yes for the reason that we value their brains at least as much as their brawn. Whereas brawn can generally be replaced by machinery, it's much harder to replace a competent person's knowledge, experience, expertise and so forth, advances in robotics and artificial intelligence notwithstanding.

Protecting workers, then, takes us into the realm of health and safety, hence why I'm busy researching at the moment. I'll have more to say on this so tune back to this station soon for the next exciting episode.

Wednesday 1 May 2019

Security awareness for off-site workers


Hot off the production line comes May's security awareness and training module about working off-site.

The 69th topic in our portfolio was inspired by a subscriber asking for something on home working.

It ended up covering not just working at home but the information risk and security implications of working on the road (digital nomads), in hotels, on supplier or customer sites and so forth, touching on online collaboration and other related areas along the way.


Module #193 is 95% brand new, prepared from scratch during April and blended-in with a little updated content recycled from previous modules on workplace security and portable ICT security, plugging the gap, as it were.


I'm proud of the guideline (item #04), part of the staff awareness stream. At 16 pages, it is lengthier than normal due to the sheer variety. With the odd touch of humor and stacks of pragmatic security tips for home and mobile workers, it would make a neat little awareness booklet or eDoc for people to leaf through as they wait for planes and buses, or “work” in front of the TV. It's a good read.

The module's management stream has quite a bit to say about achieving balance. There are clearly business and personal benefits to working off-site, provided the associated risks and costs are managed and kept in check. Compliance is particularly challenging as the workforce escapes the confines of the office, powerful ICT devices in hand, dispersing valuable yet vulnerable information assets across the globe. Resilience and flexibility are substantial plus-points.

Extending the working day or week can increase productivity to a point, beyond which over-stressed workers (staff and management!) plummet toward exhaustion and burn-out. In strategic terms, senior management has to make the right choices in order for the organization to reach the peak but not overdo it - and, for that matter, so do individual workers. Just because we can stay constantly in-touch doesn't mean we have to. There are further strategic and governance implications of the evolving nature of work, hence quite a bit of sociology in May's module.

The professional/specialist awareness materials get further into the IT or cyber security aspects such as security administration of mobile devices. Recent news about the discovery of exploitable flaws in WPA3 has risk implications for mobile workers using Wi-Fi, particularly in potentially hostile environments such as busy shopping areas, stations and cafes. On the other hand, anyone who has followed the sorry tale of Wi-Fi security woes since the beginning should not be surprised. WEP, WPA and WPA2 have their vulnerabilities too, as do Bluetooth, cellular networks, Ethernet and the rest.

If off-site working is becoming or has become the norm for your organization, let's tease out and tackle the associated information risks through creative security awareness and training materials, helping you strike the balance between risk and opportunity, pain and gain. Over to you!