Tuesday 20 December 2022

Cyber-collateral

Despite its political agenda and the usual US xenophobia, the article America's Secret Arsenal cited on RISKS-List set me thinking strategically about cyberwar. While I don't consider myself part of the 'cyberscare industrial complex', a few issues stand out for me, as an interested and concerned onlooker.

Lightning-fast escalation

When (not if) a serious offensive military cyberattack is mounted against a capable and well-prepared adversary, things look likely to escalate dramatically in the first few minutes, seconds or milliseconds, far too fast for political decision-making or even fast-track incident responses involving conventional decisions and actions by humans. Automated responses are more likely, implying a raft of associated risks, like for example the distinctly disturbing likelihood that such responses are already primed and ready to go, right here, right now. It's hard not to envisage all manner of nightmare scenarios mushrooming from that point, with automated offensive and defensive weapons slogging it out like some hellish computer game on autoplay, turbo. In a sense, we already see this effect in miniature when our computers automatically patch themselves (usually preventing but occasionally causing incidents), or when intrusion prevention systems react instinctively to identified network attacks (again, usually effectively but sometimes counterproductively) ...

Detection and analysis

... which hints at another significant issue: incidents must be identified as such to trigger active responses, although passive responses and baseline controls will presumably be in operation regardless. Delaying detection and frustrating analysis, then, is presumably a strategic objective for attackers ...

Nature of attack and response

... which would place a huge premium on widespread, stealthy infiltration of networks and systems/devices as a prelude to cybergeddon. 

Scale of impacts


Collateral damage and friendly fire



Subversion


Red-teaming

Exercises, simulations, rehearsals, tests, reviews and audits are, presumably, all part of the process of developing and refining cyber capabilities.

Capabilities and resources


Bat phones

What is the modern-day equivalent of the bat phone, the priority direct line between heads of state and other VIPs, given the near certainty that communications will be attacked hard in the very first assault? Let's hope the authorities have given due consideration to the need for truly secure (as in confidential, assured/trustworthy, and highly available i.e. robust, reliable and resilient) means of communication capable of operating even under intense cyberattack conditions, as well as thinking through the consequences of "No signal" or "Satellite out of range".

Oh and by the way, if war is largely automated, there had better be data as well as voice capabilities, with the appropriate security and messaging protocols in place as well as the strings and baked bean cans, plus of course the routine comms between and among all levels of the military establishment, all the way down to/up from those front-line robots and UAVs.

Rules of engagement

What is happening to define the rules of the game and prepare to step in when cybercombatants almost inevitably overstep the line of acceptable warfare? If not the UN, who is or should be playing the role of referee? The more I think about this, the more I see the need for CCD, the cyber-equivalent of CND. Right now is a good time to launch a global Campaign for Cyber Disarmament, before things get totally out of hand.

Friday 16 December 2022

'The Internet issue'

Earlier this year I wrote a retrospective on Y2K and said that I'd be back to talk about what is surely the biggest cluster of information risks facing the world over two decades on, namely those associated with the Internet.  

Well OK, so it has taken me a couple of months to get around to it but anyway here goes.

Threats

  • Malicious individuals
  • Malicious groups
  • Accidents and natural events

Vulnerabilities

  • Shared resource
  • Insecure base
  • Naïveté

Impacts

  • Extreme dependence
  • Cascading effects
  • Catastrophic outages

Preventive controls


Detective controls


Corrective controls


Technical controls


Procedural controls


Administrative controls


Thursday 15 December 2022

Audit/review questions


Other than the classic "Show me", here are a bunch of generic questions to consider, select and refine if you are conducting an ISMS internal audit, IT audit, ISMS management review etc. looking into 'X' (an ISMS, situation, system, process, control, incident or whatever). Hopefully these are thought-provoking, helping you consider and explore X from different perspectives. 
  • Are there any legal, regulatory or contractual compliance implications of X?
  • Are there any other things about X that I/management should know about?
  • Can I do some audit tests on X, please?
  • Compared to Y and Z, how risky/valuable/reliable is X?
  • Does anything strike you as strange or worrying about X?
  • Explain the controls relating to X …
  • Has X ever hurt anyone? What happened?
  • Have you or anyone else raised concerns about X?
  • How big is X - how wide, how heavy, how numerous, how often?
  • How come previous efforts did not fix X?
  • How costly was X?

Wednesday 14 December 2022

ISO27k ISMS metrics

Information is clearly a valuable yet fragile corporate asset that must be protected against a wide range of threats. Protecting information is complicated by its ubiquity, plus its intangible and ephemeral, dynamic nature, on top of which the information risks are also constantly changing. Furthermore, information risks have to be managed alongside all other risks facing the business, of which there are many. Information risk management is a tough challenge, made still harder if management lacks sufficient, relevant and reliable information concerning the status of information risk management activities, processes, information security etc.
"What should we be measuring?" is a common refrain, along with "What are the most common security metrics?". At face value, these are perfectly reasonable and sensible questions. However the first is impossible to answer without knowing more about the organization's situation, while the second is trickier still: scientifically speaking, we simply don't know what security metrics are in use ... and even if we did it would not help much since organizations differ in their:

Tuesday 13 December 2022

Yet another interpretation of 'cyber'

I have railed repeatedly at the vague and often inappropriate or misleading use of 'cyber', in particular cyber-risk and cybersecurity (inconsistently hyphenated, as shown).

Usually, cyber simply means IT - all the usual humdrum risks and controls relating to IT systems and networks. This is everyday stuff, nothing special. Plain IT covers it.

Sometimes cyber alludes to far more extreme and sinister threats associated with highly competent and resourceful adversaries sponsored by governments, organised criminals or terrorists attacking critical national or global infrastructures - the sorts of things that might be experienced during war. Those using the term in this way tend to speak in riddles, trying hard to avoid admitting or disclosing vulnerabilities while denying knowledge of any involvement in such activities.

Friday 9 December 2022

Awareness risks & opportunities

Security awareness programmes can be planned and prioritised on the basis of risks


Leave room (flexibility) to respond to opportunities that arise off-plan

Thursday 8 December 2022

Tempering professional paranoia

It goes with the territory: professionals working in information risk and related areas are, of course, highly aware of risks within our specialism. It's what we do. 

Furthermore, many of us would admit to being naturally risk-averse: people outside the profession seem to take chances that we would prefer to avoid or shy away from, whether through plain ignorance or failure to appreciate the risks.  

Risk-aversion is a personal characteristic or bias that varies from mild caution and pessimism up to extreme, debilitating paranoia. It doesn't necessarily mean that we are timid, scared or weak, rather that we tend to place more emphasis on the possibility of problems or incidents compared to non-risk-averse people.    


Wednesday 7 December 2022

Riding the waves

Yesterday, I wrote about preparing and promoting your budget proposal, strategy, programme of projects or an individual initiative, gaining management support and negotiating for approval. Today I'd like to emphasise a fleeting, easily overlooked step in your journey, an opportunity to do even better.

At the very moment when the negotiations are completed and management finally agrees your infosec budget, their interest, motivation and support for it is high ... so, before the dust settles, why not seize the moment: a window of opportunity has opened. Before long, the wave of enthusiasm will subside and management's focus will turn to other matters. 

Tuesday 6 December 2022

Budgeting and preparing for ISO27k

Are you responsible for your organisation's information risk and security or cybersecurity budget? Are you busily putting the finishing touches to your FY 2023 budget request?

Budgeting is a stressful management task, figuring out the figures and anticipating tough battles ahead leading (usually) to a disappointing outcome and yet more problems resulting from inadequate investment. With clear signs of another global recession looming (as if COVID, climate change and the war in Ukraine weren't challenging enough already), tightened belt-buckles are the order of the day*.

Monday 5 December 2022

System is ...


... “a related set of IT equipment and software used for the processing, storage or communication of information and the governance framework in which it operates” [source: New Zealand Information Security Manual]

... "all connected parts of the organisation that may be at risk of a cyber attack" [thanks Steven Os]

... a set of computers plus their software, users, administrators and managers, the associated policies and procedures, plus the links to connected systems, plus the operating environment, all of which are required to deliver services ...

... “a combination of interacting elements organised to achieve one or more stated purposes” [source: ISO/IEC 27036-1, notes omitted, also NIST SP800-161r1 & SP800-53r5]

... a black box within which inputs are mysteriously converted to outputs

... "an integrated suite of related items and processes forming a discrete operating or functional unit, such as a management system"
[source: SecAware glossary]

... the software layer that mediates access between user applications and the middleware, hardware, CPU, memory, network connections, ports and peripherals of an IT device

... a tightly coupled and synchronous set of parts working as one

... "all parts of your organisation that could provide attack paths, especially the supply chain and cloud" [thanks Steven Os]

... the Internet, an interconnected global network-of-networks

... a carefully architected, designed and constructed suite of technologies, people, processes, relationships etc.

... a coherent and contiguous set of interacting components

... ICT hardware plus the associated firmware and software forming a discrete functional unit

... a computer plus its user/s and administrator/s

... a motley collection of things loosely coupled

... a unit of analysis, management and control

... the network and devices on the network [suggested by Eric Johnson]

... more than just the sum of its parts

... something to do with ecology?

... a governance arrangement

... a computer plus its user/s

... favoured by consultants

... systematic, naturally

... a unit of analysis

... an arrangement

... a framework

... an approach

... a computer

... a device

... a thing

...

Sunday 4 December 2022

COVID information risk analysis - retrospective

Two and a half years ago in March 2020 as we were fast approaching our first lockdown, I published the following Probability Impact Graph depicting my analysis of the information risks relating to COVID:


The PIG reports the information risks I identified at the time, thinking about COVID from the general societal perspective as opposed to a personal or organisational perspective.

Friday 2 December 2022

On a mission

We're on a mission to convince every organisation that managing information risks properly is more than just a compliance imperative. 

It's good for business.

Is your organisation looking to raise its security game? Are managers worried about ransomware, privacy breaches and intellectual property theft, especially now with so many of us working from home? 

What about the business continuity risks with supply chains stressed to breaking point by COVID, recession and war? Are your suppliers cutting corners on privacy and security, hoping nobody will notice? Are desperate competitors taking advantage of the disruption to undermine your cyber-defences?

Worse still, is management blissfully unaware of the issues, with everyone heads-down, rowing hard, too busy to notice the icebergs dead ahead?

... Or is there a strong drive to secure and exploit information as an integral part of operations? Does being trusted by customers and stakeholders equate to brand value, new and repeat business, opening up strategic opportunities?

This is a great opportunity to take the first step on your mission!

Thursday 1 December 2022

ISO/IEC 27001:2022 pros and cons

I can think of eight key advantages and opportunities in adopting the new third edition of ISO/IEC 27001 as opposed to the second edition nearly a decade old:

Tuesday 29 November 2022

Information risks a-gurgling

There are clearly substantial information risks associated with the redaction of sensitive elements from disclosed reports and other formats, risks that the controls don't necessarily fully mitigate.

Yes, controls are fallible and constrained, leaving residual risks. This is hardly Earth-shattering news to any competent professional or enlightened infidel, and yet others are frequently shocked. 

A new report* from a research team at the University of Illinois specifically concerns failures in the redaction processes and tools applied to PDF documents. The physical size of redacted text denoted (covered or replaced) with a variable-length black rectangle may give clues as to the original content, while historically a disappointing number of redaction attempts have failed to prevent the original information being recovered simply by removing the cover images or selecting then pasting the underlying text. Doh!
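As an added example (not code from the report or from this blog), here is a small Python checker for the two redaction failure modes described above, run on a constructed, uncompressed PDF page content stream: text that a black rectangle merely covers but does not remove, and the width of the rectangle itself as a clue to how many characters were hidden. It assumes an average glyph advance of half the font size and handles only plain Tj strings; real PDFs need a library to decompress streams and use actual font metrics.

```python
"""Check a PDF page content stream for ineffective redaction.

Added example, not code from the report or the blog. It works on an
uncompressed content stream constructed inline; real PDFs usually need a
PDF library to decompress streams, resolve fonts and handle TJ arrays.
"""
import re

# Assumption: average glyph advance is roughly half the font size, a crude
# stand-in for real font metrics.
AVG_GLYPH_WIDTH = 0.5
COVERED_THRESHOLD = 0.5   # fraction of a text box hidden to count as "covered"
DARK_FILL = 0.2           # fill components below this are treated as black

# Constructed stream: a name is "redacted" by drawing a black box over it,
# but the text-showing operator is still present in the stream.
SAMPLE_STREAM = """
BT
/F1 12 Tf
1 0 0 1 72 700 Tm
(Claimant: ) Tj
48 0 Td
(Jane Q Public) Tj
-48 -20 Td
(Case reference 12345) Tj
ET
0 g
118 697 78 14 re
f
"""
# Same page with the text actually removed; only the black box remains.
PROPER_STREAM = SAMPLE_STREAM.replace("(Jane Q Public) Tj", "")

NUMBER = r"-?(?:\d+\.?\d*|\.\d+)"
TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|/\w+|" + NUMBER + r"|[A-Za-z*']+")


def parse(stream):
    """Return text runs [(string, bbox, size)] and dark filled rectangles [bbox]."""
    texts, rects, pending, stack = [], [], [], []
    size, fill_dark = 12.0, True          # PDF default fill colour is black
    x = y = line_x = line_y = 0.0
    for tok in TOKEN.findall(stream):
        if tok[0] in "(/" or re.fullmatch(NUMBER, tok):
            stack.append(tok)             # operand: string, name or number
            continue
        if tok == "Tf":                   # font size
            size = float(stack[-1])
        elif tok == "Tm":                 # absolute text matrix; e, f give the origin
            x = line_x = float(stack[-2])
            y = line_y = float(stack[-1])
        elif tok == "Td":                 # offset from the start of the current line
            line_x += float(stack[-2])
            line_y += float(stack[-1])
            x, y = line_x, line_y
        elif tok == "Tj":                 # show a string (nested parens not handled)
            s = re.sub(r"\\(.)", r"\1", stack[-1][1:-1])
            w = len(s) * AVG_GLYPH_WIDTH * size
            texts.append((s, (x, y, x + w, y + size), size))
            x += w
        elif tok == "g":                  # grey fill colour
            fill_dark = float(stack[-1]) < DARK_FILL
        elif tok == "rg":                 # RGB fill colour
            fill_dark = max(map(float, stack[-3:])) < DARK_FILL
        elif tok == "re":                 # rectangle path segment
            rx, ry, rw, rh = map(float, stack[-4:])
            pending.append((rx, ry, rx + rw, ry + rh))
        elif tok in ("f", "f*", "B", "B*"):  # fill: commit pending rectangles
            if fill_dark:
                rects.extend(pending)
            pending = []
        elif tok in ("n", "S", "s"):      # path ended without a fill
            pending = []
        stack.clear()
    return texts, rects


def overlap_fraction(inner, outer):
    """Fraction of the inner box's area that lies inside the outer box."""
    ix = max(0.0, min(inner[2], outer[2]) - max(inner[0], outer[0]))
    iy = max(0.0, min(inner[3], outer[3]) - max(inner[1], outer[1]))
    area = (inner[2] - inner[0]) * (inner[3] - inner[1])
    return ix * iy / area if area else 0.0


def analyse(stream, font_size_hint=12.0):
    """Return (strings still drawn under a black box,
    estimated characters hidden by each box, judged from its width)."""
    texts, rects = parse(stream)
    leaks = [s for s, box, _ in texts
             if any(overlap_fraction(box, r) >= COVERED_THRESHOLD for r in rects)]
    estimates = [round((r[2] - r[0]) / (AVG_GLYPH_WIDTH * font_size_hint))
                 for r in rects]
    return leaks, estimates
```

On the constructed page `analyse(SAMPLE_STREAM)` reports the name as still present under the box, while `analyse(PROPER_STREAM)` reports no leaked text but still estimates 13 hidden characters from the box width alone.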

Monday 28 November 2022

ISO27k is ...



... a cluster of international standards on information security management and related topics

... derived from British Standard BS 7799, itself based on an information security manual generously donated to the UK government's Department of Trade and Industry by the fuel company Shell International


Thursday 24 November 2022

Exciting news: extension ladders, stubby snakes!


Having done, seen and learnt a lot in the course of working with the ISO27k standards and precursors since the mid-90's, I'm keen to share my accumulated knowledge with those of you who are relatively new to the field, just setting out and perhaps struggling to get to grips with it all.

You needn't learn everything the hard way like I did: I can help you move ahead smartly, avoiding tar pits, finding taller ladders and shorter snakes.

Tuesday 22 November 2022

SHOUTY vs ambient infosec

Like ambient music (muzak, elevator tunes), ambient information security blends into the background. The idea is that infosec controls are subtle, seamless, integral parts of whatever is going on, as opposed to blatant in-yer-face shouty SECURITY.

Of course it's not always possible, and there are circumstances where the visibility of security is itself a valuable part of the controls - deterrents, for example, warning signs, distinct boundaries and the menacing presence of beefy security guards, with guns, dogs and attitude.  

Personal identification and authentication processes that require user interaction are hard to miss e.g. security passes/tokens, passwords, PIN codes, SMS codes and all that rigmarole. Nevertheless, there are choices for system/security architects when designing login mechanisms that affect the amount of time and effort required from each user.  

Those are the exceptions. A majority of security controls go largely unnoticed. Federated identity/social media systems, for instance, slim down subsequent logins to little more than an extra click. Network traffic encryption and message integrity controls use sophisticated cryptography under-the-hood, automatically correcting minor transmission errors or flagging more serious issues such as potentially fake websites with dubious, invalid or missing digital certificates. Antivirus scans, backups and software updates mostly take place quietly in the background, or wait for quiet periods to spring into action. 

Once logged-in to some systems, they quietly monitor your activities for indications that it really is you, doing more or less what you normally do, at your normal pace, from your normal device/s and location/s, showing your normal preferences, quirks and errors - or not, in which case as the anomalies stack up, Big Brother takes an increasing interest in what you are up to, perhaps blocking dubious or risky transactions pending further investigation. 

Monday 21 November 2022

Governance gardening

Prompted by a random podcast comment and inspired by a productive day in the garden, here's an analogy between governance and gardening. 

Governance is ...


... "strategic frameworks, organisational structures, policies and processes used to guide/direct, oversee/monitor and to some extent control the organisation, ensuring that it fulfils its strategic objectives and complies with internal and external obligations" [source: SecAware glossary]

... applicable to corporations, organisations, nations, the globe, industries, business units, finance, the environment, governments, projects, land, health, steam engines, watches, IT, information, information risk and security ...

... for the benefit of stakeholders, owners, regulators, authorities, society

... designing and implementing appropriate corporate structures

Tuesday 15 November 2022

Fractal ISMS changes


'6.3 Planning of changes' is a succinct new clause in ISO/IEC 27001:2022, one accidentally omitted from the contents listing (oops).

Simply put, changes to the Information Security Management System must be planned, rather than simply happening haphazardly.

What kinds of ISMS changes would this cover? Without further clarification, it could be argued that any and every change to the ISMS has to be "carried out in a planned manner", begging further questions about the intended purpose and scope of the clause, and of the ISMS itself. 

If we add a new topic-specific information security policy on IoT, for instance, or update the risks list, would such changes need to be planned? How about simply renaming the organisation's list of risks to, say, Information Risk Register - should that be planned? Would correcting a little typo in an ISMS procedure or awareness item count as an ISMS change that has to be planned? 

Monday 14 November 2022

Impact is ...

... "adverse change to the level of business objectives achieved" [source: ISO/IEC 27000]

... the inertial energy imparted by a moving mass impinging upon an object

... "the adverse outcome or consequences caused by or arising from an information security incident, leading to direct and/or indirect (consequential) losses/costs to the organisations and/or the individuals concerned" [source: SecAware glossary]

... the point when probability functions collapse

... when possibility becomes reality

... when threat meets vulnerability

... short, medium and long-term

... loss of control over an asset

... too late to prevent or avoid

... being smacked in the head

... when p(occurrence) hits 1

... when gloved fist hits chin

... what we tried to prevent

... what we sought to avoid

... an impressive entrance

... the resonance of a bell

... when risk eventuates

... when shit meets fan

... not too late to react

... being compromised

... a successful attack

... the point of failure

... adverse outcome

... the after-effects

... hard to quantify

... inconsequential

... career-limiting

... a wake-up call

... loss of control

... consequences

... being harmed

... consequential

... unanticipated

... ramifications

... a pivot point

... motivational

... the moment

... open-ended

... unexpected

... anticipated

... predictable

... memorable

... an incident

... a dull thud

... percussion

... disastrous

... dispersed

... an exploit

... negligible

... bad news

... predicted

... expected

... dramatic

... being hit

... a breach

... a failure

... a crater

... a driver

... focused

... harmful

... gradual

... striking

... serious

... a crash

... sudden

... general

... moving

... a miss

... severe

... shared

... crunch

... a dent

... costly

... trivial

... oh oh

... a flop

... hurty

... costs

... bang

... ouch

... a hit

...

Monday 7 November 2022

Vulnerability is ...

... "an inherent and potentially exploitable weakness in an information asset, system, process, organisation etc." [source: SecAware glossary]

... exposed by one or more missing, ineffective or inadequate controls

... “a security weakness in a computer” [source: NIST SP800-114 rev1]

... “a weakness, susceptibility or flaw of an asset or control that can be exploited by one or more threats” [source: Financial Stability Board Cyber Lexicon]

... "weakness of an asset or control that can be exploited by one or more threats” [source: ISO/IEC 27000]

... "weakness in a system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat" [source: NIST SP 1800-17b]

... a chink in the armour

... a gap in our defences

... revealed in incidents

... asking for trouble

... taking a chance

... misplaced trust

... the weak link

... unprotected

... an opening

... exploitable

... a soft spot

... deficiency

... endearing

... weakness

... inevitable

... inherent

... pathetic

... a flaw

... latent

... a bug

...

Thursday 3 November 2022

Tuesday 1 November 2022

Putting policies under pressure


A note on LinkedIn led me to an intriguing scientific research study that tested the following five hypotheses:

  1. People who receive instructions via a written policy about rules will have better knowledge of these rules than those that do not. 

  2. People who receive a shorter form version of policy about the rules with less text will have better knowledge of the rules than those who receive a longer training form. 

  3. People who receive a written policy outlining the rules in a more vernacular and less legal technical language will have better knowledge of the rules than those presented with a more formal-legal-styled training text. 

  4. People with better knowledge of rules will also comply more with such rules.

  5. The more legal rules align with people’s personal and social norms, the higher people score in their knowledge of these legal rules.  

Monday 31 October 2022

Threat is ...


... "any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service" [source: NIST SP800-30r1]

... "a person, situation or event (whether deliberate or accidental, targeted or generic in nature) that is hazardous or dangerous, capable of causing an information security incident" [source: SecAware glossary]

... "potential cause of an unwanted incident, which can result in harm to a system or organization" [source: ISO/IEC 27000:2018]

... a competitor's unexpected shift of tactics

... an ominous promise to cause harm

... an accident waiting to happen

... the cause of a really bad day

... nature red in tooth and claw

... storm clouds on the horizon

... an active component of risk

... an unfortunate coincidence

... sometimes hard to detect

... intended to provoke fear

... advanced and persistent

... go ahead, make my day

... mitigated by deterrents

... a laser dot on the torso

... a stated intent to harm

... the catalyst for change

... a burst of testosterone

... external to the system

... all mouth and trousers

... retarded and tentative

... not always recognised

... what might go wrong

... part of the landscape

... dark and foreboding

... obvious in hindsight

... economic downturn

... when luck runs out

... bad consequences

... competitive intent

... a ransom demand

... coming tooled-up

... potential to harm

... marauding gangs

... an implied attack

... easily discounted

... over-emphasised

... impending doom

... adverse weather

... lack of oversight

... a nasty promise

... a nasty surprise

... static discharge

... unpredictability

... a show of force

... not when but if

... not if but when

... something bad

... hard to control

... a warning sign

... Freddy Krueger

... worth ducking

... the unknown

... a probability

... best avoided

... an oversight

... a possibility

... a prediction

... provocative

... a likelihood

... xenophobia

... generalised

... unintended

... a certainty

... intentional

... theoretical

... the enemy

... hazardous

... bad actors

... existential

... accidental

... a warning

... deliberate

... menacing

... or else ...

... uncertain

... fearsome

... outsiders

... expected

... criminals

... technical

... for show

... ominous

... coercion

... volatility

... left-field

... demonic

... violence

... physical

... directed

... mythical

... genuine

... looming

... bravado

... a worry

... a pitfall

... insiders

... disease

... a bomb

... obvious

... a scowl

... a tactic

... assault

... human

... spooky

... feared

... failure

... 'them'

... anger

... death

... social

... scary

... fake

...

Monday 24 October 2022

Oversight is ...

... "various forms of supervision and inspection used to ensure that important information security activities and controls are operating properly, and to identify any anomalies" [source: SecAware glossary]

... "forgetfulness, carelessness, neglect or incompetence, typically leading to errors, omissions and other information security incidents" [source: SecAware glossary]

... absent from ISO/IEC 27002 except for one measly mention (clause 5.16)

... maintaining a watching brief

... an opportunity to review

... the four eyes principle

... the act of overseeing

... the prompt to revisit

... keeping a close eye

... hands off, eyes on

... something missed

... a sign of distrust

... an opportunity

... a vulnerability

... a sign of trust

... incompetence

... management

... carelessness

... an omission

... an accident

... an override

... supervision

... inspection

... ineptitude

... a problem

... assurance

... a mistake

... authority

... guidance

... a control

... checking

... freedom

... a threat

... skipped

... neglect

... caring

... a risk

... audit

...


Monday 17 October 2022

Assurance is ...

... "provision of a certain level of trust, confidence, confirmation or proof of something, typically by reviewing, checking, testing, certified compliance or auditing it" [source: SecAware glossary]

... knowing when to stop climbing the ladder

... the absence of anxiety and doubt

... a necessary part of management

... the result of testing - pass or fail

... swimming out of the shark cage

... an integral governance function

... stepping into the shark cage

... packing your own parachute

... a friendly hand reaching out

... engineering the shark cage

... an underappreciated goal

... an undervalued objective

... certifying the shark cage

... welding the shark cage

... confidence in another

... an independent view

... holding all the cards

... a measure of power

... plausible deniability

... taking a space walk

... stacking the deck

... hitting the mark

... being confident

... a winning hand

... self-confidence

... not insurance

... being certain

... confirmatory

... bearing it all

... unnecessary

... nice to have

... checking-up

... baring it all

... naïve belief

... mandatory

... knowledge

... comforting

... reassuring

... being sure

... necessary

... insurance

... oversight

... essential

... checking

... a control

... valuable

... optional

... security

... a game

... testing

... costly

... audit

... valid

... trust

...

Security awareness month


Since October is cybersecurity awareness month in the USA, we've seized the opportunity to update SecAware.com with additional information on our security awareness material. 

SecAware's information security awareness modules explore a deliberately wide variety of individual topics in some depth: