Posts

Showing posts from 2023

Categorised plans

Prompted by a thread on the ISO27k Forum, I've been contemplating the categorisation planning process I mentioned in yesterday's blog. This is just a rough diagram to illustrate the concept. Very rough. "Rough as" as we say down here on the Far Side.

Assessing upstream supply chain information risks

Yesterday, someone sought guidance from the ISO27k Forum on categorising vendors by risk. Here's my coffee-fueled early-morning response, lightly edited for this blog. Risk assessment criteria: in the context of an ISO 27001 Information Security Management System, information risk in the upstream supply chain/network, viewed from the customer organisation's business perspective, is the primary concern in relation to vendors. Breaking that down, the kinds of factors that may affect the information risk levels include:

Checklust security

"Seventy Questions to Assess Cybersecurity Risk on a Rapidly Changing Threat Landscape" is an ISACA 'industry news' article by Patrick Barnett. Whereas normally I give 'industry news' and checklists a wide berth, Patrick is (according to the article) highly qualified and experienced in the field, so I took a closer look at this one. The prospect of condensing such a broad topic to a series of questions intrigued me. I'm not totally immune to the gleaming allure of well-conceived checklists. Patrick says: "There are 70 questions that can be asked to determine whether an enterprise has most defensive principles covered and has taken steps to reduce risk (and entropy) associated with cybersecurity. If you can answer “Yes” to the following 70 questions, then you have significantly reduced your cybersecurity risk. Even so, risk still exists, and entropy must be continuously monitored and mitigated. There is no specific number of layers that can remove...

Hyperglossary published!

Having declared it officially 'done', the SecAware information security hyperglossary is finally self-published as an eBook in PDF format. More than three thousand terms-of-art are defined in the areas of: information risk; information security; cybersecurity (IT/Internet security); ICS/SCADA/OT security; artificial intelligence; privacy, data protection and personal information; governance; conformity and compliance; incidents; business continuity; and more. It has taken me three decades so far to compile the glossary, initially just as a reference for my personal use, then for our security awareness clients, and now for anyone with a little cash to spare and an interest in the field.

Using security enquiries by customers as a security metric

On CISSPforum, Walt Williams suggested a novel security metric: "If your organization has customers that ask you to complete questionnaires before engagement, track those against logos added or better revenue brought in. You’re now tracking your return on investment and a key risk: if your security is not good enough, those are the businesses you lose. Do the same with each customer that asks for your ISO certification or SOC 2 report. You have an excellent metric that allows you to track that return on investment and shows security as a revenue generating part of the organization. My organization’s last quarter internal company meeting had the Senior Revenue officer publicly acknowledge and thank InfoSec for our role in landing their biggest customer. It doesn’t get much better than that." So, inspired by Walt's intriguing idea, I prepared a conventional metric specification using a combination of the Goal-Question-Metric approach (as ably described by Lance Hayd...

Hyper-glossary nearing completion (?)

My next book will be a 'hyper-glossary' of terms relating to information security, including closely related aspects such as information risk management, governance, compliance ... and more ... and there's the rub: I'm struggling to catch up/keep up with developments in the field, not least because of the rate at which novel concepts are introduced and new terms are coined. Here's an example of a definition originally added a couple of years ago and most recently amended today: There I've defined "Deep fake", one of several terms washed up in the AI tsunami. The underlined terms are hyperlinked to their definitions ... and so on forming an extensive web within the document.

The biology of bias

'Bias' is generally considered a negative human trait with both practical and ethical implications. Paradoxically, however, that negativism can itself be considered a form of bias. Bias can - sometimes - be positive, beneficial, even necessary, and is to some extent an inevitable consequence of our biology. [BoardOfInnovation blog] In Darwinian terms, 'cognitive bias' comprises a fairly diverse set of behavioural traits that have evolved over the millennia, such as: Confirmation bias: a tendency to seek out and place greater emphasis on information that appears to confirm what we already believe, while avoiding, ignoring or downplaying contradictory information; Anchoring bias: initial information (no matter how accurate) provides a basis for comparing and evaluating further information; Observation bias: the mere fact that something is being observed, investigated, discussed, measured, focused-on etc. increases its apparent importance or value; Balance bias: human...

Pro services under attack

Among all the other bad news in the excellent Cy-Xplorer 2023 report from Orange Cyberdefense, this nugget of threat intelligence poked me in the eye: I've become increasingly concerned about the information risks relating to professional services in recent years. They seem obvious targets for malicious cyber attacks, given:

Internet security guidance

The second edition of ISO/IEC 27032 "Cybersecurity - Guidelines for Internet security" has just been published. The introduction to the new edition commences: "The focus of this document is to address Internet security issues and provide guidance for addressing common Internet security threats, such as: — social engineering attacks; — zero-day attacks; — privacy attacks; — hacking; and — the proliferation of malicious software (malware), spyware and other potentially unwanted software." Notice the standard is focused on "Internet security issues" which, in practice, means it covers active attacks perpetrated via the Internet. However:

A pragmatic alternative to the SuperCISO [L O N G]

Yet again this morning, something on the ISO27k Forum caught my imagination, firing-up my sleepy caffeine-deprived neurons. We have been chatting lately about what is expected of the Chief Information Security Officer role - namely an exceptional mixture of knowledge, skills and competences possessed by the 'SuperCISO'. Today, Nigel Landman referred us to an interesting article by JC Gaillard at Medium.com. JC's repeated assertions that 'cybersecurity is not purely technical' caught my beady eye: the 'cyber' bit clearly suggests that it is 100% purely tech ... but those of us who have swallowed the ISO27k pill recognise that information security requires more than just securing the bits-n-bytes. This is yet another example of the confusing use of language - specifically 'cyber'. Many professionals immersed in the field take 'cyber' implicitly to include technology plus other aspects but the general perceptio...

What do auditors do, and for whom? [L O N G]

Once again, my day kicked off with a stimulating and fruitful debate on the ISO27k Forum as members responded to a request for help to find accredited Information Security Management System certification auditors who will add value to the organisation above and beyond the ISO/IEC 27001 conformity certificate. The original poster copped some grief from the forum in appearing to seek certification auditors who would be kind on the organisation, supporting its business objectives more strongly than its conformity with the standard ... but a follow-up message clarified the position. Aris confirmed to us that he sought: "advice on where (in cases of an ISO audit) and how (in cases of an Internal audit) our ISMS could/should be improved, but I need that advice to be meaningful, grounded, and delivered in a way that has the best probability it will be absorbed by the business. In other words, I would like this process to offer real value to the business, besides just bein...

Reading between the lines of ISO27001 [L O N G]

ISO/IEC 27001 is a succinct, formally-worded standard for two key reasons: It is deliberately generic, being applicable to all manner of organisations regardless of differences in location(s), size, industry, maturity, structure, information risk and security status ... and so on. In effect, it specifies the lowest common denominator - the things that ALL organisations should be doing to manage their information security controls, as a minimum. The hurdle is set low enough that every organisation ought to find value in designing, implementing and operating an Information Security Management System as laid out in the standard. It is a certifiable standard, explicitly specifying the characteristics that every certified organisation's ISMS is expected to have. Again, it is a minimal specification with no concept of typical, average or maximum security: that is entirely down to the organisations themselves to determine, following the information risk management processes minimally de...

ISO/IEC 27001 and the other ISO27k standards

ISO/IEC 27001 is an international standard specifying the requirements for Information Security Management Systems, in a succinct, formalized style that makes the standard amenable to conformity auditing and certification. The standard is generic and hence can be applied to all types and sizes of organization, in any industry, anywhere in the world. A ‘management system’ is described by ISO as “the way in which an organization manages the interrelated parts of its business in order to achieve its objectives.” The approach is designed to feed managers the information they need to oversee, and the governance/management levers necessary to direct, the organization’s activities. As such, the standard stops short of mandating specific information security controls, leaving that to management’s discretion according to its determination of the organization’s information risks. ISO’s standardized approach is common across its management systems standards such as ISO 9001 (quality management)...

Security control categories and attributes

On LinkeDin this morning, Morten Ingvard asked: "As part of updating and reshaping some parts of our information security management system (ISMS), I'm not convinced that the new categorization of controls in ISO/IEC 27002:2022 (Organizational, people, physical and technical), is the best suit for our organization to rationally identify relevant controls for their work. I understand there is an increased focus on the use of attribution - so controls can be selected based on different perspectives, but I want to have a "default view" that the organization can read and understand, and currently, I'm strongly considering sticking with a categorization structure looking more like the older 2013-version in ISO/IEC 27001." Here's my response to Morten: "The categories are primarily a convenient way to sequence the controls in the standard. It was the 'default view' selected by ISO/IEC JTC1/SC27.

Squeezing more value from certification audits

Finding weaknesses/concerns and improvement opportunities in the organisation's information risk, security and related arrangements is a valid and potentially valuable outcome of an ISO/IEC 27001 certification audit. Arguably, however, that is what the management reviews and internal audits are supposed to achieve. Certification auditing is primarily intended to provide assurance for the organisation and third parties that the organisation has correctly interpreted and implemented the standard, a specific key objective. One way to resolve this conundrum is for certification auditors to distinguish: "Major nonconformities" - demonstrable and substantial failures to fulfil any of the mandatory requirements of 27001; from "Minor nonconformities" - insubstantial failures and/or failures against the discretionary requirements of 27001; and "Observations" - anything else noted in the audit that the auditor believes is worth bringing to management...

Risk quantification - other factors (UPDATED)

The conventional focus of risk analysis is to examine the probability of incidents occurring, and their likely impacts if they do - and fair enough, those are obviously key factors ... but not the only ones. Additional factors to consider include: Quality of information and analysis: risks that are commonplace and conventional are generally better understood than those which are novel or rare (such as AI risks, right now); Volatility: if the threats, vulnerabilities and business are reasonably stable, the risks are more easily determined/predicted than if they are volatile, changing unpredictably; Complexity: ugly, horrendously complicated risks are more likely to involve unrecognised interactions;

Order from chaos from order

Towards the end of last year, I wrote a series of blog entries expanding on 20 terms of art, mostly for fun, partly for education, and partly as an exercise in creative thinking ... and today I'm doing it again. As a recap, here are the original 20: Accountability is ... Assurance is ... Audit is ... Authorisation is ... Control is ... Cyber is ... Fragility is ... Governance is ... Impact is ... Information is ... ISO27k is ... Oversight is ... Resilience is ... Responsibility is ... Risk is ... Security is ... System is ... Threat is ... Trust is ... Vulnerability is ... Today, I'm nose-to-the-grindstone, writing my book on information risk management, doing my best to 'tell a good story'. I'm trying to make sense of the jumble of concepts and thoughts in my head, hopefully expressing things clearly enough for readers to understand and be inspired to think and do things di...

A round dozen risk treatment options

I've been thinking about the 'treatment' phase of risk management lately. These are the four conventional and generally-accepted ways of treating (addressing) identified risks: Acceptance: living with the risk, hoping that it doesn't materialise; Avoidance: steering well clear of, or stopping, risky activities; Mitigation: reducing the probability and/or impact of incidents using various types of control; Sharing: with others, such as business partners, insurers and communities. However, it occurs to me that a further eight risk treatment approaches are possible, whether you consider them alternatives, variants or complementary: Procrastination: delaying decisions and actions ostensibly in order to understand risks and possible treatment options (which, meanwhile, implies risk acceptance). Speedy decision-making is an important part of effective

Responding to security questionnaires

Over the past decade or so, 'supplier questionnaires' have become A Big Thing in the business world. Organizations have long appreciated that there are risks associated with doing business (well, fancy that!) and most quite reasonably wish to mitigate those risks, particularly in business-to-business relationships. Increasingly that involves checking out prospective suppliers' information security and privacy arrangements* as part of the supplier evaluation, selection and contracting process. A common approach is to ask prospective and current suppliers to complete security/privacy questionnaires. Being self-assertions by organizations with an obvious interest in securing the business, the assurance value of questionnaires is limited although it may be reinforced by suitable legal wording in the contracts and agreements arising: essentially, the suppliers formally confirm that their questionnaire responses are accurate, complete and valid, and/or formally accept their secur...

BCM for WFH

Since home and mobile workers rely on IT to access critical business systems and corporate data, and to communicate with others, organisations need a robust IT network infrastructure that extends to workers' homes or wherever they hang out. If, in reality, the infrastructure turns out to be fragile and unreliable, business activities are likely to be equally fragile and unreliable, leading to frustration and grief all round. In other words, the extended IT infrastructure is quite likely business-critical. Working From Home or on the road can increase various information risks relative to conventional office-based work, due to factors such as: Use of cloud computing services*; Workers using their own or shared devices and internet connections for work purposes, raising questions about their suitability and security, ownership of and access to any intellectual property or personal information on them;

Novel insider threat

A post on LinkeDin this morning led me to a news piece about an IT professional's attempt to divert/steal his employer's payoffs for a ransomware infection, back in 2018. According to the article, his attempt ultimately failed, largely due to his inept and naive execution ... but I have not come across this particular insider threat before. It was a new one on me, a man-in-the-middle attack layered on top of the ransomware.

Incident notification procedure [UPDATED x2]

I have developed a generic procedure documenting the incident notification process for sale through SecAware. I'm surprised how involved, complex, time-boxed and fraught the disclosure process turned out to be - depending, of course, on the nature and scale of the incident (perhaps a ransomware or malware infection, privacy breach, hack or fraud), who needs to be informed about it, and how to do so.

Metrics episode 3

Lately, I've read a couple of articles complaining that metrics are driving things inappropriately, either stating or implying that metrics should be abandoned. It's pretty obvious (if you think about it) that measuring the wrong things is - at best - a pointless waste of effort, and potentially harmful if it leads things in the wrong directions, taking attention from the things that truly matter. Likewise, measuring the right things in the wrong way leads to disappointment and frustration. However, neither of those issues is a valid argument to stop measuring. They are good reasons to measure the right things competently, easier said than done maybe but surely better than the alternative. I've already mentioned which are the right things to measure: the Things That Truly Matter. Of course that is context-dependent, and changes over time ... so one approach is to consider the organisation's long-term (strategic), mid-term (tactical) and short-term (operational) o...

Metrics episode 2

In the management context, measuring requires that we consider aspects such as: What is important: what do we need to achieve/avoid and, by implication, what is not [so] important, the stuff we can afford to ignore or perhaps monitor passively. Score bonus points for determining importance specifically in relation to achievement of the organisation's business objectives, goals, aims, purposes, visions, missions, targets, strategies, plans, future state or whatever, given that I'm talking about measuring in the corporate management context. There is clearly a strong emphasis on the future here, although where we are now and how we got here may also have some relevance (e.g. if the organisation has done particularly well in innovation or market penetration or resilience or whatever, management should probably retain and protect those capabilities, ideally enhance and build upon them - avoid inadvertently harming them anyway). What does 'success' look like: develo...

eWaste safety hazards and information risks

A warning in the New Zealand Information Security Manual caught my beady eye yesterday: “Electrical and electronic equipment contains a complex mix of materials, components and substances, many which can be poisonous, carcinogenic or toxic in particulate or dust form. Destruction and disposal of WEEE [Waste from Electrical and Electronic Equipment] needs to be managed carefully to avoid the potential of serious health risk or environmental hazard.” Disposing of eWaste presents environmental and safety hazards arising from noxious/toxic/carcinogenic chemicals such as gallium arsenide (GaAs) and polychlorinated biphenyls (PCBs), plus the obvious dangers when handling sharp-edged metal or plastic chassis fragments, wires, printed circuit boards and CD/DVD discs plus leaky electrolytic capacitors and old batteries. While there may be money to be made by extracting and recycling valuable metals and reusable components, subsystems and modules, that's really a jo...

Memories of an O.F.

I freely admit to being an Old Fart, old and plenty farty enough to remember a time even before the DTI Code of Practice was released and then in 1995 became BS7799, making information security A Thing. OK so I'm not quite so old as to remember when computers were women in rank and file, studiously calculating missile trajectories, but I've read about them and I remain fascinated by the early mechanical, electro-mechanical and then electronic computers - initially single-purpose tools such as that nice Mr Babbage's difference engine, then machines capable of various tasks using toggle switches, punched tape and cards to program their instructions. Back in the 80s when I escaped the genetics lab to become a net/sysadmin, computer security was just becoming important: people (particularly managers, few of whom had a clue about IT) were vaguely concerned about these newfangled, complicated, mysterious and expensive computers. Securing data processing hardware was seen ...

Using ChatGPT more securely

Clearly there are some substantial risks associated with using AI/ML systems and services, with some serious incidents having already hit the news headlines within a few months of the release of ChatGPT. However, having been thinking carefully and researching this topic for a couple of weeks, I realised there are many more risks than the reported incidents might suggest, so I've written up what I found. This pragmatic guideline explores the information risks associated with AI/ML, from the perspective of an organisation whose workers are using ChatGPT (as an example). Having identified ~26 threats, ~6 vulnerabilities and dozens of possible impactful incident scenarios, I came up with ~20 information security controls capable of mitigating many of the risks. See what you make of it. Feedback welcome. What have I missed? What controls would you suggest?

Hinson tip on ChatGPT

When using ChatGPT and its ilk, don't forget that the AI robot's contribution is generic and not necessarily smart, accurate, sufficient or appropriate, despite the beguiling use of language that makes it appear logical, credible and reasonable at face value ... but is it, really? Or is it short on integrity? When, for instance, a real-world client reads a human expert advisor's report or consultant's recommendation, they are generally: Thinking critically about it, considering what is and what is not stated and how it is expressed; Posing additional questions for clarity (e.g. "On what basis do you believe we can achieve all that in 8 months, given that there's only one of me and I'm stretched thin as steam-rollered chewing gum?") or credibility ("How long did your last client take for this?") and perhaps arguing the toss ("8 months? You're kidding, right? We only have 4!"); Taking advantage of knowledge and experience w...

ISMS management reviews vs ISMS internal audits

Over on the ISO27k Forum this week, Ray asked us for "guidance on conducting and documenting 'Management Reviews' that include the agenda items required by the standard in 9.3. Any templates shall be much appreciated." Forumites duly offered advice and agendas. So far so good! However, I made the point that ISO/IEC 27001 does not require/insist that management reviews take the form of periodic management meetings, specifically, although that is the usual approach in practice. Personally, since they are both forms of assurance, I advise clients to plan and conduct their ISMS management reviews and ISMS internal audits similarly, with one critical and non-negotiable difference: auditors must be independent of the ISMS, whereas management reviews can be conducted by those directly involved in designing, operating or managing the ISMS. This is not merely a compliance matter or protectionist barrier: auditor independence bri...

mmmmmm, More Meaningful Management Metrics

For about a week, I've enjoyed following and participating in an expansive discussion thread on LinkeDin about the value of measurement and metrics for management, debating various issues that can occur both in theory and in practice. One straw-man argument is that 'managing by the numbers' can imply a myopic focus on commonplace business metrics such as stock price or annual profit, both of which can be manipulated to some extent by managers even at the expense of long term resilience and commercial success, let alone other business objectives. Despite Taylor's outmoded 'scientific management' experiments having been debunked a century ago, some LinkeDinners in the thread evidently still believe that science (in the form of numeric data) and management are poles apart. I beg to differ. That's so last century! Management is complex, dynamic and nuanced, hence I accept that simplistic or crude metrics can't possibly address the entire practice. For exam...

Ailien beacons warn of rocks ahead

Lately, I've been contemplating how the widespread availability and use of AI might affect humankind - big picture stuff. We are currently awash in a tidal wave of commentary about AI innovation, the information risks of AI and its naive users, the tech, the ethics and compliance aspects, the inevitable grab by greedy big tech firms, misinformation, disinformation, jailbreaking and so on. Skimming promptly past well-meaning advisories about prompt engineering from people excited to share their discoveries, I've been reading pieces about how AI can support or will supplant all manner of expert advisors on any topic sufficiently well represented in the models and datasets. The likelihood (near certainty!) of AI-generated content feeding back into AI datasets and hence the potential consequences of runaway hallucinations, coupled with deliberate manipulation by those with private agendas, is quite scary - but equally the possibility of AI generating new knowledge (valid and usefu...

To what extent do you trust the robots?

This Sunday morning, fueled by two strong coffees, I'm cogitating on the issue of workers thoughtlessly disclosing all manner of sensitive personal or proprietary information in their queries to AI/ML/LLM systems and services run by third parties, such as ChatGPT. This is clearly topical given: (1) the deluge of publicity and chatter around ChatGPT right now, coupled with (2) our natural human curiosity to explore new tech toys, plus (3) limited appreciation of the associated information risks, and (4) the rarity of controls such as policies and Data Leakage Protection technologies. Furthermore, even if we do persuade our colleagues (and, let's be honest, ourselves!) to be more careful and circumspect about whatever we are typing or pasting into various online systems, the possibility remains that the general nature of our interests and queries is often sensitive.

ISO 27001 templates and services on sale

For organisations planning to implement ISO/IEC 27001 for the first time, the standard's requirements can be confusing, especially given the amount of dubious advice available on the web. For instance, one issue that crops up frequently on the ISO27k Forum and here on the blog is that the information security controls in Annex A of the standard are not required - in fact, they are not even recommended or suggested, despite what some non-experts advise. Annex A is provided as a checklist, a prompt to ensure we have considered a wide range of information risks. The standard's main body clauses, in contrast, formally specify the functional requirements for an Information Security Management System. In order for an organisation to be certified, the ISMS must be designed to fulfil the specified requirements, and must be operational, managing whatever information security controls and other treatments are appropriate given the organisation's information risks. In short,...

Black hawk down ... but not out

I've long been fascinated by the concept of 'resilience', and surprised that so many people evidently misunderstand and misrepresent it ... so please bear with me as I attempt to put the record straight by explaining my fascination. Resilience is not simply: being secure; being strong; recovering effectively, efficiently or simply recovering from incidents; avoiding or mitigating incidents; any specific technical approach or system; any particular human response, action or intent; a backstop or ultimate control; heroic acts; a construct, something we design and build; something that can simply be mandated or demanded; specific to particular circumstances, situations or applications. It's bigger than any of those - in fact bigger than all of them, combined. Resilience is all of those, and more ... Resilience is: a general concept, a philosophy, a belief; an engineering and architectural approach