Posts

Showing posts from July, 2024

Crowdstrike - post-incident review: a dozen learning points

I blogged about the Crowdstrike incident on July 21st while it was still playing out. Now, having drained the swamp and let the dust settle, I'm due to draw out, deconstruct and decide what to do about the Crowdstrike disaster, so here goes:
Design, build and test systems for resilience, where 'systems' means not just IT systems but the totality of interdependent technologies, organisations, people, information flows and other resources necessary to deliver and support critical business activities. Hinson tip: "be prepared" is not just for boy scouts! Those dependencies are potential pinch plus pain points.
Test software before release. Sounds easy, right? It isn't. There is an infinite amount of testing that could be performed, only a fraction of which realistically should be, while the amount and quality of testing actually performed is resource-constrained and time-boxed for business and uncertainty (risk!) reasons (delaying security cha

NIST RMF vs Adaptive SME Security

NIST has just released SP 1314 Risk Management Framework (RMF) Small Enterprise Quick Start Guide as a lightweight form/introduction to the full RMF. ... and, despite having said the steps are not necessarily sequential ... It's interesting to compare and contrast the NIST RMF against the Adaptive SME Security approach we released just last week:

Crowdstrike - a para-incident review

We find ourselves in the midst of a classic social response to a significant incident - a heady blend of technobabble, confusion and hyperbole, with a sprinkling of genuinely helpful information, grief and support for those right in the thick of it, and warnings about the likelihood of further exploitation ... of ... the classic social response to a significant incident. That's a positive feedback loop, amplified by the echo chambers of social media, and traditional news reporters whose job is (in part) to stir the pot and sell papers. "This is HUGE!" they tell us, breathlessly. "Bigger than a really big thing, and still growing!" According to the din just on LinkedIn over the weekend, the Crowdstrike incident is "a major global outage", a "mass global outage and major impact to services", "carnage", "cataclysmic", "global chaos", the "patchpocalypse", "digital catastrophe", "the bi

Adaptive SME security Crowdstrike special

As if on cue, along comes a golden opportunity to consider what the Adaptive SME security approach has to say regarding the Crowdstrike incident: That's not 20/20 hindsight but foresight: I've picked out the most relevant rows from the security controls table published in the guide 24 hours before the incident. Although Crowdstrike primarily supplies much larger enterprises than SMEs, the incident could equally have afflicted other security software, or indeed operating systems such as Windows and assorted cloud apps commonly used by SMEs. Regardless of the details, it is a wake-up call, an opportunity to consider and respond to the information risks ... and to adapt, accordingly.

New ISO27k domotics security standard

ISO/IEC 27403 "Cybersecurity – IoT security and privacy – Guidelines for IoT-domotics" was published at the very end of last month. "Domotics" is a neologism for smart homes. This new standard covers the cybersecurity and privacy aspects of thing-to-thing interactions (e.g. home hubs and entertainment subsystems) as well as human-to-thing plus thing-to-sensors/actuators that physically interact with the home (e.g. smart door locks and thermostats) and networking both within the home (e.g. WiFi, Bluetooth) and beyond (e.g. fibre or wireless broadband). The standard is aimed squarely at guiding the designers, manufacturers and security or privacy assessors of IoT domotics, as opposed to retail customers and users. It provides examples of information risks that should (in theory at least) have been identified, evaluated and addressed by IoT suppliers baking-in suitable security controls to protect their valued customers' interests. In reality, how much

Two dozen information risks that ISO forgot

Selecting the wrong controls - controls that are inappropriate, ineffective, too costly, impracticable, fragile, unnecessary, counterproductive or whatever, often as a result of blind faith in fads and fashions of the day and FOMO e.g. MFA, AI, cyber
Failing to select the right controls - controls that are ideal for the particular situation, both now and in perpetuity, for whatever reason - mostly ignorance and prejudice
Selecting and implementing controls at the wrong time or in the wrong way (where 'wrong' includes ineffective, inappropriate, sub-optimal e.g. bolting on controls rather than designing and building them in)
Inept and inaccurate identification, analysis and quantification of risk, including reliance on poor quality (incomplete, inaccurate, out of date, misleading, unreliable ...) information about actual risks, particularly subtle and emerging risks plus those involving deliberate concealment and misdirection e.g. fraud, misinformation, disinformation, propagan