Showing posts with label Cyber. Show all posts

Tuesday 12 March 2024

A nightmare on DR street


A provocative piece on LinkedIn by Brian Matsinger caught my beady eye and sparked my fertile imagination today. I'm presently busy amplifying the disaster recovery advice in NIS 2 for a client. When I say 'amplifying', I mean generating an entire awareness and training piece on the back of a single mention of 'disaster recovery' in all of NIS 2. Just the one. Blink and you'll miss it.

Oh boy.

Anyway, Brian points out that recovering from disasters caused by 'cyber attacks' requires a different DR approach than is usual for physical disasters such as storms, fires and floods. Traditional basic DR plans are pretty straightforward: essentially, the plans tell us to grab recent backups and pristine systems, restore the backups onto said systems, do a cursory check then release services to users. Job's a good 'un, off to the pub lads.
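As an added illustration (mine, not part of Brian's post or the original text above), here is what a less cursory check might look like in Python: a file-level comparison of a restored tree against the SHA-256 manifest recorded when the backup was taken, so that altered, missing or unexpected files are reported before services are released. The manifest layout (relative path to hex digest) and the sample files are constructed for the demonstration.

```python
"""Verify a restored file tree against the manifest captured at backup time.

Added example, not code from the original post. The 'cursory check' of a basic
DR plan is replaced by a per-file SHA-256 comparison: files altered, removed or
added between backup and restore are reported before services go live. The
manifest format (relative path -> hex digest) and the sample files are assumed.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Walk root and record the digest of every regular file, keyed by '/'-separated relative path."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(root: str, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree with the backup manifest.

    Returns sorted lists of paths that were modified (digest differs), missing
    (in the manifest but not restored) and extra (restored but never backed up).
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    extra = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "extra": extra}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: record a manifest, then tamper with the 'restored' tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("listen=443\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hello</h1>\n")
        manifest = build_manifest(root)  # what the backup job would have recorded

        # Simulate what a tampered restore might contain (constructed, not a real incident)
        with open(os.path.join(root, "etc", "app.conf"), "a") as f:
            f.write("debug_shell=1\n")              # altered configuration
        os.remove(os.path.join(root, "index.html"))  # file missing after restore
        with open(os.path.join(root, "etc", "cron.sh"), "w") as f:
            f.write("#!/bin/sh\n")                  # file that was never in the backup

        return verify_restore(root, manifest)


if __name__ == "__main__":
    print(demo())
```

For the demo the manifest is built in the same run. In a real DR plan it must be written at backup time to storage the attacker cannot reach, and signed, since a manifest restored alongside tampered files proves nothing.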

Friday 15 September 2023

Checklust security


"Seventy Questions to Assess Cybersecurity Risk on a Rapidly Changing Threat Landscape" is an ISACA 'industry news' article by Patrick Barnett.

Whereas normally I give 'industry news' and checklists a wide berth, Patrick is (according to the article) highly qualified and experienced in the field, so I took a closer look at this one. The prospect of condensing such a broad topic to a series of questions intrigued me. I'm not totally immune to the gleaming allure of well-conceived checklists.

Patrick says:

"There are 70 questions that can be asked to determine whether an enterprise has most defensive principles covered and has taken steps to reduce risk (and entropy) associated with cybersecurity. If you can answer “Yes” to the following 70 questions, then you have significantly reduced your cybersecurity risk. Even so, risk still exists, and entropy must be continuously monitored and mitigated. There is no specific number of layers that can remove all risk, just as there is nothing in the physical universe that does not experience entropy."
Hmmm. OK. Despite the definitive initial statement, I take that introduction as an implicit acknowledgement that there may be more than 70 questions ... and indeed many of the 70 are in fact compound/complex questions, such as "35. Do you prevent the disclosure of internal IP address and routing information on the Internet?" Most of us would instinctively answer "Yes" to that ... but look more closely: the question concerns "IP address" and "routing information", meaning both parts, not just one. What qualifies as "routing information" anyway? And what about other network traffic apart from IP? What is 'disclosure'? What does Patrick mean by 'prevent'? And are we only concerned about 'the Internet'? If you are serious about addressing the information risks relating to NAT and all that (all that), you surely appreciate the naivete of question 35. If this is all Greek to you, maybe not. 
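To make the ambiguity concrete, here is an added Python example (mine, not Patrick's or ISACA's) that checks one narrow reading of question 35: whether HTTP response headers or bodies carry RFC 1918, loopback, link-local or IPv6 unique-local addresses. The responses it scans are constructed, and the list of ranges it treats as 'internal' is an explicit assumption, which is precisely the sort of thing the question leaves undefined.

```python
"""Find internal IP addresses disclosed in HTTP responses.

Added example, not from the ISACA article or the blog post. It implements one
narrow interpretation of question 35: scan response headers and body for IPv4
and IPv6 literals and report those falling in ranges that should never be
visible from the Internet. The responses below are constructed for the demo.
"""
import ipaddress
import re

# Ranges treated as 'internal' (an assumption). Listed explicitly rather than
# relying on ipaddress.is_private, which would also flag documentation ranges
# such as 203.0.113.0/24 that do legitimately appear in public material.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 loopback, link-local, ULA (RFC 4193)
)]

# Candidate IPv4 and IPv6 literals. The IPv6 branch is deliberately loose;
# ipaddress.ip_address() does the real validation and rejects look-alikes
# such as timestamps ("10:15:22") or dotted version numbers.
_CANDIDATE = re.compile(
    r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])"                        # IPv4
    r"|(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])"    # IPv6
)


def is_internal(addr) -> bool:
    """True if addr lies in one of INTERNAL_NETS (version mismatches compare False)."""
    return any(addr in net for net in INTERNAL_NETS)


def internal_addresses(text: str) -> list[str]:
    """Distinct internal addresses found in text, in order of first appearance."""
    found: list[str] = []
    for m in _CANDIDATE.finditer(text):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            continue  # regex candidate that is not actually an address
        if is_internal(addr) and str(addr) not in found:
            found.append(str(addr))
    return found


def scan_response(headers: dict, body: str) -> dict:
    """Map each leaking location ('header <name>' or 'body') to the addresses it discloses."""
    report: dict = {}
    for name, value in headers.items():
        hits = internal_addresses(value)
        if hits:
            report[f"header {name}"] = hits
    hits = internal_addresses(body)
    if hits:
        report["body"] = hits
    return report


# Constructed responses for the demonstration (not captured from any real server).
LEAKY = (
    {
        "Date": "Tue, 12 Mar 2024 10:15:22 GMT",            # 10:15:22 must not be reported
        "Via": "1.1 proxy01.corp.internal (10.20.30.40)",   # RFC 1918 address in a proxy header
        "X-Backend-Server": "192.168.5.17:8080",            # upstream host and port
        "X-Debug": "upstream ::1 unavailable",              # IPv6 loopback in a debug header
    },
    "<html>Error connecting to db at fd00:1:2::5 port 5432 from 203.0.113.9</html>",
)
CLEAN = ({"Server": "nginx", "Content-Type": "text/html"}, "<html>ok</html>")

if __name__ == "__main__":
    for label, (hdrs, body) in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, scan_response(hdrs, body))
```

Note what this does not cover: DNS records, TLS certificates, e-mail headers, error pages served only under fault conditions, and 'routing information' in any sense, which is why a single "Yes" to question 35 says rather little.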

Sunday 16 July 2023

Internet security guidance

The second edition of ISO/IEC 27032 "Cybersecurity - Guidelines for Internet security" has just been published.

The introduction to the new edition commences:

"The focus of this document is to address Internet security issues and provide guidance for addressing common Internet security threats, such as:
— social engineering attacks;
— zero-day attacks;
— privacy attacks;
— hacking; and
— the proliferation of malicious software (malware), spyware and other potentially unwanted software."

Notice the standard is focused on "Internet security issues" which, in practice, means it covers active attacks perpetrated via the Internet. However:

Friday 5 May 2023

Memories of an O.F.

I freely admit to being an Old Fart, old and plenty farty enough to remember a time even before the DTI Code of Practice was released and then in 1995 became BS7799, making information security A Thing.

OK so I'm not quite so old as to remember when computers were women in rank and file, studiously calculating missile trajectories, but I've read about them and I remain fascinated by the early mechanical, electro-mechanical and then electronic computers - initially single-purpose tools such as that nice Mr Babbage's difference engine, then machines capable of various tasks using toggle switches, punched tape and cards to program their instructions.

Back in the 80s when I escaped the genetics lab to become a net/sysadmin, computer security was just becoming important: people (particularly managers, few of whom had a clue about IT) were vaguely concerned about these new-fangled, complicated, mysterious and expensive computers. Securing data processing hardware was seen as important given its book value and fragility. Even clueless managers could appreciate the need for physical security controls for physical computers - locks and keys, Halon, computer rooms and computer pros in white lab coats jealously guarding their big beige babies. 

Well, most could. Some managers didn't get it even then.

Thursday 30 March 2023

ISO 27001 templates and services on sale


For organisations planning to implement ISO/IEC 27001 for the first time, the standard's requirements can be confusing, especially given the amount of dubious advice available on the web. For instance, one issue that crops up frequently on the ISO27k Forum and here on the blog is that the information security controls in Annex A of the standard are not required - in fact, they are not even recommended or suggested, despite what some non-experts advise. Annex A is provided as a checklist, a prompt to ensure we have considered a wide range of information risks. 

The standard's main body clauses, in contrast, formally specify the functional requirements for an Information Security Management System. In order for an organisation to be certified, the ISMS must be designed to fulfil the specified requirements, and must be operational, managing whatever information security controls and other treatments are appropriate given the organisation's information risks. 

In short, implementing '27001 is not a simple box-ticking compliance exercise. 

This Easter, we are offering:
  • ISMS Launchpad - a complete set of templates for all the essential ISMS documents such as the scope, Risk Treatment Plan, Statement of Applicability and a corporate information security policy (on sale at US$239, normally $399). Every certified organisation needs these docs, at least.

Tuesday 3 January 2023

New year sale: security templates



Kick-off 2023 with a bang!  

Visit SecAware for special deep discount deals on our information security policies, ISO 27001 ISMS templates and more.

Happy new year! 

Tuesday 20 December 2022

Cyber-collateral

Despite its political agenda and the usual US xenophobia, the article America's Secret Arsenal cited on RISKS-List set me thinking strategically about cyberwar. While I don't consider myself part of the 'cyberscare industrial complex', a few issues stand out for me, as an interested and concerned onlooker.

Lightning-fast escalation

When (not if) a serious offensive military cyberattack is mounted against a capable and well-prepared adversary, things look likely to escalate dramatically in the first few minutes, seconds or milliseconds, far too fast for political decision-making or even fast-track incident responses involving conventional decisions and actions by humans. Automated responses are more likely, implying a raft of associated risks, for example the distinctly disturbing likelihood that such responses are already primed and ready to go, right here, right now. It's hard not to envisage all manner of nightmare scenarios mushrooming from that point, with automated offensive and defensive weapons slogging it out like some hellish computer game on autoplay, turbo. In a sense, we already see this effect in miniature when our computers automatically patch themselves (usually preventing but occasionally causing incidents), or when intrusion prevention systems react instinctively to identified network attacks (again, usually effectively but sometimes counterproductively) ...

Detection and analysis

... which hints at another significant issue: incidents must be identified as such to trigger active responses, although passive responses and baseline controls will presumably be in operation regardless. Delaying detection and frustrating analysis, then, is presumably a strategic objective for attackers ...

Nature of attack and response

... which would place a huge premium on widespread, stealthy infiltration of networks and systems/devices as a prelude to cybergeddon. 

Scale of impacts


Collateral damage and friendly fire



Subversion


Red-teaming

Exercises, simulations, rehearsals, tests, reviews and audits are, presumably, all part of the process of developing and refining cyber capabilities.

Capabilities and resources


Bat phones

What is the modern-day equivalent of the bat phone, the priority direct line between heads of state and other VIPs, given the near certainty that communications will be attacked hard in the very first assault? Let's hope the authorities have given due consideration to the need for truly secure (as in confidential, assured/trustworthy, and highly available i.e. robust, reliable and resilient) means of communication capable of operating even under intense cyberattack conditions, as well as thinking through the consequences of "No signal" or "Satellite out of range".

Oh and by the way, if war is largely automated, there had better be data as well as voice capabilities, with the appropriate security and messaging protocols in place as well as the strings and baked bean cans, plus of course the routine comms between and among all levels of the military establishment, all the way down to/up from those front-line robots and UAVs.

Rules of engagement

What is happening to define the rules of the game and prepare to step in when cybercombatants almost inevitably overstep the line of acceptable warfare? If not the UN, who is or should be playing the role of referee? The more I think about this, the more I see the need for CCD, the cyber-equivalent of CND. Right now is a good time to launch a global Campaign for Cyber Disarmament, before things get totally out of hand.

Tuesday 13 December 2022

Yet another interpretation of 'cyber'

I have railed repeatedly at the vague and often inappropriate or misleading use of 'cyber', in particular cyber-risk and cybersecurity (inconsistently hyphenated, as shown).

Usually, cyber simply means IT - all the usual humdrum risks and controls relating to IT systems and networks. This is everyday stuff, nothing special. Plain IT covers it.

Sometimes cyber alludes to far more extreme and sinister threats associated with highly competent and resourceful adversaries sponsored by governments, organised criminals or terrorists attacking critical national or global infrastructures - the sorts of things that might be experienced during war. Those using the term in this way tend to speak in riddles, trying hard to avoid admitting or disclosing vulnerabilities while denying knowledge of any involvement in such activities. 

Monday 22 August 2022

Cyber is ...

... "the science of communication and control theory that is concerned especially with the comparative study of automatic control systems"
[source: Merriam-Webster]

... "a jargon prefix/buzz-word, much abused by marketers, journalists, politicians and widely misinterpreted" [source: SecAware glossary]

... robotics, artificial intelligence and machine learning

... remaining operational despite serious incidents

... a muddle of paradoxes and contradictions

... protecting critical corporate infrastructure

... protecting critical national infrastructure

... whatever the speaker/writer thinks it is

... information risk, security and control

... only part of the problem space

... more than just technology

... recovering from incidents

... nation-state weaponry

... short for cybersecurity

... the modern battlefield

... only about technology

... a solid-gold buzzword

... unknown unknowns

... conveniently vague

... smoke and mirrors

... computer security

... six-figure salaries

... Internet security

... outsider threats

... cool as dry ice

... deadly serious

... disinformation

... being resilient

... a sexy prefix

... data security

... where IT's at

... where it's at

... a hot button

... propaganda

... untargeted

... a diversion

... technology

... misleading

... IT security

... pentesting

... distracting

... newspeak

... superficial

... undefined

... defensive

... sabotage

... offensive

... targeted

... malware

... insiders

... hackers

... serious

... budget

... spooks

... scary

... spies

... deep

... hype

...


... all of the above, and more

... none of the above: something else entirely

... who cares?  Watch the hands, follow the ball, concentrate

Saturday 6 August 2022

CISO workshop slides

The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):