Showing posts with label Incidents. Show all posts

Thursday 28 March 2024

An evolutionary revolution?


"Mitigation and adaptation are required together to reduce the risks and impacts of climate change, including extreme weather events. Mitigation refers to actions taken to limit the amount of greenhouse gas emissions, reducing the amount of future climate change. Adaptation refers to actions taken to limit the impacts of a changing climate. Mitigation and adaptation together provide co-benefits for other environmental and social goals."

That paragraph by Lizzie Fuller, Climate Science Communicator for the UK's Met Office, plucked from another excellent digest of lessons learned from various UK resilience exercises and initiatives, obviously concerns climate change ... but it occurs to me that 'mitigate and adapt' might be a novel approach to information risks and impacts as well.

Tuesday 12 March 2024

A nightmare on DR street


A provocative piece on LinkedIn by Brian Matsinger caught my beady eye and sparked my fertile imagination today. I'm presently busy amplifying the disaster recovery advice in NIS 2 for a client. When I say 'amplifying', I mean generating an entire awareness and training piece on the back of a single mention of 'disaster recovery' in all of NIS 2. Just the one. Blink and you'll miss it.

Oh boy.

Anyway, Brian points out that recovering from disasters caused by 'cyber attacks' requires a different DR approach than is usual for physical disasters such as storms, fires and floods. Traditional basic DR plans are pretty straightforward: essentially, the plans tell us to grab recent backups and pristine systems, restore the backups onto said systems, do a cursory check then release services to users. Job's a good 'un, off to the pub lads.

Tuesday 27 February 2024

Mil-spec management lessons


"A calamity can often strike without warning. Whether it be generated by humans or a natural disaster, leaders need to be ready to direct their teams in the aftermath. In order to be ready for crisis, leadership skills, like any others, must be practised over and over beforehand. So the way you lead in the quiet times helps to build the skills you need when you have to dig deep."

That paragraph plucked from this month's impressive NZ Airforce newsletter about the military response to the devastating flooding caused by cyclone Gabrielle here in Hawkes Bay caught my beady eye this morning. 

The idea of practising incident management, as well as incident handling or operations, on relatively small incidents makes perfect sense.

Monday 26 February 2024

27001 & climate change

Like other ISO management systems standards, ISO/IEC 27001:2022 has just been amended to incorporate two small wording changes:

  • “The organization shall determine whether climate change is a relevant issue” (clause 4.1);

  • “NOTE: Relevant interested parties can have requirements related to climate change.” (clause 4.2).

So, it is fair to ask what climate change has got to do with information risk and security. Is it even relevant? Having been mulling that over for quite some while now, I've come up with a dozen points of relevance:



For more on those twelve, read "Secure the Planet".

The clock in that image is a reminder that time is pressing, so here are half-a-dozen things information risk and security professionals can do to help.

Friday 9 June 2023

Risk quantification - other factors (UPDATED)


The conventional focus of risk analysis is to examine the probability of incidents occurring, and their likely impacts if they do - and fair enough, those are obviously key factors ... but not the only ones. Additional factors to consider include:

  • Quality of information and analysis: risks that are commonplace and conventional are generally better understood than those which are novel or rare (such as AI risks, right now);

  • Volatility: if the threats, vulnerabilities and business are reasonably stable, the risks are more easily determined/predicted than if they are volatile, changing unpredictably;

  • Complexity: ugly, horrendously complicated risks are more likely to involve unrecognised interactions;

Friday 2 June 2023

A round dozen risk treatment options



I've been thinking about the 'treatment' phase of risk management lately. These are the four conventional and generally-accepted ways of treating (addressing) identified risks:

  1. Acceptance: living with the risk, hoping that it doesn't materialise;

  2. Avoidance: steering well clear of, or stopping, risky activities;

  3. Mitigation: reducing the probability and/or impact of incidents using various types of control;

  4. Sharing: with others, such as business partners, insurers and communities.

However, it occurs to me that a further eight risk treatment approaches are possible, whether you consider them alternatives, variants or complementary:

  5. Procrastination: delaying decisions and actions ostensibly in order to understand risks and possible treatment options (which, meanwhile, implies risk acceptance). Speedy decision-making is an important part of effective

Tuesday 30 May 2023

BCM for WFH

Hurricane-damaged house

Since home and mobile workers rely on IT to access critical business systems and corporate data, and to communicate with others, organisations need a robust IT network infrastructure that extends to workers' homes or wherever they hang out. If, in reality, the infrastructure turns out to be fragile and unreliable, business activities are likely to be equally fragile and unreliable, leading to frustration and grief all round. In other words, the extended IT infrastructure is quite likely business-critical.

Working From Home or on the road can increase various information risks relative to conventional office-based work, due to factors such as:
  • Use of cloud computing services*;

  • Workers using their own or shared devices and internet connections for work purposes, raising questions about their suitability and security, ownership of and access to any intellectual property or personal information on them;

Thursday 25 May 2023

Novel insider threat

A post on LinkedIn this morning led me to a news piece about an IT professional's attempt to divert/steal his employer's payoffs for a ransomware infection, back in 2018.

According to the article, his attempt ultimately failed, largely due to his inept and naive execution ... but I have not come across this particular insider threat before. It was a new one on me, a man-in-the-middle attack layered on top of the ransomware.

Tuesday 23 May 2023

Incident notification procedure [UPDATED x2]

I have developed a generic procedure documenting the incident notification process, for sale through SecAware.

I'm surprised how involved, complex, time-boxed and fraught the disclosure process turned out to be - depending, of course, on the nature and scale of the incident (perhaps a ransomware or malware infection, privacy breach, hack or fraud), who needs to be informed about it, and how to do so.

Wednesday 10 May 2023

eWaste safety hazards and information risks


A warning in the New Zealand Information Security Manual caught my beady eye yesterday:

“Electrical and electronic equipment contains a complex mix of materials, components and substances, many which can be poisonous, carcinogenic or toxic in particulate or dust form. Destruction and disposal of WEEE [Waste from Electrical and Electronic Equipment] needs to be managed carefully to avoid the potential of serious health risk or environmental hazard.”

Disposing of eWaste presents environmental and safety hazards arising from noxious/toxic/carcinogenic chemicals such as gallium arsenide (GaAs) and polychlorinated biphenyls (PCBs), plus the obvious dangers when handling sharp-edged metal or plastic chassis fragments, wires, printed circuit boards and CD/DVD discs, plus leaky electrolytic capacitors and old batteries. While there may be money to be made by extracting and recycling valuable metals and reusable components, subsystems and modules, that's really a job for specialists with the requisite knowledge, tools, safety gear and market.

Oh, and the appropriate security controls. 

Wednesday 26 April 2023

Using ChatGPT more securely

Clearly there are some substantial risks associated with using AI/ML systems and services, with some serious incidents having already hit the news headlines within a few months of the release of ChatGPT. However, having been thinking carefully and researching this topic for a couple of weeks, I realised there are many more risks than the reported incidents might suggest, so I've written up what I found.

This pragmatic guideline explores the information risks associated with AI/ML, from the perspective of an organisation whose workers are using ChatGPT (as an example).

Having identified ~26 threats, ~6 vulnerabilities and dozens of possible impactful incident scenarios, I came up with ~20 information security controls capable of mitigating many of the risks.

See what you make of it. Feedback welcome. What have I missed? What controls would you suggest? 

Saturday 25 March 2023

Black hawk down ... but not out




I've long been fascinated by the concept of 'resilience', and surprised that so many people evidently misunderstand and misrepresent it ... so please bear with me as I attempt to put the record straight by explaining my fascination.

Resilience is not simply: 

  • Being secure
  • Being strong
  • Recovering effectively, efficiently or simply recovering from incidents
  • Avoiding or mitigating incidents
  • Any specific technical approach or system
  • Any particular human response, action or intent
  • A backstop or ultimate control
  • Heroic acts
  • A construct, something we design and build
  • Something that can simply be mandated or demanded
  • Specific to particular circumstances, situations or applications

It's bigger than any of those - in fact bigger than all of them, combined. Resilience is all of those, and more ...

Resilience is:

  • A general concept, a philosophy, a belief
  • An engineering and architectural approach

Friday 3 March 2023

The power of power measurement


Electrical power consumption by a computer cupboard, IT room, tech suite, data centre or facility is one of my favourite [pet!] metrics for several reasons:

  • It is readily measured using a wattmeter, watt-hour meter or ammeter on the main supply line/s;

  • Compared to more technical metrics, power is simple to plot, report, explain and understand;

  • As the installed IT equipment and usage gradually changes, so does the power consumption. It is straightforward to track and predict the overall trends without necessarily measuring and controlling every single item and change; 

  • Step changes in power consumption indicate substantial changes in the IT equipment or usage. Marked decreases are welcome but quite rare (e.g. as older equipment is retired from service or replaced by more modern, energy-efficient stuff), whereas marked increases in consumption - especially if unexpected - may be cause for concern;

  • The first law of thermodynamics tells us that all the input energy has to go somewhere, namely heat, which can be costly to remove, increases global warming, increases fire risks and decreases equipment lifetimes.

In more detail, a high PRAGMATIC score (~77%) indicates that IT power consumption is a valuable metric, well worth considering:
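The bullet about step changes above suggests a simple detection rule: gradual growth is normal, a one-off blip is noise, but a sudden and sustained jump in consumption is worth investigating. The following is an added example, not code from the original post, that implements that rule over a series of power readings. The readings, the window size, the percentage threshold and the confirmation count are all constructed assumptions.

```python
"""Step-change detection over a power-consumption time series.

Added example, not code from the original post: it implements the idea
that a sudden, sustained jump in measured power is worth investigating,
whereas gradual growth and one-off blips are not. The readings and
thresholds below are constructed assumptions.
"""
from statistics import median

# Constructed sample: daily average kW for a hypothetical IT room.
# Index 3 is a one-day blip; index 8 is a sustained jump (new kit
# switched on); index 13 is a sustained drop (old kit retired).
SAMPLE_KW = [42.0, 42.3, 42.1, 48.0, 42.6, 42.8, 43.0, 43.2,
             51.9, 52.0, 52.2, 52.1, 52.4, 46.0, 46.1, 45.9]


def detect_step_changes(readings, window=4, threshold_pct=10.0, confirm=2):
    """Return the step changes found in `readings`.

    A reading is a candidate step when it differs from the median of the
    preceding `window` readings (the baseline) by at least `threshold_pct`
    percent. The median is robust to a single noisy sample, so one blip
    does not distort the baseline for its neighbours. A candidate is
    'sustained' when the next `confirm` readings stay within half the
    threshold of it, 'transient' when they fall back towards the
    baseline, and 'unconfirmed' when the series ends too soon to tell.
    After a sustained step the baseline restarts at the new level, so the
    same step is not reported again on the following days.
    """
    if window < 1 or confirm < 1:
        raise ValueError("window and confirm must be at least 1")
    events = []
    baseline_start = 0
    tolerance = threshold_pct / 2.0
    for i in range(1, len(readings)):
        lo = max(baseline_start, i - window)
        baseline = median(readings[lo:i])
        if baseline <= 0:
            continue  # no meaningful baseline to compare against
        change_pct = (readings[i] - baseline) / baseline * 100.0
        if abs(change_pct) < threshold_pct:
            continue
        following = readings[i + 1:i + 1 + confirm]
        if len(following) < confirm:
            status = "unconfirmed"
        elif all(abs(f - readings[i]) / baseline * 100.0 < tolerance
                 for f in following):
            status = "sustained"
        else:
            status = "transient"
        events.append({
            "index": i,
            "baseline_kw": round(baseline, 2),
            "value_kw": readings[i],
            "change_pct": round(change_pct, 1),
            "direction": "increase" if change_pct > 0 else "decrease",
            "status": status,
        })
        if status == "sustained":
            baseline_start = i  # the new level becomes the baseline
    return events


def sustained_increases(readings, **kwargs):
    """The events a facility manager would want to follow up on."""
    return [e for e in detect_step_changes(readings, **kwargs)
            if e["status"] == "sustained" and e["direction"] == "increase"]


if __name__ == "__main__":
    for event in detect_step_changes(SAMPLE_KW):
        print(event)
```

On the constructed series the blip on index 3 is reported as transient, the jump on index 8 as a sustained increase and the drop on index 13 as a sustained decrease; `sustained_increases` returns only the jump. The threshold and window should be tuned to the facility: a small cupboard with one server will show larger percentage swings than a large suite.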

Thursday 2 March 2023

Information risk management, a business imperative

Information risk management is a crucial business issue in the digital age. This piece describes a systematic and proactive approach to information risk management with a healthy dose of pragmatism.

It is obvious that serious incidents such as ransomware can disrupt operations, severely damaging an organisation's reputation, brands and customer trust, threatening its financial stability and longevity ... but that's not all. Even relatively minor incidents can accumulate significant costs over time, starving other important business activities of resources. Given that practically everything depends on information, the starting point is to embed information risk management fully into the organisation's business strategy and routine operations.

Most organisations have basic information security controls in place. However, a strategic approach is less common, while a truly comprehensive business-oriented approach to information risk management remains quite rare. 

Information risk management focuses on identifying, evaluating and treating risks to the organisation's valuable business information including: 

Thursday 23 February 2023

Unnecessary control example

A couple of days back, I said I'd offer an example of an 'unnecessary control' in the context of ISO/IEC 27001. So here goes.

Picking one at random, I'll lay into ISO/IEC 27001:2022 control A.5.28 "Collection of evidence". 

The control text reads "The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events".

How can anyone possibly justify excluding such an eminently sensible control from their ISO27001 Information Security Management System?

Reading and interpreting that control literally, word-by-word, one could certainly argue that:

Saturday 28 January 2023

Why get ISO 27001 certified?

If you have designed and implemented an Information Security Management System based on ISO/IEC 27001, you should be realising a variety of business benefits through improved information risk and information security management. 

Fantastic!

The international standard specifies a framework, a rational structure with which to identify, evaluate and treat the organisation's information risks systematically. The framework is a tool that enables senior management to govern and manage the information risk and security activities in ways that align with and support the achievement of business objectives, plus obligations to or expectations of third parties.

Through strategies, policies and procedures, plus measurement and assurance processes, management has the levers to direct, organise and oversee a more efficient and effective approach to information risk and security. Information risks are systematically prioritised for treatment using suitable security controls (technological, physical, procedural and others). With appropriate controls in place, incidents grow less frequent and are identified and resolved sooner causing less disruptive and costly consequences. Appropriate security metrics, reviews and audits enable management to direct corporate resources effectively, gaining confidence in the organisation's ability to handle information risks.

Saturday 21 January 2023

Handling ISMS nonconformities reported by audit

A new member of the ISO27k Forum asked how long they have to resolve a minor nonconformity reported by the certification auditors.

I didn't know the answer so I looked it up in ISO/IEC 27006. Clause 9.6.3.1 says (in part):
"The time allowed to implement corrective action shall be consistent with the severity of the nonconformity and the associated information security risk." 
Significant risks should be addressed as a priority, whereas minor risks may be addressed 'in due course', perhaps as part of other planned changes or when the opportunity arises. Furthermore, complex issues are bound to take some time to resolve, whereas simple things may be resolved more or less on the spot. 

I suggested the reported nonconformity should be addressed in the normal way, using the organisation's documented ISMS processes along these lines:

Tuesday 10 January 2023

Two dozen data centre fire controls


Fire is clearly a significant risk to any data centre given that a major incident (disaster!) is reported globally roughly every quarter on average, plus an unknown number of smaller/unreported ones. Limited public disclosure of data centre fire investigation reports makes it tough, even for experienced professionals, to assess and quantify the risk. However, since the likely impacts and costs of such major incidents are obviously non-trivial and the number of incidents is definitely not zero, it would be negligent to ignore the risks.

Controls to avoid, mitigate or share data centre/IT facility fire risks include:
  1. Governance and management arrangements taking due account of information risks including physical security aspects when designing and procuring information services such as commercial cloud services and data centre/co-location facilities - which, by the way, don't automatically reduce

Sunday 4 December 2022

COVID information risk analysis - retrospective

Two and a half years ago in March 2020 as we were fast approaching our first lockdown, I published the following Probability Impact Graph depicting my analysis of the information risks relating to COVID:


The PIG reports the information risks I identified at the time, thinking about COVID from the general societal perspective as opposed to a personal or organisational perspective.

Tuesday 29 November 2022

Information risks a-gurgling

There are clearly substantial information risks associated with the redaction of sensitive elements from disclosed reports and other formats, risks that the controls don't necessarily fully mitigate.

Yes, controls are fallible and constrained, leaving residual risks. This is hardly Earth-shattering news to any competent professional or enlightened infidel, and yet others are frequently shocked. 

A new report* from a research team at the University of Illinois specifically concerns failures in the redaction processes and tools applied to PDF documents. The physical size of redacted text denoted (covered or replaced) with a variable-length black rectangle may give clues as to the original content, while historically a disappointing number of redaction attempts have failed to prevent the original information being recovered simply by removing the cover images or selecting then pasting the underlying text. Doh!