Showing posts with label Law. Show all posts

Friday 2 June 2023

A round dozen risk treatment options



I've been thinking about the 'treatment' phase of risk management lately. These are the four conventional and generally-accepted ways of treating (addressing) identified risks:

  1. Acceptance: living with the risk, hoping that it doesn't materialise;

  2. Avoidance: steering well clear of, or stopping, risky activities;

  3. Mitigation: reducing the probability and/or impact of incidents using various types of control;

  4. Sharing: with others, such as business partners, insurers and communities.

However, it occurs to me that a further eight risk treatment approaches are possible, whether you consider them alternatives, variants or complementary:

  5. Procrastination: delaying decisions and actions ostensibly in order to understand risks and possible treatment options (which, meanwhile, implies risk acceptance). Speedy decision-making is an important part of effective

Tuesday 20 December 2022

Cyber-collateral

Despite its political agenda and the usual US xenophobia, the article America's Secret Arsenal cited on RISKS-List set me thinking strategically about cyberwar. While I don't consider myself part of the 'cyberscare industrial complex', a few issues stand out for me, as an interested and concerned onlooker.

Lightning-fast escalation

When (not if) a serious offensive military cyberattack is mounted against a capable and well-prepared adversary, things look likely to escalate dramatically in the first few minutes, seconds or milliseconds, far too fast for political decision-making or even fast-track incident responses involving conventional decisions and actions by humans. Automated responses are more likely, implying a raft of associated risks, like for example the distinctly disturbing likelihood that such responses are already primed and ready to go, right here, right now. It's hard not to envisage all manner of nightmare scenarios mushrooming from that point, with automated offensive and defensive weapons slogging it out like some hellish computer game on autoplay, turbo. In a sense, we already see this effect in miniature when our computers automatically patch themselves (usually preventing but occasionally causing incidents), or when intrusion prevention systems react instinctively to identified network attacks (again, usually effectively but sometimes counterproductively) ...

Detection and analysis

... which hints at another significant issue: incidents must be identified as such to trigger active responses, although passive responses and baseline controls will presumably be in operation regardless. Delaying detection and frustrating analysis, then, is presumably a strategic objective for attackers ...

Nature of attack and response

... which would place a huge premium on widespread, stealthy infiltration of networks and systems/devices as a prelude to cybergeddon. 

Scale of impacts

Collateral damage and friendly fire

Subversion

Red-teaming

Exercises, simulations, rehearsals, tests, reviews and audits are, presumably, all part of the process of developing and refining cyber capabilities.

Capabilities and resources

Bat phones

What is the modern-day equivalent of the bat phone, the priority direct line between heads of state and other VIPs, given the near certainty that communications will be attacked hard in the very first assault? Let's hope the authorities have given due consideration to the need for truly secure (as in confidential, assured/trustworthy, and highly available i.e. robust, reliable and resilient) means of communication capable of operating even under intense cyberattack conditions, as well as thinking through the consequences of "No signal" or "Satellite out of range".

Oh and by the way, if war is largely automated, there had better be data as well as voice capabilities, with the appropriate security and messaging protocols in place as well as the strings and baked bean cans, plus of course the routine comms between and among all levels of the military establishment, all the way down to/up from those front-line robots and UAVs.

Rules of engagement

What is happening to define the rules of the game and prepare to step in when cybercombatants almost inevitably overstep the line of acceptable warfare? If not the UN, who is or should be playing the role of referee? The more I think about this, the more I see the need for CCD, the cyber-equivalent of CND. Right now is a good time to launch a global Campaign for Cyber Disarmament, before things get totally out of hand.

Tuesday 6 September 2022

Ten tips on tackling a thorny infosec issue

A member approached the ISO27k Forum this morning for advice:

"What would you recommend to do if our warnings as ISMS department specialists/auditors are not taken into account?"

What can realistically be done if management isn't paying sufficient attention to information risks that we believe are significant?

This is a thorny issue and not an uncommon challenge, particularly among relatively inexperienced or naïve but eager information risk and security professionals, fresh out of college and still studying hard for their credentials. It can also afflict the greybeards among us: our passion for knocking down information risks can overtake our abilities to convince managers and clients.

Here are ten possible responses to consider: 

Sunday 10 July 2022

Complexity, simplified

Following its exit from the EU, the UK is having to pick up on various important matters that were previously covered by EU laws and regulations. One such issue is to be addressed through a new law on online safety.

"Online safety: what's that?" I hear you ask.  "Thank you for asking, lady in the blue top! I shall elaborate ... errrr ..."

'Online safety' sounds vaguely on-topic for us and our clients, so having tripped over a mention of this, I went Googling for more information. 

First stop: the latest amended version of the Online Safety Bill. It is written in extreme legalese, peppered with strange terms defined in excruciating detail, and littered with internal and external cross-references, hardly any of which are hyperlinked e.g.

Having somewhat more attractive things to do on a Sunday than study the bill, a quick skim was barely enough to pick up the general thrust. It appears to relate to social media and search engines serving up distasteful, antisocial, harmful and plain dangerous content, including ("but not limited to") porn, racist, sexist and terrorist materials. Explaining that previous sentence in the formal language more becoming of law evidently takes 230 pages, of the order of 100,000 words.

Luckily for us ordinary mortals, there are also explanatory notes - a brief, high-level summary of the bill, explaining what it is all about, succinctly and yet eloquently expressed in plain English with pictures (not). The explanatory notes are a mere 126 pages long, half the length of the original with another 40-odd thousand words. 

Simply explaining the explanatory notes takes half a page for starters:


So, the third bullet suggests that we read the 126 pages of notes PLUS the 230 page bill. My Sunday is definitely under threat. At this point, I'm glad I'm not an MP, nor a lawyer or judge, nor a manager of any of the organisations this bill seems likely to impact once enacted. I'm not even clear which organisations that might be. Defining the applicability of the law - including explicit exclusions to cater for legitimate journalism and free speech - takes a fair proportion of those 346 pages.

Despite not clearly expressing the risk, the bill specifies mitigating controls - well, sort of. In part it specifies that OFCOM is responsible for drawing up relevant guidance that will, in turn, specify control requirements on applicable organisations (to be listed and categorised on an official register, naturally), with the backing of the law including penalties. Since drafting, promoting and enforcing the guidance is likely to be costly, the bill even allows for OFCOM to pass (some of) its costs on to the regulated organisations, who will, in turn, pass them on to users. A veritable cost-cascade.

As to the actual controls, well the bill takes a classical risk-management approach involving impact assessments and responses such as taking down unsafe content and banning users who published it. There are arrangements for users to report unsafe content to service providers, plus automated content-scanning technologies, setting the incident management process in motion.

The overall governance structure looks roughly like this:

No wonder it takes >100,000 words to specify that little lot in law ... but, hey, maybe my diagram will save a thousand, a few dozen anyway.

You're welcome.

The reason I'm blabbering on about this here is that I'm still quietly mulling-over a client's casual but insightful comment on Thursday. 

"I was wondering whether [the information security policies we have been customising for them] might be a little too in depth for our little start-up."

Fair comment! Infosec is quite involved and - as you'll surely appreciate from this very blog - I tend to focus and elaborate on the complexities, writing profusely on topics that I enjoy. I find it quite hard to explain stuff simply and clearly without first delving deep, particularly if the end product doesn't suit my own reading preferences.

Looking at the policies already prepared, I had cut down our policy templates from about 3 or 4 pages each to about 2, adjusting the wording to reflect the client's business, technology and people, and removing bits that were irrelevant or unhelpful in the context of a small tech business. But, yes, I could see how they might be considered in-depth, especially since, even after combining a few, there were 19 policies in the suite covering all the topics necessary.

So, I responded to the client's point by preparing a custom set of Acceptable User Policies to supplement the more traditional topic-based policies already prepared. I set out with our AUP templates - single-sided A4 leaflets in (for me!) a succinct style - laying out the organisation's rules for acceptable and unacceptable behaviours in topic areas such as malware, cloud and IoT. The writing style is direct and action-oriented, straight down-to-business. 

Modifying the AUP templates for the client involved trivial changes such as incorporating their company name in place of 'the organisation', and swapping-out the SecAware logo for theirs. A little trimming and adaptation of the bullet points to fit into half a side per topic took a bit more time but, overall, starting with our templates was much quicker and easier than designing and preparing the AUPs from scratch.

I took the opportunity to incorporate some eye-catching yet relevant images to break up the text and lead the reader from topic-to-topic in a natural flow.

I merged the AUP templates into one consolidated document for ease of use, and prepared additional AUPs on areas that weren't originally covered (security of email/electronic messaging and social media), ending up with a neat product that sums things up nicely in 11 topic areas. It can be colour printed double-sided on just 3 sheets of glossy A4 paper to circulate to everyone (including joiners), or published on the corporate network for use on regular desktop PCs, laptops or tablets.

So far, so good ... but then it occurred to me yesterday that if the AUPs are to be readily available and accessible by all, the client could do with a 'mobile' version for workers' smartphones. Figuring out the page size, margins and formatting for mobiles, and further simplifying/trimming the content to suit small, narrow smartphone screens with very limited navigation took me another hour or two, ending up with a handy little document that looks professional, is engaging and reads well, makes sense and provides useful guidance on important information security matters. Reeeeesult!


In recognition of the client's valuable suggestion that sparked this, we won't be charging them for the AUP work - it's a bonus. The client gets a nice set of policies well suited to their business and people, while we have new products gracing the virtual shelves of our online store, a win-win. Happy days.

A bargain at just $20!

Now, about that Online Safety Bill: would anyone like to commission a glossy leaflet version in plain English, complete with pretty pictures?