Cyber risk in the business

The take-away that is relevant :

Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.

Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.

A few other things in there too, but those are the leading ones that I think the techie geeks that are attracted to InfoSec need to learn is expressed well in those two phrases. Its not about the technology, its about the business. Its why I hate the term “Cyber-“. Information Security risks existed in the days of typewriters, carbon copies and filing cabinets. Security risks existed in the days of hand written messages and horse-back couriers.

Why do I say this?

Back in my banking days one officer at the bank said

The bank *IS* the computer

I saw his point but ultimately the bank is its dealings with people.
If people loose confidence in the bank, it will fail.
It has happened in the past; it can happen again, and all the
“Cyber-security” in the world won’t help.

Purpose unclear. Why are the FBI *really* trying to subvert

An earlier version of this page has a paragraph which seems to have been deleted later;

It was not immediately clear what investigators believed they might find
on Farook’s work phone or why the information would not be available
from third-party service providers, such as Google or Facebook, though
investigators think the device may hold clues about whom the couple
communicated with and where they might have travelled.

Is that “Whom” grammatically correct?

This does raise a ‘why’ in my mind.
Cant the other service providers (who would it be, AT&T, Verizon?) supply the ‘traffic analysis of who they communicated with? Isn’t this the sort of “metadata” that the government spies are supposed to be collecting?

Opening the phone won’t give the content of the messages past, they are gone like the snows of yesteryear[1]. Dead as the author of that famous quote.

So what are the FBI looking for? The address book? I’m not sure how helpful that will be and its likely to cast suspicion on innocent parties.

For example, I could have “” in my address book, but that doesn’t mean I’ve ever been in contact with POTUS.

So what are the FBI really after here?

Its much more likely to be a legal precedence than actually extracting useful information from the handset. And while this case law will only apply to the USA, its existence reinforces the case for subverting or abolishing encryption based on the needs for LE and the governmental controls in the name of the War On Terrorism in other counties.

All in all, the US government is making it hard for Apple.
There have been any number of stories, SF, social, political, in the last century, of corporate entities taking over from Governments in one way or another. Apple certainly has an asset base greater than the GNP of many counties, pays more taxes in the USA than some countries’ GNP.  There’s certainly no reason that Apple couldn’t relocate to a more
corporate-friendly nation. heck, even Canada would qualify, and we have a well educated work-force, many of the social amenities that Bernie Saunders is pressing for and more. Of course many programmers might prefer a warmer climate after California. There are many possibilities.

Apple reported a *profit* of over $53 BILLION last year. net tangible Assets are over twice that. The profits are less than the GNP of Malaysia last year according to
Well, considering the politics there, perhaps not the best alternative place for Apple to relocate 🙁
With the falling Euro, English speaking countries like Ireland become candidates.

See also for “normalised to US Dollars”.

Well you go crank the numbers. If both Apple and Microsoft were to relocate to Ireland the world economy would take a radical shift and it would not be to the benefit of the USA. lets not forget that centuries ago many individuals and business entities fled to the Americas because the governments in Europe made life too harsh for reasons of oppressive
racial, religious and business attitudes. One of the rallying cries of the American revolution was “no taxation without representation”. Mind you, many groups in the UK were being taxed more harshly than the colonies. Some of then eventually decided to emigrate.
I don’t understand why the American establishment, or that of any other country for that matter, thinks that people won’t “vote with their feet”. And that goes for corporate entities as well as people.

Right now, the USA has been living on the Military Keynesianism  of the  for so long it taken for granted. So much so that most journalists think that the economy is based on consumer acceptance of hi-tech.

Now the “war” has spilt over consumers and businesses that were never considered part of the military establishment. Apple is facing legislation in New York and California that effectively bans the sale of its handsets. From the consumer’s point of view this is about privacy and eventually government intrusion. Generally, in the past, the people USA, like those of most western democracies, have only tolerated government intrusion into their private lives under conditions of war.
Perhaps that’s why the government agencies in all those countries and more are playing up “The War On Terror”. The fact that in doing so they are actually terrorising their own populations more effectively than the “terrorists” is beside the point.

If Tim Cook decides to put Apple beyond the reach of the FBI I wouldn’t be surprised. he may get support for such a move from many unexpected quarters.

[1] The line “where are the snows of yesteryear” appears in a ballade in
the middle of François Villon’s Testament ”a long, otherwise irreverent
poem skewering French noblemen, priests, and prostitutes.
Dante Gabriel Rossetti was one of the first to translate the famous
ballade into English, coining the word “yesteryear” to capture the sense
of the French “anten” or “antan,” which means “last year” but also
“once” or “in the past.” This is just one vowel away from “Anton”, which
is how I explain its relevance when I quote it.


We’re mobile addicts but we just don’t want new smartphones

For whatever value of “Mobile” is applicable in context, yes.
A lot of what I see is students in the library with their laptops or large tablets_keyboards with paper and books beside. Perhaps if students had the multi-screen displays like the one in the movie “Swordfish” AND there were more books on-line at low cost and multi-access (which isn’t how many libraries work, sadly) then the marketers dream of students with ebooks rather than a knapsack of books would happen. As it is, with only one viewer, books and papers are still needed.

I’m seeing or being told the same by office workers, that a single screen, even the big screens, is not adequate. Really work & study requires parallel access even if the work-flow isn’t massively parallel.

My own work, such as it is, gets by because my desktop, although only one physical screen, has 6 logical screens. Even so I have a stack of papers and many books to hand, as well as my phone and tablet to hand.

Unless we get some sort of virtual projected-into-the-air display, we are going to need a form of HUD glasses that lets us do the MIT Put-That-There screen so that it doesn’t interfere with others, but still lets us look though into the real world at out books and papers. Believe me, the books and papers aren’t going to go away in the foreseeable future whatever the improvements in display technology.

The fatal flaw in IT Risk management

Is interviewing is a much better method that self-certifications and a checklist, if time and resources allow.
Two points:

In the ISO-27001 forum, my friend and colleague Gary Hinson has repeatedly pointed out, and I fully support him in this, that downloading check-lists from the ‘Net and adopting question lists from there is using a solution to someone else’s
problem. If that.

Each business has both generic problems (governments, sunspots, meteor strikes, floods & other apocalyptic threats and Acts of God) and ones specific to it way of working and configuration. Acts of God are best covered by prayer and insurance.

Gary recommends “open ended questions” during the interview rather than ones that require a yes/no answer. That’s good, but I see problems with that. I prefer to ask “Tell me about your job” rather than “Tell me how your job … can be made more efficient”.

My second point is that risk management will *ALWAYS* fail if the risk analysis is inadequate. How much of the RA should be done by interviewing people like the sysadmins I don’t know, but I have my doubts. I look to the Challenger Disaster. I started in the aviation business and we refines FMEA – failure Mode Effect Analysis. Some people think of this in terms of “impact”, but really its more than that, its also causal analysis. As Les Bell, a friend who is also a pilot and interested in aviation matters has pointed out to me, “Root Cause Analysis” no longer is adequate, failure comes about because of a number of circumstances, and it may not even be a single failure – the ‘tree’ fans both ways!

Yes, FMEA can’t be dome blindly, but failure modes that pertain to the business – which is what really counts — and the fan-in/out trees can be worked out even without the technical details. Rating the “risk”: is what requires the drill-down.

Which gets back to Donn Parker‘s point in a number of his books, though he never states it this way. The FMEA tree can be heavily pruned using diligence as he says: standards, compliance, contracts, audits, good practices, available products. The only thing he leaves out are Policy and Training. Policy gives direction and is essential to any purpose, the choice of standards and products, and identifying what training is needed.

All in all, the article at takes a lot of words to say a few simple concepts.


The 11 tiniest, most powerful computers your money can buy

I have my doubts about many things and the arguments here and in the comments section loom large.

Yes, I can see that business sees no need for an ‘arms race’ escalation of desktops once the basics are there. A few people, gamers, developers, might want personal workstations that they can load up with memory and high performance graphics engines, but for the rest of us, its ho-hum. That Intel and AMD are producing chips with more cores, more cache, integrated graphics and more, well Moore’s Law applies to transistor density, doesn’t it, and they have to do something to soak up all those extra transistors on the chips.

As for smaller packaging, what do these people think smart phones and tablets and watches are?

Gimme a brake!
My phone has more computing power than was used by the Manhattan project to develop the first nuclear bomb.

These are interesting, but the real application of chip density is going to have to be doing other things serving the desktop. its going to be

1. IoT
2. Servers
3. backbone/communications

And for #1 & #3 Windows will become if not an impediment, then irrelevant.
Its possible a very stripped down Linux can serve for #1 & #3, but somewhere along the line I suspect people might wake up and adopt a proper RTOS such as QNX much in the same way that Linux has come to dominate #2. It is, however, possible, the Microsoft will, not that Gates and Balmer are out of the scene, adopt something Linux like or
work with Linux so as to stay relevant in new markets. The Windows tablet isn’t the success they hoped for and the buyout of Nokia seemed more to take Nokia out of the market than become an asset for Microsoft to enter the phone market and compete with Apple and Samsung. many big forms that do have lots of Windows workstations are turning to running
SAMBA on Big Iron because (a) its cheaper than a huge array of Windows Servers that present reliability and administrative overhead, and (b) its scalable. Linux isn’t the ‘rough beast’ that Balmer made out and Microsoft’s ‘center cannot hold’ the way it has in the past.

Another reason to have a policy not to eat at your desk

Hackers Can Use Pita Bread to Steal Laptop Encryption Keys, Say Researchers

Embedding such devices in something edible only means it will end up in the stomach of the targeted user. Perhaps that is intentional, but I suspect not.  Better to put the device in the base of the coffee cup.


Why Silicon Valley Will Continue to Rule

The historical, cultural and economic context described here sums up why
efforts to replicate ‘the valley’ in other countries, other places,
according to governmental whims, never happens, never works, never will.

People around the world have tried to reproduce Silicon Valley. No one
has succeeded.

And no one will succeed because no place else — including Silicon Valley
itself in its 2015 incarnation — could ever reproduce the unique
concoction of academic research, technology, countercultural ideals and
a California-specific type of Gold Rush reputation that attracts people
with a high tolerance for risk and very little to lose. Partially
through the passage of time, partially through deliberate effort by some
entrepreneurs who tried to “give back” and others who tried to make a
buck, this culture has become self-perpetuating.

See also



Tracking kids via microchip ‘can’t be far off,’ says expert

Dickerson said she though one day, “I microchip my dog, why couldn’t I
microchip my son?”

I think there’s something despicable about treating a human being the same way you would treat a dog or your keys.

Its one thing to chip your keys or have one of those devices that when you whistle the keyring goes bleep-bleep to help you find it. I can imagine extending that to people who let their dogs (or cats) roam and need/want to have them in at night. Domesticated pets might not be able to cope with even urban predators such as badgers and grizzly raccoons.
If, that is, the animals aren’t smart though to come in when you call them.

But treating a human as you would a dog? Continue reading “Tracking kids via microchip ‘can’t be far off,’ says expert”

Can We Secure the ‘Internet of Other People’s Things’?

I think that title expresses the problem very well.

There are a few generalizations and ‘skating on thin ice’ in the article, never the less. Linux itself is not a lightweight OS, though there are stripped down and altered versions, such as Android. Other competing RTOS exist. Some like QNX are much more suited to small embedded devices that don’t have a GPU/GUI and comprehensive set of commands/applications.

The reality is that the inherent model of Linux is NOT real-time, it cannot guarantee a real time response that many embedded systems such as TVs and some classes of network devices demand, especially in a small controller, limited CPU, limited memory configuration.

But yes, the Internet has already shown the problems lie with “Other People”.


Cyber general: US satellite networks hit by ‘millions’

I wonder what they consider to be a hack? The wording in the in the article is loose enough to mean that if someone pinged one of their servers it would be considered a hack. Perhaps they even they count Google spider indexing as a probe into their network. It makes me wonder how many ‘real’ hack attempts are made and how many succeed. All in it, it sounds like a funding bid!

Marcus Ranum once commented about firewall logging that an umbrella that notified you about every raindrop it repulsed would soon get annoying.I suspect the same thing is going on here. Are these ‘repulsed’ probes really ‘need to know’? Are they worth the rotating rust it takes to store that they happened?

Oh, right, Big Data.

Oh, right, “precursor probes“.

Can we live without this? Continue reading “Cyber general: US satellite networks hit by ‘millions’”

U.S. Defense Secretary Carter emphasizes culture change needed to

Yes the government needs a culture change if it is to address its own and the national issues pertaining to security, technological, in general, internet related and more. But not like this.

A real culture change would involve hiring the likes of people such as Marcus Ranum, Gene Spafford, Becky Herrold., and more significantly the very vocal Bruce Schneier AND PAYING ATTENTION TO WHAT THEY SAY AND CARRYING OUT THEIR RECOMMENDATIONS.  And please note: none of this is new or radical.

But a read of Bruce’s articles blog and published articles will make it clear to any intelligent reader, even those outside the InfoSec community, that they won’t. The culture change it would require would impact too many vested interests and long held beliefs, even though Bruce — and others — have long since shown them to be in the same class as The Emperor’s New Clothes.

When the government talks of cyber-security experts it really doesn’t want people who think in terms of policy and strategy. The fact that most government agencies could do better if they carried out the recommendations that have been made to them — but consistently don’t[1] — tells you something about their innate culture. Just adopting the GAO recommendations would take a culture change. Adopting ‘uber 133z h4x0r’-wannabes for job roles that are written as what amounts to jumped-up netadmin and sysadmin positions doesn’t make for good security[2].

Yes, a culture change is needed. But the kind of changes that the ‘insiders’ — and that goes for the media too — envision don’t really amount to a meaningful change.


[2] The idiom “rearrange the deckchairs on the Titanic” comes to mind
Or perhaps the Hindenburg.


Review: “Penetration with Perl” by Douglas Berdeaux

Penetration Testing with Perl

Douglas Berdeaux has written an excellent book, excellent from quite a number of points of view, some of which I will address. Packt Publishing have done a great service making this and other available at their web site. It is one of many technical books there that have extensive source code and are good ‘instructors’.

Penetration Testing with Perl is available as both a PDF file and as an e-book in Mobi and epub formats.

It is one of over 2000 instructional books and videos available at the Packt web site.

I read a lot on my tablet but most of the ebooks I read are “linear text” (think: ‘novels’, ‘news’). A book like this is heavily annotated by differentiating fonts and type and layout. How well your ebook reader renders that might vary. None of the ones I used were as satisfactory as the PDF. For all its failings, if you want a page that looks “just so” whatever it is read on, then PDF still wins out. For many, this won’t matter since the source code can be downloaded in a separate ZIP file.

Of course you may be like me and prefer to learn by entering the code by hand so as to develop the learned physical habit which you can then carry forward. You may also prefer to have a hard copy version of the book rather than use a ‘split screen’ mode.

This is not a book about learning to code in Perl, or earning about the basics of TCP/IP. Berdeaux himself says in the introduction:

This book is written for people who are already familiar with
basic Perl programming and who have the desire to advance this
knowledge by applying it to information security and penetration
testing. With each chapter, I encourage you to branch off into
tangents, expanding upon the lessons and modifying the code to
pursue your own creative ideas.

I found this to be an excellent ‘source book’ for ideas and worked though many variations of the example code. This book is a beginning, not a end point. Continue reading “Review: “Penetration with Perl” by Douglas Berdeaux”

Should all applicable controls be mentioned in documenting an ISMS?

In my very first job we were told, repeatedly told, to document everything and keep our personal journals up to date. Not just with what we did but the reasoning behind those decisions. This was so that if anything happened to use kn knowledge about the work, the project, what had been tried and thought about was lost, if, perhaps, we were ‘hit by a bus on the way to work‘.

At that point whoever was saying this looked toward a certain office or certain place in the parking lot. One of the Project managers drove a VW bus and was most definitely not a good driver!

So the phrase ‘document everything in case you’re hit by a bus’ entered into the work culture, even after that individual had left.

And for the rest of us it entered into our person culture and practices.

Oh, and the WHY is very important. How often have you looked at something that seems strange and worried about changing it in case there was some special reason for it being like that which you did no know of?
Unless things get documented …. Heck a well meaning ‘kid’ might ‘clean it out’ ignorant of the special reason it was like that!

So here we have what appear to be undocumented controls.
Perhaps they are just controls that were added and someone forgot to mention; perhaps the paperwork for these ‘exceptions’ is filed somewhere else[1] or is referred to by the easily overlooked footnote or mentioned in the missing appendix.

It has been pointed out to me that having to document everything, including the reasons for taking one decision rather than another, “slows down work”. Well that’s been said of security, too, hasn’t it? I’ve had this requirement referred to in various unsavoury terms and had those terms associated with me personally for insisting on them. I’ve had people ‘caught out’, doing one thing and saying another.
But I’ve also had the documentation saving mistakes and rework.

These days with electronic tools, smartphones, tablets, networking, and things like wikis as shared searchable resources, its a lot easier.[2]

Sadly I still find places where key documents such as the Policy Manuals and more are really still “3-ring binder” state of the art, PDF files in some obscure[1] location that don’t have any mechanism for commenting or feedback or ways they can be updated.

Up to date and accurate documentation is always a good practice!

[2] And what surpises me is that when I’ve implemented those I get a ‘deer in the headlight’ reaction from staff an managers much younger than myself. Don’t believe what you read about ‘millennials’ being better able to deal with e-tools than us Greybeards.

This is not the IoT you want.

If I plug in an IDE drive or a SATA drive or a USB drive or device my mobo or system recognizes what it is. The connection protocol tell the mobo or system.

My digital camera uses exif to convey a vast amount of contextual information and imprint it on each photo: date, time, the camera, shutter, aperture, flash. I have GPS in the camera so it can tell the location, elevation. The exif protocol also allows for vendor specific information and is extensible and customizable.

Unless and until we have an ‘exif’ for IoT its going to be lame and useless.

What is plugged in to that socket? A fan, a PC, a refrigerator, a charger for your cell phone? What’s the rating of the device? How is it used? What functions other than on/off can be controlled?

Lame lame lame lame.

14 antivirus apps found to have security problems

Let us pass over the “All A are B” illogic in this and consider what we’ve known all along. AV doesn’t really work; it never did.
Signature based AV, the whole “I’m better than you cos I have more signatures in my database” approach to AV and AV marketing that so bedazzled the journalists (“Metrics? You want metrics? We can give you metrics! How many you want? One million? Two million!) is a loosing game. Skip over polymorphism and others.  The boundary between what actually works and what works for marketing blurs.

So then we have the attacks on the ‘human firewall’ or whatever the buzz-word is that appears in this month’s geek-Vogue magazines, whatever the latest fashion is. What’s that? Oh right, the malware writers are migrating to Android the industry commentators say. Well they’ve tried convincing us that Linux and MacOS were under attack and vulnerable, despite the evidence. Perhaps those same vendor driven – yes vendors try convincing Linux and Apple users to buy AV products, just because Linux and MacOS ran on the same chip as Microsoft they were just as vulnerable as Microsoft, and gave up dunning the journalists and advertising when they found that the supposed market wasn’t convinced and didn’t buy.

That large software production is buggy surprises no-one. There are methods to producing high quality code as NASA has shown on its deep space projects, but they are incompatible with the attitudes that commercial software vendors have. They require an discipline that seems absent from the attitudes of many younger coders, the kind that so many commercial firms hire on the basis of cost and who are drive by ‘lines of code per day’ metrics, feature driven popularity and the ‘first to market’ imperatives.

So when I read about, for example, RSA getting hacked by means of social engineering, I’m not surprised. Neither am I surprised when I hear that so many point of sales terminals are, if not already infected, then vulnerable.

But then all too many organization take a ‘risk-based’ approach that just is not right. The resistance that US firms have had to implementing chi-n-pin credit card technology while the rest of the world had adopted it is an example in point. “It was too expensive” – until it was more expensive not to have implemented it.


OpenBSD forks, prunes, fixes OpenSSL

Interesting, eh?

At the very least, this will apply a ‘many eyes’ to some of the SSL code and so long as the ssh pruning isn’t wholesale slash-and-burn that cutting it back may prove efficacious for two reasons.

Less code can be simpler code, with decreased likelihood of there being a bug due to complexity and interaction.

Getting rid of the special cases such as VMS and Windows also reduces the complexity.

POSIX I’m not sure about; in many ways POSIX has become a dinosaur. Quite a number of Linux authors have observed that if you stop being anal about POSIX you can gt code that works and a simple #ifdef can take care of portability. In the 90% case there isn’t a lot of divergence between the flavours and in the 99% case the #ifdef can take care of that.

Whether SSH fits into the 90% or the 99% I don’t know. The APIs for ‘random’ and ‘crypto’ are in the grey areas where implementations differ but also one where POSIX seems to be the most anal and ‘lowest common denominator’. I suspect that this is one where the #ifdef route will allow more effective implementations.

We shall see what emerges, but on the whole the BSD team have a reputation for good security practices so I’m hopeful about the quality.

I’d be interested to see their testing approach.


Film or digital?

Do you recall Alan Cooper‘s book “The Inmates are running the Asylum”?

He makes the case that once you put a computer in something it stops being that something and becomes a computer.

Camera + computer => computer Continue reading “Film or digital?”

What Applicants Should Ask When Interviewing For An InfoSecurity Position

Well what would you ask?

These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?

We should, I think, be asking about “The Tone At The Top“, the organizations attitude towards security and, but what does that mean in terms of interview questions?

My thoughts tend towards Policy and Certification, but them many of my past clients have been financial, so regulatory compliance looms large for them. I’d certainly ask about Policy, how it is formulated, how it is communicated and how it is enforced. That’s not as easy as it sounds: most people know what should be done but ask that tactlessly and other than being an opening (“Yes, I can work on that for you”) all you’ve done is embarrassed the interviewer.

So we have a refinement that the article never touched on: this is an interview not an audit.


Data on a Train

The latest intelligence on Al-Qaeda, a high profile Child Protection
report and plans for policing the London 2012 Olympics; three very
different documents with two things in common: firstly, they all
contained highly confidential information and secondly, they were all
left on a train.

Or maybe “Strangers on a Train

Our latest research reveals that two thirds of Europe’s office commuters
have no qualms about peering across to see what the person sitting next
to them is working on; and more than one in ten (14 per cent) has
spotted confidential or highly sensitive information.

Most CEOs clueless about cyberattacks
Perhaps that’s cynical and pessimistic and a headline grabber, but then that’s what makes news.

What I’m afraid of is that things like this set a low threshold of expectation, that people will thing they don’t need to be better than the herd.