Canada’s counter terrorism strategy
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/trrrst-thrt-cnd/index-eng.aspx
Here in Kanukistaniland, Vic Toews (remember him? Check back to February of last year to see an example of him being idiotic in his role as Minister of Pubic Safety) has published a "2013 Public Report on the Terrorist Threat to Canada"
You can read it at the above URL.
I ask you, would you buy a used Huawei router from someone who looks like that?
The map/infographic has, you will note, a large number of grey areas. There is no legend referring to that colour. Are we to take it that grey means 'zero'? In which case having Indonesia grey is very interesting. Of course China is grey, the authorities will not permit any terrorist activity since that would mean people are acting out grievances against the state. As opposed to, say, foreign cartels that are employing under-age workers, which is against Chinese law.
Do note that in Canada terrorist activity or affiliation is an offence under the CRIMINAL code. Unlike many InfoSec-bad-things.
On ‘paranoia’ – revisiting “Paid to be paraoid”
My fellow CISSP and author Walter Jon Williams observed that
Paranoia is not a part of any mindset. It is an illness.
Ah, Walter the literalist!
Yes I agree with what you say but look at it this way
"We're paid to be paranoid" doesn't mean we're ill.
It's a job.
Now if your job is an obsession, one you take home with you and it interferes with your family life, that you can't let go, then its an illness whatever it is.
"We're paid to be paranoid"
Its a job. You don't pay us Information Security Professionals to be pollyannas, to have a relaxed attitude.
Many of us come from a military or law enforcement background, some having served at the sharp edge of confrontations. The sharp edge isn't always the "mud and guns", sometimes its watching a screen or sifting
through intelligence reports or forensics or after action reports or ...
But if you don't have (a) a suspicious mind and (b) 20-20 peripheral vision about threats and contingencies and (c) a complete lack of silo-ization, then you can't be doing a good job in those roles.
Perhaps there are "pen testers" who know everything about breaking in to a network. Ranum and others have written on why such people are not really "security professionals": part of that is their silo mind-set.
We see similar rants about "jumped-up system administrators".
Many of us here are engineers or have an engineering background or education. Engineers, I've found, often operate on the expectation that things *will* go wrong, stuff *will* break, it *won't* perform to manufacturers specs. Not all of that is experience, a good part is education since they are tight how to build indefinitely reliable stuff
out of unreliable parts - given the budget and opportunity. And if Engineers are sceptical about anything, its Budget.
So when it comes down to a quick description of this "suspicious" mindset, one that is not confined to a narrow silo but covers all the domains of the CBK and possibly more (perhaps you too read Risks Digest and GrandPaRob's book reviews, one that would qualify you for various TLA organizations of which we choose to discuss only in unfavourable terms, _what_ word or phrase are you going to use?
I agree, Walt, the definition of 'PPD' in DSM-IV is unpleasant and not one that I would like to be applied to me:
Paranoid Personality Disorder
-----------------------------
A pervasive distrust and suspiciousness of others such that their
motives are interpreted as malevolent, beginning by early adult-
hood and present in a variety of contexts, as indicated by four (or
more) of the following:
- Suspects, *without sufficient basis*, that others are exploiting, harming, or deceiving him or her.
- Is preoccupied with *unjustified doubts* about the loyalty or trustworthiness of friends or associates.
- Is reluctant to confide in others because of *unwarranted* fear that the information will be used maliciously against him or her.
- Reads hidden demeaning or threatening meanings into benign remarks or events.
- *persistently bears grudges* (i.e., is unforgiving of insults, injuries, or slights).
- Perceives attacks on his or her character or reputation that are not apparent to others and is quick to react angrily or to counter-attack.
- Has recurrent suspicions, *without justification*, regarding fidelity of spouse or sexual partner
My Emphasis.
I'd note on reading the above that if that definition were to be applied to a nation state or its security apparatus then many countries of the Western World and quite a few of the ones in the Eastern World can be clinically diagnosed as being 'paranoid'.
That page I reference goes on to define 'Schizoid Personality Disorder'.
The 'solitary' and the 'religious' parts seem contradictory, but one wonders.
The point I think is key to what you say, Walter, we need a better way and yes what we are doing is Risk Analysis. I think that Risk - the probabilistic aspect - is important and differentiates from the think-tank prophets of doom,
even though the latter grab headlines and produce responses from politicians - vis Global Warming and many such in the past.
Good managers understand risk.
Perhaps this is why the ISO-31000 people talk of 'risk' in terms of uncertainty and allow for an upside. They see a risk of winning a lottery.
The "paid to be paranoid" view is important. A lot of the time in my career I've been paid not to be paranoid but to find controls and opportunities. Perhaps this is the ISO-3100 aspect.
That being said, I think the ISO-31000 people have twisted the language a fair bit and become obsessional in their won way. You don't insure against success. Much of our culture is really about controls and safety nets. That doesn't - shouldn't - destroy hope and progress.
In my DatabaseOfDotSigQuotes is this
If a better system is thine, impart it;
if not, make use of mine.
-- Horace
The phrase "Paid to be paranoid" is succinct and catchy -- and no that doesn't mean your objections are wrong, Walt. But not everyone lives & dies by DSM-IV. And yes I agree with the rest of you post about what we should be projecting as an image.
But can you or anyone else come up with something better, something still succinct and still catchy?
I'd be glad to hear it an make use of it.
The Truth About Best Practices
An article on Linked entitled 'The Truth about Practices" started a discussion thread with some of my colleagues.
The most pertinent comment came from Alan Rocker:
I'm not sure whether to quote "Up the Organisation", ("If you must have a
policy manual, reprint the Ten Commandments"), or "Catch-22" (about the
nice "tidy bomb pattern" that unfortunately failed to hit the target), in
support of the article.
Industry-wide metrics can nevertheless be useful, though it's fatal to
confuse a speedometer and a motor.
However not everyone in the group agreed with our skepricism and the observations of the autor of the article.
One asked
And Anton aren't the controls you advocate so passionately best practices? >
NOT. Make that *N*O*T*!*!*! Even allowing for the lowercase!
"Best practices" is an advertising line of self-aggrandization invented by the Big Name Accounting Firms when operating in Consulting Mode.
Confusion over Physical Assets, Information Assets – Part Two
So I need to compile a list of ALL assets, information or otherwise,
NO!
That leads to tables and chairs and powerbars.
OK so you can't work without those, but that's not what I meant.
Physical assets are only relevant in so far as they part of information processing. You should not start from those, you should start from the information and look at how the business processes make use of it. Don't confuse you DR/BC plan with your core ISMS statements. ISO Standard 22301 addresses that.
This is, ultimately, about the business processes.
Confusion over Physical Assets, Information Assets in ISO-27000
I often explain that Information Security focuses on Information Assets.
Some day, on the corporate balance sheet, there will be an entry
which reads, "Information"; for in most cases the information is
more valuable than the hardware which processes it.
-- Adm. Grace Murray Hopper, USN Ret.
Some people see this as a binary absolute - they think that there's no need to asses the risks to the physical assets or that somehow this is automatically considered when assessing the risk to information.
The thing is there are differing types of information and differing types of containers for them.
Does ISO 27001 compliance need a data leakage prevention policy?
On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the criteria for choosing a Data Loss Prevention mechanism.
I get criticised occasionally for long and detailed posts that some readers complain treat them like beginners, but sadly if I don't I get comments such as this in reply
Anton
Data Loss is something you prevent; you enforce controls to prevent data
leakage, DLP can be a programme, but , I find very difficult to support
with a policy.
Does one have visions of chasing escaping data over the net with a three-ring binder labelled "Policy"?
Let me try again.
Policy comes first.
Without policy giving direction, purpose and justification, supplying the basis for measurement, quality and applicability (never mind issues such as configuration) then you are working on an ad-hoc basis.
“Paid to be paranoid”
Read the first four paragraphs of this:
http://hollylisle.com/shoes-and-handbags/
Forget the rest, forget that its about 'creative writing', just answer that question.
Bruce Schneier among other, myself included, have asked questions like that. Are you 'paranoid' enough to be in the security business?
One of my colleagues, Rob Slade yes *that* Rob Slade when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about "The CISSP Experience".
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a "Bah Humbug!" feeling when the class is really a company stuffing its IT department through the course and exam "for the numbers". Rob has some cynical comments to add but don't forget for him it's a days work and a days pay.
I'm also hit on for a variety of reasons by kids (even postgraduates) who "want to break into" -- yes that's the words they use, ironic isn't it? -- the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that its experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is badge that gets you work. Not so. Mind you, locally the recruiters cant seem to tell what makes InfoSec different from IT. But that's a subject for another time.
And hence the opening lines to Holly's blog.
No, Holly, you're not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.
- What is the 'attack surface'?
- What are the potential threats? How to rate them?
- How can I position myself to minimise the effect of an attack?
- What is the 'recovery mode' (aka: line of retreat)?
If you can't do this, then you shouldn't be in "Security".
Information Gathering and Risk Assessment
On the ISO2700 forum one user gave a long description of his information gathering process but expressed frustration over what to do with it all all, the assets, the threats and so forth, and trying to make it into a risk assessment.
It was easy for the more experienced of us to see what he was missing.
He was missing something very important -- a RISK MODEL
The model determines what you look for an how it is relevant.
The #1 Reason Leadership Development Fails
http://www.forbes.com/sites/mikemyatt/2012/12/19/the-1-reason-leadership-development-fails/
I wouldn't have though, based on the title, that I'd be blogging about this, but then again one can get fed up with fed up with purely InfoSec blogs, ranting and raving about technology, techniques and ISO27000 and risk and all that.
But this does relate somewhat to security as awareness training, sort of ...
My problem with training per se is that it presumes the need for indoctrination on systems, processes and techniques. Moreover, training assumes that said systems, processes and techniques are the right way to do things. When a trainer refers to something as “best practices” you can with great certitude rest assured that’s not the case. Training focuses on best practices, while development focuses on next practices. Training is often a rote, one directional, one dimensional, one size fits all, authoritarian process that imposes static, outdated information on people. The majority of training takes place within a monologue (lecture/presentation) rather than a dialog. Perhaps worst of all, training usually occurs within a vacuum driven by past experience, not by future needs.
Another Java bug: Disable the java setting in your browser
http://www.kb.cert.org/vuls/id/625617
Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.
Well, yes .... but.
Are we fighting a loosing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger have known in our hearts for a long time. AV products don't work.
How much Risk Assessment is needed?
In many of the InfoSec forums I subscribe to people regularly as the "How long is a piece of string" question:
How extensive a risk assessment is required?
It's a perfectly valid question we all have faced, along with the "where do I begin" class of questions.
The ISO-27001 standard lays down some necessities, such as your asset register, but it doesn't tell you the detail necessary. You can choose to say "desktop PCs" as a class without addressing each one, or even addressing the different model. You can say "data centre" without having to enumerate every single component therein.
At first.
An “11th Domain” book.
http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm
Gary Hinson makes the point here that Rebecca Herrold makes elsewhere: 
Awareness training is important.
I go slightly further and think that a key part of a security practitioners professional knowledge should be about human psychology and sociology, how behaviour is influenced. I believe we need to know this from two aspects:
First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. many workers complain that their managers, their executives seem t go off at a tangent, ignore "the facts". We speak of decisions drive by articles
in "glossy airline magazines" and by often distorted cultural myths. "What Would the Captain Do?", or Hans Solo or Rambo might figure more than "What Would Warren Buffett Do" or "What Does Peter Drucker Say About A Situation Like This?". We can only be thankful that most of the time most managers and executive are more rational than this, but even so ...
Marketing Is Dead – Harvard Business Review
http://blogs.hbr.org/cs/2012/08/marketing_is_dead.html
Of course you have to have a catchy title, but what this really says is
... in today's increasingly social media-infused environment,
traditional marketing and sales not only doesn't work so well, it
doesn't make sense. Think about it: an organization hires people —
employees, agencies, consultants, partners — who don't come from the
buyer's world and whose interests aren't necessarily aligned with his,
and expects them to persuade the buyer to spend his hard-earned money on
something. Huh? When you try to extend traditional marketing logic into
the world of social media, it simply doesn't work.
Yes but there are assumptions there.
Marketing WHAT to WHOM?
As opposed to just selling.
See also:
Which makes the point that book publishers have come adrift as far as
marketing in the Internet world goes.
Related articles
- Marketing Isn't Dead - Just Morphing (prweb.com)
- Are There Zombies In Your Marketing? (forbes.com)
- Frustrated with Social Media Marketing Strategies for your SMB or NPO? If You Can Sell, You Can Market. (bizcommunicator.wordpress.com)
- Social Media Marketing- the way of modern Business trend (vpssell.com)
- 5 Steps to Successful Marketing With Multiple Media (startupprofessionals.com)
How to build an asset inventory for 27001
How do you know WHAT assets are to be included in the ISO-27K Asset Inventory?
This question and variants of the "What are assets [for ISO27K]?" comes up often and has seen much discussion on the various InfoSec forums I subscribe to.
Perhaps some ITIL influence is need. Or perhaps not since that might be too reductionist.
The important thing to note here is that the POV of the accountants/book-keepers is not the same as the ISO27K one. To them, an asset is something that was purchased and either depreciates in value, according to the rules of the tax authority you operate under, or appreciates in value (perhaps) according to the market, such as land and buildings.
Here in Canada, computer hardware and software depreciates PDQ under this scheme, so that the essential software on which you company depends is deemed worthless by the accountants. Their view is that depreciable assets should be replaced when they reach the end of their accounting-life. Your departmental budget may say different.
Many of the ISO27K Assets are things the accountants don't see: data, processes, relationships, know-how, documentation.
A cautionary tale about the dangers of keeping everything in the Cloud
"Once the hacker gained access to Honan's iCloud account, he or she
was able to reset his password, before sending the confirmation email
to the trash. Since Honan's Gmail is linked to his .mac email address,
the hacker was also able to reset his Gmail password by sending a
password recovery email to his .mac address.Minutes later, the hacker used iCloud to wipe Honan's iPhone, iPad
and Macbook Air remotely. Since the hacker had access to his email
accounts, it was effortless to access Honan's other online accounts
such as Twitter."
Every new technology has people, the pioneers, who buy into the vendors hype ... and pay a price for that.
We should learn from them.
Related articles
- Hard-Learned Lessons from the Honan Hack (lumension.com)
- 60-minute Security Makeover: Prevent Your Own 'Epic Hack' (pcworld.com)
- Former Gizmodo writer Mat Honan's hacked iCloud password leads to nightmare (nextlevelofnews.com)
- Apple Flooded with iCloud Password Reset Requests Amid Tightened Account Security Controls (macrumors.com)
- How Secure Is the Cloud, Really? (technewsworld.com)
Identity Management in the extreme!
Investigators say Antigua tried to pass himself off as an Air Force veteran, a member of NASA's Space Shuttle crew, even a doctor complete with hospital ID's and his own medical bag. He also had blue police-style flashing lights for his black Escalade
"We are going to go to whatever lengths that we need to travel to find out, is he really a threat or is he somebody living a very involved fantasy life," said Chief James Steffens.
Taking Cosplay too seriously?
Steve Wozniak: Cloud Computing Will Cause ‘Horrible Problems In The
Perhaps The Woz isn't the influence he once was, and certainly not on Wall Street and the consumer market place.
The unbounded RAH-RAH-RAH for the "Cloud" is a lot like the DotComBoom in many ways. No doubt we will see a Crash rationalization.
Related articles
- Steve Wozniak says "Cloud Nein!" (beanstalk-inc.com)
- Steve Wozniak calls Apple arrogant: 'I wish the iPhone 5 was wider' (macworld.co.uk)
- Security and Control in the Cloud (cloudcomputing.sys-con.com)
- Wozniak applies for Australian citizenship (upi.com)
Tight budgets no excuse for SMBs’ poor security readiness
http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/
From the left hand doesn't know what the right hands is doing department:
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.
Well, lets leave the vested interests of security sales aside for a moment.
I read recently an article about the "IT Doesn't matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, don't follow good practices (never mind good security), this is all a moot point.