Online Cyberlaw programs

People occasionally ask about InfoSec courses that cover law and cyberlaw and about schools that offer cyberlaw programs.

I’m curious about this whole thing for a slightly tangential reason.

On the one hand there’s the idea of Cyberlaw as part of a general law school curriculum.

On the other, there’s cyberlaw for InfoSec people and managers and executives.

The former will already have covered issues like criminal law, contract law, rules of evidence and so forth. Would all that be necessary for the latter group?

And in general, we do have a domain of the CISSP CBK that covers ‘law and ethics’, but I get the impression that in the effort to “internationalize” it has been gutted; the rationale being that many laws are so regional that the exam can’t address them without being very biased.

Well, I disagree. For a number of reasons.

First, there is a lot of law that is about principles.
I think it’s important to cover basics like CONTRACTS and LIABILITY, which I have seen done in a way that covers the variety of the western European legal codes.

Second, there is a fair bit of international or internationally recognised law. How else could trade and commerce go on? In addition there are many laws that are being applied or recognized cross-border in one way or another, especially in the areas of cyber-related crimes such as fraud and extortion. Some of these may only be the basis for extradition, but they are examples of what happens in practice.

Finally, the study of law in other jurisdictions is valuable, as is the study of history; it gives us examples of the good and the bad, how they were applied and what their successes, pitfalls and limits were.

This is more relevant than it seems at first. The impact of Sarbanes-Oxley (SOX) applies to many of us outside the USA because we deal with companies in our own nation that have offices registered and trading inside the USA. On top of that, SOX has been the basis for – often better thought out – similar legislation in other countries. The same reasoning applies to things like the DMCA, CAN-SPAM and the like.

I ought to mention things like PCI as well, even though they are not “laws” in the same sense. PCI *IS* international, just as other banking standards that those of us who deal with finance InfoSec have to deal with – BASEL, FFIEC and others.

Purely as a side issue, I think all of us need to know about matters like employment law. Many of us are ‘consultants’ and need to know about contract law. Many of us are in situations where InfoSec deals with HR, and that justifies knowing about employment law. We may also need to know about matters such as copyright and non-disclosure, and what contracts can and cannot bind one to.

Speaking as a “consultant”, I’d add that I’m very glad of my grounding in contract law from the management electives of my undergraduate degree in engineering. Many of the contracts I have been offered by small firms, where they were drawn up by the owner (often an ‘entrepreneur’ with no business or legal background and often without the guidance of a lawyer or even a CMA/accountant), were inequitable, unreasonable and full of ‘traps’ because of poor wording.

I think an understanding of the basics of criminal law, contract law and law pertaining to international trade is essential to members of our profession, regardless of their role. The CBK and exam may avoid them, but as individuals we should each recognise the relevance of these and other legal and quasi-legal ‘standards’ and make them part of our ongoing education.

Where do they get these numbers?

From the Journalistic Approach to Statistics Department …
The source of this warmongering is

and Kelly Jackson Higgins uses the dramatic title

“Message From Hackers: Enjoy The Summer Break Because Winter Attacks Will Be Harsh”

Well, she claims a survey of “hackers” (whatever that means) at DefCon17 carried out by Tufin Technologies leads her to believe that only one fourth of all hackers are malicious. This is according to 70% of the unknown number of respondents, who in turn make up an unknown proportion of the groups of people who may be called, by themselves or others, “hackers”.

In case you’re worried about taking that last-minute summer vacation and leaving your IT staff a little short, relax (for now, anyway): Most hackers are taking a break now, as well, as they gear up for a busy winter season, according to a survey of hackers attending Defcon17 in Las Vegas this month.

Malicious hackers make up less than one-fourth of the overall hacker community, according to 70 percent of the respondents, who were surveyed by Tufin Technologies at the world’s largest hacker conference.

Nor are we given a definition of what “malicious” means. Does this have to be the unremitting evil of a fictional character like the leaders of SMERSH in the James Bond stories or the Wicked Witch in “The Wizard of Oz”? How about a historically evil character like Genghis Khan, Nero, or, dare I say it, Stalin, Hitler or Saddam Hussein?

But “malicious”? Could that mean purposeful vengeance for some real or imagined grievance (think: Fat Freddy and his cat); getting back at “The Man”, Big Government, or Big Business for some ill-defined political or conspiracy-theory-riven reason? Or perhaps “collateral damage” arising from lack of care, lack of professionalism or simple incompetence?

I’m getting sick of marketeers making use of journalists like this, for that’s the real reason for this. Read the rest of the article and you’ll see it’s about Michael Hamelin, chief security architect at Tufin, advocating what we all know: that compliance doesn’t mean security. If that’s your message, then say that; don’t dress it up in nonsense that makes use of meaningless statistics.


8 Dirty Secrets of the IT Security Industry

Bill Brenner wrote an article that covers security consulting in general and PCI DSS in particular.


Do make note of points 1, 3, and 6.
I particularly appreciated the subtext of the wording of #1:

Vendors don’t need to be ahead of the threat, just the buyer.

We all know the story of the two campers and the bear, but this is an interesting variation. We’ve just discussed Mr Carr complaining that he wasn’t told by his security staff that there were more threats.

Yes, but … it’s not the security staff that set the budget or make the buying decisions. Look: it says “buyer”, not “customer”.

How often have you had your security advice overridden for any one of a number of reasons? It’s not you doing the BUYING, is it?

And why do you think that the saleswomen wear suits and talk in that stupid language using terms like “solution” (oh-ho, watch out, here comes Les…) and “bottom line” and other stuff that has nothing to do with InfoSec?

‘Cos it isn’t YOU doing the buying.

At best they throw you a bone since you might be an ‘influencer’ – more salesman-speak. (But ‘influencer’ is too close to ‘influenza’ which is why they don’t get too close to you…)

Meanwhile, you’re talking to your manager about all these nasty things like threats and the possibility of embarrassment in the press and lawsuits, while that nicely dressed saleslady is talking sweetly about nice things such as profit and success and suchlike.


Let’s face it, the game is semantically rigged against us.

Like Marcus Ranum says,

“Given a choice between dancing pigs and security, users will pick dancing pigs every time.”


“Oh look hey, that’s neat, I didn’t know they could do that….”


Significant Impact Calculation in Business Risk

My colleague Gary Hinson made the following observation on the ISO 27001 list in August:

There are numerous assumptions and estimations in the risk assessment process, so all calculated values have quite wide margins of error. Worse still, there are almost certainly risks or impacts that we have failed to recognise or assess, in other words we need to allow for contingency.

Oh, it’s worse than that!

The problem is that the potential perpetrators are the ones that determine “the most significant risks” of which you speak, in both frequency (when they decide to strike) and impact (how much damage they will do and what they will do with the results of their attacks), not the person performing the risk analysis.

We are debating how to value an asset: book value, replacement value or the value of the process of using it. Well, that doesn’t matter; it’s the value to the perpetrator of the attack that counts. What you value and defend might be of no interest to him (or her). Obtaining the desired asset may result in collateral damage.

So long as you focus on a Risk Analysis model rather than a comprehensive plan of diligence and security establishment, you are going to get caught out by these false assumptions.

Face it: the Risk Analysis approach means you have no idea who and where the potential perpetrators are, rational or irrational, nor when and how they may strike (with a tank, an army, or with false data entry).

But you act and calculate as if you do.

You have no idea of the perpetrator’s

  • skills
  • knowledge
  • resources
  • authority
  • motives
  • objectives

but the Risk Analysis approach presumes that you do.

I’m sorry, this doesn’t make sense, and hence arguing about how to calculate the value of an asset doesn’t make sense in this context. It’s like arguing over how many angels can dance on a pinhead when there’s war and famine going on outside.
