The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

December 14th, 2010

Cell phone risks


I hope somebody’s thinking seriously about the implications of this:

http://www.theregister.co.uk/2010/12/14/us_army_smartphones_4_all/

Israel has already seen some consequences of soldiers with cellphones.

Here in Toronto we have a law against driving while using a hand-held cell phone. I note that researchers are reporting that even hands-free phones are distracting enough to be a major risk. Nevertheless, I have stood back from the kerb at an uptown intersection and seen drivers turn against the lights and narrowly miss pedestrians because they were on the phone. The drivers, that is. (I’m still on the lookout for pedestrians using phones and being oblivious to their surroundings causing accidents.) Perhaps I need to use my own phone and make videos of this and upload them to YouTube :-)

So I’m very cynical about the use of distracting technology in the battlefield. Use of the smartphones ‘in barracks’ is one thing; using them in the field is another.

There seems to be a big mental hole here.
The idea of a comms system that has a central control, or the cell/tower model, is inherently vulnerable; no less so than GPS if you think about it, and probably more so: you don’t need a rocket launch and EMP capability to take out cell phone towers and the phone system.

But the kind of Wifi system that allows the nodes to mesh and forward and heal (WiMax) is just the kind of thing the cell phone companies don’t want.

WiMax – http://www.open-mesh.com/ – may assume an internet backbone connecting the various meshes, but in a battlefield scenario the local mesh would be adequate. It simply uses different “smartphones” and software. Maybe there is a backhaul WAN, maybe it can download satellite or surveillance images for the front-line commanders.

But OTS cellphones … I can see too many high risk scenarios in a military setting.

December 3rd, 2010

All Threats? All Vulnerabilities? All Assets?

On one list I subscribe to, I saw this outrageous statement:

ISO 27001 requires that you take account of all the relevant threats
(and vulnerabilities) to every asset – that means that you have to
consider whether every threat from your list is related to each of
your assets.

“All”? “Every”?
I certainly hope not!
Unless you have a rule as to where to stop, those lists – vectors that you are going to multiply – are going to become indefinitely large if not infinite. It’s a problem in set theory to do with enumerability.

See
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
for a more complete discussion of this aspect of ‘risk’.

See
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
in which Jeff Lowder has a discussion of the “utility value” approach to controls.

Because it’s the controls and their effectiveness that really count.

The issue of infinite, finite or even reasonable and usable enumerability means there _HAS_ to be a rule as to when to stop.
It’s frightening in one way: you never know whether the next item, the one you’ve stopped before, might actually be critical in some particular combination. But there _HAS_ to be a halting condition or you die from analysis paralysis.

If we call this rule “common sense” or “reasonableness” or some such then what we are really doing is admitting that Donn Parker was right with his “diligence” approach (See ISSA Journal articles via Google) and that is more effective as a means of determining controls than any of the formal Risk Analysis methods.

Because it’s the controls and their effectiveness that really count.

But ISO27K says you HAVE to do a RA, even if it’s impossible to do it properly, even if it is the wrong method, and even if it’s not as effective as a non-RA approach to developing controls.

Because it’s the controls and their effectiveness that really count.

Or is it? Is having the certification because you’ve followed the process more important?
