antonaylward – The InfoSec Blog

The fatal flaw in IT Risk management

Is interviewing is a much better method that self-certifications and a checklist, if time and resources allow.
Two points:

In the ISO-27001 forum, my friend and colleague Gary Hinson has repeatedly pointed out, and I fully support him in this, that downloading check-lists from the ‘Net and adopting question lists from there is using a solution to someone else’s
problem. If that.

Each business has both generic problems (governments, sunspots, meteor strikes, floods & other apocalyptic threats and Acts of God) and ones specific to it way of working and configuration. Acts of God are best covered by prayer and insurance.

Gary recommends “open ended questions” during the interview rather than ones that require a yes/no answer. That’s good, but I see problems with that. I prefer to ask “Tell me about your job” rather than “Tell me how your job … can be made more efficient”.

My second point is that risk management will *ALWAYS* fail if the risk analysis is inadequate. How much of the RA should be done by interviewing people like the sysadmins I don’t know, but I have my doubts. I look to the Challenger Disaster. I started in the aviation business and we refines FMEA – failure Mode Effect Analysis. Some people think of this in terms of “impact”, but really its more than that, its also causal analysis. As Les Bell, a friend who is also a pilot and interested in aviation matters has pointed out to me, “Root Cause Analysis” no longer is adequate, failure comes about because of a number of circumstances, and it may not even be a single failure – the ‘tree’ fans both ways!

Yes, FMEA can’t be dome blindly, but failure modes that pertain to the business – which is what really counts — and the fan-in/out trees can be worked out even without the technical details. Rating the “risk”: is what requires the drill-down.

Which gets back to Donn Parker‘s point in a number of his books, though he never states it this way. The FMEA tree can be heavily pruned using diligence as he says: standards, compliance, contracts, audits, good practices, available products. The only thing he leaves out are Policy and Training. Policy gives direction and is essential to any purpose, the choice of standards and products, and identifying what training is needed.

All in all, the article at https://blog.anitian.com/flawed-it-risk-management/ takes a lot of words to say a few simple concepts.

Another reason to have a policy not to eat at your operations

I’ve worked in places where the policy was that you’re not allowed to bring a camera in; that was before cell phones, I admit, but I imagine there are places where such is enforced today. My current cell phone doesn’t have the resolution of a spy-era Minox, but there are better available, and a phone has a lot more storage and fair bit of image processing power.

Embed from Getty Images

Continue reading Another reason to have a policy not to eat at your operations

Another reason to have a policy not to eat at your desk

Hackers Can Use Pita Bread to Steal Laptop Encryption Keys, Say Researchers

Embedding such devices in something edible only means it will end up in the stomach of the targeted user. Perhaps that is intentional, but I suspect not. Better to put the device in the base of the coffee cup.

Cyber general: US satellite networks hit by ‘millions’

http://www.forensicmag.com/news/2015/04/cyber-general-us-satellite-networks-hit-millions-hacks

I wonder what they consider to be a hack? The wording in the in the article is loose enough to mean that if someone pinged one of their servers it would be considered a hack. Perhaps they even they count Google spider indexing as a probe into their network. It makes me wonder how many ‘real’ hack attempts are made and how many succeed. All in it, it sounds like a funding bid!

Marcus Ranum once commented about firewall logging that an umbrella that notified you about every raindrop it repulsed would soon get annoying.I suspect the same thing is going on here. Are these ‘repulsed’ probes really ‘need to know’? Are they worth the rotating rust it takes to store that they happened?

Oh, right, Big Data.

Oh, right, “precursor probes“.

Can we live without this? Continue reading Cyber general: US satellite networks hit by ‘millions’

Steve Wozniak: Cloud Computing Will Cause ‘Horrible Problems In The

http://www.businessinsider.com/steve-wozniak-cloud-computing-will-cause-horrible-problems-in-the-next-five-years-2012-8

Perhaps The Woz isn’t the influence he once was, and certainly not on Wall Street and the consumer market place.

The unbounded RAH-RAH-RAH for the “Cloud” is a lot like the DotComBoom in many ways. No doubt we will see a Crash rationalization.

Steve Wozniak says “Cloud Nein!” (beanstalk-inc.com)
Steve Wozniak calls Apple arrogant: ‘I wish the iPhone 5 was wider’ (macworld.co.uk)
Security and Control in the Cloud (cloudcomputing.sys-con.com)
Wozniak applies for Australian citizenship (upi.com)

On the HP Printer Hack

The hack to make the HP printers burn was interesting, but lets face it, a printer today is a special purpose computer and a computer almost always has a flaw which can be exploited.
In his book on UI design “The Inmates are Running the Asylum”, Alan Cooper makes the point that just about everything these days, cameras, cars, phones, hearing aids, pacemakers, aircraft, traffic lights … have computers running them and so what we interface with is the computer not the natural mechanics of the device any more.

Applying this observation makes this a very scary world. More like Skynet in the Terminator movies now that cars have Navi*Star and that in some countries the SmartStreets traffic systems have the traffic lights telling each other about their traffic flow. Cameras already have wifi so they can upload to the ‘Net-of-a-Thousand-Lies.

Some printers have many more functions; some being fax, repro, and scanning as well as printing a document. And look at firewalls. Look at all the additional functions being
poured into them because of the “excess computing facility” – DNS, Squid-like caching, authentication …

I recently bought a LinkSys for VoIP, and got the simplest one I could find. I saw models that were also wifi routers, printer servers and more all bundled onto the “gateway” with the “firewall” function. And the firewall was a lot less capable than in my old SMC Barricade-9 home router.

I’m dreading what the home market will have come IP6

I recall the Chinese curse: yes we live in “interesting security issue” times!

But in the long run of things the HP Printer Hack isn’t that serious. After all, how many printers are exposed to the Internet. We have to ask “how likely is that?”.
Too many places (and people) put undue emphasis on Risk Analysis and ask “show me the numbers” questions. As if everyone who has been hacked (a) even knows abut it and (b) is willing to admit to the details.

No, I agree with Donn Parker; there are many things we can do that are in the realm of “common sense” once you get to stop and think about it. Many protective controls are “umbrellas”, that its about how you configure your already paid-for-and-installed (you did install it, didn’t you, its not sitting in the box in the wiring closet) firewall; by spending the money you would have spent anyway for the model that has better control/protection — you do this with your car: air-bags, ABS and so on so why not with IT equipment? The “Baseline” is more often about proper decisions and proper configuration than “throwing money at it” the way governments and government agencies do.

His Bipolar made him do it

http://compliancesearch.com/compliancex/current-affairs/his-bipolar-made-him-do-it/

An accused hedge fund fraudster’s mother is showing support, by claiming her son is not to blame for defrauding investors out of over $2.3 million, its his bipolar’s fault.

Well, its better than “The Dog Ate My Homework”.

Keep taking the tablets, Mr Klatch!

The Question of Residual Risk value

People keep asking questions like

If the risk equation I use is Impact * Probability, when it comes to
calculating the residual risk value do I still need to consider the
impact of Loss of confidentiality, integrity and availability of the
asset afterwards ?
My understanding us that the probability value may decrease
after applying some controls to mitigate the risk,  but how does
does the impact change?

Personally I don’t like the use of the generalization “Impact“. It hides details and it hides seeing where the control is being applied. Assets are often affected by more than one threat or more than one vulnerability. You really need to recalculate the whole thing over again after the controls have been applied – don’t try for short cuts.

I’d further suggest looking at
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/

I discuss this kind of over-simplification at
http://infosecblog.antonaylward.com/2010/02/28/fbi-risk-equation/

Planning means planning for success and for not-success (herdingcats.typepad.com)

Congressman blames U.S. unemployment crisis on iPad

http://www.zdnet.com/blog/apple/congressman-blames-us-unemployment-crisis-on-ipad/9968?tag=nl.e539

In it U.S. Representative Jesse Jackson Jr (D-IL) blasts Apple and Steve
Jobs claiming that the iPad is responsible for killing thousands of
American jobs.

Image by Socialdemokrater via Flickr

In the rambling manifesto Jackson claims that the iPad is to blame
because it enables anyone to easily download books and newspapers. Thus
everyone who works at bookstores (i.e. Borders) or the publishing
industry will lose their jobs to workers making iPads in China.

Over the top?

Well, he is a politician.

However, there is this:

Yet, last week, the president met with eight CEOs such as the heads of
Xerox and American Express to ask what he could do that would give them
confidence to invest in the United States. But these are precisely the
wrong people with whom to consult and the question is precisely the
wrong question. They are the wrong people because they have benefited
enormously from offshoring and from the distortions built into the
global system. Their interest is not the same as that of the United
States but rather that of their shareholders and, in some cases, of the
authoritarian governments of the countries to which they have moved much
of the production capacity. The question is wrong because rather than
trying to bribe them the president should, a la The Godfather, be making
them “offers they can’t refuse.”

In South Carolina, Governor Perry emphasized that he would make
Washington disappear from the lives of the people in his audience. That
did not strike me as the comment of a person using all his power to find
jobs.

But think about it for just a moment. There will be no more significant
fiscal stimulus for the economy. The emphasis is all on debt reduction,
cutting expenditures, and retrenching. Not only will the federal
government be cutting back, but the state and municipal governments are
already slashing and burning. All of this will result in further job
reduction, less consumer spending, and declining stimulus which in turn
will lead to reluctance on the part of business to invest. In these
circumstances, the only possible source of jobs is a reduction of the
trade deficit.

He or she who wakes up to this fact first is likely to be the next president.

That’s my emphasis in red.

These executives are responsible to the shareholders, though the board. If the economic climate and system of taxation – that is the employment costs, make it favourable to employ foreign workers rather than American workers than that is what these people will do. If they do otherwise then they are clearly not acting in the best interests of their corporations and will be dismissed and replaced by someone who will. This is basic corporate economics, and any politician who fails to recognise it may popular for crowing about “America First” but is displaying woeful ignorance.

The other way to look at it is that US workers have priced themselves out of the market.

Image via Wikipedia

A people that values its privileges above its principles soon loses both.
— Dwight D. Eisenhower, Inaugural Address, January 20, 1953

The Biggest Problem With iPads (tomrippon.wordpress.com)
The first restaurant to rely completely on iPads in New York City (thenextweb.com)
Controversial Congressman Plays Outsized Role In 2012 Race (huffingtonpost.com)

About Social Networking policy

Policy development is one of my areas of practice, so when a colleague on a mailing list asked about how to phrase policy to deal with the social networks (Facebook, Twitter, Myspace, etc.) and what the “best practices” are, I came out of my shell to reply.

(We’ll skip over the oxymoron “best practices” since “Context is Everything“.)

The phrase

“Use of corporate resources …”

is a wonderful one to use to prefix just about any policy statement or justification. In one workshop on policy development that I ran someone pointed out that it applied to access to the company parking lot!

The issue here isn’t “social networking”, no matter how much the media and ZDNet would have you believe. It boils down to a few very clear and easy to enumerate issues: Continue reading About Social Networking policy

A Ralph Nader for the 21st Century?

http://www.chron.com/disp/story.mpl/business/steffy/6666406.html

[…]

Hanni, who lives in California, is the founder of the Coalition for an
Airline Passengers Bill of Rights, the group that’s spearheading efforts
in Congress to prevent airlines from imprisoning passengers on delayed
flights.

In a lawsuit filed in Houston Tuesday, she claims that Delta Air
Lines was behind the hacking, accusing the world’s largest carrier
of conspiracy and invasion of privacy.

Hanni believes Delta wants to crush her attempts to force better
customer service on the airline industry, which has fought mightily
to ensure it can treat passengers shabbily.

Perhaps this isn’t on the same scale as cars that are designed to explode and kill the passengers, but the model is the same. Can we see Hanni standing for the Presidency in a couple of decades? No, seriously, there does seem to be some skulduggery here that impacts privacy.
Continue reading A Ralph Nader for the 21st Century?

Judges Punish Wall Street as Regulators Just Talk About Reform

http://www.bloomberg.com/apps/news?pid=20601109&sid=a5wZ95KdSuJQ

This is something we should *ALL* be aware off, not least those that think legal and world economic stuff is off topic.

We all have to face standards; or the most part those are dictated by industry groups and we can, if we choose, partake of those.
I’ve been involved in technical standards groups in the past[1].

We have also, recently, had to face a lot of ‘regulations’, that is requirements with legal backing. Its easy to say that those are all very regional, which is why they don’t (any longer) appear in the CBK.

Personally I think this is a weak argument. SOX may only have been ‘legal’ in the USA, but many companies in other countries trade in or have offices in the USA and need to be aware of US laws and regulations.
In addition, SOX has been the model for regulations in other countries (and some of those have corrected deficiencies[2]).

Never the less the legal principle that is addressed in this article hold for many countries: while the politicians dither the people who have to deal with the details and actualities of making the legal system happen are getting on with it.

Free from the pressures of lobbyists, judges typically refrain from showing emotion or expressing opinions during court proceedings to appear impartial. During sentencings in criminal cases, they sometimes let their hair down about their feelings about the damage Wall Street firms or their executives did.

However, I don’t know it its the journalist or the judges that are being facetious:

In sentencing imprisoned con man Bernard Madoff June 29 to the maximum penalty of 150 years in prison, U.S. District Judge Denny Chin described Madoff’s crimes as “extraordinarily evil.”

What?
“Evil” compared to what? Continue reading Judges Punish Wall Street as Regulators Just Talk About Reform

Where do they get these numbers?

From the Journalistic Approach to Statistics Department …
The source of this warmongering is
http://www.darkreading.com/security/intrusion-prevention/showArticle.jhtml?articleID=219401410

and Kelly Jackson Higgins uses the dramatic title

“Message From Hackers: Enjoy The Summer Break Because Winter Attacks Will Be Harsh”

Right.

Well he claims a survey of “hackers” (whatever that means) at DefCon17 carried out by Tufin Technologies leads him to believe that only one fourth of all hackers are malicious. This is according to 70% of of the unknown number of respondents, who in turn make up an unknown proportion
of the groups of people who may be called, by themselves or others, “hackers”.

In case you’re worried about taking that last-minute summer vacation and
leaving your IT staff a little short, relax (for now, anyway): Most
hackers are taking a break now, as well, as they gear up for a busy
winter season, according to a survey of hackers attending Defcon17 in
Las Vegas this month.

Malicious hackers make up less than one-fourth of the overall hacker
community, according to 70 percent of the respondents, who were surveyed
by Tufin Technologies at the world’s largest hacker conference.

Nor are we given a definition of what “malicious” means. Does this have to be unremitting evil of a fictional character like the leaders of SMERSH in the James Bond stories or the Evil Witch in “The Wizard of Oz”? How about a historically evil character like Genghis Kahn, Nero, or dare I say it, Stalin, Hitler or Saddam Hussein?

But “malicious”? Could that mean purposeful vengeance for some real or imagined (think: Fat Fredy and his cat); getting back at “The Man”, Big Government, or Big Business for some ill defined political or conspiracy theory riven reason. Or perhaps “collateral damage” arising from lack of care, lack of professionalism or simple incompetence
(http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/#).

I’m getting sick of marketeers making use of journalists like this, for that’s the real reason for this. Read the rest of the article and you’ll see its about Michael Hamelin, chief security architect at Tufin,
advocating what we all know: that compliance doesn’t mean security. If that’s your message, then say that, don’t dress it up in nonsense that makes use of meaningless statistics.

GOP vs James Bond (blogs.cqpolitics.com)
You Say That Like There’s A Conflict (eschatonblog.com)
Man, the U.S. had a crazy cyberwar plan against Iraq (that it didn’t execute) (crunchgear.com)
Literate Housewife Seal of Approval (literatehousewife.com)

8 Dirty Secrets of the IT Security Industry – CSO.com

Bill Brenner wrote an article that covers some security consulting in general and PCI DSS in particular.

The Information Security triad: CIA. Second ve... — Image via Wikipedia

Do make note of points 1,3, and 6.
I particularly appreciated the subtext of the wording of #1.

Vendors don’t need to be ahead of the threat, just the buyer.

We all know the story of the two campers and the bear, but this is an interesting variation. We’ve just discussed Mr Carr screaming about how he wasn’t told by his security staff that there were more threats.

Yes but … Its not the security staff that set the budget or make the buying decisions. Look: it says “buyer”, not “customer”.

How often have you had your security advice over-ridden for anyone of a number of reasons? Its not you doing the BUYING is it.

And why do you think that the saleswomen wear suits and talk in that stupid language using terms like “solution” (oh-ho, watch out, here comes Les…) and “bottom line” and other stuff that has nothing to do with InfoSec.

‘Cos it isn’t YOU doing the buying.

At best they throw you a bone since you might be an ‘influencer’ – more salesman-speak. (But ‘influencer’ is too close to ‘influenza’ which is why they don’t get too close to you…)

Mean while, you’re talking to your manager about all these nasty things like threats and the possibility of embarrassment in the press and lawsuits, while that nicely dressed saleslady is talking sweetly about nice things such as profit and success and such like.

Lets face it, the game is semantically rigged against us.

Like Marcus Ranum says,

“Given a choice between dancing pigs and security, users will pick dancing pigs every time.”

“Oh look http://pics4.city-data.com/cpicc/cfiles34082.jpg hey, that’s neat, I didn’t know they could do that….”

InfoSec In The Supply Chain (blogs.forrester.com)

The Need for Social Engineerig in InfoSec

: Image via Wikipedia

When I took my undergraduate Engineering degree the attitude of my professors was that if we had chose engineering as our career then a few things were going on.

First, technology is changing, so teach fundamentals and principles and show how to apply them but don’t get hung up on specific technologies. (Who would have guessed then that the RF theory work on transmission lines would have an impact on writing software for PCB layout and even chip design!)

Second, that if we stayed in engineering, then within three to five years we would have “managerial” responsibilities so we better know about “managerial” things such as budgeting, logistics/supply-chain,
writing proposals and reports.

I mention this to make the point that being a CISSP is not about being a techie-geek. Knowing all there is about crypto, pen testing, or any vendor or product is inherently self limiting. You have put a cap on the authority and influence you have.

To be effective in InfoSec you need to be able to do that “social engineering” – as a recent article says,

“… the application of social science to the solution of social
problems,” he said. “In other words, it’s getting people to do
what you want by using certain sociological principles.”

What you want is for your managers to implement certain strategies that
you believe are for the good of the company and society (see our code of
ethics an associated guidelines). This means you need communication
skills.

I realise many people reading this are in fact managers, but they too have to
report to higher authorities. Some here have MBAs. Management is more than the technical skill of a MBA course – that’s another form of geekiness. (I know of one very good technical guy who saw Dilbert‘s Principle being applied in his firm an went and got a MBA. The trouble is that he never had any ‘people skills’ and the MBA course didn’t supply them!)

So we get back to a parallel thread – “Trust”‘.

Occasionally I run a workshop “Why people don’t follow Policies and what you can do about it”. Its for technical managers, those who have to enforce many policies, not least of all InfoSec ones, and manage those who are carrying out the associated Procedures. Its always a difficult workshop since its about seeing the patterns in behaviour, something technical managers are quite capable of, but have never been taught before.

Its my belief that InfoSec is meaningless unless it deal with the social and psychological issues. Right now we treat the term “social engineering” the way we do “risk”, as something that has *only* a negative meaning. That has to stop. Management don’t see “risk” as being bad and as far as threats go, we know that People are the sourceof them all! First and foremost, InfoSec practitioners need to be able to deal with People. Technology is for geeks. If you want to being
about change you have to deal with people.

“Social Engineering” – in the broadest and positive sense – is every bit as key as any other of the domains of the CBK. Its omission just shows how technology-centred the profession is, despite the threats and despite what needs to be done by practitioners to fulfil their roles.

The One Minute MBA. Get Yours Here. (frontofficebox.com)

Security Posture Assessment resources

No, I don’t think this is a good start.
Its ignores such fundamentals as policy, change management, awareness, management reporting, risk assessment and risk tolerance …

And much like that. Continue reading Security Posture Assessment resources

Why applications have security bugs

http://blogs.msdn.com/aaron_margosis/archive/2008/03/03/why-apps-have-security-bugs-attempted-humor.aspx

It was this comment to the posting that caught my attention:

Some of us idiots used to think that any devs who weren’t aware of buffer overflow before the Morris worm would be aware of it after the Morris worm. But in fact, your posting almost points out why many devs remain blissfully unaware:

“we developers were trained to focus on and typically only ever focused
on how legitimate users will use the product”

Close. Developers who want to have good jobs have to get trained to focus on how their managers pretend the product will be used. Anyone who thinks as far out as actual end users will get canned for not being
a team member. Anyone who thinks even further out about actual end misusers will be sued for being a hacker. But yeah, you explained it.
Thank you.

Long time readers will know that the Morris worm is my poster-boy for complaining that modern schools don’t teach defensive programming.

It seems I’m not alone.

Conficker: How a Buffer Overflow Works (wired.com)
Microsoft’s Banning Memcpy() Functions in the Name of Security [Microsoft] (gizmodo.com)
Crypto hash boffins trip on buffer overflow (theregister.co.uk)
Nasty Java bug could lead to attack (infoworld.com)
Software Bugs A Software Architect Point Of View (slideshare.net)
Experts reboot list of 25 most dangerous coding errors (go.theregister.com)
The 25 Most Dangerous Programming Errors (developers.slashdot.org)

May 2018
M	T	W	T	F	S	S
« Nov
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

Related articles

Related articles

Related articles

Related articles by Zemanta

Related articles

Related articles by Zemanta

Related articles by Zemanta