The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

March 23rd, 2012

Social Engineering and sufficiency of awareness training

Someone asked:

If you have good information security awareness amongst
the employees then it should not be a problem what kind of attempts
are made by the social engineers to glean information from
your employees.

Yes, but as RSA demonstrated, it is a moving target.

You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the ‘social engineers’. Fight psychology with psychology! Read the rest of this entry »

February 8th, 2012

Upside and downside: How I hate Journalists

http://compliancesearch.com/compliancex/insider-trading/senate-votes-to-ban-insider-trading-by-its-members/

And this doesn’t actually stop them from making use of ‘insider information’; they just have to declare it within 30 days.

No, wait, sorry … you mean that the legislators are saying that legislators shouldn’t do something that is illegal anyway? Or that, if they do something that
is already illegal, it is OK as long as they declare it within 30 days? …

It gets worse:

http://compliancesearch.com/compliancex/insider-trading/house-republicans%E2%80%99-insider-trading-bill-accused-of-catering-to-insiders/

I’d like to claim the system is rigged so ‘the rich get richer’, but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to
describe the rich variety of political attitudes in Washington, never mind the rest of the USA and points elsewhere on the physical compass.

http://en.wikipedia.org/wiki/Pournelle_chart
http://en.wikipedia.org/wiki/Nolan_Chart

Just those two show we need more than 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.

http://en.wikipedia.org/wiki/Political_spectrum

Try this test:
http://www.politicalcompass.org/

How does this all relate to InfoSec, you ask.
Well part of that Political Compass is a view of ‘how authoritarian’.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees have Access to the Internet, and the like.

Hans Eysenck pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.

How many more such simplistic distinctions, such as those foisted on us by journalists, are equally meaningless?

Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of ‘root cause analysis’ is no longer used in analysing plane crashes. The reality is that “it’s not just one thing”, it’s many factors. We all know that applies in most areas of life.

I suspect most people know that too; it’s not restricted to the digerati.
There is the old ditty that explains how because of a nail an empire was lost, but no-one is proposing that we fix the failing of the “American Empire” by manufacturing more nails.

Except possibly Journalists.

July 21st, 2011

Economic Impact: Patent trolls chase app developers out of the U.S.

http://www.linuxfordevices.com/c/a/News/Kootol-joins-Lodsys-as-a-patent-troll/?kc=LNXDEVNL072111

The Debt ceiling crisis will pass; even if there is a crash, the USA can recover from it …

IF its core economic worth, that is its industrial productivity, is unharmed.

There are a number of ways this can be harmed, poor credit rating among them, lack of availability for investments. Read the rest of this entry »

July 8th, 2011

He’s not Ian Paisley

[Image: Ian Paisley, via Wikipedia]

I was at a presentation yesterday.
One of the vendor’s speakers, I’m sorry to say, was a CISSP.

OK, he wasn’t Ian Paisley or any other radical religious zealot.

BUT he was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam), and just watch what he says: we must open our hearts to Christ (aka his company’s products) and be SAVED by following the One True Faith (only buying his company’s products) and repenting for our sins (having his company come in and do all the scans, consulting and so forth).

I was inoculated against the religious hectoring meme at a young age, but it’s still fascinating to watch. But as with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.

To be fair, that day’s event also had some good speakers. It had some straightforward and ‘humble’ people who explained matters clearly and without drama, stated the issues and the scopes of threats and
vulnerabilities, and how and why their product did what it did. All without the drama, all without the hectoring or intimidation.

March 1st, 2011

Security and efficiency

You gotta love the low-tech solution. It’s really never NOT about people, is it? :-)

Darn tooting right!
It’s always people. Any way you look at it.
Which is why I go on about The 11th Domain.

Why does the CBK place so much emphasis on technology when the (ISC)2’s motto is “Security transcends technology”? The “people” aspect, the social structures of organizations, behavioural psychology, group psychology and a lot more, all of which are “about people”, probably have greater leverage as far as InfoSec “Getting Things Done” (especially in a stress-free manner).

As I said previously, I think we’re doing it wrong; and I don’t mean just Risk Assessment!

January 16th, 2011

Black Swan: “levels only experienced on average once every 500 to

http://news.discovery.com/earth/megastorm-californias-other-big-one.html

Just in the last 15 years, since microwave technology aboard satellites
produced images of water vapor in the atmosphere, scientists have come
to realize that most major winter rainstorms over California, and
virtually all flooding episodes, are the result of the unloading of
airborne streams of tropical moisture that have come to be called
“Atmospheric Rivers.” (Hence the name, ARk – Atmospheric Rivers 1,000.)
The scenario envisions nearly a month of uninterrupted rainfall over
northern and southern California.

“The hypothetical storm depicted here would strike the U.S. West Coast
and be similar to the intense California winter storms of 1861 and 1862
that left the central valley of California impassible,” the authors
said. “The storm is estimated to produce precipitation that in many
places exceeds levels only experienced on average once every 500 to
1,000 years.”

In addition to property and “business interruption” losses of anywhere
from $725 billion to $1 trillion, the team estimated that emergency
managers would be faced with the task of evacuating 1.5 million people
during the storm and its aftermath. “The numbers that have been
presented here are shocking, no doubt about it,” observed co-author
Laurie Johnson, a private planning specialist who worked on Katrina
Hurricane recovery. Such a storm could pose “a fiscal crisis that will
cascade through every level of government.”

All that it says is that 1,000-year storms exist, and can occur. The only thing new here is that they understand more about the mechanisms of these 1,000-year storms when they do happen, not that one is imminent.

I’ve got some more news for you: one day, the sun will become a Red Giant and engulf the entire Earth. The damages will exceed a trillion dollars. The probability of this is 1.0 … in astronomical time-scales.

The logic of risk analysis that equates a once-in-five-billion-years event with an impact of trillions of dollars with monthly events that cost hundreds of dollars is lunacy.
There are many inconvenient events that do occur on a monthly basis [again with probability 1.0] that cost hundreds, even thousands of dollars, and we ‘just live with them’. If you doubt that statement look at the incidence of automobile deaths and injuries and of deaths and disabilities due to pollution. I’m sure any insurance company or government statistics office will be happy to supply you with the details.

One thing is very clear: we are not good at recognizing where the real threats and risks are.

September 15th, 2010

Career Insights from Stephen Northcutt, CEO of SANS

http://www.bankinfosecurity.com/articles.php?art_id=2914

Fascinating.

I get a lot of enquiries from wannabes who, as they put it, want to “break into security”. I presume they see it as more interesting than the work they are doing.

They come in all varieties, from high-school kids asking about what degree they should take to people with no actual work experience asking if they should take a CISSP or CISM.

The luminaries of our profession, be they CISSPs or people like Marcus Ranum and Bruce Schneier who lack such certifications, all came up the same way that Stephen Northcutt did and many of us here did – the long way. And they gained the practical experience and understanding of the issues along the way. Read the rest of this entry »

January 15th, 2010

Arrogant? Who? Us?

http://blogs.csoonline.com/problem_3_for_security_professionals_not_enough_humble_pie?source=CSONLE_nlt_update_2010-01-12

Talk about difficult to read! I hate sites like this, only slightly more than ones that use a completely black background.

[Image: Chiemsee - Bayern - Deutschland, via Wikipedia]

A large part of my “11th Domain” bleating is about communication – thinking in terms of the other person, their needs and views and how the ‘message’ you’re sending will be received and interpreted.
Read the rest of this entry »

January 6th, 2010

The Need to Understand Culture

Some references for “The 11th Domain”

I’m going to respond to this as broadly as possible.
This is not a subject like “access control” that is hard and bound.

First, there’s Human Communication.
Probably the best source for this is to take the Dale Carnegie course on
Public Speaking. No, really. I’m quite serious.

There are a number of books that are reading material for the course;
you can find them on Amazon:

How to Win Friends & Influence People

http://www.amazon.com/gp/product/0671723650?ie=UTF8&tag=emergentprope-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0671723650

How to Develop Self-Confidence And Influence People By Public Speaking

http://www.amazon.com/gp/product/0671746073?ie=UTF8&tag=emergentprope-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0671746073

The 5 Essential People Skills: How to Assert Yourself, Listen to Others,
and Resolve Conflicts

http://www.amazon.com/gp/product/1416595481?ie=UTF8&tag=emergentprope-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1416595481

and on Google

There is also the little “Golden Book” of short adages.

The “How to win friends and influence people” has sections:

  • THREE FUNDAMENTAL TECHNIQUES IN HANDLING PEOPLE
  • THE SIX WAYS TO MAKE PEOPLE LIKE YOU
  • THE TWELVE WAYS TO WIN PEOPLE TO YOUR WAY OF THINKING
  • THE NINE WAYS TO CHANGE PEOPLE WITHOUT AROUSING RESENTMENT

Now isn’t that just what I’ve been talking about!

While those are the books, I very strongly recommend taking the course for a number of reasons. The books are ‘bare bones’. Many people find them annoying as they come across as a mix of anecdotes, pollyanna and cute phrases. The course is about the difference between the noun and the verb, as I so often put it. It puts you on the spot and makes you translate the theory of the book into the reality of action.

It’s a world of difference.
The books are cheap, the experience is priceless.

OK, so I’m biased: I used to be a teaching assistant for DCC.

I’ll get to Social Psychology later, but heck, why not look up the syllabus and reading lists for a college course on that or Anthropology.

December 27th, 2009

Throwing in the towel

I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work:

After two years of dealing with such nonsense, I was forced to resign
within two months of discovering a serious security issue which possibly
jeopardized overseas operations. I have since found out that they are
selling the company and didn’t want any who knew the problems around.

Hmm.
Thank you.
Speaking as an auditor who occasionally does “due diligence” with respect to take-overs, you’ve just shown another use for LinkedIn – contacting ex-employees to find out about such problems.

Certainly a lot of employees leaving or being fired in the couple of years before the pending acquisition is a red flag, eh?
Read the rest of this entry »

March 28th, 2009

Would Bill C-285 outlaw BlackBerry in Canada?

http://www.itworldcanada.com/a/Daily-News/03b813a2-f13b-4c3e-9494-ae9064f25da3.html

“When they outlaw X only criminals will have X”

… for many values of the members of the set of Y.

There’s the old saw:

People who won’t quit making the same mistake over
and over are what we call conservatives.

No, they are politicians.

He added that making it easier for law enforcement to tap into wireless
transmissions will probably bring those same capabilities into the hands
of the cyber criminal community. This is certainly not the
business-friendly message you want to be sending out to encourage
investment in technology during the recession, Levy said.

“Especially since the very same government has placed organizations in
the financial services, health care and public sector under increasing
regulatory scrutiny to lock down their own security infrastructure.”

In reality, judging by history, if there’s going to be a way to hack into things like the BlackBerry the criminals will have it long before the LE, and the LE will probably be denied funding for it by the government.
