The Truth About Best Practices
An article on Linked entitled 'The Truth about Practices" started a discussion thread with some of my colleagues.
The most pertinent comment came from Alan Rocker:
I'm not sure whether to quote "Up the Organisation", ("If you must have a
policy manual, reprint the Ten Commandments"), or "Catch-22" (about the
nice "tidy bomb pattern" that unfortunately failed to hit the target), in
support of the article.
Industry-wide metrics can nevertheless be useful, though it's fatal to
confuse a speedometer and a motor.
However not everyone in the group agreed with our skepricism and the observations of the autor of the article.
One asked
And Anton aren't the controls you advocate so passionately best practices? >
NOT. Make that *N*O*T*!*!*! Even allowing for the lowercase!
"Best practices" is an advertising line of self-aggrandization invented by the Big Name Accounting Firms when operating in Consulting Mode.
The #1 Reason Leadership Development Fails
http://www.forbes.com/sites/mikemyatt/2012/12/19/the-1-reason-leadership-development-fails/
I wouldn't have though, based on the title, that I'd be blogging about this, but then again one can get fed up with fed up with purely InfoSec blogs, ranting and raving about technology, techniques and ISO27000 and risk and all that.
But this does relate somewhat to security as awareness training, sort of ...
My problem with training per se is that it presumes the need for indoctrination on systems, processes and techniques. Moreover, training assumes that said systems, processes and techniques are the right way to do things. When a trainer refers to something as “best practices” you can with great certitude rest assured that’s not the case. Training focuses on best practices, while development focuses on next practices. Training is often a rote, one directional, one dimensional, one size fits all, authoritarian process that imposes static, outdated information on people. The majority of training takes place within a monologue (lecture/presentation) rather than a dialog. Perhaps worst of all, training usually occurs within a vacuum driven by past experience, not by future needs.
An “11th Domain” book.
http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm
Gary Hinson makes the point here that Rebecca Herrold makes elsewhere: 
Awareness training is important.
I go slightly further and think that a key part of a security practitioners professional knowledge should be about human psychology and sociology, how behaviour is influenced. I believe we need to know this from two aspects:
First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. many workers complain that their managers, their executives seem t go off at a tangent, ignore "the facts". We speak of decisions drive by articles
in "glossy airline magazines" and by often distorted cultural myths. "What Would the Captain Do?", or Hans Solo or Rambo might figure more than "What Would Warren Buffett Do" or "What Does Peter Drucker Say About A Situation Like This?". We can only be thankful that most of the time most managers and executive are more rational than this, but even so ...
Tight budgets no excuse for SMBs’ poor security readiness
http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/
From the left hand doesn't know what the right hands is doing department:
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.
Well, lets leave the vested interests of security sales aside for a moment.
I read recently an article about the "IT Doesn't matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, don't follow good practices (never mind good security), this is all a moot point.
Social Engineering and sufficency of awareness training
Someone asked:
If you have a good information security awareness amongst
the employees then it should not a problem what kind of attempts
are made by the social engineers and to glean information from
your employees.
Yes but as RSA demonstrated, it is a moving target.
You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the 'social engineers'. Fight psychology with psychology!
Upside and downside: How I hate Journalists
And this doesn't actually stop them form making use of 'insider information' they just have to declare it within 30 days.
No, wait, sorry ... you mean that the legislators are saying that legislators shouldn't do something that is illegal anyway? Or that, if they do something that is already illegal, it is OK as long as they declare it within 30 days? ...
It gets worse:
I'd like to claim the system is rigged so 'the rich get richer' but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to describe the rich variety of political attitudes in the Washington, never mind the rest of the USA and points elsewhere on the physical compass.
http://en.wikipedia.org/wiki/Pournelle_chart
http://en.wikipedia.org/wiki/Nolan_Chart
Just those two show we need more that 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.
http://en.wikipedia.org/wiki/Political_spectrum
Try this test:
http://www.politicalcompass.org/
How does this all relate to InfoSec, you ask.
Well part of that Political Compass is a view of 'how authoritarian'.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees have Access to the Internet, and the like.
Hans Eysenk pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.
How many more such simplistic distinctions such as those foisted on us by journalists are equally meaningless.
Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of 'root cause analysis' is no longer used in analysing plane crashes. The reality is that "its not just one thing", its many factors. We all know that applies in most areas of life.
I suspect most people know that too; its not restricted to the digerati.
There is the old ditty that explains how because of a nail an empire was lost, but no-one is proposing that we fix the failing of the "American Empire" by manufacturing more nails.
Except possibly Journalists.
Related articles
- Is your political compass OK post the election? (greenwichlib.wordpress.com)
- Political Compass: May (spinelessliberal.wordpress.com)
- The downsides of experience (cdevroe.com)
- The US Election - 2012 (www.politicalcompass.org)
He’s not Ian Paisley
Image via Wikipedia
I was at a presentation yesterday.
One of the vendor's speakers, I'm sorry to say, was a CISSP.
OK, he wasn't Ian Paisley or any other radical religious zealot.
BUT his was hectoring us and telling us that the Devil is out there gathering sinners (aka botnets) and tempting us (with web sites and spam) and just watch what he says: we must open our hearts to Christ (aka his company's products) and be SAVED by following the One True Faith (only buying his company's products) and repenting for our sins (having is company come in and do all the scans, consulting and so forth).
I was inoculated against the religious hectoring meme at a young age, but its still fascinating to watch. But like with religion, there are always people who are susceptible, and sadly, always groups willing to give such people a platform.
To be fair, that day's event also had some good speakers. It had some straight forward and 'humble' people who explained matters clearly and without drama, stated the issues and the scopes of threats and
vulnerabilities and how and why their product id what it did. All without the drama, all without the hectoring or intimidation.
Related articles
- Ian Paisley jnr: My views on gays have matured (politics.ie)
- A Paisley Affair (modedimitri.wordpress.com)
- The City: Belfast (newsweek.com)
Security and efficiency
You gotta love the low-tech solution. It's really never NOT about people, is it?
Darn tooting right!
Its always people. Any way you look at it.
Which is why I go on about The 11th Domain.
Why the CBK places so much emphasis on technology when the (ISC)2's motto is "Security transends technology" and why the "people" aspect, social structures of organizations, behavioural psychology, group psychology and lot more, all of which are "about people" and probably have a greater leverage as far as InfoSec "Getting Things Done" (Especially in a stress-free manner_.
As I said previously, I think we're doing it wrong; and I don't mean just Risk Assessment!
Are *YOU* ready to give up yet?
Apparently (ISC)2 did this survey ... which means they asked the likes of us ....
Faced with an attack surface that seems to be growing at an overwhelming rate, many security professionals are beginning to wonder whether their jobs are too much for them, according to a study published last week.
Right. If you view this from a technical, bottom-up POV, then yes.
Conducted by Frost & Sullivan, the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking, and insecure applications have led to "information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain."
Patching madness, all the hands-on ... Yes I can see that even the octopoid whiz-kids are going to feel like the proverbial one-armed paper-hanger.
Which tells me they are doing it wrong!
Two decades ago a significant part of my job was installing and configuring firewalls and putting in AV. But the only firewall I've touched in the last decade is the one under my desk at home, and that was when I was installing a new desk. Being a Linux user here I don't bother with AV.
"Hands on"? Well yes, I installed a new server on my LAN yesterday.
No, I think I'll scrub it, I don't like Ubuntu after all. I'm putting
in Asterix. That means re-doing my VLAN and the firewall rules.
So yes, I do "hands on". Sometimes.
At client sites I do proper security work. Configuring firewalls, installing Windows patches, that's no longer "security work". The IT department does that. Its evolved[1] into the job of the network admin and the Windows/host admin. They do the hands-on. We work with the policy and translate that into what has to be done.
Application vulnerabilities ranked as the No. 1 threat to organizations among 72 percent of respondents, while only 20 percent said they are involved in secure software development.
Which illustrates my point.
I can code; many of us came to security via paths that involved being coders, system and network admins. I was a good coder, but as a coder I had little "leverage" to "Get Things Done Right". If I was "involved" in secure software development I would not have as much leverage as I might have if I took a 'hands off' roles and worked with management to set up and environment for producing secure software by the use of training and orientation, policy, tools, testing and so forth. BTDT.
There simply are not enough of us - and never will be - to make security work "bottom up" the way the US government seems to be trying We can only succeed "top down", by convincing the board and management that it matters, by building a "culture of security".
One view of Enterprise Information Security Architecure (EISA) Framework.
This is not news. I'm not saying anything new or revolutionary, no matter how many "geeks" I may upset by saying that Policy and Culture and Management matter "more". But if you are one of those people who are overworked, think about this:
Wouldn't your job be easier if the upper echelons of your organizations, the managers, VPs and Directors, were committed to InfoSec, took it seriously, allocated budget and resources, and worked strategically instead of only waking up in response to some incident, and even then just "patching over" instead of doing things properly?
Information Security should be Business Driven, not Technology Driven.
[1] Or devolved, depending on how you look at it.
Related articles
- Information Security By the Numbers (michaelpeters.org)
- Malware in Medical Equipment Poses Serious Threat to Hospital Security (eweek.com)
- Re: CISO Challenges: The Build vs. Buy Problem (1:2) (h30499.www3.hp.com)
- Information Security Awareness Through Analogy (clerkendweller.com)
Career Insights from Stephen Northcutt, CEO of SANS
http://www.bankinfosecurity.com/articles.php?art_id=2914 
Fascinating.
I get a lot of enquiries from wannabes who, as they put it, want to "break into security". I presume they see it as more interesting than the work they are doing.
They come in all varieties, from high-school kids asking about what degree they should take to people with no actual work experience asking if they should take a CISSP or CISM.
The luminaries of our profession, be they CISSPs or people like Marcus Ranum and Bruce Schneier who lack such certifications, all came up the same way that Stephen Northcut did and many of us here did - the long way. And gained the practical experience and understanding of the issues along the way.
Arrogant? Who? Us?
Talk about difficult to read! I hate sites like this, only slightly more than ones that use a completely black background.
- Image via Wikipedia
A large part of my "11th Domain" bleating is about communication - thinking in terms of the other person, their needs and views and how the 'message' you're sending will be received and interpreted.
The Need to Understand Culture
Some references for "The 11th Domain"
I'm going to respond to this as broadly as possible.
This is not a subject like "access control" that is hard and bound.
First, there's Human Communication.
Probably the best source for this is to take the Dale Carnegie course on
Public Speaking. No, really. I'm quite serious.
There are a number of books that are reading material for the course;
you can find them on Amazon:
How to Win Friends & Influence People
http://www.amazon.com/gp/product/0671723650?ie=UTF8&tag=emergentprope-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0671723650
How to Develop Self-Confidence And Influence People By Public Speaking
http://www.amazon.com/gp/product/0671746073?ie=UTF8&tag=emergentprope-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0671746073
The 5 Essential People Skills: How to Assert Yourself, Listen to Others,
and Resolve Conflicts
http://www.amazon.com/gp/product/1416595481?ie=UTF8&tag=emergentprope-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1416595481
and on Google
There is also the little "Golden Book" of short adages.
The "How to win friends and influence people" has sections:
- THREE FUNDAMENTAL TECHNIQUES IN HANDLING PEOPLE
- THE SIX WAYS TO MAKE PEOPLE LIKE YOU
- THE TWELVE WAYS TO WIN PEOPLE TO YOUR WAY OF THINKING
- THE NINE WAYS TO CHANGE PEOPLE WITHOUT AROUSING RESENTMENT
Now isn't that just what I've been talking about!
While those are the books, I very strongly recommend taking the course for a number of reasons. The books are 'bare bones'. Many people find them annoying as the come across as a mix of anecdotes, pollyanna and cute phrases. The course is about the difference between the noun and the verb, as I so often put it. It puts you on the spot and makes you translate the theory of the book into the reality of action.
Its a world of difference.
The books are cheap, the experience is priceless.
OK, so I'm biased: I use to be a teaching assistant for DCC.
I'll get to Social Psychology later, but heck, why not look up the syllabus and reading lists for a college course on that or Anthropology.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=806662b3-8683-40e6-b4c1-60eb82c0ed07)
Would Bill C-285 outlaw BlackBerry in Canada?
http://www.itworldcanada.com/a/Daily-News/03b813a2-f13b-4c3e-9494-ae9064f25da3.html
"When they outlaw X only criminals will have X"
... for many values of the members of the set of Y.
There's the old saw:
People who won't quit making the same mistake over
and over are what we call conservatives.
No, they are politicians.
He added that making it easier for law enforcement to tap into wireless
transmissions will probably bring those same capabilities into the hands
of the cyber criminal community. This is certainly not the
business-friendly message you want to be sending out to encourage
investment in technology during the recession, Levy said.“Especially since the very same government has placed organizations in
the financial services, health care and public sector under increasing
regulatory scrutiny to lock down their own security infrastructure.”
In reality, judging by history, if there's going to be a way to hack into things like the Blackberry the the criminals will have it long before the LE, and the LE will probably be denied funding for it by the government.
Related articles by Zemanta
- B.C. will outlaw auto secret compartments in gang fight (calgaryherald.com)
- Copyright bill would outlaw breaking digital locks (cbc.ca)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=9798f811-8bb0-454d-9e67-5f862a407750)