How much Risk Assessment is needed?

In many of the InfoSec forums I subscribe to people regularly as  the “How long is a piece of string” question:

How extensive a risk assessment is required?

It’s a perfectly valid question we all have faced, along with the “where do I begin” class of questions.

The ISO-27001 standard lays down some necessities, such as your asset register, but it doesn’t tell you the detail necessary. You can choose to say “desktop PCs” as a class without addressing each one, or even addressing the different model. You can say “data centre” without having to enumerate every single component therein.

At first. Continue reading How much Risk Assessment is needed?

On the HP Printer Hack

The hack to make the HP printers burn was interesting, but lets face it, a printer today is a  special purpose computer and a computer almost always has a flaw which can be exploited.
In his book on UI design “The Inmates are Running the Asylum”, Alan Cooper makes the point that just about everything these days, cameras, cars, phones, hearing aids, pacemakers, aircraft, traffic lights … have computers  running them and so what we interface with is the computer not the natural mechanics of the device any more.

Applying this observation makes this a very scary world. More like Skynet in the Terminator movies now that cars have Navi*Star and that in some countries the SmartStreets traffic systems have the traffic lights telling each other about their traffic flow. Cameras already have wifi so they can upload to the ‘Net-of-a-Thousand-Lies.

Some printers have many more functions; some being fax, repro, and scanning as well as printing a document.   And look at firewalls. Look at all the additional functions being
poured into them because of the “excess computing facility” – DNS, Squid-like caching, authentication …

I recently bought a LinkSys for VoIP, and got the simplest one I could find. I saw models that were also wifi routers, printer servers and more all bundled onto the “gateway” with the “firewall” function. And the firewall was a lot less capable than in my old SMC Barricade-9 home router.

I’m dreading what the home market will have come IP6

I recall the Chinese curse: yes we live in “interesting security issue” times!

But in the long run of things the HP Printer Hack isn’t that serious.   After all, how many printers are exposed to the Internet.    We have to ask “how likely is that?”.
Too many places (and people) put undue emphasis on Risk Analysis and ask “show me the numbers” questions. As if everyone who has been hacked (a) even knows abut it and (b) is willing to admit to the details.

No, I agree with Donn Parker; there are many things we can do that are in the realm of “common sense” once you get to stop and think about it. Many protective controls are “umbrellas”, that its about how you configure your already paid-for-and-installed (you did install it, didn’t you, its not sitting in the box in the wiring closet) firewall; by spending the money you would have spent anyway for the model that has better control/protection — you do this with your car: air-bags, ABS and so on so why not with IT equipment? The “Baseline” is more often about proper decisions and proper configuration than “throwing money at it” the way governments and government agencies do.

Beyond the signal-to-noise

There’s a hump in the curve, way, way out beyond the six sigma point …

Shea and Wilson were almost on it when the pointed out that a ‘conspiracy’ with five vectors is more than most people can handle.  Well not any more if you use computers, have good sampling and know how
to use autocorrelation to extract signal from noise. Communication their says that you can extract energy – and by implication information – from the heat death of the universe if you do it properly. However
seeing how we usually don’t act until we are at the watershed I suspect we won’t set up that structure for political reasons. Continue reading Beyond the signal-to-noise

Unfortunately, SNMPv2 is not secure

You betcha its not!

There are GOOD practices for deploying SNMP.
The BEST practice is to avoid V2.
If you must SNMP then use v3
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1078248,00.html
http://www.snmp.com/snmpv3/v3white.shtml
or http://www.tcpipguide.com/free/t_SNMPVersion3SNMPv3MessageFormat.htm
if you are feeling geekish.

However my personal view is DON’T DO IT.
Continue reading Unfortunately, SNMPv2 is not secure

Encyclopedia of IT terms

CMP ChannelWeb have an on-line encyclopaedia of IT terms. This is a useful addition to my toolbar for composition, along with a more conventional dictionary.

The definition of ‘information security‘ seems limited to access control, which is very disappointing. The definition for ‘computer security‘ is more comprehensive. Never the less, to a security professional both these definitions are lacking.

What screams out to me, and this is very obviously my bias, is the lack of any mention of INTEGRITY in these definitions. As I keep pointing out, if you don’t have integrity, any other efforts at security, be it information security, or “Gates, Guards, Guns and Dogs” physical security, be it backup and disaster recovery, be it access control, be it 1024-bit SSL, are all going to be pointless.

Its not until we follow a few links at the Encyclopaedia do we come to a mention of Donn Parker‘s six fundamental and orthogonal attributes of security is there mention of ‘integrity’. Even so, that definition has only a like to ‘data integrity‘. There is a separate definition for ‘message integrity‘. While these specific items are important, they are details. What is lacking is a general definition of “Integrity”. Once again, Fred Cohen’s seminal 1997 article on the importance of Integrity comes to mind.

No, a much better reference is Rob Slade’sDictionary of Information Security“, which, of necessity, encompasses many IT terms.

Enhanced by Zemanta

The CISSP Forum FAQ

CISSP Logo

Its one of those bootstrap problems – the new CISSPs who need to read the information can’t get at the FAQ on how to sign up for the CISSPForum because they need to be members of the forum in order to read the instructions.

Yes, I know the information is at the (ISC)2 web site, but that’s an incredibly difficult site to navigate.

Because of this, Gary Hinson and myself, each quite independently, took the CISSP Forum FAQ and converted it to a web page, adding hyperlinks etc. The two pages are at:

Both sites are very rich, but very different in nature. Gary makes use of custom mind-maps to assisit in navigation, whereas the Wiki allows for registered members – CISSPs – to contribute.

The CISSP Forum at YahooGroups is very active. It is not a purely technical group, but an active support group for CISSPs. It handles well over 1,000 messages a month and is the kind of “social network” that some vendors would pay millions of dollars to own – if it wasn’t a closed group that spurns advertising.

The astounding thing is that so few CISSPs know about it. (ISC)2 seems to make no effort to publicise it to people as they gain their certification.
If you are a CISSP, visit either of those two pages, or better still go directly to the (ISC)2 web page for registration – https://www.isc2.org/cgi/cissp_forum.cgi – and sign up.

Technorati Tags: , , , ,

Enhanced by Zemanta