How-to – The InfoSec Blog

The fatal flaw in IT Risk management

Is interviewing is a much better method that self-certifications and a checklist, if time and resources allow.
Two points:

In the ISO-27001 forum, my friend and colleague Gary Hinson has repeatedly pointed out, and I fully support him in this, that downloading check-lists from the ‘Net and adopting question lists from there is using a solution to someone else’s
problem. If that.

Each business has both generic problems (governments, sunspots, meteor strikes, floods & other apocalyptic threats and Acts of God) and ones specific to it way of working and configuration. Acts of God are best covered by prayer and insurance.

Gary recommends “open ended questions” during the interview rather than ones that require a yes/no answer. That’s good, but I see problems with that. I prefer to ask “Tell me about your job” rather than “Tell me how your job … can be made more efficient”.

My second point is that risk management will *ALWAYS* fail if the risk analysis is inadequate. How much of the RA should be done by interviewing people like the sysadmins I don’t know, but I have my doubts. I look to the Challenger Disaster. I started in the aviation business and we refines FMEA – failure Mode Effect Analysis. Some people think of this in terms of “impact”, but really its more than that, its also causal analysis. As Les Bell, a friend who is also a pilot and interested in aviation matters has pointed out to me, “Root Cause Analysis” no longer is adequate, failure comes about because of a number of circumstances, and it may not even be a single failure – the ‘tree’ fans both ways!

Yes, FMEA can’t be dome blindly, but failure modes that pertain to the business – which is what really counts — and the fan-in/out trees can be worked out even without the technical details. Rating the “risk”: is what requires the drill-down.

Which gets back to Donn Parker‘s point in a number of his books, though he never states it this way. The FMEA tree can be heavily pruned using diligence as he says: standards, compliance, contracts, audits, good practices, available products. The only thing he leaves out are Policy and Training. Policy gives direction and is essential to any purpose, the choice of standards and products, and identifying what training is needed.

All in all, the article at https://blog.anitian.com/flawed-it-risk-management/ takes a lot of words to say a few simple concepts.

Marketing Is Dead – Harvard Business Review

http://blogs.hbr.org/cs/2012/08/marketing_is_dead.html

Of course you have to have a catchy title, but what this really says is

… in today’s increasingly social media-infused environment,
traditional marketing and sales not only doesn’t work so well, it
doesn’t make sense. Think about it: an organization hires people —
employees, agencies, consultants, partners — who don’t come from the
buyer’s world and whose interests aren’t necessarily aligned with his,
and expects them to persuade the buyer to spend his hard-earned money on
something. Huh? When you try to extend traditional marketing logic into
the world of social media, it simply doesn’t work.

Yes but there are assumptions there.
Marketing WHAT to WHOM?

As opposed to just selling.

How to build an asset inventory for 27001

How do you know WHAT assets are to be included in the ISO-27K Asset Inventory?

This question and variants of the “What are assets [for ISO27K]?” comes up often and has seen much discussion on the various InfoSec forums I subscribe to.

Perhaps some ITIL influence is need. Or perhaps not since that might be too reductionist.

The important thing to note here is that the POV of the accountants/book-keepers is not the same as the ISO27K one. To them, an asset is something that was purchased and either depreciates in value, according to the rules of the tax authority you operate under, or appreciates in value (perhaps) according to the market, such as land and buildings.

Here in Canada, computer hardware and software depreciates PDQ under this scheme, so that the essential software on which you company depends is deemed worthless by the accountants. Their view is that depreciable assets should be replaced when they reach the end of their accounting-life. Your departmental budget may say different.

Many of the ISO27K Assets are things the accountants don’t see: data, processes, relationships, know-how, documentation. Continue reading How to build an asset inventory for 27001

How to get a job in security

http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/

I often get hit on by wannabes who want to – as they put it – “break into security” and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most often question is about which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.

What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.

If course you could always fake it; there are plenty of diploma mills and no shortage of high profile people who have faked their resumes.

But this goes one step beyond that. This person got a job in security though faking an complete ID with all the supporting documentation:

Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.

Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.

He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.

That really inspires confidence in the system, doesn’t it?

So what careful vetting and though investigation by the FBI and others uncovered this threat, a threat that could have been practised by a ‘sleeper’ for a terrorist organization?

Think again:

Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.

Might we suspect a disgruntled ex-lover?

Good policing that, eh? It makes you wonder how many other TSA operatives and supervisors are using fake ID or whose backgrounds and origins have not been adequately investigated.

Oh, right, there are so many of them, that level of investigation is impractical.

Didn’t Bruce Schneier say something about the TSA’s approach being impractical, being “Security Theatre“?

‘Dead Man Walking’ Tricks Airport into Giving Him Top Security Job (wired.com)
Airport worker allegedly had man’s ID before death (heraldonline.com)
Illegal immigrant used stolen ID to work as airport security supervisor for 20 years (EndtheLie.com)
Congress considers threats from airport employees (cbsnews.com)
Nigerian Bimbo Olumuyiwa Oyewole was known by his co-workers as Jerry Thomas (luckmeister.typepad.com)

How to decide on what DVD backup software to use

You do do backups don’t you? Backups to DVD is easy, but what software to use?

– How are you managing the backup archives?
Do you need a specific dated version of a file or directory?
Would a VCS be more appropriate than a backup system?

Sometimes you need both. I maintain changes to config (mainly in /etc/) with a VCS – AND take periodic snapshots.

Ultimately its not about making backups, even if that seems to be the
most of the work, but the ability to restore.

A client found it easier to take whole image backups but once when having to restore a single file there was a finger-slip and he restored the complete machine state of three years previously, loosing all that days work plus the next day when the machine was out of service being restored to the last (previous) backup. The moral here is that your RESTORE strategy, as determined by your normal business functions and NOT by the convenience of the IT department, should determine your backup strategy.

– How “automated” do you want this backup to be?
Sometimes you’ll find the automation tail wags the normal operation dog.

My use of K3B means I do disk-to-disk-to-DVD. (Using LVM’s snapshots)
It also means I structure my file systems so that they can be imaged onto a DVD. It means I can retrieve single files or mount the DVD and use it in place of the file system. It also means that I can create arbitrary backups, cherry-picking the files and folders to backup.

I realise this is going to be inappropriate for many sites and business functions.

This is why I STRONGLY suggest that instead of simply asking for suggestions you work through what are the key, the critical and the nice-to-have features of your backup AND RESTORE functionality.

Any package you might choose is going to have constraints and assumptions about The Way Things Are. You need to be aware of those and need to consider if they fit in with The Way You Work. A backup system that works well for a data center of ISP might be totally inappropriate and troublesome for a SMB.

[1] Once upon a long time ago systems were shutdown or all jobs
suspended for the backup. This has disrupted projects for me a number
of times.

Backup Programs (wiki.archlinux.org)
Call for back up (johnlewis.com)
O&O DiskImage 7 Professional review (betanews.com)
Why use Online Backup? (safedatastorage.wordpress.com)

http://blogs.zdnet.com/BTL/?p=17459&tag=nl.e589

A short while ago I read an article that tried to present both sides of the issue of whether companies should shut down their desktop machines at night.

The ‘pro’ was of course the saving of electricity – all good and “Green“.

The ‘con’ was that this saving would be offset by the cost in time as employees waited for the machines to book and waited while they shut down – the latter to make sure that they didn’t hang.

The article didn’t discuss home users. I’m sure home users would appreciate the savings and be willing to devote the time 🙂 While many people work from home and many children use computers from home, I don’t think there is a need for an ‘always on‘ computer in the home.
(Unless you count the fridge or the microwave or the VCR clock ..)

Would turning those computers off affect that botnet? Perhaps. I’ve certainly met people who when they learn I’m involved with IT ask me why their computer runs slower than when they bought it. I ask if they run AV or other anti-malware software, purge adware … I rarely hear from them again but when I do its to say that some tool like “Search-and-destroy” told them they had gazillions of malware. And they ask me where it comes from.

I don’t know, I run Linux.

But that argument against turning off corporate machines is specious at many levels. Most of the staff at my clients seem to use laptops rather than desktop machines. They take them to meetings and presentations, sometimes they take them home. All this involves turning off and on. If they don’t take them home at night those laptops have to be locked away, not left on the desk top. That’s been policy everywhere I’ve worked this last decade.

The limiting case was one year I worked in a port-a-kabin.
The sub-zero overnight temperatures meant none of the workstations were operative. So we turned on the cabin heating all the electrics, all the machinery and went to get a coffee (aka “breakfast”). Half an hour later the cabin was warm enough for the electronics to operate. We were not allowed to leave the cabin powered up overnight.

Would shutting down the home machines each night reduce the level of spam? Perhaps. That’s an incentive over and above the Green one of saving electricity. Perhaps some service provider service technician should recommend this over and above regular ‘purges’.

The McAfee report doesn’t make a clear distinction between commercial and residential hosts for the botnets, though it does mention some government agencies and banking institutions in Russia are
malware-laden. The large corporations that make up my clients have always had IT departments that support good front-end filtering and making sure that the workstations have up to date AV software. That being said, I see a lot of people who turn off their AV software. Myth or not, many still believe it affects performance.

Of course I run Linux and I don’t have to worry about rogue ActiveX, and I don’t run attachments I get in the mail and there are many sites I simply don’t visit!

And I turn my home machines off at night.

How to Detect and Prevent Psyb0t, the Linux Router Worm (slumpedoverkeyboarddead.com)
McAfee: Enabling Malware Distribution and Fraud (readwriteweb.com)
Spam ‘produces 17m tons of CO2’ (news.bbc.co.uk)
OS X ‘pirate’ trojan resurfaces (vnunet.com)
Conficker virus begins to attack PCs (canada.com)

M	T	W	T	F	S	S
« Nov
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30

Category: How-to

The fatal flaw in IT Risk management

How to build an asset inventory for 27001

How to decide on what DVD backup software to use

Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …

The Decline of the Physical Desktop

Security and efficiency

The Classical Risk Equation

The U.S. has 18 percent of its machines controlled by botnets

OWASP Top Ten is really the OWASP Top 6.5

Ten (+1) reasons to treat network security like home security

Intel Sets McAfee Free …

… becoming what Intel bills as one of the world’s biggest “pure-play cybersecurity companies.”

Related articles

Related articles

Related articles

Related articles

Related articles

Related articles by Zemanta