The fatal flaw in IT Risk management
Is interviewing is a much better method that self-certifications and a checklist, if time and resources allow.
Two points:
In the ISO-27001 forum, my friend and colleague Gary Hinson has repeatedly pointed out, and I fully support him in this, that downloading check-lists from the 'Net and adopting question lists from there is using a solution to someone else's
problem. If that.
Each business has both generic problems (governments, sunspots, meteor strikes, floods & other apocalyptic threats and Acts of God) and ones specific to it way of working and configuration. Acts of God are best covered by prayer and insurance.
Gary recommends "open ended questions" during the interview rather than ones that require a yes/no answer. That's good, but I see problems with that. I prefer to ask "Tell me about your job" rather than "Tell me how your job ... can be made more efficient".
My second point is that risk management will *ALWAYS* fail if the risk analysis is inadequate. How much of the RA should be done by interviewing people like the sysadmins I don't know, but I have my doubts. I look to the Challenger Disaster. I started in the aviation business and we refines FMEA - failure Mode Effect Analysis. Some people think of this in terms of "impact", but really its more than that, its also causal analysis. As Les Bell, a friend who is also a pilot and interested in aviation matters has pointed out to me, "Root Cause Analysis" no longer is adequate, failure comes about because of a number of circumstances, and it may not even be a single failure - the 'tree' fans both ways!
Yes, FMEA can't be dome blindly, but failure modes that pertain to the business - which is what really counts -- and the fan-in/out trees can be worked out even without the technical details. Rating the "risk": is what requires the drill-down.
Which gets back to Donn Parker's point in a number of his books, though he never states it this way. The FMEA tree can be heavily pruned using diligence as he says: standards, compliance, contracts, audits, good practices, available products. The only thing he leaves out are Policy and Training. Policy gives direction and is essential to any purpose, the choice of standards and products, and identifying what training is needed.
All in all, the article at https://blog.anitian.com/flawed-it-risk-management/ takes a lot of words to say a few simple concepts.
Marketing Is Dead – Harvard Business Review
http://blogs.hbr.org/cs/2012/08/marketing_is_dead.html
Of course you have to have a catchy title, but what this really says is
... in today's increasingly social media-infused environment,
traditional marketing and sales not only doesn't work so well, it
doesn't make sense. Think about it: an organization hires people —
employees, agencies, consultants, partners — who don't come from the
buyer's world and whose interests aren't necessarily aligned with his,
and expects them to persuade the buyer to spend his hard-earned money on
something. Huh? When you try to extend traditional marketing logic into
the world of social media, it simply doesn't work.
Yes but there are assumptions there.
Marketing WHAT to WHOM?
As opposed to just selling.
See also:
Which makes the point that book publishers have come adrift as far as
marketing in the Internet world goes.
Related articles
- Marketing Isn't Dead - Just Morphing (prweb.com)
- Are There Zombies In Your Marketing? (forbes.com)
- Frustrated with Social Media Marketing Strategies for your SMB or NPO? If You Can Sell, You Can Market. (bizcommunicator.wordpress.com)
- Social Media Marketing- the way of modern Business trend (vpssell.com)
- 5 Steps to Successful Marketing With Multiple Media (startupprofessionals.com)
How to build an asset inventory for 27001
How do you know WHAT assets are to be included in the ISO-27K Asset Inventory?
This question and variants of the "What are assets [for ISO27K]?" comes up often and has seen much discussion on the various InfoSec forums I subscribe to.
Perhaps some ITIL influence is need. Or perhaps not since that might be too reductionist.
The important thing to note here is that the POV of the accountants/book-keepers is not the same as the ISO27K one. To them, an asset is something that was purchased and either depreciates in value, according to the rules of the tax authority you operate under, or appreciates in value (perhaps) according to the market, such as land and buildings.
Here in Canada, computer hardware and software depreciates PDQ under this scheme, so that the essential software on which you company depends is deemed worthless by the accountants. Their view is that depreciable assets should be replaced when they reach the end of their accounting-life. Your departmental budget may say different.
Many of the ISO27K Assets are things the accountants don't see: data, processes, relationships, know-how, documentation.
How to get a job in security
http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/
I often get hit on by wannabes who want to - as they put it - "break into security" and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most often question is about which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.
What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.
If course you could always fake it; there are plenty of diploma mills and no shortage of high profile people who have faked their resumes.
But this goes one step beyond that. This person got a job in security though faking an complete ID with all the supporting documentation:
Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.
Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.
He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.
That really inspires confidence in the system, doesn't it?
So what careful vetting and though investigation by the FBI and others uncovered this threat, a threat that could have been practised by a 'sleeper' for a terrorist organization?
Think again:
Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.
Might we suspect a disgruntled ex-lover?
Good policing that, eh? It makes you wonder how many other TSA operatives and supervisors are using fake ID or whose backgrounds and origins have not been adequately investigated.
Oh, right, there are so many of them, that level of investigation is impractical.
Didn't Bruce Schneier say something about the TSA's approach being impractical, being "Security Theatre"?
Related articles
- 'Dead Man Walking' Tricks Airport into Giving Him Top Security Job (wired.com)
- Airport worker allegedly had man's ID before death (heraldonline.com)
- Illegal immigrant used stolen ID to work as airport security supervisor for 20 years (EndtheLie.com)
- Congress considers threats from airport employees (cbsnews.com)
- Nigerian Bimbo Olumuyiwa Oyewole was known by his co-workers as Jerry Thomas (luckmeister.typepad.com)
How to decide on what DVD backup software to use
You do do backups don't you? Backups to DVD is easy, but what software to use?
- Do you want the DVD backup 'mountable'?
If it is then you can see each file and selectively restore using the normal file management tools (cp, rsync etc)
If you use some sort of 'dump' format (tar, cpio, zip or proprietary) then you will need the corresponding tool to access the backup - Why not simply k3b?But if it some down to it, there's a decision tree you can and should work though.
My choice, based upon both K.I.S.S. and bitter experience is to go with the mountable.
- - How are you 'snapshoting' your files?
If you are backing up a live system[1] then there is the risk that the backup is out of phase with itself as files get changed during the time it takes to make the backup.
My solution to this is to use the snapshot mechanism of LVM.
Logical Volume Management
- - How are you managing the backup archives?
Do you need a specific dated version of a file or directory?
Would a VCS be more appropriate than a backup system?
Sometimes you need both. I maintain changes to config (mainly in /etc/) with a VCS - AND take periodic snapshots.
- Ultimately its not about making backups, even if that seems to be the
most of the work, but the ability to restore.
A client found it easier to take whole image backups but once when having to restore a single file there was a finger-slip and he restored the complete machine state of three years previously, loosing all that days work plus the next day when the machine was out of service being restored to the last (previous) backup. The moral here is that your RESTORE strategy, as determined by your normal business functions and NOT by the convenience of the IT department, should determine your backup strategy.
- - How "automated" do you want this backup to be?
Sometimes you'll find the automation tail wags the normal operation dog.
My use of K3B means I do disk-to-disk-to-DVD. (Using LVM's snapshots)
It also means I structure my file systems so that they can be imaged onto a DVD. It means I can retrieve single files or mount the DVD and use it in place of the file system. It also means that I can create arbitrary backups, cherry-picking the files and folders to backup.
I realise this is going to be inappropriate for many sites and business functions.
This is why I STRONGLY suggest that instead of simply asking for suggestions you work through what are the key, the critical and the nice-to-have features of your backup AND RESTORE functionality.
Any package you might choose is going to have constraints and assumptions about The Way Things Are. You need to be aware of those and need to consider if they fit in with The Way You Work. A backup system that works well for a data center of ISP might be totally inappropriate and troublesome for a SMB.
[1] Once upon a long time ago systems were shutdown or all jobs
suspended for the backup. This has disrupted projects for me a number
of times.
Related articles
- Backup Programs (wiki.archlinux.org)
- Call for back up (johnlewis.com)
- O&O DiskImage 7 Professional review (betanews.com)
- Why use Online Backup? (safedatastorage.wordpress.com)
Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …
What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I'm asking about a true risk assessment framework not merely a checklist.
Yes, this is a bit of a META-Question. But then its Sunday, a day for contemplation.
When does something like these stop being a check-list and become a framework?
COBIT is very clearly a framework, but not for risk analysis and even the section on risk analysis fits in to a business model rather than a technology model.
ISO-27K is arguably more technology (or at least InfoSec) focused that COBIT, but again risk analysis is only part of what its about. ISO-27K calls itself a standard[1] but in reality its a framework.
The message that these two frameworks send about risk analysis is
Context is Everything
(You expected me to say that, didn't you?)
I'm not sure any RA method works at layer 8 or above. We all know that managers can read our reports and recommendations and ignore them. Or perhaps not read them, since being aware of the risk makes them liable.
Ah. Good point.
On LinkedIn there was a thread asking why banks seem to ignore risk analysis .. presumably because their doing so has brought us to the international financial crisis we're in (though I don't think its that simple).
The trouble is that RA is a bit of a 'hypothetical' exercise.
The Decline of the Physical Desktop
http://www.eweek.com/c/a/IT-Management/As-Foretold-by-Desktop-Managment-Tools-588370/
What's interesting here is that this isn't preaching "The Cloud" and only mentions VDI in one paragraph (2 in the one-line expanded version).
Also interesting is the real message: "Microsoft has lost it".
Peter Drucker, the management guru, pointed out that the very last buggy-whip manufacturer in the age of automobiles was very efficient in its processes - it *HAD* to be to have survived that long. (One could say the same about sharks!)
"Keeping desktop systems in good working order is still a labour of Sysiphus .."
Indeed. But LinuxDesktop and Mac/OSX seem to be avoiding most of the problems that plague Microsoft.
A prediction, however.
The problem with DOS/Windows was that the end user was the admin and could fiddle with everything, including download and install new code. We are moving that self-same problem onto smart-phones and tablets. Android may be based on Linux, but its the same 'end user in control' model that we had with Windows. Its going to be a malware circus.
Related articles
- eWEEK Review: Unidesk Simplifies VDI Deployment and Management (prweb.com)
- Dell Delivers Desktop-as-a-Service (informationweek.com)
- Zenk GmbH to Distribute Unidesk VDI Management Software in Germany (prweb.com)
- The key questions you must ask to save your virty desktop dream (go.theregister.com)
- 6 Common Desktop Virtualization Mistakes (informationweek.com)
- 5 Best Alternatives of Windows 8 (indianbloggist.com)
Security and efficiency
You gotta love the low-tech solution. It's really never NOT about people, is it? 🙂
Darn tooting right!
Its always people. Any way you look at it.
Which is why I go on about The 11th Domain.
Why the CBK places so much emphasis on technology when the (ISC)2's motto is "Security transends technology" and why the "people" aspect, social structures of organizations, behavioural psychology, group psychology and lot more, all of which are "about people" and probably have a greater leverage as far as InfoSec "Getting Things Done" (Especially in a stress-free manner_.
As I said previously, I think we're doing it wrong; and I don't mean just Risk Assessment!
The Classical Risk Equation
What we had drilled into us when I worked in Internal Audit and when I was preparing for the CISA exam was the following
RISK is the
PROBABILITY that a
THREAT will exploit a
VULNERABILITY to cause harm to an
ASSET
R = f(T, V, A)
Why do you think they are called "TVAs"?
More sensibly the risk is the sum over all the various ..
This isn't just me sounding off. Richard Bejtlich says much the same thing and defends it from various sources. I can't do better that he has.
The Need to Understand Culture
Some references for "The 11th Domain"
I'm going to respond to this as broadly as possible.
This is not a subject like "access control" that is hard and bound.
First, there's Human Communication.
Probably the best source for this is to take the Dale Carnegie course on
Public Speaking. No, really. I'm quite serious.
There are a number of books that are reading material for the course;
you can find them on Amazon:
How to Win Friends & Influence People
http://www.amazon.com/gp/product/0671723650?ie=UTF8&tag=emergentprope-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0671723650
How to Develop Self-Confidence And Influence People By Public Speaking
http://www.amazon.com/gp/product/0671746073?ie=UTF8&tag=emergentprope-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0671746073
The 5 Essential People Skills: How to Assert Yourself, Listen to Others,
and Resolve Conflicts
http://www.amazon.com/gp/product/1416595481?ie=UTF8&tag=emergentprope-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=1416595481
and on Google
There is also the little "Golden Book" of short adages.
The "How to win friends and influence people" has sections:
- THREE FUNDAMENTAL TECHNIQUES IN HANDLING PEOPLE
- THE SIX WAYS TO MAKE PEOPLE LIKE YOU
- THE TWELVE WAYS TO WIN PEOPLE TO YOUR WAY OF THINKING
- THE NINE WAYS TO CHANGE PEOPLE WITHOUT AROUSING RESENTMENT
Now isn't that just what I've been talking about!
While those are the books, I very strongly recommend taking the course for a number of reasons. The books are 'bare bones'. Many people find them annoying as the come across as a mix of anecdotes, pollyanna and cute phrases. The course is about the difference between the noun and the verb, as I so often put it. It puts you on the spot and makes you translate the theory of the book into the reality of action.
Its a world of difference.
The books are cheap, the experience is priceless.
OK, so I'm biased: I use to be a teaching assistant for DCC.
I'll get to Social Psychology later, but heck, why not look up the syllabus and reading lists for a college course on that or Anthropology.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=806662b3-8683-40e6-b4c1-60eb82c0ed07)
About creating Corporate IT Security Policies
As I've said before, you should not ask yourself what policies to write but what you need to control. If you begin with a list of polices, you need to adapt the reality to the list. The risk is that you create a false sense of control of security.
The threat-risk approach is 'technical', and as we've discussed many times, the list of threats cannot be fully enumerated, so this is a ridiculous approach.
Basing policy on risk is also a fruitless approach as it means you are not going to face some important points about policy.
Policy is for people. Its not technical, its about social behaviour and expectations.
Policy can be an enabler, but if you think only about risk you will only see the negatives; your policies will all be of the form "Don't do that".
Policies should tell people what they should do, what is expected of them, give them guidance.
Policies also have to address the legal and regulatory landscape. As such they may also address issues of ethics, which again is not going to be addressed by a threat-risk approach.
All in all, if you follow Mark's advice you may write policies that seem OK, but when it comes to following them it will be like the song from the 70s by The Five Man Electric Band:
Sign Sign everywhere a sign
Blocking out the scenery breaking my mind
Do this, don't do that, can't you read the sign
and people will feel put upon and that the company is playing Big Brother. You will have heavy-handed rules that are resented and not clearly understood by all employees.
Policies are there to control the behaviour of people in the corporate setting. Think in terms of people and behaviour, not in terms of threats and risks.
Policies are to guide and control behaviour of people, not of machines and software.
Think of policies as having these kinds of objectives and you will be on a firm footing:
- Shift attitudes and change perspectives
- Demonstrate management support
- Assure consistency of controls
- Establish a basis for disciplinary action
- Avoid liability for negligence
- Establish a baseline against which to measure performance and improvement
- Coordinate activities
and of course something important to all of us toiling in InfoSec
- Establish a basis for budget and staffing to implement and enforce the policies
Policies need to be created from the point of view of management, not as a set of techie/geek rules, which the threat/risk approach would lead to.
Not least of all because, as I'm sure Donn Parker will point out, managers don't want to hear all that bad stuff about threats; they want policies that encourage staff to contribute to the profitability of the
company.
Related articles
- How to create an effective social-media policy for your company (smartblogs.com)
- 6 Tips For Great IT Security Policies (itexpertvoice.com)
- Helping Employees Get Corporate Security Policy (pcworld.com)
- Creating an Enterprise Employee Social Media Policy (itexpertvoice.com)
The U.S. has 18 percent of its machines controlled by botnets
http://blogs.zdnet.com/BTL/?p=17459&tag=nl.e589
A short while ago I read an article that tried to present both sides of the issue of whether companies should shut down their desktop machines at night.
The 'pro' was of course the saving of electricity - all good and "Green".
The 'con' was that this saving would be offset by the cost in time as employees waited for the machines to book and waited while they shut down - the latter to make sure that they didn't hang.
The article didn't discuss home users. I'm sure home users would appreciate the savings and be willing to devote the time 🙂 While many people work from home and many children use computers from home, I don't think there is a need for an 'always on' computer in the home.
(Unless you count the fridge or the microwave or the VCR clock ..)
Would turning those computers off affect that botnet? Perhaps. I've certainly met people who when they learn I'm involved with IT ask me why their computer runs slower than when they bought it. I ask if they run AV or other anti-malware software, purge adware ... I rarely hear from them again but when I do its to say that some tool like "Search-and-destroy" told them they had gazillions of malware. And they ask me where it comes from.
I don't know, I run Linux.
But that argument against turning off corporate machines is specious at many levels. Most of the staff at my clients seem to use laptops rather than desktop machines. They take them to meetings and presentations, sometimes they take them home. All this involves turning off and on. If they don't take them home at night those laptops have to be locked away, not left on the desk top. That's been policy everywhere I've worked this last decade.
The limiting case was one year I worked in a port-a-kabin.
The sub-zero overnight temperatures meant none of the workstations were operative. So we turned on the cabin heating all the electrics, all the machinery and went to get a coffee (aka "breakfast"). Half an hour later the cabin was warm enough for the electronics to operate. We were not allowed to leave the cabin powered up overnight.
Would shutting down the home machines each night reduce the level of spam? Perhaps. That's an incentive over and above the Green one of saving electricity. Perhaps some service provider service technician should recommend this over and above regular 'purges'.
The McAfee report doesn't make a clear distinction between commercial and residential hosts for the botnets, though it does mention some government agencies and banking institutions in Russia are
malware-laden. The large corporations that make up my clients have always had IT departments that support good front-end filtering and making sure that the workstations have up to date AV software. That being said, I see a lot of people who turn off their AV software. Myth or not, many still believe it affects performance.
Of course I run Linux and I don't have to worry about rogue ActiveX, and I don't run attachments I get in the mail and there are many sites I simply don't visit!
And I turn my home machines off at night.
Related articles by Zemanta
- How to Detect and Prevent Psyb0t, the Linux Router Worm (slumpedoverkeyboarddead.com)
- McAfee: Enabling Malware Distribution and Fraud (readwriteweb.com)
- Spam 'produces 17m tons of CO2' (news.bbc.co.uk)
- OS X 'pirate' trojan resurfaces (vnunet.com)
- Conficker virus begins to attack PCs (canada.com)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=0fa2053e-01cf-4ccc-b7dd-7b711ecaeffc)
OWASP Top Ten is really the OWASP Top 6.5
- Image via Wikipedia
http://secureme.blogspot.com/2005/10/owasp-top-ten-is-really-owasp-top-65.html
This is somewhat dated, but so what? Most of the points raised still hold valid.
It opens:
CIO/CSO: "I just went to a very important luncheon meeting. First, they bought me steak, then they showed me powerpoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by then end of the week!"
... and it goes on with the sad-but-true
Consultant: "Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies?
Sorry, I'm diabetic."
Wasn't there a Dilbert strip about that? "Invoking the awesome power of certification"?
Speaking of which:
Dilbert "Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?"
How true; how poignant! And we all know the response to that:
Consultant: "I'm sorry that is not on the list! hmm what to do? I will use the consultants Top Ten Scarry Word List!" Sarbanes-Oxley, HIPAA, PCI..."
Seriously, though: a while ago I read an article suggesting that how you title you posts or blogs was very important and used examples from magazines such as Cosmopolitan to illustrate that: "The top 10 ways ...", "10 things you should know" and such like were going to attract more readers.
Well heck, who wants to read an article titled:
"Six and a half ways to secure your web site".
Maybe those into reverse psychology perhaps?
But please, do fix those expired SSL certificates.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=ff27b3b5-4fb8-4da6-a9ee-e110bff553e4)
Ten (+1) reasons to treat network security like home security
http://blogs.techrepublic.com.com/security/?p=274
Its a good week at TechRepublic for security articles.
In the light of a number of threads this last month in the various forums I'm invovled with I found this article particularly interesting.
The real problem with the ROI debate is that it is about convincing management that spending money on InfoSec protection is worth while. The "B-school mentality" of management is that everything can be reduced to numbers, and many people 'speak' that language and have troubles with anything not reduced to numbers. I hope they compartmentalise and and their home life s not "by numbers". (Imagine justifying the cost effectiveness of peanut butter sandwiches in the kids lunchbox!)
But a lot of InfoSec is too abstract for people.
In my presentations I've often given the example of the 1950s office: typewriters, ribbons, carbon paper, hanging file cabinets, copies, and mapped them to modern technology like PC terminals, keystroke recorders, hard drives and file file servers, and thumb drives, and shown that the same principles apply to protecting the information whatever the technology.
So I found this a very useful article. People can easily relate to the physical, to their own home situation. We have many centuries legacy of houses, thieves and door locks and once people can map from something they know to to abstract their understanding is easier, and so our justification of InfoSec measures is also easier.
My fellow CISSP Clement Dupuis posted a very good response to this article, and I'm sure he won't mind me quoting him:
It seems that people usually have logical thinking when they discuss physical security. This is not the case when they discuss logical security.
There are hundreds of companies that have invested heavily into intrusion detection systems but they have a total lack of incident response or policies associated with what to do when there is an incident detected.
When you ask them if they would buy an home alarm system that does not have a siren and does not alert the police they always respond "No way", however they do this on a day to day basis with their logical security.
There are many other very good follow-ups to this article and I recommend reading though them.