Interviewing is a much better method than self-certifications and a checklist, if time and resources allow.
In the ISO-27001 forum, my friend and colleague Gary Hinson has repeatedly pointed out, and I fully support him in this, that downloading checklists from the 'Net and adopting question lists from there is using a solution to someone else's problem. If that.
Each business has both generic problems (governments, sunspots, meteor strikes, floods & other apocalyptic threats and Acts of God) and ones specific to its way of working and configuration. Acts of God are best covered by prayer and insurance.
Gary recommends "open ended questions" during the interview rather than ones that require a yes/no answer. That's good, but I see problems with that. I prefer to ask "Tell me about your job" rather than "Tell me how your job ... can be made more efficient".
My second point is that risk management will *ALWAYS* fail if the risk analysis is inadequate. How much of the RA should be done by interviewing people like the sysadmins I don't know, but I have my doubts. I look to the Challenger Disaster. I started in the aviation business and we refined FMEA, Failure Mode and Effects Analysis. Some people think of this in terms of "impact", but really it's more than that, it's also causal analysis. As Les Bell, a friend who is also a pilot and interested in aviation matters, has pointed out to me, "Root Cause Analysis" is no longer adequate; failure comes about because of a number of circumstances, and it may not even be a single failure. The 'tree' fans both ways!
Yes, FMEA can't be done blindly, but failure modes that pertain to the business (which is what really counts) and the fan-in/fan-out trees can be worked out even without the technical details. Rating the "risk" is what requires the drill-down.
Which gets back to Donn Parker's point in a number of his books, though he never states it this way. The FMEA tree can be heavily pruned using diligence, as he says: standards, compliance, contracts, audits, good practices, available products. The only things he leaves out are Policy and Training. Policy gives direction and is essential to any purpose, to the choice of standards and products, and to identifying what training is needed.
All in all, the article at https://blog.anitian.com/flawed-it-risk-management/ takes a lot of words to say a few simple concepts.
How do you know WHAT assets are to be included in the ISO-27K Asset Inventory?
This question, and variants of "What are assets [for ISO27K]?", comes up often and has seen much discussion on the various InfoSec forums I subscribe to.
Perhaps some ITIL influence is needed. Or perhaps not, since that might be too reductionist.
The important thing to note here is that the POV of the accountants/book-keepers is not the same as the ISO27K one. To them, an asset is something that was purchased and either depreciates in value, according to the rules of the tax authority you operate under, or appreciates in value (perhaps) according to the market, such as land and buildings.
Here in Canada, computer hardware and software depreciate PDQ under this scheme, so that the essential software on which your company depends is deemed worthless by the accountants. Their view is that depreciable assets should be replaced when they reach the end of their accounting life. Your departmental budget may say different.
Many of the ISO27K Assets are things the accountants don't see: data, processes, relationships, know-how, documentation.
You do do backups, don't you? Backups to DVD are easy, but what software should you use?
What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I'm asking about a true risk assessment framework not merely a checklist.
Yes, this is a bit of a META-question. But then it's Sunday, a day for contemplation.
When does something like these stop being a check-list and become a framework?
COBIT is very clearly a framework, but not for risk analysis, and even the section on risk analysis fits into a business model rather than a technology model.
ISO-27K is arguably more technology (or at least InfoSec) focused than COBIT, but again risk analysis is only part of what it's about. ISO-27K calls itself a standard but in reality it's a framework.
The message that these two frameworks send about risk analysis is
Context is Everything
(You expected me to say that, didn't you?)
I'm not sure any RA method works at layer 8 or above. We all know that managers can read our reports and recommendations and ignore them. Or perhaps not read them, since being aware of the risk makes them liable.
Ah. Good point.
On LinkedIn there was a thread asking why banks seem to ignore risk analysis .. presumably because their doing so has brought us to the international financial crisis we're in (though I don't think it's that simple).
The trouble is that RA is a bit of a 'hypothetical' exercise.
What's interesting here is that this isn't preaching "The Cloud" and only mentions VDI in one paragraph (2 in the one-line expanded version).
Also interesting is the real message: "Microsoft has lost it".
Peter Drucker, the management guru, pointed out that the very last buggy-whip manufacturer in the age of automobiles was very efficient in its processes - it *HAD* to be to have survived that long. (One could say the same about sharks!)
"Keeping desktop systems in good working order is still a labour of Sisyphus .."
Indeed. But LinuxDesktop and Mac/OSX seem to be avoiding most of the problems that plague Microsoft.
A prediction, however.
The problem with DOS/Windows was that the end user was the admin and could fiddle with everything, including downloading and installing new code. We are moving that self-same problem onto smart-phones and tablets. Android may be based on Linux, but it's the same 'end user in control' model that we had with Windows. It's going to be a malware circus.
You gotta love the low-tech solution. It's really never NOT about people, is it? 🙂
Darn tooting right!
It's always people. Any way you look at it.
Which is why I go on about The 11th Domain.
Why does the CBK place so much emphasis on technology when (ISC)2's motto is "Security transcends technology", and so little on the "people" aspect: the social structures of organizations, behavioural psychology, group psychology and a lot more, all of which are "about people" and probably have greater leverage as far as InfoSec "Getting Things Done" (especially in a stress-free manner)?
As I said previously, I think we're doing it wrong; and I don't mean just Risk Assessment!
What we had drilled into us when I worked in Internal Audit and when I was preparing for the CISA exam was the following:
RISK is the
PROBABILITY that a
THREAT will exploit a
VULNERABILITY to cause harm to an
ASSET
R = f(T, V, A)
Why do you think they are called "TVAs"?
More sensibly the risk is the sum over all the various ..
This isn't just me sounding off. Richard Bejtlich says much the same thing and defends it from various sources. I can't do better than he has.
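As an added illustration (not the author's code, and not from any standard's text), here is the definition above carried through literally: a register of threat/vulnerability/asset triples, the risk of each as probability times harm, and the overall risk as the sum over all of them. The company, the entries and every figure are constructed sample values.

```python
"""Risk as a sum over threat/vulnerability/asset (TVA) triples.

Each register entry pairs a threat with the vulnerability it exploits and
the asset that is harmed; risk is accumulated over all such triples rather
than read off one score. All numbers are constructed, for a fictional firm.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TVA:
    threat: str
    vulnerability: str
    asset: str
    p_threat: float    # chance per year the threat is attempted
    p_exploit: float   # chance the attempt succeeds via this vulnerability
    loss: float        # harm to the asset if it succeeds, in dollars


def expected_loss(e: TVA) -> float:
    """R for one triple: probability the threat exploits the vulnerability, times harm."""
    return e.p_threat * e.p_exploit * e.loss


def total_risk(register: list[TVA]) -> float:
    """The 'sum over all the various' triples: annual expected loss."""
    return sum(expected_loss(e) for e in register)


def roll_up(register: list[TVA], key: str) -> dict[str, float]:
    """Aggregate expected loss by 'asset', 'threat' or 'vulnerability'."""
    totals: dict[str, float] = defaultdict(float)
    for e in register:
        totals[getattr(e, key)] += expected_loss(e)
    return dict(totals)


def prioritise(register: list[TVA]) -> list[TVA]:
    """Order triples by expected loss, highest first; this is the 'drill-down' rating."""
    return sorted(register, key=expected_loss, reverse=True)


# Constructed register (sample values only, not real data).
REGISTER = [
    TVA("phishing", "no MFA on webmail", "customer database", 0.9, 0.3, 200_000),
    TVA("phishing", "no MFA on webmail", "payroll system", 0.9, 0.3, 50_000),
    TVA("ransomware", "unpatched file server", "customer database", 0.5, 0.6, 200_000),
    TVA("flood", "server room in basement", "file server hardware", 0.02, 1.0, 40_000),
]

if __name__ == "__main__":
    for e in prioritise(REGISTER):
        print(f"{e.threat:12s} {e.vulnerability:26s} {e.asset:22s} {expected_loss(e):10,.0f}")
    print("by asset:", roll_up(REGISTER, "asset"))
    print(f"total annual expected loss: {total_risk(REGISTER):,.0f}")
```

Note that the same vulnerability ("no MFA on webmail") appears twice because it harms two different assets; a checklist that scores the vulnerability once, without the threat and asset terms, cannot produce the ranking.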
A short while ago I read an article that tried to present both sides of the issue of whether companies should shut down their desktop machines at night.
The 'pro' was of course the saving of electricity - all good and "Green".
The 'con' was that this saving would be offset by the cost in time as employees waited for the machines to boot and waited while they shut down, the latter to make sure that they didn't hang.
The article didn't discuss home users. I'm sure home users would appreciate the savings and be willing to devote the time 🙂 While many people work from home and many children use computers from home, I don't think there is a need for an 'always on' computer in the home.
(Unless you count the fridge or the microwave or the VCR clock ..)
Would turning those computers off affect that botnet? Perhaps. I've certainly met people who, when they learn I'm involved with IT, ask me why their computer runs slower than when they bought it. I ask if they run AV or other anti-malware software, purge adware ... I rarely hear from them again, but when I do it's to say that some tool like "Search-and-destroy" told them they had gazillions of malware. And they ask me where it comes from.
I don't know, I run Linux.
But that argument against turning off corporate machines is specious at many levels. Most of the staff at my clients seem to use laptops rather than desktop machines. They take them to meetings and presentations, sometimes they take them home. All this involves turning off and on. If they don't take them home at night those laptops have to be locked away, not left on the desk top. That's been policy everywhere I've worked this last decade.
The limiting case was one year I worked in a port-a-kabin.
The sub-zero overnight temperatures meant none of the workstations were operative. So we turned on the cabin heating, all the electrics, all the machinery, and went to get a coffee (aka "breakfast"). Half an hour later the cabin was warm enough for the electronics to operate. We were not allowed to leave the cabin powered up overnight.
Would shutting down the home machines each night reduce the level of spam? Perhaps. That's an incentive over and above the Green one of saving electricity. Perhaps some service provider's technician should recommend this over and above regular 'purges'.
The McAfee report doesn't make a clear distinction between commercial and residential hosts for the botnets, though it does mention that some government agencies and banking institutions in Russia are malware-laden. The large corporations that make up my clients have always had IT departments that support good front-end filtering and make sure that the workstations have up-to-date AV software. That being said, I see a lot of people who turn off their AV software. Myth or not, many still believe it affects performance.
Of course I run Linux and I don't have to worry about rogue ActiveX, and I don't run attachments I get in the mail and there are many sites I simply don't visit!
And I turn my home machines off at night.
This is somewhat dated, but so what? Most of the points raised still hold valid.
CIO/CSO: "I just went to a very important luncheon meeting. First, they bought me steak, then they showed me a PowerPoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by the end of the week!"
... and it goes on with the sad-but-true
Consultant: "Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies?"
"Sorry, I'm diabetic."
Speaking of which:
Dilbert "Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?"
How true; how poignant! And we all know the response to that:
Seriously, though: a while ago I read an article suggesting that how you title your posts or blogs was very important, and it used examples from magazines such as Cosmopolitan to illustrate that: "The top 10 ways ...", "10 things you should know" and such like were going to attract more readers.
Well heck, who wants to read an article titled:
"Six and a half ways to secure your web site".
Maybe those into reverse psychology perhaps?
But please, do fix those expired SSL certificates.
It's a good week at TechRepublic for security articles.
In the light of a number of threads this last month in the various forums I'm involved with, I found this article particularly interesting.
The real problem with the ROI debate is that it is about convincing management that spending money on InfoSec protection is worthwhile. The "B-school mentality" of management is that everything can be reduced to numbers, and many people 'speak' that language and have trouble with anything not reduced to numbers. I hope they compartmentalise and their home life is not "by numbers". (Imagine justifying the cost-effectiveness of peanut butter sandwiches in the kids' lunchbox!)
But a lot of InfoSec is too abstract for people.
In my presentations I've often given the example of the 1950s office: typewriters, ribbons, carbon paper, hanging file cabinets, copies, and mapped them to modern technology like PC terminals, keystroke recorders, hard drives and file servers, and thumb drives, and shown that the same principles apply to protecting the information whatever the technology.
So I found this a very useful article. People can easily relate to the physical, to their own home situation. We have many centuries' legacy of houses, thieves and door locks, and once people can map from something they know to the abstract, their understanding is easier, and so our justification of InfoSec measures is also easier.
It seems that people usually have logical thinking when they discuss physical security. This is not the case when they discuss logical security.
There are hundreds of companies that have invested heavily into intrusion detection systems but they have a total lack of incident response or policies associated with what to do when there is an incident detected.
When you ask them if they would buy a home alarm system that does not have a siren and does not alert the police, they always respond "No way"; however, they do this on a day-to-day basis with their logical security.
There are many other very good follow-ups to this article and I recommend reading through them.