Confusion over Physical Assets, Information Assets in ISO-27000
I often explain that Information Security focuses on Information Assets.
Some day, on the corporate balance sheet, there will be an entry
which reads, "Information"; for in most cases the information is
more valuable than the hardware which processes it.
-- Adm. Grace Murray Hopper, USN Ret.
Some people see this as a binary absolute - they think that there's no need to asses the risks to the physical assets or that somehow this is automatically considered when assessing the risk to information.
The thing is there are differing types of information and differing types of containers for them.
The #1 Reason Leadership Development Fails
http://www.forbes.com/sites/mikemyatt/2012/12/19/the-1-reason-leadership-development-fails/
I wouldn't have though, based on the title, that I'd be blogging about this, but then again one can get fed up with fed up with purely InfoSec blogs, ranting and raving about technology, techniques and ISO27000 and risk and all that.
But this does relate somewhat to security as awareness training, sort of ...
My problem with training per se is that it presumes the need for indoctrination on systems, processes and techniques. Moreover, training assumes that said systems, processes and techniques are the right way to do things. When a trainer refers to something as “best practices” you can with great certitude rest assured that’s not the case. Training focuses on best practices, while development focuses on next practices. Training is often a rote, one directional, one dimensional, one size fits all, authoritarian process that imposes static, outdated information on people. The majority of training takes place within a monologue (lecture/presentation) rather than a dialog. Perhaps worst of all, training usually occurs within a vacuum driven by past experience, not by future needs.
Another Java bug: Disable the java setting in your browser
http://www.kb.cert.org/vuls/id/625617
Java 7 Update 10 and earlier contain an unspecified vulnerability
that can allow a remote, unauthenticated attacker to execute arbitrary
code on a vulnerable system.
By convincing a user to visit a specially crafted HTML document,
a remote attacker may be able to execute arbitrary code on a vulnerable
system.
Well, yes .... but.
Are we fighting a loosing battle?
The New York Times is saying out loud what many of us (see Vmyths.com and Rob Rosenberger have known in our hearts for a long time. AV products don't work.
An “11th Domain” book.
http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm
Gary Hinson makes the point here that Rebecca Herrold makes elsewhere: 
Awareness training is important.
I go slightly further and think that a key part of a security practitioners professional knowledge should be about human psychology and sociology, how behaviour is influenced. I believe we need to know this from two aspects:
First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. many workers complain that their managers, their executives seem t go off at a tangent, ignore "the facts". We speak of decisions drive by articles
in "glossy airline magazines" and by often distorted cultural myths. "What Would the Captain Do?", or Hans Solo or Rambo might figure more than "What Would Warren Buffett Do" or "What Does Peter Drucker Say About A Situation Like This?". We can only be thankful that most of the time most managers and executive are more rational than this, but even so ...
Marketing Is Dead – Harvard Business Review
http://blogs.hbr.org/cs/2012/08/marketing_is_dead.html
Of course you have to have a catchy title, but what this really says is
... in today's increasingly social media-infused environment,
traditional marketing and sales not only doesn't work so well, it
doesn't make sense. Think about it: an organization hires people —
employees, agencies, consultants, partners — who don't come from the
buyer's world and whose interests aren't necessarily aligned with his,
and expects them to persuade the buyer to spend his hard-earned money on
something. Huh? When you try to extend traditional marketing logic into
the world of social media, it simply doesn't work.
Yes but there are assumptions there.
Marketing WHAT to WHOM?
As opposed to just selling.
See also:
Which makes the point that book publishers have come adrift as far as
marketing in the Internet world goes.
Related articles
- Marketing Isn't Dead - Just Morphing (prweb.com)
- Are There Zombies In Your Marketing? (forbes.com)
- Frustrated with Social Media Marketing Strategies for your SMB or NPO? If You Can Sell, You Can Market. (bizcommunicator.wordpress.com)
- Social Media Marketing- the way of modern Business trend (vpssell.com)
- 5 Steps to Successful Marketing With Multiple Media (startupprofessionals.com)
Steve Wozniak: Cloud Computing Will Cause ‘Horrible Problems In The
Perhaps The Woz isn't the influence he once was, and certainly not on Wall Street and the consumer market place.
The unbounded RAH-RAH-RAH for the "Cloud" is a lot like the DotComBoom in many ways. No doubt we will see a Crash rationalization.
Related articles
- Steve Wozniak says "Cloud Nein!" (beanstalk-inc.com)
- Steve Wozniak calls Apple arrogant: 'I wish the iPhone 5 was wider' (macworld.co.uk)
- Security and Control in the Cloud (cloudcomputing.sys-con.com)
- Wozniak applies for Australian citizenship (upi.com)
Tight budgets no excuse for SMBs’ poor security readiness
http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/
From the left hand doesn't know what the right hands is doing department:
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.
Well, lets leave the vested interests of security sales aside for a moment.
I read recently an article about the "IT Doesn't matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, don't follow good practices (never mind good security), this is all a moot point.
Escalation
http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
At one level there's the old argument about disclosure of security holes, but this is also an example of 'driving' security improvement.
Related articles
- How a trio of hackers brought Google's reCAPTCHA to its knees (arstechnica.com)
- Google's reCAPTCHA briefly cracked (h-online.com)
- How Hackers Nearly Took Down Google's ReCaptcha System (gizmodo.com.au)
- How Hackers Listened Their Way Around Google's Recaptcha (tech.slashdot.org)
- How Hackers Nearly Took Down Google's reCaptcha System (gizmodo.co.uk)
Why Info Sec Positions Go Unfilled
http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/
There are many holes in this, but I think they miss some important points.
First is setting IT HR to look for Infosec.
That is because many people think InfoSec is a IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was the debate: "Should Infosec report to IT?" The overall decision was no;. Infosec might need to 'pull the plug' on IT to protect the organization.
Second there is the vast amount of technology claiming to do InfoSec.
It is all network (and hence IT) as opposed to business fulfilment. This has now spread to "Governance". You can buy governance software. What does this do for the ethical outlook of the executive, the board and management? How is Governance tied to risk management and accountability and visibility by this software?
Technology won't solve your problems when technology *is* your problem.
InfoSec is about protecting the organization's information assets: those assets can be people, processes or information. Yes technology may support that just as technology puts a roof over your head (physical security) and somewhere to store the information. Once this was typewriters, and hand-cranked calculators and filing cabinets, and copying was with carbon paper. The technology may have changed but most of the fundamental principles have not. In particular the ones to do with attitudes and people are the same now as they were 50 or 100 years ago.
Related articles
- Bruce Schneier on the mic: InfoSec 2012 (blog.bt.com)
- InfoSec Sniffs Out Security Risks (prweb.com)
- Incomplete Thought: Offensive Computing - The Empire Strikes Back (rationalsecurity.typepad.com)
- The Infosec Investment Equation: Can You Solve It?... (neirajones.blogspot.com)
- Myth or Fact? Debunking 15 of the Biggest Information Security Myths (tripwire.com)
How to get a job in security
http://www.wired.com/threatlevel/2012/05/airport-security-id-theft/
I often get hit on by wannabes who want to - as they put it - "break into security" and get a job as a security consultant. Perhaps the media has something to do with it, making it look glamorous when in fact it is tedious and requires a lot of study and self-discipline. The most often question is about which certification they should get first in order to get a job. Some people seem to view certification as a job ticket because so many job postings have various certifications as a requirement.
What these people are forgetting is that a certification is there to certify you have the experience; you need the experience to get the certification.
If course you could always fake it; there are plenty of diploma mills and no shortage of high profile people who have faked their resumes.
But this goes one step beyond that. This person got a job in security though faking an complete ID with all the supporting documentation:
Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.
Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.
He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.
That really inspires confidence in the system, doesn't it?
So what careful vetting and though investigation by the FBI and others uncovered this threat, a threat that could have been practised by a 'sleeper' for a terrorist organization?
Think again:
Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey’s inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.
Might we suspect a disgruntled ex-lover?
Good policing that, eh? It makes you wonder how many other TSA operatives and supervisors are using fake ID or whose backgrounds and origins have not been adequately investigated.
Oh, right, there are so many of them, that level of investigation is impractical.
Didn't Bruce Schneier say something about the TSA's approach being impractical, being "Security Theatre"?
Related articles
- 'Dead Man Walking' Tricks Airport into Giving Him Top Security Job (wired.com)
- Airport worker allegedly had man's ID before death (heraldonline.com)
- Illegal immigrant used stolen ID to work as airport security supervisor for 20 years (EndtheLie.com)
- Congress considers threats from airport employees (cbsnews.com)
- Nigerian Bimbo Olumuyiwa Oyewole was known by his co-workers as Jerry Thomas (luckmeister.typepad.com)
If Customers Ask for More Choice, Don’t Listen
Customers are Ignoring You (Photo credit: ronploof)
http://blogs.hbr.org/cs/2012/05/customers_arent_as_savvy_as_yo.html
Perhaps the reason that Apple is ahead with the iPod, iPhone and iPad is that the competitors are offering too much choice.
That being said, 'competitive advantage' can lead to paralysis.
In the auto world, each badge, each product line has an 'advantage'.
But what many customers want is a blend.
Suppose you had
- the hydropnumatic suspension of Citroen
- the crash survivability of Volvo
- the fantastic new six speed high efficiency automatic gearbox that Chrysler is soon to release
- the BOSE sound system of a BMW
- the capacity of a Dodge minivan
- the fuel efficiency of a Prius
- the twin camera automatic following/crash avoidance system of a Subaru
all rolled into one ....
The problem is that you can't.
For a while, the IBM-style PC chassis offered that kind of 'blend'.
As the saying went ...
Be very glad that your PC is insecure --it means that after you buy it,
you can break into it and install whatever software you want. What YOU
want, not what [content providers] want.
-- John Gilmore of the EFF
But the majority of consumers are the "lemmings". In reality its like the stage magician fanning a pack of cards and saying "pick a card, any card you want". You don't really have freedom of choice, you can only pick what's offered to you, by the stage magician or the vendor.
And sometimes the constraint of choice, as Apple is doing, says "focus, focus, focus" and play to the Big Brother Knows What's Best For You.
Sometimes it nice not to be stressed by having to make decisions, decisions that might not be optimal (even if the optimization curve is flat and the risk/return ratio is close to zero).
Related articles
- Consumption and Consumer Behavior (thinkingbookworm.typepad.com)
Surely compliance is binary?
Call me a dinosaur (that's OK, since its the weekend and dressed down to work in the garden) but ...
Surely COMPLIANCE is a binary measure, not a "level of" issue.
You are either in compliance or you are not.
As in you are either deal or alive.
Social Engineering and sufficency of awareness training
Someone asked:
If you have a good information security awareness amongst
the employees then it should not a problem what kind of attempts
are made by the social engineers and to glean information from
your employees.
Yes but as RSA demonstrated, it is a moving target.
You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the 'social engineers'. Fight psychology with psychology!
Orwell: a quarter of a century late
http://hdguru.com/is-your-new-hdtv-watching-you/7643/
well 28 years actually ...
So, the two-way tv sets of Orwell's novel have arrived, over a quarter of a century late!
George Orwell in Hampstead On the corner of Pond Street and South End Road, opposite the Royal Free Hospital. The bookshop has long gone. (Photo credit: Wikipedia)
It just goes to show. Science fiction things like the Star Trek communicator (Motorola flip phones) or the tricorder (some of the enhanced versions of the Newton) or the data Pad (the real world version has an extra 'i') we do pretty quickly, but if its a mainstream novel, the kind of thing that my old Eng Lit teacher would approve of (he snivelled at SF and cringed at its mention) then it seems three isn't the same enthusiasm about replicating its technology.
Related articles
- Books that Changed my Life: 1984 by George Orwell (caracaleo.com)
- Orwell's Nineteen Eighty-Four forecast for Hollywood remake (guardian.co.uk)
- Near-Future Fiction (madgeniusclub.com)
- Orwell vs. The U.S. House of Representatives (pubcit.typepad.com)
- And the privacy invasion award goes to ... (sgtreport.com)
- How to resist Big Brother 2.0 (blogs.reuters.com)
- Microsoft speaks on privacy following 'NUad' concerns (thenextweb.com)
- Glancee + Facebook = Orwell's Big Brother in Spades..... (tishgrier.wordpress.com)
The 19 most maddening security questions | Security – InfoWorld
http://www.infoworld.com/d/security/the-19-most-maddening-security-questions-187983
An interesting list, since it covers issues of public structural security.
I recall reading that the greatest contribution to the health of individuals came about from good public sanitation and clean water, that is civic changes (presumably enabled by legislation) that affected the public in a structural manner.
What would be on your list?
A poster for drinking water security from the EPA (Photo credit: Wikipedia)
Related articles
- Companies slow to react to mobile security threat - InfoWorld (infoworld.com)
Upside and downside: How I hate Journalists
And this doesn't actually stop them form making use of 'insider information' they just have to declare it within 30 days.
No, wait, sorry ... you mean that the legislators are saying that legislators shouldn't do something that is illegal anyway? Or that, if they do something that is already illegal, it is OK as long as they declare it within 30 days? ...
It gets worse:
I'd like to claim the system is rigged so 'the rich get richer' but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to describe the rich variety of political attitudes in the Washington, never mind the rest of the USA and points elsewhere on the physical compass.
http://en.wikipedia.org/wiki/Pournelle_chart
http://en.wikipedia.org/wiki/Nolan_Chart
Just those two show we need more that 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.
http://en.wikipedia.org/wiki/Political_spectrum
Try this test:
http://www.politicalcompass.org/
How does this all relate to InfoSec, you ask.
Well part of that Political Compass is a view of 'how authoritarian'.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees have Access to the Internet, and the like.
Hans Eysenk pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.
How many more such simplistic distinctions such as those foisted on us by journalists are equally meaningless.
Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of 'root cause analysis' is no longer used in analysing plane crashes. The reality is that "its not just one thing", its many factors. We all know that applies in most areas of life.
I suspect most people know that too; its not restricted to the digerati.
There is the old ditty that explains how because of a nail an empire was lost, but no-one is proposing that we fix the failing of the "American Empire" by manufacturing more nails.
Except possibly Journalists.
Related articles
- Is your political compass OK post the election? (greenwichlib.wordpress.com)
- Political Compass: May (spinelessliberal.wordpress.com)
- The downsides of experience (cdevroe.com)
- The US Election - 2012 (www.politicalcompass.org)
The Death of Antivirus Software
http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html
The real issue here isn't Ubuntu, or any other form of Linux.
Its that AV software doesn't work.
PERIOD.
There are over 50,000 new piece of malware developed and released daily. The very nature of the AV software models that John McAfee foisted on the industry simply can't cope.
This isn't news. Signature-based (and hence subscription based and hence that whole business model) AV is a wrong headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update cycle model and its business premise is very like that of drug pushers.
What's that you say? Other types of AV? Like what?
Well, you could have a front-end engine that checks all downloads and all email and all email attachments and all URL responses by emulating what would happen when they run on any PC or in any browser or any other piece of software such as any of the PDF readers you use, or any of the graphical display software you use or any of the word processors you use
or any of the spreadsheet programs you use or any music players you use ... and so on.
Many people in the industry - myself included - have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.
Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor - which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature had advantages and its own problems.
The local signature makes things unique to each machine so there is no "master key" out there. If your private key is compromised then do what you'd do with PGP - cancel the old one, generate a new one and sign all your software with the new one.
The real problem, though, is not in having the key compromised but is the problem that has always existed - its the user. Right now, we have many remote code execution blockers. Your browser might be able to block the execution of Java or JavaScript, but does it? Most people either don't bother setting their defaults to "no execution" or just say "yes" to the pop-up asking them to permit execution.
No technical measure can overcome human frailty in this regard.
Related articles
- Avira antivirus upgrade wreaks 'catastrophic' havoc on Windows PCs (techworld.com.au)
- How can We Detect Viruses Without Antivirus Software? Built In Antivirus in your Browser
(shanicomputers.wordpress.com) - Intel and McAfee unveil plans for unified security future (go.theregister.com)
- John McAfee, antivirus pioneer, arrested by Belize police (networkworld.com)
- GlobalSign Develops Free Tool to Simplify Code Signing Process (prweb.com)
- A Modest Proposal: Please Don't Learn to Code Because It Will Damage Your Tiny Brain (inventwithpython.com)
- Why Authenticity Is Not Security (leviathansecurity.com)
- Certs 4 Less Announces Support For Individual Code Signing Certificates (prweb.com)
- 'Catastrophic' Avira antivirus update bricks Windows PCs (go.theregister.com)
- Avira fixes antivirus update that crippled many PCs (neowin.net)
- Free Anti-Virus Software Fails To Charm Enterprises (informationweek.com)
- Backpack Algorithms And Public-Key Cryptography Made Easy (coding.smashingmagazine.com)
- Cryptography pioneer: We need good code (infoworld.com)
- Contrary to Popular Opinion, Encryption IS the Hard Part (blogs.gartner.com)
- Public Key Cryptography Explained (q-ontech.blogspot.com)
”My dog knows you don’t look like me”
http://www.zdnet.com/blog/identity/darpa-authentication-project-focuses-on-humans-as-secrets/157
So do my cats. But so what?
Does this mean that DARPA/USGov will finance the supply of advanced biometrics with every PC from Microsoft or Apples and every Tablet and smartphone? Perhaps eyeball recognition like in "Minority Report".
And I'm sure there are _other_ ways to hack that than the one mentioned in the movie.
Related articles
- SSL governance and implementation across the Internet (net-security.org)
- Why change VMware default self-signed SSL certs? (longwhiteclouds.com)
- Biometric apps for Kinect: Microsoft wants to avoid creeping everybody out (geekwire.com)
The real reasons for documentation – and how much
he documentation required and/or needed by ISO-2700x is a perenial source of dispute in the various forums I subscribe to.
Of course management has to define matters such as scope and applicability and the policies, but how much of the detail of getting there needs to be recorded? How much of the justification for the decisions?
Yes, you could have reviews and summaries of all meetings and email exchanges ..
But that is not and has nothing to do with the standard or its requirements.
The standard does NOT require a management review meeting.