The InfoSec Blog

We’re mobile addicts but we just don’t want new smartphones

Posted by Anton Aylward

For whatever value of "Mobile" is applicable in context, yes.
A lot of what I see is students in the library with their laptops or large tablets_keyboards with paper and books beside. Perhaps if students had the multi-screen displays like the one in the movie "Swordfish" AND there were more books on-line at low cost and multi-access (which isn't how many libraries work, sadly) then the marketers dream of students with ebooks rather than a knapsack of books would happen. As it is, with only one viewer, books and papers are still needed.

Confusion over Physical Assets, Information Assets in ISO-27000

Posted by Anton Aylward

I often explain that Information Security focuses on Information Assets.

Some day, on the corporate balance sheet, there will be an entry
which reads, "Information"; for in most cases the information is
more valuable  than the hardware which processes it.
   -- Adm. Grace Murray Hopper, USN Ret.

Some people see this as a binary absolute - they think that there's no need to asses the risks to the physical assets or that somehow this is automatically considered when assessing the risk to information.

The thing is there are differing types of information and differing types of containers for them.

An “11th Domain” book.

Posted by Anton Aylward

Gary Hinson makes the point here that Rebecca Herrold makes elsewhere:   Rebecca Herold
Awareness training is important.

I go slightly further and think that a key part of a security practitioners professional knowledge should be about human psychology and sociology, how behaviour is influenced. I believe we need to know this from two aspects:

First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. many workers complain that their managers, their executives seem t go off at a tangent, ignore "the facts". We speak of decisions drive by articles
in "glossy airline magazines" and by often distorted cultural myths.  "What Would the Captain Do?", or Hans Solo or Rambo might figure more than "What Would Warren Buffett Do" or "What Does Peter Drucker Say About A Situation Like This?". We can only be thankful that most of the time most managers and executive are more rational than this, but even so ...

Control objectives – Why they are important

Posted by Anton Aylward

Let us leave aside the poor blog layout, Dejan's picture 'above the fold' taking up to much screen real estate. In actuality he's not that ego-driven.

What's important in this article is the issue of making OBJECTIVES clear and and communicating (i.e. putting them in your Statement of Objective, what ISO27K calls the SoA) and keeping them up to date.

Dejan Kosutic uses ISO27K to make the point that there are high level objectives, what might be called strategy[1], and the low level objectives[2]. Call that the tactical or the operational level. Differentiating between the two is important. They should not be confused. The high level, the POLICY OBJECTIVES should be the driver.

Yes there may be a lot of fiddly-bits of technology and the need for the geeks to operate it at the lower level. And if you don't get the lower level right to an adequate degree, you are not meeting the higher objectives.

Orwell: a quarter of a century late

Posted by Anton Aylward

well 28 years actually ...

So, the two-way tv sets of Orwell's novel have arrived, over a quarter of a century late!

George Orwell in Hampstead On the corner of Po...

George Orwell in Hampstead On the corner of Pond Street and South End Road, opposite the Royal Free Hospital. The bookshop has long gone. (Photo credit: Wikipedia)

It just goes to show. Science fiction things like the Star Trek communicator (Motorola flip phones) or the tricorder (some of the enhanced versions of the Newton) or the data Pad (the real world version has an extra 'i') we do pretty quickly, but if its a mainstream novel, the kind of thing that my old Eng Lit teacher would approve of (he snivelled at SF and cringed at its mention) then it seems three isn't the same enthusiasm about replicating its technology.

Enhanced by Zemanta

Please Realize That Piracy is a Service Problem.

Posted by Anton Aylward

NEW YORK, NY - JANUARY 18:  Protesters demonst...

NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)

The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at "service" when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.

Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.

Yes, if the media industry provided the service that customers want piracy wouldn't be an issue. As the article says, look at the economics.

It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.

There's a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn't cost them any more.

With VHS and DVD there is the cost of production, shipping and retail mark-up. There's that for every sale. And those are costs that are going up year by year. And if there's a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.

But with a 'Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.

Its as if the RIAA have it exactly backwards.

So it costs, what, lets say $20 to buy a movie as a DVD.
That's my budget. If I got to the store and found the movie I wanted was $5, then I'd be inclined to buy some more. Maybe at $5 a shot I'd spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn't have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the 'Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews ... you know how it goes, Amazon does it well.

Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.

The RIAA are not just stupid, they are extremely stupid.

A stereotypical caricature of a pirate.

A stereotypical caricature of a pirate. (Photo credit: Wikipedia)


Enhanced by Zemanta

Your Asset is my Consumable

Posted by Anton Aylward

Separation of Duties: InfoSec, IT and Audit

Posted by Anton Aylward

A colleague who had the opportunity to restructure the role of his InfoSec department asked for advice about defining the roles and duties and how to make his department more effective.

Being very conservative in some ways I recommended a traditional Separation of Duties. It begins with what might be described, for lack of a better term as "the separation of InfoSec and IT".

In the limiting case:

- InfoSec says what it should be
- IT "makes it so"
- Audit makes sure that they did.

in other words InfoSec addresses the areas you've expressed concerns about responsibility for by setting policy, standards and requirements (?compliance?). IT is responsible for the implementation, the hardware, the software, its installation and maintenance.

It can be an easy sell if you approach it properly.

You: See that firewall?
IT: Yea, what about it?
You: Its on the network, right?
IT: Yea, where the f*** do you think it should be?
You bu**ers are always interfering.
You: And you guys take care of the network and stuff on the network?
IT: When you bu**ers don't interfere.
You: Well we're not going to. Its yours. We won't touch it.
We won't go off and buy stuff and put it on your network.
IT: Are you serious?
You: Yes.
IT: Can I have that in writing?
You: Yes. I'll copy you on the roles & responsibilities
and separation of duties documents. As well as the policies,
compliance and audit requirements.

Smile when you say that, but don't make it a predatory smile.

Yes, that makes it sound easy, but reality never is, is it?
That's why people buy books that offer the same kind of advice.
If you really want to work it through, try the books by The Harvard Negotiation Project:

* Getting to Yes: Negotiating Agreement Without Giving In
* Difficult Conversations: How to Discuss what Matters Most
* Getting Past No: Negotiating Your Way from Confrontation to Cooperation
* Getting Ready to Negotiate

Consultants, that is people with no formal authority in the hierarchy, may also appreciate

* Getting It Done: How to Lead When You're Not in Charge

(Another time I'll discuss the stupid idea that some people in the recruiting profession have that because 'consultants' don't occupy a line-management role that they have no management skills or experience.)

The technical staff in the IT department may be perturbed in a number of ways. They might feel that their 'freedoms' are being removed and they are being 'policed'. Make it clear to them that YOU are not policing them. AUDIT is policing them. That is the correct corporate role for audit.

InfoSec is writing the specs - the policy, the requirements, and they are doing it in cooperation with not only IT but also with other stakeholders in the business and to make sure that the IT department is serving the needs of the business and not just collecting expensive "Toys For Boys".

This is no different from a software or hardware development situation, or, for that mater, the original set-up and procurement that went onto IT.
Someone did a needs analysis (even if it was only guesswork and estimations on a paper napkin), wrote up a requirement and handed it over to the people with a Picard-like order to "made it so".

I appreciate that this 'formal' approach is being depreciated by 'agile' methodologies where the techies work without any of the formal management structure, without specifications or formal requirement, writing and running their own tests, all in the name of "Web 2.0".

However the original idea as to set up a formal system of division of responsibility and duties and to deal with strengths and specializations.

Many people think that by fitting in with the power of a formal system they are giving up 'freedom'. They don't see the power of having all that organization (and buying power) behind them, of having defined roles that offload from them the detailed housekeeping that slows them down. They only think in terms of the Marxist cant about oppressive 'production lines' that dumb down the worker into an automation.

This is short-sighted and they know it if they'd stop and think about it.
Lets look at an example out of IT: The compiler - a tool that takes a high level requirement and specification and converts it to the fiddly assembly code - is one they accept. But some of us are old enough to remember the arguments against compilers, that they couldn't produce the same quality code as good assembly programmer.

Perhaps: that may have been true back 30 years but its not now. Now compilers are 'expert systems' in code generation for very complex CPUs and instruction streams and branches. Programmers recognise this and accept it, often without thinking very deeply about it - they just code in the HLL and the compiler "makes it so" that it runs on the machine. But even 30 years ago compilers could produce assembly code to match a 'good' assembly programmer - but at 10 to 100 times the speed and when used by a middling programmer who understood the subject matter of the application better than he did the hardware of the computer did a very good job of delivering the application program.

This is a classic example of abstracting and encapsulating specialized knowledge and division of labour.

I have no doubt that today's programmers would be upset if you took away their compilers.

What I am suggesting in this separation of duties between InfoSec, IT and Audit is no different from a doctor writing a prescription and the patient taking it to an apothecary to be filled. The apothecary isn't doing the diagnosis or needs analysis, but he still plays an essential role.

The "You" in InfoSec, have to understand business needs, regulations, compliance issues. The "Them" in IT have to understand the details of the technology they are working with. Each have their roles to play.

Its when people start interfering with these responsibilities, these 'separation of duties', that things get upset.

Enhanced by Zemanta