The InfoSec Blog

Tracking kids via microchip ‘can’t be far off,’ says expert

Posted by Anton Aylward

http://www.kens5.com/story/news/2015/05/07/tracking-kids-via-microchip-cant-be-far-off-says-expert/70986060/

Dickerson said she though one day, "I microchip my dog, why couldn't I
microchip my son?"

I think there's something despicable about treating a human being the same way you would treat a dog or your keys.

Its one thing to chip your keys or have one of those devices that when you whistle the keyring goes bleep-bleep to help you find it. I can imagine extending that to people who let their dogs (or cats) roam and need/want to have them in at night. Domesticated pets might not be able to cope with even urban predators such as badgers and grizzly raccoons.
If, that is, the animals aren't smart though to come in when you call them.

But treating a human as you would a dog?

On ‘paranoia’ – revisiting “Paid to be paraoid”

Posted by Anton Aylward

My fellow CISSP and author Walter Jon  Williams observed that

Paranoia is not a part of any mindset. It is an illness.

Ah, Walter the literalist!

Yes I agree with what you say but look at it this way

"We're paid to be paranoid" doesn't mean we're ill.
It's a job.

Now if your job is an obsession, one you take home with you and it interferes with your family life, that you can't let go, then its an illness whatever it is.

"We're paid to be paranoid"

Its a job. You don't pay us Information Security Professionals to be pollyannas, to have a relaxed attitude.

Confusion over Physical Assets, Information Assets in ISO-27000

Posted by Anton Aylward

I often explain that Information Security focuses on Information Assets.

Some day, on the corporate balance sheet, there will be an entry
which reads, "Information"; for in most cases the information is
more valuable  than the hardware which processes it.
   -- Adm. Grace Murray Hopper, USN Ret.

Some people see this as a binary absolute - they think that there's no need to asses the risks to the physical assets or that somehow this is automatically considered when assessing the risk to information.

The thing is there are differing types of information and differing types of containers for them.

Help on ISO-27000 SoA

Posted by Anton Aylward

This kind of question keeps coming up, many people are unclear about the Statement of Applicability on ISO-27000.
The  SoA should outline the measures to be taken in order to reduce risks such as those mentioned in Annex A of the standard. These are based on 'Controls'.

But if you are using closed-source products such as those from Microsoft, are you giving up control?  Things like validation checks and integrity controls are are 'internal'.

Well, its a bit of a word-play.

  • SoA contains exclusions on controls that are not applicable because the organization doesn't deal with these problems (ie ecommerce)
  •  SoA contains exclusions on controls that pose a threat (and risks arise) but cannot be helped (ie A.12.2 Correct processing in applications) and no measures can be taken to reduce these risks.

With this, a record must be present in risk assessments, stating that the risk (even if it is above minimum accepted risk level) is accepted

IBM CIO Report: Key Findings

The key to the SOA is SCOPE.

About ISO 27001 Risk Statement and Controls

Posted by Anton Aylward

On the ISO27000 Forum list, someone asked:

I'm looking for Risk statement for each ISO 27k control; meaning
"what is the risk of not implementing a control".

That's a very ingenious way of looking at it!

One way of formulating the risk statement is from the control
objective mentioned in the standard.
Is there any other way out ?

Ingenious aside, I'd be very careful with an approach like this.

Risks and controlsare not, should not, be 1:1.

Mistaken Thinking – Risk not threats

Posted by Anton Aylward

Various mobile devices creating interoperability.

Image via Wikipedia

Via a LinkedIn posting in the Infosecurity magazine forum titled
"Internet Threats Posed By Mobile Devices: How Can We Prevent Them?"
I came to
http://www.mxsweep.com/blog/bid/65075/Internet-Threats-Posed-By-Mobile-Devices-How-Can-We-Prevent-Them

OUCH OUCH OUCH!

The mobile devices don't pose threats.
The mobile devices represent risks.

Threats are external. They are not under your control.

The article title is clearly confusing THREATS with RISKS.

There are aspects of risks which ARE under your control.
You can control how EXPOSED you are to threats and how they will IMPACT you - or more specifically your assets. In this case the mobile devices.

You can't prevent threats, you can only mitigate their IMPACT.
You can instigate preventive measures.

Mobile devices and the data on them are ASSETS, not threats.

Correct terminology leads to correct thinking.
Eliminating misunderstanding and confusion leads to effective results.

Enhanced by Zemanta

Risk Models that hide important information

Posted by Anton Aylward

Some people seem to be making life difficult for themselves with risk models such as "Impact * Probability" and as such have lead themselves into all manner of imponderable ... since this model hides essential details.

I discuss the CLASSICAL risk equation in my blog
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/

There is a good reason for, no make that MANY good reasons, for separating out the threat and the vulnerability and asset rather that just using "impact".

Any asset is going to be affected by many

  • threats
  • vulnerabilities
  • controls

Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.

Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.

As such, the CLASSICAL risk equation can then be viewed as addressing residual risk - the probability AFTER applying the controls.

IT AUDIT VS Risk Assessment – 2

Posted by Anton Aylward

We were discussing which should be done first and someone said:

The first has to be risk assessment as it is foundation of information
security. You first need to know where is the risk before putting up
any controls to mitigate that risk. Putting up adhoc controls will not
make the controls effective nor will it protect the organizations
against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context - read that sophistication and awareness of the baseline risks - to see that there should be a set of baseline controls. IAM, firewall, AV, backups and so forth. We don't need to leave the assets exposed to threats while we we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.

Risk Analysis

You don't need to know the specific risks any more than you need to know the specific risks to have a lock on the front door of your house and close your windows.

I certainly wouldn't call this approach "ad-hoc".

“Impact” is not a Metric

Posted by Anton Aylward

I never like to see the term 'impact'.
Its not a metric.

I discuss how length, temperature, weight, are metrics whereas speed, acceleration, entropy are derived values. In the same sense, 'impact' is a derived value - "the cost of the harm to an asset". The value of an asset can be treated as a primary metric, but how much it is "impacted" is a derived value.

This is the same kind of sloppy thinking, the same failure to identify tangible metrics as we see when people treating 'risk' as if it were something tangible, never mind a metric!

About creating Corporate IT Security Policies

Posted by Anton Aylward

As I've said before, you should not ask yourself what policies to write but what you need to control.  If you begin with a list of polices, you need to adapt the reality to the list. The risk is that you create a false sense of control of security.

The threat-risk approach is 'technical', and as we've discussed many times, the list of threats cannot be fully enumerated, so this is a ridiculous approach.

Basing policy on risk is also a fruitless approach as it means you are not going to face some important points about policy.

Policy is for people. Its not technical, its about social behaviour and expectations.
Policy can be an enabler, but if you think only about risk you will only see the negatives; your policies will all be of the form "Don't do that".
Policies should tell people what they should do, what is expected of them, give them guidance.

Policies also have to address the legal and regulatory landscape. As such they may also address issues of ethics, which again is not going to be addressed by a threat-risk approach.

All in all, if you follow Mark's advice you may write policies that seem OK, but when it comes to following them it will be like the song from the 70s by The Five Man Electric Band:

Sign Sign everywhere a signsigns, signs
Blocking out the scenery breaking my mind
Do this, don't do that, can't you read the sign

and people will feel put upon and that the company is playing Big Brother. You will have heavy-handed rules that are resented and not clearly understood by all employees.

Policies are there to control the behaviour of people in the corporate setting. Think in terms of people and behaviour, not in terms of threats and risks.
Policies are to guide and control behaviour of people, not of machines and software.

Think of policies as having these kinds of objectives and you will be on a firm footing:

  • Shift attitudes and change perspectives
  • Demonstrate management support
  • Assure consistency of controls
  • Establish a basis for disciplinary action
  • Avoid liability for negligence
  • Establish a baseline against which to measure performance and improvement
  • Coordinate activities

and of course something important to all of us toiling in InfoSec

  • Establish a basis for budget and staffing to implement and enforce the policies

Policies need to be created from the point of view of management, not as a set of techie/geek rules, which the threat/risk approach would lead to.

Not least of all because, as I'm sure Donn Parker will point out, managers don't want to hear all that bad stuff about threats; they want policies that encourage staff to contribute to the profitability of the
company.

Enhanced by Zemanta

Significant Impact Calculation in Business Risk

Posted by Anton Aylward

My colleague Gary Hinson made the following observation on the ISO 27001 list in August:

There are numerous assumptions and estimations in the risk
assessment process, so all calculated values have quite wide margins
of error. Worse still, there are almost certainly risks or impacts
that we have failed to recognise or assess, in other words we need to
allow for contingency.

Oh,its worse than that!

The problem is that the potential perpetrators are the ones that determine "the most significant risks" of which you speak, in both frequency (when they decide to strike) and impact (how much damage they will do and what they will do with the results of their attacks), not the person performing the risk analysis.

We are debating how to value an asset, book value, replacement value or the value of the process of using it. Well that doesn't matter; its the value to the perpetrator of the attack at counts. What you value and defend might be of no interest to him (or her). Obtaining the desired asset may result in collateral damage.

So long as you focus on a Risk Analysis model rather than a comprehensive plan of diligence and security stablemen you are going to get caught out by these false assumptions.

Face it: the Risk Analysis approach means you have no idea who and where the potential perpetrators are, rational or irrational; when and how they may strike (with a tank, an army, or with false data entry).

But act and calculate as if you do.

You have no idea of the perpetrator's

  • skills
  • knowledge
  • resources
  • authority
  • motives
  • objectives

but the Risk Analysis approach presumes that you do.

I'm sorry, this doesn't make sense and hence arguing about how to calculate the value of an asset doesn't make sense in this context. Its like arguing over how many angels can dance on a pinhead when there's war and famine going on outside.

Enhanced by Zemanta