“Paid to be paranoid”

Read the first four paragraphs of this:


Forget the rest, forget that it's about ‘creative writing’, just answer that question.

Bruce Schneier, among others (myself included), has asked questions like that. Are you ‘paranoid’ enough to be in the security business?

One of my colleagues, Rob Slade (yes, *that* Rob Slade), when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about “The CISSP Experience”.
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a “Bah Humbug!” feeling when the class is really a company stuffing its IT department through the course and exam “for the numbers”. Rob has some cynical comments to add, but don’t forget that for him it’s a day’s work and a day’s pay.

I’m also hit on for a variety of reasons by kids (even postgraduates) who “want to break into” — yes, that’s the words they use, ironic isn’t it? — the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that it’s experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is a badge that gets you work. Not so. Mind you, locally the recruiters can’t seem to tell what makes InfoSec different from IT. But that’s a subject for another time.

And hence the opening lines to Holly’s blog.
No, Holly, you’re not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.

  • What is the ‘attack surface’?
  • What are the potential threats? How to rate them?
  • How can I position myself to minimise the effect of an attack?
  • What is the ‘recovery mode’ (aka: line of retreat)?

If you can’t do this, then you shouldn’t be in “Security”.

Why Info Sec Positions Go Unfilled


There are many holes in this, but I think they miss some important points.

First is setting IT HR to look for InfoSec people.
That is because many people think InfoSec is an IT function as opposed to an organizational function. This goes in cycles: 20 years ago there was the debate, “Should InfoSec report to IT?” The overall decision was no: InfoSec might need to ‘pull the plug’ on IT to protect the organization.

Second there is the vast amount of technology claiming to do InfoSec.
It is all network (and hence IT) as opposed to business fulfilment. This has now spread to “Governance”. You can buy governance software. What does this do for the ethical outlook of the executive, the board and management? How is Governance tied to risk management and accountability and visibility by this software?

Technology won’t solve your problems when technology *is* your problem.

InfoSec is about protecting the organization’s information assets: those assets can be people, processes or information. Yes, technology may support that, just as technology puts a roof over your head (physical security) and somewhere to store the information. Once this was typewriters, hand-cranked calculators and filing cabinets, and copying was with carbon paper. The technology may have changed but most of the fundamental principles have not. In particular, the ones to do with attitudes and people are the same now as they were 50 or 100 years ago.



TV kills!

I keep telling everybody that TV is injurious to your (mental) health, but does anyone listen?

Why should they?
They didn’t when Jerry Mander presented his Four Arguments for the Elimination of Television, and he was in a position to know.

When organizations put a lot of eggs in one basket – desktop side


This is a Chicken Little story.

We’ve been putting many computer eggs in one hardware basket for a long, long time.
What do you think mainframes running MVS and VM/CMS were?
What were things like air traffic control?

The ‘desktop’ is a fuzzy concept that gets confused with a GUI.
Those mainframes – think airline ticket and reservation – could handle many hundreds of remote terminals, keeping them updated.

What’s a dumb terminal if not the ultimate in ‘thin clients’?

Why don’t companies apply more risk analysis – Part 2

And while on that subject …

“Consult Human Resources when making disaster recovery plans”

Every DR plan I’ve seen has failed to take into account human factors.
The most basic of these: in any one of a large number of disaster scenarios, how are staff going to get to the DR site?


So: here we are in Toronto and the DR site is in Arizona. What sort of disaster will take out Toronto and yet let all the staff here make their way down to Arizona in order to run the IT services that support the customers in, guess where? Right: Toronto.

The Need for Social Engineering in InfoSec


When I took my undergraduate Engineering degree, the attitude of my professors was that if we had chosen engineering as our career then a few things followed.

First, technology is changing, so teach fundamentals and principles and show how to apply them, but don’t get hung up on specific technologies. (Who would have guessed then that the RF theory work on transmission lines would have an impact on writing software for PCB layout and even chip design!)

Second, that if we stayed in engineering, then within three to five years we would have “managerial” responsibilities, so we had better know about “managerial” things such as budgeting, logistics/supply-chain, writing proposals and reports.

I mention this to make the point that being a CISSP is not about being a techie-geek. Knowing all there is about crypto, pen testing, or any vendor or product is inherently self-limiting. You have put a cap on the authority and influence you have.

To be effective in InfoSec you need to be able to do that “social engineering” – as a recent article says,

“… the application of social science to the solution of social problems,” he said. “In other words, it’s getting people to do what you want by using certain sociological principles.”

What you want is for your managers to implement certain strategies that you believe are for the good of the company and society (see our code of ethics and associated guidelines). This means you need communication

I realise many people reading this are in fact managers, but they too have to report to higher authorities. Some here have MBAs. Management is more than the technical skill of an MBA course – that’s another form of geekiness. (I know of one very good technical guy who saw Dilbert’s Principle being applied in his firm and went and got an MBA. The trouble is that he never had any ‘people skills’ and the MBA course didn’t supply them!)

So we get back to a parallel thread – “Trust”.

Occasionally I run a workshop, “Why people don’t follow Policies and what you can do about it”. It’s for technical managers, those who have to enforce many policies, not least of all InfoSec ones, and manage those who are carrying out the associated Procedures. It’s always a difficult workshop since it’s about seeing the patterns in behaviour, something technical managers are quite capable of, but have never been taught before.

It’s my belief that InfoSec is meaningless unless it deals with the social and psychological issues. Right now we treat the term “social engineering” the way we do “risk”, as something that has *only* a negative meaning. That has to stop. Management don’t see “risk” as being bad, and as far as threats go, we know that People are the source of them all! First and foremost, InfoSec practitioners need to be able to deal with People. Technology is for geeks. If you want to bring about change you have to deal with people.

“Social Engineering” – in the broadest and positive sense – is every bit as key as any other of the domains of the CBK. Its omission just shows how technology-centred the profession is, despite the threats and despite what needs to be done by practitioners to fulfil their roles.
