Welcome to NBlog, the NoticeBored blog

Like the finer things in life, quality trumps quantity.

Aug 29, 2016

Droning on and on

In connection with an awareness module on physical security in July 2015, I blogged about the possibility of people using drones to deliver drugs and other contraband to prisons ... and sure enough they are. The same technology could be used to deliver drugs to dealers and addicts, I guess, or books, or crop sprays, or pizza and beer ...

Or bombs. 

We know that drones are a threat to low-flying aircraft, near airports particularly, while they are clearly being used for military purposes including surveillance and delivery platforms for weapons. The police have their eye on them too.

The big question is how the authorities plan to treat the associated risks.  

Drones can be detected using radar, radio receivers and audio location, as well as visually, including infrared. Tracking them is possible by eye or using pan-and-tilt mounts and electronics similar to those used for missiles. However, small drones have tiny signatures, while military drones are presumably stealthy or come in swarms.

The remote control/console facilities may be concealed, potentially far away, and relocatable, though only in two dimensions unlike the drones' three! Fully autonomous drones dispense with the remote control too.

Once detected, they can be shot down, lasered, microwaved, jammed on several frequencies, netted (?) or spoofed (meddling with the GPS or remote control instructions) ... but a kilogram or more of material falling out of the sky is itself hazardous, while military drones probably fight back, not least because of their value (reportedly ~$1m for a Chinese military drone, $30m for a US Reaper). 

I'm interested to see what happens next. Will we see anti-drone drones, maybe, with chase and capture, divert or destroy capabilities? Or something simple such as fine mesh nets stretched over prison yards?

Oh by the way, a driverless car (or tractor, motorbike, truck or tank) is simply a land-based drone, isn't it? Great way to deliver goods ... or drugs or bombs ... 


Aug 23, 2016

The Navy lark

The official US Navy report into an embarrassing incident in the Arabian Gulf at the start of this year is well worth reading.

In short, the incident involved two US Navy patrol boats straying into Iranian territorial waters around Farsi Island, one of them suffering a mechanical failure, then both being intercepted by an armed force of Iranians from the island. Without a shot being fired, the Navy crews were 'captured', taken to the island, interrogated, videoed and released the next day. No big deal in the grand scheme of things ... but distinctly embarrassing for the US Navy and government, as well as those directly involved.  

The lightly-redacted report was produced by an official investigation into the incident and, as usual for such things, it points the finger at a number of contributory factors, systemic issues or root causes that failed to prevent or avoid the incident. As usual, the wording is quite formalized, stilted and circumspect in places but if you read it carefully, the core messages sing out like one of Dame Kiri Te Kanawa's most powerful arias.  Here are just a few of the issues mentioned in the report (I'm paraphrasing, somewhat cynically):

  • The boat crews were new to the Gulf, not acclimatized to the heat, and poorly prepared for their new roles
  • The boats were poorly maintained, with various issues around the on-shore maintenance facilities and budget/resource constraints: they should not have set to sea in the first place
  • The mission was substantially longer than normal with a nighttime refuelling stop at sea and the crews were inexperienced in both regards - in other words, it was known to be a risky venture
  • All manner of proper procedures were not followed, with a substantial amount of miscommunication and numerous communications failures (exacerbated by the mixture of classified and nonclassified comms, a multitude of systems and technical issues)
  • Even the written logs have conflicting, missing and erroneous information, making them unreliable as formal records hence frustrating the post-incident investigation
  • Some people were certified competent without, it seems, completing the corresponding schooling and qualification, at least not to the appropriate level of assurance due in part to inadequate training
  • Genuine concerns about the mission and more generally were repeatedly dismissed or disregarded by more senior officers, thanks in large part to the predominant 'yes sir' culture and morale issues 
  • The roles and responsibilities among the boat crews (including navigation, crucially, as well as their command and control structure, hierarchy or authority) were unclear
  • The on-board GPS system was not 'loaded with crypto' ... and would presumably have reverted to the normal civilian resolution (surely good enough to identify Farsi Island?)
  • The pre-notified route through the middle of the Gulf would have been well clear of the island but having left port late due to earlier issues, the boats took a more direct straight-line route to save time and avoid bad weather, despite continuing communications issues and concerns
  • Some messages were passed to shore including several positions indicating they were well off the planned course, but they were not all passed on correctly or plotted, hence the course deviation that led to the incident was not properly flagged up as an issue
  • At one point, an on-shore navigation system was out of action as it was being rebooted, a planned daily occurrence (!)
  • As Farsi Island came into sight, the boats were essentially lost. One captain realized they must be in territorial waters but didn't know which nation (!!). The Island sighting was not reported up the line. The crews claimed they thought they were 3 to 5 miles away whereas in fact they were just 1.6 miles from the island. They did not adopt defensive positions
  • The navy crews were unable to communicate with the approaching Iranians
  • During and following their capture and interrogation (i.e. under duress), crew members only partially recalled and followed the code of conduct and training for such eventualities, perhaps reflecting a lack of clarity in the official guidance concerning the particular circumstances of this incident
The sting in the tail is that this incident could easily have been much worse. Aside from the likely injuries or deaths if the navy crews had defended themselves and resisted capture (assuming they were actually capable of using their weapons - some of which weren't properly mounted), the incident could have sparked an escalation of the conflict in the area, leading to serious military and political consequences at least. One of the navy captains reportedly thought about the possibility of sparking a US-Iran war by over-reacting to the approaching Iranian boats, repeatedly referring to the incident as a 'misunderstanding'. 

The report claims quite indignantly, repeatedly and at some length, that the navy boats should have been allowed "innocent passage" by the Iranians and had "sovereign immunity", but notes also that Iranian laws impose special conditions for military vehicles. This whiffs of sour grapes to me, perhaps an attempt by the powers that be to deflect attention from the numerous shortcomings.

The context and lead-up is far more complex than my comments imply and, despite the effort that went into the investigation and the report, there is undoubtedly much more to it than was reported - such is the nature of incident investigation and auditing, both in general and especially in such highly-charged situations, within an embarrassed military organization no less. The published report is the tip of a huge iceberg of findings, concerns and suspicions that remain largely out of sight. Only the few findings that are substantiated by credible if not undeniable evidence gathered by the investigators (the "Findings of fact", in the stilted language of the report) are officially reported, at least in theory. However, diligent investigators and experienced auditors have creative ways to put their real points across, despite the interminable 'file reviews' and private discussions that no doubt took place between them and their subjects - or rather their respective bosses. What we see in print leaves out more than it says, but gives clues as to what we're missing.

Juxtaposition, for instance. In one paragraph we read very matter-of-factly that a senior Navy officer denied knowing that there were any maintenance issues with the boats. The very next, equally matter-of-fact paragraph points out that the officer chaired a regular meeting about boat maintenance (clearly implying that he either did know, or should have known, about the problems that led to a boat being stranded in Iranian waters). The report often gives such hints but leaves the reader to draw their own conclusion. It's not hard.

As to determining and bottoming-out the root causes, the investigation does not appear as comprehensive or effective as I would have liked. It only went a fathom or two down into a deep sea trench. Most of the issues identified in the report presumably result from issues further upstream, and additional contributory factors and decisions that were not explored, or not reported anyway. I wish the investigator/s had continued probing instead of moving on to other issues after each revelation ... but it is what it is.

Aside from the obvious value of this report to the navy, it has much wider application, raising awkward questions for all organizations such as:

  • Does our corporate culture enable and support dissent, giving people legitimate opportunities to speak up about issues and concerns, knowing that they will be investigated and taken seriously? Or do we deliberately or inadvertently stifle bad news and (inappropriately) 'refuse to take no for an answer'?
  • Do our people have the wherewithal to spot and report issues and concerns? Is it expected of us all, in fact? Are we encouraged and motivated, as well as enabled, to speak up?
  • Does our command structure clearly allocate responsibilities and accountabilities, to people who are in fact fully competent to fulfil their obligations even under especially challenging and stressful situations such as serious incidents or inappropriate/dangerous commands? 
  • Are our policies, procedures, training courses and exercises sufficiently clear and effective in preparing people for all the situations we may face, including special arrangements for high-risk and novel situations? Do we remember and follow our training, in fact? Are we even checking that?
  • Do we identify and manage information risks properly, with the appropriate early-warning and response mechanisms in place to escalate matters if risks are becoming unacceptable, and to strengthen and monitor key controls?
  • Do our networks, IT systems and associated processes adequately facilitate effective, timely communications, even when under intense pressure? Are they reliable and resilient, for sure? Do they enable critical messages to be prioritized and monitored (e.g. mechanisms to ensure that they are delivered, received, acted upon and closed off, rather than being ignored, with fall-back mechanisms such as out-of-band messaging)?
  • Do we have the right governance arrangements and capabilities to investigate and learn from incidents, squeezing every drop of value from situations that those involved might wish were swept under the carpet?

At least those are my take-aways. What about you? What do you think?


Aug 19, 2016

Have fun learning

The simple structure of the NoticeBored quiz belies its effectiveness as a security awareness mechanism: in the right setting with a good facilitator and (most of all) a group of willing, cheerful, fun-loving participants who are up for a laugh, the quiz can be a supremely memorable and effective learning experience.  

In awareness terms, that’s a remarkably powerful outcome.  

Really, a 'supremely memorable and effective learning experience'? That's no idle claim. This is not an empty marketing piece. Trust me, I know what I'm saying.

Every month as part of the module, we deliver to NoticeBored subscribers an awareness quiz supporting the month's information security topic ... but it's probably not what you have in mind. A conventional quiz would be a set of factual questions with the corresponding answers, the sort of thing that some mind-numbingly banal TV presenter/celebrity might try to flog into life with a bit of (fake) drama and (pumped-up) audience participation.

We deliberately avoid that approach. For us, the quiz is not merely an exercise in factual recall, not even when surrounded by the glitter and razzmatazz of a prime-time TV game show. We don't particularly care how much participants knew before attending the quiz night. We aren't terribly interested in who the winners and losers are: points mean prizes, maybe, but that's not the goal. Wherever they start out from, we want everyone to go home with more knowledge and understanding than they had when they arrived. 

We care passionately about them learning.

Our approach, therefore, is to focus more on promoting and facilitating group dynamics in the social situation than on the specific learning points. My mention of 'quiz night' was a massive clue. If people enjoy themselves, have a good time and (incidentally) learn stuff, they will come back for more ... and learn more in the process.

This is the adult education equivalent of the after-school club that many of us experienced as teens. Speaking personally, I had a great time learning about electronics and radio at the club, way beyond what I would ever have picked up from the textbooks and staged experiments that filled the physics lessons. "Mister Cluer" (as he was known by day) or "Graeme" (at the club) gave us just the right mix of encouragement and freedom to explore our horizons and develop our interests - essentially teaching ourselves - a learning experience that has literally stayed with me for life.

I invested my afternoon today developing a quiz for September's 'communications security' awareness topic. I hope it pays off big time for our subscribers. I must say, I wish I could be there to join in!


Aug 16, 2016

Sony still paying for the hack

The hack just under two years ago is still costing Sony money.

An article in the Hollywood Reporter notes that Sony has paid $millions already:
"After the hack, Sony has faced several lawsuits over failure to safeguard private data and most notably settled a class action from former employees in a deal worth somewhere between $5.5 million to $8 million."
That is on top of the substantial costs directly incurred in or caused by the incident, including the loss of business, inability for Sony Pictures Entertainment to operate for several weeks, penalties from the authorities due to its problems filing financial results on time, and of course the incident investigation and actions arising, clearing-up the mess.

Possibility Pictures is now claiming compensation for the loss of revenue on one of its films that Sony was supposed to be distributing. "To Write Love on Her Arms" was one of five films stolen in the hack and released onto the Internet as part of the incident. Possibility Pictures claims that Sony breached its obligation under an anti-piracy clause in their agreement due to the "entirely foreseeable and avoidable failure of internal security".

'Entirely foreseeable' is an interesting turn of phrase. It's not too hard for Sony to figure out what went wrong with the benefit of 20/20 hindsight, after the fact, but to claim that it was 'entirely foreseeable' implies that Sony should have seen it coming before the fact. It seems to me this was an audacious hack, unique in terms of its scale and the media coverage, so is it reasonable to expect Sony to have foreseen it? I guess that is one of many questions that will be argued out in court (if it gets that far). It's a fascinating example of information risk management.


Aug 2, 2016

Another dubious survey

According to a Vanson Bourne survey conducted for McAfee (now part of Intel Security), specialist "cybersecurity"* professionals are in high demand.

No surprise there.

The report reveals that respondents feel their governments are not doing enough to close the skills gap:
"Respondents in all countries surveyed said cybersecurity education was deficient. Eighty-two percent of respondents report a shortage of cybersecurity skills. More than three out of four (76%) respondents believe their government is not investing enough in cybersecurity talent. "
No surprise there either. 

Apparently the shortage is worse in 'high-value skills' (isn't that simply the result of supply and demand - a shortage of supply increases the price people are willing to pay?) and is worse in cybersecurity than in 'other IT professions' (implying that the report's authors consider cybersecurity to be an IT profession):
"High-value skills are in critically short supply, the most scarce being intrusion detection, secure software development, and attack mitigation. These skills are in greater demand than soft skills in communication and collaboration. A majority of respondents (53%) said that the cybersecurity skills shortage is worse than talent deficits in other IT professions." 
Hmmm: on that last point, 53% is barely above 50%, a difference of 3 percentage points that looks to me as if it might fall within the margin of error for this kind of survey. In the same vein, did you spot that comment above about 76% being "more than three out of four"? Unfortunately, the report doesn't state the margin of error, and in fact gives barely enough information about the 'materials and methods' to determine whether the results have any scientific value at all. Tucked away in a sidebar towards the end, the small print reads:
"Intel Security commissioned independent technology market research specialist Vanson Bourne to undertake the research upon which this report is based. A total of 775 IT decision makers who are involved in cybersecurity within their organization were interviewed in May 2016 across the US (200), the UK (100), France (100), Germany (100), Australia (75), Japan (75), Mexico (75) and Israel (50). The respondents were from organizations with at least 500 employees, and came from within both public and private sectors. Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates had the opportunity to participate."  
OK so the survey involved a stratified/selected sample of 775 "IT decision makers who are involved in cybersecurity", again indicating a bias towards IT. The fact that Vanson Bourne describes itself as an "independent technology market research specialist", while McAfee/Intel is an IT company, is a further hint.

Aside from the bald assertion, we are told nothing more about that "rigorous multi-level screening process to ensure that only suitable candidates had the opportunity to participate". On what basis were candidates deemed "suitable" or "unsuitable"? Who decided? At what point was this determination made: before they were surveyed, during the process or afterwards (perhaps according to their responses to some qualification questions)? I can barely guess what a "rigorous multi-level screening process" might be: possibly just a few simple filters (e.g. country, job title and organization size) on Vanson Bourne's database of tame respondents (which, if true, suggests yet another source of potentially significant bias: this was not a random sample). 

I have to ask: why did respondents respond? What incentives were offered? Yep, another possible bias, especially if they were required to answer certain questions in a certain way to qualify for the incentives. 

We are also told next to nothing about the survey method, other than that it was "online" (implying a web-based survey). In particular, we aren't told how the questions were framed and phrased, nor even how the online survey question and response process was designed. I guess it was probably a simple multiple-choice survey in which respondents are required to select a single option from the handful of choices on offer: such surveys are quick, easy and cheap to construct, perform and analyse ... but there are all sorts of potential sources of bias in there. For starters, the title of the survey immediately sets a frame of reference for potential respondents. I would be surprised if the survey was not introduced to potential respondents as something along the lines of "cybersecurity skills survey", perhaps even "cybersecurity skills shortage survey" or possibly "Hacking the Skills Shortage: A study of the international shortage in cybersecurity skills" (the title of the issued report). 

Secondly, the specific wording of the question stems and answers is important, plus the number of options offered and the possibility of respondents selecting multiple or zero answers, or indicating a preference for certain answers over others, or writing in their own preferred answers. Consider the obvious difference between, for example, "Do you consider cybersecurity education to be deficient?" and "Do you consider cybersecurity education to be sufficient?". While they amount to the same thing, there are distinctly different implications in each case. There is no end of possibilities for phrasing survey questions and answers, many far more subtle than my example. Even the specific order and number of both questions and answers can affect the outcome.

And then there are the questions that may have been asked and responded-to but the data were later discarded for some more or less legitimate reason. The authors could easily have come clean on that.  "The survey asked the following 25 questions ..." would have made a worthwhile annex to the report, along with the rationale for disregarding any of them e.g. legitimate concerns about the construction of the questions, ambiguity in the wording etc.

Oh yes, then there's the statistics - the analysis that generated the reported results, and the raw data that were analyzed. Aside from chucking in the odd term such as median, the report gives little indication of any statistical analysis. The more cynical of us may see that as a plus-point, but from a scientific perspective, sound statistical analysis can add value by drawing out the information and meaning lurking in any data set - like for instance whether 53% is or is not a statistically significant difference from 50% in the example I quoted earlier.
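To put numbers on the two points raised above (whether 53% is distinguishable from 50%, and whether 76% is meaningfully "more than three out of four"), here is an added worked example. It is not from the original post nor from the McAfee/Vanson Bourne report; it uses only the figures the report states (775 respondents, 53%, 76%) and applies a textbook normal-approximation confidence interval and one-sample z-test, which are this example's own choices, at an assumed 95% confidence level.

```python
"""Normal-approximation sanity check for survey percentages.

Added worked example, not part of the original post or the McAfee/Vanson
Bourne report. It assumes only the figures the report itself states:
n = 775 respondents, 53% 'worse than other IT professions', 76% 'government
not investing enough'. The 95% confidence level, the simple Wald interval
and the one-sample z-test are this example's own choices.
"""
import math

N_RESPONDENTS = 775  # sample size quoted in the report's methodology sidebar
Z_95 = 1.959964      # two-sided 95% critical value of the standard normal


def standard_error(p: float, n: int) -> float:
    """Standard error of a sample proportion p observed among n respondents."""
    return math.sqrt(p * (1.0 - p) / n)


def margin_of_error(p: float, n: int, z: float = Z_95) -> float:
    """Half-width of the (Wald) confidence interval around p."""
    return z * standard_error(p, n)


def confidence_interval(p: float, n: int, z: float = Z_95) -> tuple:
    """(lower, upper) bounds for the true proportion, normal approximation."""
    moe = margin_of_error(p, n, z)
    return (max(0.0, p - moe), min(1.0, p + moe))


def two_sided_p_value(p_hat: float, p0: float, n: int) -> float:
    """One-sample z-test: probability of a sample proportion at least as far
    from p0 as p_hat, if the true proportion were exactly p0. The standard
    error is computed under that null hypothesis, as the test requires."""
    z = (p_hat - p0) / standard_error(p0, n)
    return math.erfc(abs(z) / math.sqrt(2.0))


def differs_from(p_hat: float, p0: float, n: int, alpha: float = 0.05) -> bool:
    """True when p_hat is statistically distinguishable from p0 at level alpha."""
    return two_sided_p_value(p_hat, p0, n) < alpha


def summarise(label: str, p_hat: float, p0: float, n: int) -> str:
    """One-line verdict for a headline percentage against a reference value."""
    lo, hi = confidence_interval(p_hat, n)
    verdict = "distinguishable" if differs_from(p_hat, p0, n) else "NOT distinguishable"
    return (f"{label}: {p_hat:.0%} of n={n}, 95% CI {lo:.1%} to {hi:.1%}, "
            f"p={two_sided_p_value(p_hat, p0, n):.3f} vs {p0:.0%}: {verdict}")


if __name__ == "__main__":
    # The two headline figures discussed in the post.
    print(summarise("shortage worse than other IT professions", 0.53, 0.50, N_RESPONDENTS))
    print(summarise("government not investing enough", 0.76, 0.75, N_RESPONDENTS))
```

With n = 775 the 95% interval around 53% runs from roughly 49.5% to 56.5%, so it straddles 50%, and 76% is likewise indistinguishable from "three out of four". Note that these intervals assume a simple random sample; since the respondents were screened from a research panel rather than drawn at random, sampling error is a floor on the real uncertainty, not a ceiling.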

OK, enough already. The take home lesson from this survey, as with so many other marketing-led efforts of this nature, is that the report needs to be read and interpreted carefully, and largely discounted due to the inherent bias and uncertainty. I am repeatedly disappointed that such supposedly professional survey organizations seldom make much of an effort to explain their methods or convince us that the results are valid, beyond chucking in a few vague indications as to sample size. It's an integrity issue, and yes I realise he who pays the piper calls the tune so as far as I'm concerned both Vanson Bourne and McAfee/Intel Security join companies such as Ponemon on the 'dubious value' pile, at least for now. They can always change their ways with the next survey report ... but I'm not holding my breath.

Gary (Gary@isect.com)

They never do explain exactly what they mean by "cybersecurity". Presumably the respondents each interpreted it in their own way too.

Jul 30, 2016

Security awareness lessons from Pokemon

August's security awareness topic for NoticeBored subscribers is "pocket ICT security", referring to the information risks associated with portable Information and Communications Technology devices: the smartphones, laptops, tablets, USB sticks, wearables and other high-tech stuff we carry about our person.

Risks such as walking into the road and being hit by a car.

Yes, seriously. 

It is both on-topic and highly topical in the case of Pokemon Go players, young and old, being so focused on the virtual world on the smartphone screen that they neglect the real world hazards around them. The lucky ones are spotted and avoided by alert drivers. The unlucky ones are injured, perhaps even mown down by a vehicle driven by a similarly distracted driver.

Distraction is the more general information risk, a modern-day affliction. The more portable ICT we use, the more distracted we become. Wearables are the latest trend, long predicted but curiously slow to take off, perhaps because of the distraction factor? Or is it just that the Killer App has yet to appear?

August's NoticeBored module delivers another 200 MB of fresh awareness content, almost all of it researched and prepared within the past few weeks:
  • A train-the-trainer guide with creative advice on making good use of the materials;
  • A newsletter, using recent news clippings to illustrate the risks;
  • Three awareness seminar slide decks (one each for staff, managers and professionals), mostly graphical with few words on the slides and detailed speaker notes;
  • Six high-resolution awareness posters and six diagrams (mind maps and example metrics) suitable for professional printing, or to incorporate into other materials;
  • Three security policies and a procedure;
  • Several awareness briefings explaining things that are relevant to and hopefully resonate with the intended audiences;
  • A security metrics paper proposing and discussing several metrics relating to portable ICT - useful whether you want to prove that everything is under control or to identify and justify systematic security improvements;
  • An FAQ, word-search challenge, awareness survey, quiz and case study supporting the learning process and awareness program;
  • A comprehensive hyperlinked glossary of information risk and security terms, highlighting those that are especially pertinent to pocket ICT;
  • An ICQ (Internal Controls Questionnaire) with which to review or audit the organization’s risks and controls in this area.

NoticeBored materials are mostly plain MS Office files, supplied camera-ready but unlocked (no Digital Rights Management, DRM), making it simple for subscribers to tweak or customize them ... in fact we actively encourage them to adapt the materials to their specific requirements. That might be as straightforward as selecting a few bits-n-pieces, replacing the NoticeBored logo with their own security awareness branding and updating the 'contact us for more info' details in each of the materials, or it could involve more substantial changes (e.g. if BYOD is totally forbidden, rather than being authorized by management as appropriate). 

Either way, it's much easier and cheaper just to adapt the NoticeBored content than to research, prepare, proof-read and finalize everything from scratch, assuming a suitable technical author is immediately to hand - someone who has the qualifications, experience, competence, creativity and track record in security awareness. Good luck finding someone suitable and willing to step into that role for anything remotely approaching the cost of a NoticeBored subscription. Industry surveys tell us the information security jobs market is heating up rapidly as demand outstrips supply. One year's salary for an infosec awareness professional would buy the average organization a NoticeBored subscription for decades, literally.

Gary (Gary@isect.com)

Jul 25, 2016

ISO27k standards status update

I spent my weekend catching up with a backlog of ISO/IEC JTC1/SC 27 emails, updating ISO27001security.com to reflect my personal understanding of the current status on all the ISO27k standards. 

A few items of note: 
  1. Terminology continues to be a problem for the committee. ISO/IEC 27000 isn’t working out very well. Although there are obvious advantages in everyone agreeing on the terms and definitions, it causes dependencies between standards projects. There are lingering disagreements over the meanings of terms such as ‘information asset’ and ‘cyber’ (currently undefined), and bureaucratic delays in publishing the free version of the standard. The standard might become an online glossary but whether that will help or hinder is uncertain. [The current online glossaries are not exactly paragons of web design and functionality – take a look at the ISO Online Browsing Platform (OBP) and/or the IEC’s equivalent International Electrotechnical Vocabulary (IEV, a.k.a. Electropedia) and see what you think.]
  2. The updated versions of ISO/IEC 27003 (ISMS implementation guide) and ISO/IEC 27004 (metrics) are nearing release, possibly before 2017. Both are (in my opinion) huge improvements over the current versions, recommended reading for everyone on this Forum when they are released.
  3. The project to update ISO/IEC 27005 ('information security risk management'*) has been canned. It was a victim of its own success in that lots of creative changes were proposed, derailing the project from its core objective to update the standard to reflect the 2013 versions of ISO/IEC 27001 and ISO/IEC 27002. It ran out of time on the ISO-imposed project timescale. The update project should be restarted with a more tightly-defined scope, meaning that those ‘creative changes’ may be held over to a subsequent version, or might possibly surface in other ISO27k standards.
  4. Within ISO27k, several cloud security and eForensics standards are nearing completion, plus others on application security and incident management. The committee is as busy as ever, especially given that ISO27k is only about half of its remit (there is a parallel programme of identity management, privacy and other IT security standards). There are lots of liaisons, too, coordinating things with other ISO committees, industry bodies and specialist groups. 
This is all ‘unofficial’ info: if that matters to you, please check with ISO/IEC or your national standards body for the ‘official’ version, without my errors, cynicism and bias. And please put me right if I am wrong or off-base. I’d welcome other perspectives. Please join the free ISO27k Forum to discuss this further with more than 3,000 other fans of the ISO27k standards.

Gary (Gary@isect.com)

* It's really about the management of 'information risk' but that term is not yet used within ISO27k, unfortunately. I'm working on it.

Jul 22, 2016

Micro vs. macro metrics

Whereas "micro metrics" focus-in on detailed parts, components or elements of something, "macro metrics" pan out to give a broad perspective on the entirety. 

Both types of metric have their uses.

Micro metrics support low-level operational management decisions. Time-sheets, for example, are micro metrics recording the time spent on various activities, generating reports that break down the hours or days spent on different tasks during the period. This information can be used to account for or reallocate resources within a team or department or identify. Normally, though, its true purpose is to remind employees that they are being paid for the hours they work, or as a basis on which to charge clients. 

Macro metrics, in contrast, support strategic big-picture management decisions. They enable management to "see how things are going", make course-corrections and change speed where appropriate. The metric "security maturity", for example, has implications for senior managers that are lost on lower levels of the organization. I have a soft spot for maturity metrics: they score strongly on the PRAGMATIC criteria, enabling us to measure complex, subjective issues in a reasonably objective and straightforward fashion.

The sausage-machine metrics churned out automatically by firewalls, enterprise antivirus systems, vulnerability scanners and so forth are almost entirely micro metrics, intensely focused on very specific and usually technical details. There are vast oceans of security-related data. Lack of data is not a problem with micro metrics - quite the opposite.

Some security professionals are 'boiling the ocean' using big data analytics tools in an attempt to glean useful information from micro metrics but a key problem remains. When they poke around in the condensate, they don't really know what they're looking for. The tendency is to get completely lost in the sea of data, constantly distracted by shiny things and obsessing about the data or the analysis ... rather than the information, knowledge, insight and wisdom that they probably should have gone looking for in the first place.

It's like someone stumbling around aimlessly in the dark, hoping to bump into a torch!

Just as bad, when a respected/trusted metrics "expert" discovers a nugget and announces to the world "Hey look, something shiny!", many onlookers trust the finder and assume therefore that the metric must be Good, without necessarily considering whether it even makes sense to their organization, its business situation, its state of maturity, its risks and challenges and so forth ... hence they are distracted once more. As if that's not enough, when others chime in with "Hey look, I've polished it! It's even shinier!", the distractions multiply. 

The bottom-up approach is predicated on and perpetuates the myth of Universal Security Metrics - a set of metrics that are somehow inherently good, generally applicable and would be considered good practice. "So, what should we be measuring in security?" is a very common naive question. Occasionally we see various well-meaning people (yes, including me) extolling the virtues of specific metrics, our pet metrics (maturity metrics in my case). We wax lyrical about the beauty of our pet metrics, holding them up to the light to point out how much they gleam and glint.

What we almost never do is explain, in any real detail, how our pet metrics help organizations achieve their objectives. We may describe how the metrics are useful for security management, or how they address risk or compliance or whatever, but we almost invariably run out of steam well before discussing how they drive the organization towards achieving its business objectives, except for a bit of vague hand-waving, cloud-like. 

By their very nature, it is even harder to see how micro metrics relate to the organization's business objectives. They are deep down in the weeds. Macro metrics may be up at the forest canopy level but even they are generally concerned with a specific area of concern - information security in my case - rather than with the business.

I guess that's why I like the Goal-Question-Metric approach so much. Being explicit about the organization's goals, its business and other high-level objectives (e.g. ethical or social responsibility and environmental protection), leads naturally into designing macro metrics with a clear business focus or purpose.

Kind regards,

Jul 20, 2016

In the full glare

Here's a neat illustration of the challenges facing those protecting critical national infrastructures.

Take a look at this map of the UK's fuel pipelines - a massive mesh of pipes criss-crossing the country, linking refineries and fuel stores with power stations and airports. Many of the pipes are buried, carrying large volumes of volatile and energetic fuel under substantial pressure for hundreds of miles across open country, along roads, over canals and under cities, hence the need for the map, the website and the organization behind it: trust me, you don't want people accidentally digging them up, or driving piles through them. For health and safety reasons, let alone the risk of serious economic and physical fallout, people driving big yellow mechanical diggers and pile-drivers need to know if they are within striking range of the pipes. Planners, architects and builders need to know where they lie, plus the operators who use and maintain them, oh and the emergency services just in case.

Now imagine you've been tasked with protecting those same pipes against deliberate attacks by, well, anyone with a big yellow digger and a grudge for starters. The list of potential adversaries and their possible reasons is long and changeable. Some of them have serious resources and capabilities behind them, and no particular rush.

The reality of protecting critical infrastructures is rather different than the Popular Mechanics perspective.

Gary (Gary@isect.com)

Jul 15, 2016

ISO/IEC 27000:2016 available for FREE download

Title page of ISO/IEC 27000:2016

Like its predecessors, the 2016 fourth edition of ISO/IEC 27000 has been released for FREE. It can be downloaded in both English and French.

Whereas I regret to say that ISO/IEC charges for most of the ISO27k standards, ISO/IEC 27000 is FREE in order both to spread a common understanding of information security terms, and to outline the whole family of ISO27k standards. This is not some ripped-off, pirated version but a legitimate publication by ISO/IEC.

The definitions in ISO/IEC 27000 apply throughout the ISO27k standards except where terms are explicitly redefined in the individual standards: generally those explicit redefinitions are refinements in the specific context of a single standard, or variations required to align with ISO standards outside the ISO27k family. 

A few of the official definitions are rather curious and narrow - for instance I believe the definition of 'integrity' as 'property of accuracy and completeness' is referring to data and system or process integrity, but not personal integrity - which is, for sure, a core concern in relation to information risk and security, for instance in fraud and insider threats. Integrity is also about trustworthiness, grit, honesty and ethics.

A few definitions are grammatically weak, and perhaps technically wrong - for instance 'authenticity' is defined as 'property that an entity is what it claims to be' whereas a fake (unauthentic) Gucci handbag doesn't "claim" anything: it is just a fake handbag. The people who made and/or sell it claim (falsely assert) that it is Gucci, but the handbag itself is merely a branded inert object, incapable of making claims as such. This is a classic example of where a conventional dictionary does a better job than ISO/IEC 27000, for such commonplace terms anyway. The editors of ISO/IEC 27000 really ought to go through the glossary, pulling out such everyday terms (and citing a suitable dictionary), leaving behind only the specialist 'terms of art', most of which I suspect will be multi-word terms or phrases.

Some important terms (such as 'information asset') are undefined, largely I suspect because the committee cannot agree on the definitions, but possibly because someone has decided that the dictionary will suffice. 'Information security risk' is another undefined and strange term, common throughout the ISO27k standards. I hope it will eventually be replaced by the much more intuitive and sensible term 'information risk' with a suitable, straightforward definition, something along the lines of 'risk involving or relating to information'.

Whereas neither 'information security risk' nor 'information risk' is defined as a phrase, 'information security' and 'risk' are defined separately, along with 'information security event', 'information security incident', 'information security incident management' - oh and 'information security continuity' which apparently means the processes and procedures (both, you understand: don't go thinking one or the other is enough) ensuring the continuance of information security operations (which - yes, you guessed it - remains undefined).

Overall, though, while we (well OK, I) may bicker about specific issues, gaps and inconsistencies, it is a Good Thing that terms are consistently and formally defined. And, hey, at least it's FREE!


PS: One other ISO27k standard is also free, namely ISO/IEC 27036-1 on information security in supplier relationships (including cloud security, sort of).