Welcome to NBlog, the NoticeBored blog

I spy with my beady eye ...

Jul 10, 2020

NBlog July 11 - the small but perfectly formed ISMS


Consulting for small organisations lately to design and implement their ISO/IEC 27001 Information Security Management Systems, resourcing constraints often come to light, particularly the lack of information security expertise and knowledge in-house. I have previously taken this to indicate lack of understanding, support and commitment from senior management, insufficient priority relative to all the other important stuff going on, hence my abiding interest in elaborating on the business case for investing in information risk and security management. Currently, though, I’m gaining a new-found appreciation of the realities of running a small business where even IT may be done on a shoestring, leaving information security way out on a limb.

With barely enough cash-flow to sustain the business during COVID-19 and the obvious need to focus on core business activities, it’s no surprise if ISO27k implementation and certification projects take a back seat for now. That delaying tactic, however, leaves the business more exposed meanwhile, increasing the probability and impacts of incidents that should have been avoided, prevented or mitigated. It can lead to missed business opportunities and customer defections as they turn to certified competitors rather than waiting for the assurance an ISO/IEC 27001 compliance certificate would bring. It reduces trust and devalues brands. All in all, it’s a risky approach.

Putting the ISMS implementation on hold is not the only option, however. With some creative thinking, it is possible to keep the project moving along, albeit at a slower pace:
  • A bare-bones minimalist ISMS, barely adequate to satisfy the standard’s mandatory requirements, may not deliver all the business benefits of good practice information risk and security management ... but it is both certifiable and better than nothing. A small but perfectly formed ISMS demonstrates the organisation’s genuine commitment to information risk and security management, gaining the assurance value of the certificate to third parties without the investment necessary for a full-blown ISMS. Furthermore it is a perfectly valid and sensible starting point, a platform or basis from which to mature the organization’s information risk and security management practices as and when it proves its value. It's a pragmatic approach. Being a pragmatist, I like that.
  • Partnering with consultants reduces the pressure on employees, demonstrates management’s support (more than just the intention to resume the ISMS project ‘at some point’), and keeps up the momentum. Based on our practical experience and knowledge of the standards, we can generally help clients navigate the process by the shortest and most direct route, perhaps making small diversions only where it makes business sense. Speaking for myself, I’m happy to regulate my involvement according to the client’s wishes, matching their pace with mine. Having a portfolio of clients and interests on the go lets me juggle priorities, complete fill-in jobs and manage my workload (within reason! I’m merely-human, not super-human!).
  • Even if the ISMS project itself is parked, there are still things that can be done, seizing opportunities that arise elsewhere to remove roadblocks or put in place building blocks to help jump-start the project at some future point. For example, since information risk is the main driver for ISO27k, it is possible to weave a subtle but consistent emphasis on risks into routine business activities, business meetings, policies and so on. Quietly gathering details of incidents, risks, controls, compliance obligations, assurance needs etc. can be done as a background activity, preparing for the fateful day when the parking brake is released.
One of my fill-in jobs has been to prepare and release SecAware Launchpad - a coherent suite of essential template materials for those minimalist ISO27k ISMSs I mentioned. When pared-down to the bones, there’s not a vast amount of mandatory documentation for ISO/IEC 27001 certification, hence Launchpad is lightweight and cheap (a bargain at just $99, for now anyway!). I almost completely resisted the temptation to provide additional bonus content, incorporating just a few brief notes of explanation here and there where the standard itself isn’t clear.

My next fill-in job is to package-up more of that supplementary content as an optional extra add-on for organisations that need more guidance and want to build a more complete, functional and valuable ISMS. We have gigs of material already prepared through the NoticeBored service plus the experience of using the ISO27k standards since before they became ISO27k, so it’s mostly a case of deciding what is necessary, looking for it and then adapting and rebranding it into another SecAware ISMS support package. I'll announce the new package here and of course on SecAware.com when it is released.

Jul 9, 2020

NBlog July 9 - the day the Earth stopped spinning

Here's something we don't see very often, well for no more than a fraction of a second, normally, discreetly tucked away at the bottom left corner of the browser window.


Today was different. Today the message was there long enough for me to grab that little screen shot.

Meanwhile, I had to wait
s e v e r a l
l   o   n   g
m i n u t e s

for the Google search results to appear.  

Minutes I tell you, minutes! Several of them! Shock! Horror! 

My little world stood still for a moment, my online life on hold.

In an instant, I realised that not only have we grown accustomed to near instantaneous access to Google's gigantic Web catalogue, but that I am actually quite dependent on it. I do sometimes use other search engines but I always scurry back to Google because it works well, almost always. The only reason I am bloggering on about it here is that a Google service failing is so unusual, exceptional in fact. Almost unheard of.  

The technology to achieve that outstanding level of service in terms of capacity, performance and reliability is awesome in both scale and cost, and yet most Google services appear free to use (well OK, they're not really free: we provide our search terms and a fair amount of personal information in return, plus Google's commercial services are charged at commercial rates. But at least we can opt out if we choose). 

It appeared the problem wasn't in our "broad"band, as is so often the case down here in rural NZ. Other websites carried on working, including Blogger (now a Google service), allowing me to start writing this piece. The outage appeared to be limited to Google's search engine.

Beyond that superficial observation, I have no idea what actually happened. Was it maybe a break in the Internet pipes - a literal break due to some oik wielding a back hoe, a trawler snagging an undersea cable, a nasteriod smashing into a comms satellite, or a virtual break due to misrouting? Did a Google server, rack or datacentre drop offline for some reason - maybe a power cut, fire or flood somewhere? Was it a wayward comma in a scripted automatic update, or an operator accidentally leaning an elbow on a keyboard? Was it a cyber attack? A bug? A design flaw? An overheated CPU shutting itself down? A test?

As I say, no idea.

As of now it appears to be working normally. I can't tell at this point whether Google search is in a recovery mode, having automatically detected the break in service and failed over to some other server somewhere. Such is the beauty of the Web: I don't need to know where the services are provided from. I don't even need to know the IP addresses of the web servers. I simply type my search phrase into the Google.com search form, and off it goes like a diligent, super-efficient librarian.

Yes I have my tongue firmly in-cheek but this failure was unusual enough to make me ponder cyber-resilience and recovery. If an outage of a single Web service for several minutes is noteworthy, what does that say about our dependence on the Web as a whole? What if the Web stops working one da

Jul 6, 2020

NBlog July 6 - of APTs and RPTs



Do you recall when APTs were A Thing? Advanced Persistent Threats were exemplified by Stuxnet, a species of malware that was stealthy enough to penetrate the defences of an Iranian uranium enrichment plant ten years ago, persistent enough to undermine numerous layers of control, and sophisticated enough to over-speed and wreck the centrifuges without alerting the plant operators until the damage was done.  

We seldom hear of weapons-grade APTs these days, suggesting they are no longer newsworthy or effective. Maybe they have gone the way of the trebuchet or musket ... but I believe it's much more likely that APTs have become even more sophisticated, stealthier and more damaging now than ever before, especially given the ascendance of IoT, IIoT and 'cyber-physical systems'. Now, Things are A Thing.

Meanwhile, we are constantly assaulted by ordinary, conventional, old-school malware - Retarded Persistent Threats as it were.

In contrast to APTs, RPTs are relatively crude and commonplace - more blunderbuss than sniper's rifle but every bit as devastating at close range. Despite becoming increasingly sophisticated and capable, they are presumably well behind APTs, especially given governmental investments in cyber capabilities as part of national defence spending.

RPTs 'persist' in the sense that they steadfastly refuse to go away. Bog-standard malware has dogged computer systems, networks and users since the 1980s. It has grown in prevalence at least as fast as IT, and in some ways it has driven advances in IT. The few percent of system resources needed to run today's antivirus packages and firewalls would surely have brought systems from previous decades to their little silicon knees.

Whereas most RPT incidents are, well, incidental in relation to our global society, they threaten the very large number of vulnerable systems, individuals and organisations out there. It has become painfully obvious during COVID-19 that vanishingly few organisations stand alone, immune to the global repercussions. We are all entangled in, and highly dependent upon, a global mesh of information, goods and services. Just as a single COVID case causes knock-on effects, an RPT incident creates ripples.

We're lucky that, so far, neither real-world nor cyber-world viruses have tipped us over the edge, triggering the zombie apocalypse that preppers fear. With their additional stealth and firepower, APTs may one day push things a byte too far - and then what? Perhaps those preppers aren't so loco as they may seem. Perhaps it's not such a crazy idea to build and secure our virtual bunkers to protect the information we'll need when zombies emerge from the forest. I guess I should carve this blog piece onto a rock, an information archival medium proven to last thousands of years. I wonder if these strange hieroglyphics will mean anything when the rock is dug up? 

Come to that, I wonder if they mean anything now! Are these merely the incoherent ramblings of a paranoid infosec geek, or have I struck a chord? Comments are welcome. Chisel away.

Jul 2, 2020

NBlog July 1 - SecAware ISMS LaunchPad

We have just released ISMS Launchpad, a suite of mandatory ISO27k materials - templates for each of the documents required for organisations to be certified compliant with ISO/IEC 27001:2013.

The idea is to get you past the initial staring-blankly-at-a-blank-page stage, trying to figure out what the standard really means by "Statement of Applicability", "ISMS Scope" or whatever.

We know how daunting this can be, especially for small companies that want or need to implement the ISO27k standards but lack the resources and expertise. We appreciate that it is tricky to interpret the wording of the standards and come up with documentation that will satisfy the certification auditors' expectations. 

With nobody to turn to except Alexa and maybe the ISO27k Forum, it's hard to navigate the ISO27k universe unaided.

So, this is what we set out to provide:
  1. All the mandatory docs as specified in the main body of '27001 and required of all organisations seeking certification, even those that choose not to adopt any of the Annex A controls (yes, it can be done!).
  2. Workable, realistic, pragmatic templates. We have interpreted the standard strictly, going just a little beyond the absolute bare minimum only where it makes good sense.
  3. A completely generic approach - a starting point for any organisation. Aside from the obvious differences in, say, size/complexity and industry, we appreciate that organisations vary in their information risks (e.g. contrast a SaaS cloud service provider against its customers).  
  4. A simple, solid, stable starting point. As the name suggests, Launchpad is a sound basis, a platform to build upon, regardless of where you expect to end up. Even large, complex organisations are well advised to avoid over-complicating things: the ultimate aim of the ISMS is to enable the organisation to achieve its business objectives through cost-effective information security management. Please don't construct a paper tiger!
  5. Top-quality content, naturally. We've been doing this stuff professionally for a long time, since way back when BS 7799 was conceived. 
  6. Excellent value for money. We firmly believe that cost should not be a barrier to adoption of the ISO27k standards ... so we've priced Launchpad very competitively*. 
You'll find file listings, descriptions and of course the price on the SecAware website.

By all means email me for further information. Launchpad is a platform for us too: we'd love to help you design and launch a stellar ISO27k ISMS, so let's talk!

* If you have already forked-out for an "ISO27001 toolkit" only to find it is not quite what you needed, all is not lost. Launchpad can plug the gaps and replace the bits that fell off. 

Jun 26, 2020

NBlog June 26 - things an ISO27k SoA doesn't say

According to ISO/IEC 27001:2013, organisations are supposed to consider all the information security controls outlined in Annex A, confirming that they have done so by preparing a Statement of Applicability "that contains the necessary controls .... and justification for inclusions, [states] whether they are implemented or not, and [gives] the justification for exclusions of controls from Annex A".

That ineptly-worded requirement in a poorly-constructed and in fact self-contradictory clause of the standard is generally interpreted, in practice, in the form of an SoA table with a row for every Annex A control* and columns for applicability, justifications and implementation status of each control*.

Three exclusive states are generally used.  Each control* is either:
  1. Applicable and implemented; or
  2. Applicable but not implemented; or
  3. Not applicable.
... implying a simple decision tree with just two binary questions:  
  • First, is the control* applicable (yes or no)?
  • If the control* is applicable, is it implemented (yes or no)?
Hmmmm, that's all very well in theory but here are some of the options I've heard as an auditor, or thought if not expressed as an auditee:
  • Applicable under some circumstances – the control applies in specific situations only and is not generally applicable
  • Partially applicable – the control is not enough to mitigate the risk and needs to be modified and/or complemented by other controls; as described, it’s not really what we want to do
  • Applicable and partially implemented – we did this at least once
  • Applicable and allegedly implemented – someone claims to have done this at least once
  • Applicable and apparently implemented - someone genuinely but naively and perhaps inadvisedly believes they have truly nailed this one
  • Implemented but inapplicable – to pacify our auditors, we “just did it” ... even though, deep down, we regret doing it at all and suspect we should really have done something else anyway
  • Implemented for some obscure reason - someone evidently decided this would be a great idea and did it, but we’ve forgotten why or who … and now we’re afraid to turn it off
  • It’s not that simple – I challenge your right to demand such a crude response to such a complex issue
  • Go away - what gives you the nerve to meddle in my stuff?  Anyway, this is secret and you are not cleared
  • You wouldn’t understand – even if I say it in words of one syl-a-bub
  • Applicable, necessary and valid but … pull up a comfy chair, we have a litany of excuses to justify not making what a reasonable person would accept is actual progress on this
  • Implementation is intended – yes, we probably ought to do this, in a perfect world this would be jolly useful
  • Implementation is planned – someone has vaguely proposed some sort of timescale for doing this, although they are dreamin’
  • Implementation is planned and approved – management does not entirely disagree with the planned work, in principle at least, when last asked
  • Implementation is planned and approved and the resources are allocated – management is, allegedly, prioritising the work over all the other stuff that needs to be done
  • Implementation is planned and approved, appropriate resources are allocated, and they are actually available and ready to do this – now we’re getting somewhere, but it’s not actually “done”
  • Applicable and purchased – the technology is sitting in a cupboard somewhere, gathering dust (and no, it isn’t a dust filter)
  • Applicable but implementation is “on hold” for some reason – oh oh, we have a problem Houston
  • Applicable but implementation status is unknown – we neglected to track this, and we’ve forgotten who’s doing what, when and how
  • Applicable but implementation status is untrustworthy – we’re not entirely sure what’s going on, and anyway we simply don’t trust the reports we have received
  • Inapplicable if the control is interpreted literally as it is worded – our lawyers would love to argue about the punctuation
  • Applicable, implemented badly – we made a complete hash of this, so although the control is allegedly in place, it isn’t actually working
  • Applicable, implemented but unused – the control is there in theory but nobody uses it in practice, in fact they work around it
  • Applicable, implemented but disabled – someone quietly turned it off
  • Applicable, implemented but broken – something else we did has resulted in a “reduction of efficiency” of this control
  • Applicable, implemented but unreliable – it seems to work some of the time, we think
  • Applicable, implemented but unsupported – it used to work before stuff happened, and now nobody wants to touch it so it is slowly decaying
  • Applicable, implemented but out of date – the 2600 Hz tone filters on our acoustic couplers are still working fine though
  • Applicable, implemented and status unknown – who knows?  The pretty lights are blinking, the whirring noises suggest stuff is happening but we aren’t entirely convinced the risk is actually being mitigated effectively
  • Applicable, implemented and failed – we are still getting incidents despite the alleged presence of this control
  • Applicable, implemented and dubious – we don’t think we’ve had any incidents after implementing this control, but you can never be completely sure, can you? 
  • Applicable, implemented and pointless – the threats have changed and/or zero day vulnerabilities have come to light and are being actively exploited
  • Applicable, implemented and yet ineffective – the risk is inadequately mitigated but, hey, we have shown due diligence by complying with an International Standard
  • Applicable, implemented but too expensive to continue – as soon as the auditors leave, we will have to bin this one
  • Applicable, implemented, functional, effective, wonderful – but we are mistaken: something is wrong somewhere although we don’t know it
  • Applicable, implemented, functional, effective, perfect – but we plain lied to get our certificate
  • No idea – we don’t understand the risk and/or the control, or we simply haven’t considered this, yet (the default position)
This week I am busy compiling a suite of generic ISMS materials to help clients jump-start their ISO27k implementations, including an SoA spreadsheet. I fear the drop-down selector list for the cells in my SoA template may be a little tedious to use but, hey, it might make our clients smile wryly.
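Here is what the three-state decision tree looks like once it is turned into a consistency check over an SoA spreadsheet export. This is an added illustration, not code from the original post or from the Launchpad package: the control identifiers, column layout and sample rows are constructed, and the rules simply encode the requirement quoted at the top of this piece (every Annex A control considered, a justification for each inclusion and exclusion, and an implementation status for each applicable control).

```python
"""Consistency checks for an ISO/IEC 27001:2013 Statement of Applicability.

Added illustration, not part of the original post. It encodes the three
exclusive states (applicable and implemented / applicable but not
implemented / not applicable) plus what the quoted requirement asks for:
every Annex A control considered, a justification for each inclusion and
exclusion, and an implementation status for each applicable control.
The control identifiers, column layout and sample rows are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Small subset of Annex A identifiers for the example (the real list is far longer).
ANNEX_A = ["A.5.1.1", "A.5.1.2", "A.12.3.1", "A.14.2.7", "A.18.1.1"]

APPLICABLE_IMPLEMENTED = "applicable, implemented"
APPLICABLE_NOT_IMPLEMENTED = "applicable, not implemented"
NOT_APPLICABLE = "not applicable"


@dataclass
class SoARow:
    control: str
    applicable: bool
    implemented: Optional[bool]   # None = status not recorded (only acceptable if not applicable)
    justification: str = ""


def soa_state(row: SoARow) -> str:
    """The two binary questions of the decision tree collapsed into one state."""
    if not row.applicable:
        return NOT_APPLICABLE
    return APPLICABLE_IMPLEMENTED if row.implemented else APPLICABLE_NOT_IMPLEMENTED


def validate_soa(rows: List[SoARow], annex_a: List[str] = ANNEX_A) -> List[str]:
    """Return human-readable findings; an empty list means the SoA is internally consistent."""
    findings: List[str] = []
    seen = set()
    for r in rows:
        if r.control in seen:
            findings.append(f"{r.control}: listed more than once")
        seen.add(r.control)
        if not r.justification.strip():
            findings.append(f"{r.control}: missing justification for "
                            f"{'inclusion' if r.applicable else 'exclusion'}")
        if r.applicable and r.implemented is None:
            findings.append(f"{r.control}: applicable but implementation status not stated")
        if not r.applicable and r.implemented:
            findings.append(f"{r.control}: marked implemented yet not applicable (which is it?)")
    for cid in annex_a:
        if cid not in seen:
            findings.append(f"{cid}: Annex A control not considered in the SoA")
    return findings


# Constructed sample: one clean row and four different ways to get it wrong.
SAMPLE_ROWS = [
    SoARow("A.5.1.1", True, True, "Policy set published and reviewed annually"),
    SoARow("A.5.1.2", True, None, "Policies must be kept current"),
    SoARow("A.12.3.1", True, False, ""),
    SoARow("A.14.2.7", False, True, "No outsourced development"),
]


def demo() -> List[str]:
    return validate_soa(SAMPLE_ROWS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against the sample it reports the unrecorded status, the empty justification, the "implemented yet not applicable" contradiction and the Annex A control that was never considered. None of the forty-odd real-world states in the list above survive the collapse into three, which is rather the point.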

* Joking aside, "control" is the word used in the standard for the sake of simplicity. In fact, most of the "controls" in Annex A are far from simple. Take this classic example, A.12.3.1 (Backup):

"Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy."

There are numerous editorial, technical, philosophical and practical issues with that, too many to go into at this point but for now I'll just point out that there are several aspects to the control as stated. Not only must backup copies be taken (regularly?) but they must also be tested regularly according to a policy which has been agreed. I count not one but four actual or atomic 'controls' there (backups taken, backups tested, policy agreed, policy complied with) with several further related controls either entirely unstated or merely alluded-to, plus lots of unanswered questions e.g.
  • Backups need to be stored securely and safely, under the right environmental conditions, with access appropriately controlled to prevent inappropriate access, disclosure, damage or substitution;
  • Testing backups is, again, more involved than it might appear. Someone needs to decide exactly what testing is necessary, perform it competently and diligently, and of course act appropriately on the findings (not just record a test failure and continue as normal!);
  • 'Regularly' is undefined in Annex A: how often is "regular"? Should there be a documented schedule, with evidence of backup tests being completed on time? Is hourly too often? Is once a decade sufficient? Is annual testing OK even though we know the technology, procedures, people and business are changing all the time? 
  • What should a "backup policy" say, exactly? Should it only cover backup testing? How should such a policy be formulated and "agreed", and by whom?  Is "agreed" the same as "approved" or "authorised" or "mandated"? 
  • If this control is deemed applicable, how should it be implemented in practice, and (how) should that be verified?
  • Even if this control is applicable and is implemented literally as described, is it sufficient to mitigate one or more unstated information risks completely?
Some of these issues are addressed in ISO/IEC 27002:2013 section 12.3.1 or elsewhere, and in myriad other standards, advisories etc.  My point is that there's a lot more complexity here than implied by that binary decision tree and the three states on the SoA.
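To make the four atomic controls concrete, here is an evidence check that treats them separately: a policy that has actually been agreed and that defines 'regularly', backups taken, restore tests performed on time, and failed tests acted upon. This is an added example and not code from the original post; the policy values, job names, timestamps and log layout are all constructed for the illustration.

```python
"""Evidence check for the backup control decomposed into its atomic parts.

Added example, not from the original post. It assumes a constructed backup
policy (an approval record, a maximum backup age and a maximum restore-test
age, i.e. the policy rather than Annex A says what 'regularly' means) and a
constructed log of backup and restore-test events. Job names, timestamps and
the log layout are invented for the illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Atomic control 3: a policy that has actually been agreed, and that pins down 'regularly'.
POLICY = {
    "approved_by": "CISO",
    "approved_on": "2020-03-01",
    "max_backup_age": timedelta(hours=24),
    "max_test_age": timedelta(days=90),
}

# Constructed evidence: (timestamp, job, event, result). Atomic controls 1 and 2
# are the 'backup' and 'restore-test' rows; control 4 is whether they meet POLICY.
LOG = [
    ("2020-06-01T02:00", "finance-db", "backup", "ok"),
    ("2020-06-02T02:00", "finance-db", "backup", "ok"),
    ("2020-04-10T09:00", "finance-db", "restore-test", "ok"),
    ("2020-06-02T02:05", "fileserver", "backup", "ok"),
    ("2020-02-15T09:00", "fileserver", "restore-test", "ok"),
    ("2020-06-02T02:10", "crm", "backup", "ok"),
    ("2020-05-20T09:00", "crm", "restore-test", "FAIL"),
]
NOW = datetime(2020, 6, 2, 12, 0)   # the moment the auditor asks


def parse_log(rows):
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M"), job, ev, res) for ts, job, ev, res in rows]


def last_ok(events, job: str, kind: str) -> Optional[datetime]:
    stamps = [t for t, j, e, r in events if j == job and e == kind and r == "ok"]
    return max(stamps) if stamps else None


def assess(policy: dict, rows, now: datetime) -> Dict[str, List[str]]:
    """Map each job (or 'policy') to the ways it falls short; empty dict = compliant."""
    events = parse_log(rows)
    findings: Dict[str, List[str]] = {}
    if not policy.get("approved_by"):
        findings["policy"] = ["backup policy has not been agreed/approved"]
    for job in sorted({j for _, j, _, _ in events}):
        issues = []
        last_backup = last_ok(events, job, "backup")
        last_test = last_ok(events, job, "restore-test")
        if last_backup is None or now - last_backup > policy["max_backup_age"]:
            issues.append("no successful backup within policy interval")
        if last_test is None or now - last_test > policy["max_test_age"]:
            issues.append("no successful restore test within policy interval")
        # A failed test that nobody re-ran is the 'record the failure and carry on' case.
        failed = [t for t, j, e, r in events if j == job and e == "restore-test" and r != "ok"]
        if failed and (last_test is None or max(failed) > last_test):
            issues.append("last restore test failed and has not been re-run")
        if issues:
            findings[job] = issues
    return findings


def demo() -> Dict[str, List[str]]:
    return assess(POLICY, LOG, NOW)


if __name__ == "__main__":
    for job, issues in demo().items():
        print(job, "->", "; ".join(issues))
```

With the constructed log, finance-db passes, fileserver has a restore test that is older than the 90-day policy interval, and crm has a failed test that was recorded and then ignored. All three would show up as "applicable, implemented" on a three-state SoA.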

Oh and that is just one of the 100+ "controls" listed in Annex A, a relatively straightforward and supposedly well-understood one at that.

Bear this in mind when you are shown an ISO/IEC 27001 compliance certificate, or if you are given access to the associated ISMS scope and SoA - especially if the organisation's information security status matters. If you are, say, a CEO or owner, don't be fooled by the lengthy SoA and the fancy parchment that your infosec people are so proud of. Over-reliance on ineffective assurance is, itself, an information risk.

PS  Ignoring the bad grammar, perhaps SoA really means "Should of Asked" or even "Sod off Auditor"!

PPS  My pal Ed Hodgson suggested two more SoA options:

  • Applicable but managed by head office - it's delivered by an OLA that falls under A.15
  • Applicable but limited - we have a control but we only use it in one particular instance to manage a specific risk, and not in the broad way that you might otherwise expect.

Jun 17, 2020

NBlog June 17 - phishing evolution

The Interweb drums have been beating out news of an upsurge in phishing attacks over the past month or so. I’ve certainly had more than the normal number of things along these lines lately:

  
As usual, these are relatively crude and (for most reasonably alert people) easy to spot thanks to the obvious spelling and grammatical errors, often using spurious technobabble and urgency as well as the fake branding and sender email address in an attempt to trick victims. The ‘blocked emails’ and ‘storage limit’ memes are popular in my spam box right now, suggesting that these are basic phishing-as-a-service or phishing-kit products being used by idiots to lure, hook, land and gut other idiots. They are, however, using my first name in place of “Dear subscriber” or “Hello, how are you doing?” that we used to see, implying the use of mailmerge-type content customisation with databases of email addresses and other info on potential victims*.

Moving up the scale, some current phishing attempts are more sophisticated, more convincing. Sometimes it's just a lucky coincidence e.g. when the lure glints alluringly because it just happens to mention something I am currently doing - for example if I am dealing with American Express over a credit card issue, a scattergun phisher based around the Amex branding has a better than average chance of hooking me at that point. COVID-19 is an obvious lure right now, along with associated collateral and concerns such as face masks, sanitiser, death rates, lockdown, WFH and so forth (lots of potential there for the more creative phishers).

Sometimes I notice spear phishing where the phishers appear to have done a bit of research, crafting the lure, personalising it around something about me and my activities, interests, social groups etc. ... and here the problem gets really interesting. 

Being a professionally-paranoid infosec geek, I wonder/worry about phishers sneaking under my radar, slipping quietly past my twitching whiskers. What am I missing? Have I been hooked already? Am I dangling on the line?

From a classical information risk perspective:
  • The threats are out there, ranging from numerous but crude scatter-gunners through the pistol-toting mid-range phishers up to the snipers and beyond, heading into the realm of organised crime and espionage; 
  • The vulnerabilities flow from the interconnectedness of modern life, coupled with the naivete and socio-biology that goes with being human; 
  • The personal impacts of me being phished are limited although I am more concerned about the business and third party impacts e.g. someone phishing me as a stepping stone, a means to compromise other more valuable targets in my social and professional networks.
As the phishing tools and techniques grow ever more sophisticated, our controls must keep pace but, frankly, I've seen little progress over the past decade. We're still largely reliant on anti-spam, anti-virus and vigilance. There have been advances in the technologies behind email sender authentication and message integrity, no end of 'awareness campaigns' plus a few reputation- or group-based phisher detection and response approaches. Overall, though, I have the strong feeling that we're losing ground to the baddies in respect of preventive controls, placing greater emphasis on the need for incident detection, containment, response and recovery, plus resilience. 

And judging by the continuing slew of ransomware incidents in the headlines, we're failing in that department too. 

Bugger

It's time to review what I'm doing to protect myself, my business, family and friends against being phished. How about you? If, for instance, I had encouraged you to download a free phishing response pack or explore the realities of Business Email Compromise what are the chances you'd simply have clicked one or other of those links to take a look, without even glancing at the URLs? 

Just sayin'

Take care out there. Prevention trumps cure. Go wash your hands.

* PS  The mailmerge-type technique is obvious when it fails, leading to inept phishing emails like this: 
"I would like to discuss the possibility of your company with email address: %E-mail_address% partaking in government bulk supply contracts to Iraq over 2 year period."
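The tells described in this piece (an unexpanded merge field, a brand name in the display name with a sender domain that does not match, link text naming one host while the href points at another, and the 'storage limit' or urgency bait) can be scored mechanically. What follows is an added example, not the post's own code: the sample messages are constructed (the third one reuses the inept merge-field sentence quoted above), the brand table is a two-entry stub, and the domain comparison keeps only the last two labels rather than consulting a public-suffix list.

```python
"""Heuristic triage of a raw email for the phishing tells discussed above:
unexpanded mail-merge placeholders, a brand in the display name whose domain
does not match the sender's, link text naming one host while the href goes to
another, and urgency or 'storage limit' bait. Added example, not the post's
own code; the sample messages are constructed, the brand table is a stub and
the domain comparison is a two-label approximation, not a public-suffix lookup.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

MERGE_FIELD = re.compile(r"%[A-Za-z_\-]+%|\{\{\s*[\w.]+\s*\}\}|\[\[[\w.]+\]\]")
BAIT = re.compile(r"\b(urgent|immediately|within 24 hours|storage limit|blocked emails|suspended)\b", re.I)
BRANDS = {"american express": "americanexpress.com", "microsoft": "microsoft.com"}  # stub


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(hostname: str) -> str:
    """Last two labels only: good enough for the demo, wrong for co.uk-style suffixes."""
    parts = hostname.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


def host_of(s: str) -> str:
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def triage(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); the score is simply the number of tells that fired."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else \
        "".join(p.get_payload() for p in msg.walk() if p.get_content_type().startswith("text/"))
    subject = msg.get("Subject", "")
    reasons: List[str] = []

    if MERGE_FIELD.search(body) or MERGE_FIELD.search(subject):
        reasons.append("unexpanded mail-merge placeholder")

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.split("@")[-1])
    for brand, brand_dom in BRANDS.items():
        if brand in display_name.lower() and sender_dom != brand_dom:
            reasons.append(f"display name claims '{brand}' but sender domain is {sender_dom}")

    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        # Only compare when the visible text itself looks like a host or URL.
        if re.search(r"[\w-]+\.[a-z]{2,}", text, re.I) and registrable(host_of(text)) != registrable(host_of(href)):
            reasons.append(f"link text '{text}' but href goes to {host_of(href)}")

    if BAIT.search(subject + " " + body):
        reasons.append("urgency/storage-limit bait")
    return len(reasons), reasons


# Constructed samples (addresses and hosts are reserved example domains).
PHISH = """From: American Express <service@secure-mail-update.example.net>
To: gary@example.org
Subject: Action required: your card is suspended
Content-Type: text/html

<html><body>
<p>Dear %First_Name%, your account will be suspended within 24 hours.</p>
<p>Verify at <a href="http://amex-login.example.net/verify">www.americanexpress.com/verify</a></p>
</body></html>
"""

PLAIN = """From: Procurement <tender@example.com>
Subject: Supply contracts
Content-Type: text/plain

I would like to discuss the possibility of your company with email address: %E-mail_address% partaking in government bulk supply contracts to Iraq over 2 year period.
"""

LEGIT = """From: Newsletter <news@example.org>
To: gary@example.org
Subject: June update
Content-Type: text/html

<html><body><p>Hi Gary, the June issue is at <a href="https://www.example.org/june">example.org/june</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("plain", PLAIN), ("legit", LEGIT)):
        print(label, triage(sample))
```

The scoring is deliberately crude, much like the phishing it catches: the crafted spear-phish that uses your real name, a plausible sender domain and a link whose text and href agree will score zero here, which is exactly the "what am I missing?" worry above.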

May 25, 2020

NBlog May 25 - gap-and-fill




Aside from the conventional ‘gap analysis’, it is possible to do a ‘fill analysis’ to discover the things that the organization is doing successfully already – its strengths, foundations on which to build. The analytical processes are almost the same but a fill analysis aims to identify, learn from and expand upon the strengths - the positives - whereas a gap analysis involves hunting down and addressing the weaknesses - the negatives.

These are complementary not alternative approaches.

So, for instance, if the organization is poor at compliance, OK at policies and excellent at impact assessment:
  • A gap analysis would focus on closing the compliance gaps;
  • A fill analysis would focus on learning from and extending the successful approach to impact assessment;
  • A gap-and-fill analysis would look to make the best of all three areas, bringing them all up to scratch, using the best of the policy and impact assessment areas to improve compliance, policies and other aspects, taking a broader perspective.
A typical example is a SWOT analysis to identify the organisation’s Strengths and Weaknesses (in the present situation resulting from its history to date) plus its Opportunities (for future improvement, usually, but more creative approaches may be appropriate e.g. novel methods, strategies and frameworks) and Threats (really, Risks – bad stuff that may occur in future if issues are ignored or not resolved effectively). Considering all four aspects in parallel leads to a more comprehensive, well-rounded or balanced approach.

In particular, the fill analysis and Strengths and Opportunities parts of SWOT are inherently motivational. We all like to know where we are doing well and we often respond energetically when shown we could do even better, whereas being told we are doing badly and must address problems can be disheartening or demotivating. We grudgingly accept the need to improve, responding to external pressure, as opposed to willingly and freely exploiting our inner strengths.

May 16, 2020

NBlog May 16 - adjusting to the new normal


"The U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:
  • Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities.
    • An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.
    • An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
  • March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack.
  • Cybersecurity weaknesses—such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans—have continued to make organizations susceptible to ransomware attacks in 2020."

Well whadyaknow?

  • The US government blames "sophisticated foreign cyber actors" - the usual xenophobic, somewhat paranoid and conspiratorial stance towards those filthy rotten foreigners, desperately attacking little old US of A (today's version of reds under beds I guess);
  • "Unpatched" VPNs and insecurely configured Office 365 services are being targeted, implicitly blaming customers for failing to patch and configure the software correctly, blithely ignoring the fact that it was US-based software vendors behind the systems that required patching and configuring to address exploitable vulnerabilities;
  • And finally, uneducated users (the great unwashed) receive a further gratuitous poke, along with the lack of planning on system recovery and contingency ... which is whose fault, exactly? Hmmm, I'll pick up that point another day.

Accountability and QA issues aside, the sudden en masse adoption of Working From Home has undoubtedly changed corporate information risks for all organizations - even those of us who were already routinely WFH, since we depend on ISPs, CSPs, telecomms companies, electricity suppliers, professional services companies and other third parties who are, now, WFH. COVID-19 is another obvious, dramatic change with further implications for information and other risks (e.g. mental and physical health; fragile self-sufficiency; global economic shock; political fallout ...), and it's far from over yet.

WFH is now A Thing (not in the IoT sense!) for some of us anyway, although it's not possible or suitable for everyone. As COVID-19 gradually fades from the headlines, some WFH workers will drift back to regular office work, others may continue WFH and a good proportion will do a bit of both according to circumstances and workloads. If COVID-19 returns with a vengeance, or when the next pandemic turns up, we'll presumably be WFH en masse once more. So, have you reviewed and updated your corporate risk profile lately? Have the incident management, business continuity, IT, HR, business relationship management and other controls, processes and arrangements coped brilliantly with the present situation, or are adjustments called for? Do you even know how things are going out there, the workforce now scattered, hunkered down in their caves?

May 3, 2020

NBlog May 3 - COVID-19 is like infosec because ...



... Despite the history and the experts' warnings that a pandemic was likely to happen again at some point, it turns out we were ill-prepared for it, not as resilient as we thought and should have been

... Experts disagree on the details, sometimes even the fundamentals, and love their models

... Commentary and advice is plentiful, but sound, reasoned, appropriate advice by competent advisors is at a premium and partly lost in the noise

... Whereas information is important, information integrity, quality and trustworthiness are vital, hence there is also value in assurance and other information controls, including the pundits' reputations and credibility

... Most of us are non-experts, hence it is tricky for us to distinguish fact from fiction and make sense of conflicting advice 

... Perfect, complete information is seldom available, so there are bound to be compromises and errors - and we should be ready to spot and deal with them too

... Controls against COVID-19 are imperfect, at best; some are purely for appearance's sake; some are as much use as a bubble level in space; others are literally worse than useless (the cure really can be worse than the disease!); in most cases, we simply don't know how well they will work in practice

... Many people and organizations struggle to cope with a serious crisis, whereas some shine and thrive - but even the best may crumble at some point

... They are all about risk and risk management, not just protection, control, safety and security: we are where we are partly as a result of our prior decisions about priorities, resources etc. 

... We are mutually dependent and hence collectively vulnerable since total isolation is impracticable, costly or literally impossible

... Our myopic focus on the current situation takes attention from other matters that may be at least as important, and some are actively exploiting that  

... Hindsight is 20/20 but not terribly helpful right now, unless we truly acknowledge and address our failings going forward - but more likely this incident will gradually fade from our memories, task lists and strategies until the next incident, even if strenuous efforts are made to keep it on the agenda

... The metrics/statistics are complex and easily misunderstood or misused, and simple linear extrapolation isn't much use

... We were slow to recognise and respond to the incident, allowing the impacts to magnify and reducing our options

... Even now, in the thick of it, we're not entirely convinced of the value of preventive, detective and corrective measures, plus the economic damage limits further expenditure or investment

... The politicians, experts, news and social media all put their own spin on things, with everyone seemingly having an opinion

... Tactical responses vary with longer-term strategic implications that are not presently clear but may be substantial 

... Responses that buck the general trend are seen and portrayed as creative or innovative by some, crazy and ill-conceived by others, putting them under intense pressure to conform to the norm (group-think)

... The original source or root cause of the incident is difficult to establish with any certainty, leaving the door open for conspiracy theories about malicious intent and subterfuge

... While the details will undoubtedly vary (perhaps substantially) and our controls will hopefully have improved, this won't be the last such incident

... We will probably forget, discount or ignore as much as we learn

... There are cultural, national, local, familial and personal aspects, plus commercial, political, social, scientific, economic ...

... Some individuals and organizations are exploiting the situation for their own selfish benefit while some are selflessly working for the wider community, but the majority are feeling powerless

... Some people are determined to "do something", whether that actually helps or not 

... Stress levels are high, with implications on analytical capabilities, decision-making, productivity and mental health, on top of physical exhaustion for those in the front line 

... 'Management' is in the spotlight: our glorious leaders are expected not just to cope but to lead us successfully through this, while the serfs are expected to carry on slogging

... Policies and procedures are at least as important as technical and physical controls, while effective awareness is a vital part of the mix

... Compliance is critically important but tricky to achieve in practice

... The situation is changing dynamically and somewhat unpredictably

... Antivirus is not the golden bullet

Any more?  Please comment below

Apr 30, 2020

NBlog April 30 - blursday metrics


The past 6 weeks or so have been quite surreal for us, and I guess for you too. Yesterday we went shopping, leaving our property for the first time since our shopping expedition a week before NZ went into "level 4" lockdown. As of a couple of days ago, we're now at "level 3". Don't ask me what the differences are between the levels, nor what levels 2, 1 and 0 might look like. All I know is that it was a relief to see other people out and about, most of us making obvious efforts to keep our distance. The new normal isn't so bad as I imagined, certainly nothing like a zombie apocalypse or police state.

Those 6 weeks blurred into one. At some point I stopped counting up and blogging about the passing days ... and eventually started counting down to the end of "level 4", or more importantly the impending exhaustion of some of our most essential supplies: coffee, wine and chocolate. Some valuable lessons there for when we replenish our "earthquake kit"!

Meanwhile, NZ's COVID-19 numbers have apparently peaked and fallen. I say "apparently" because the metrics are dubious - again, that's not just our situation in NZ, but a global issue. Differences in the way the metrics are defined, collected and interpreted are layered on top of cultural/national differences in the populations, health systems, economies and more. In particular, there are substantial differences in the amount and quality (reliability, utility) of COVID-19 testing, which is important because COVID-19 infections are cryptic: some of us are infected but have little to no symptoms and hence we don't know it, at least not right now (during the incubation period, the virus multiplies and the symptoms may - or may not - show). Some aren't so lucky and a few are seriously, even gravely ill, at which point the infection is obvious and hard (but not impossible) to ignore or discount. There's still the issue that it appears the most vulnerable patients have other "underlying medical conditions", which is the phrase of the moment and points to yet another issue with the metrics.

Two valuable metrics in infectious disease are:
  1. The rate of spread of the infection throughout the population. This is akin to the 'probability' factor in classical risk management. Essentially, it's a gross measure of the chances of anyone becoming infected. For the reasons just stated, it is tricky to measure in practice.
  2. The proportion of infected people who become sick - more specifically, sick enough to show symptoms, affect their lives, require treatment and hospitalisation, and/or die (yes, there are several related metrics here). This is akin to the 'impact' factor in risk management terms. Again, this factor is harder than you might expect to measure since some of those "underlying medical conditions" would have led to hospitalisation and death anyway, even without COVID-19. It's hard to isolate the effects of COVID-19 from other factors. Furthermore, both COVID-19 infections and the controls now in place to limit the spread can cause illness and death.

A consequence of the measurement problems is that we are forced to rely on estimation, assumption, models, simplification and criteria; in other words, there are people involved in the measurement system, with all that entails. Stabilisation and standardisation of the measurement processes is tough even within a small country like NZ, let alone across the whole world, and yet measurement is an essential part of managing and getting through the pandemic. The metrics inform policy makers and have significant future implications such as the rate of economic recovery as the short-term responses fade into medium and then long-term normality.
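As an added illustration (not from the original post) of why these two metrics are hard to measure, the following constructed model shows how cryptic infections that never get tested skew both the 'probability' and 'impact' analogues, and how two populations with identical true figures but different testing effort report quite different headline numbers. All figures are made up for the example; nothing here is real COVID-19 data.

```python
# Added illustration (not from the original post): how testing coverage
# distorts the two key metrics described above. All figures are constructed
# for the example and are not real COVID-19 statistics.
from dataclasses import dataclass


@dataclass(frozen=True)
class Population:
    size: int         # people in the population
    infected: int     # true infections, including cryptic/asymptomatic ones
    symptomatic: int  # infections that show symptoms
    severe: int       # symptomatic infections needing hospital care


@dataclass(frozen=True)
class Testing:
    symptomatic_coverage: float   # share of mild symptomatic cases tested
    asymptomatic_coverage: float  # share of asymptomatic cases tested
    # Severe cases are assumed always detected: the infection is obvious.


def true_metrics(p: Population) -> tuple[float, float]:
    """(spread, severity) if every infection were known: the 'probability'
    and 'impact' analogues from the post, measured without error."""
    return p.infected / p.size, p.severe / p.infected


def observed_metrics(p: Population, t: Testing) -> tuple[float, float]:
    """(spread, severity) as the health system actually sees them, counting
    only detected infections. Missed cryptic infections under-count spread
    and inflate the apparent proportion of infections that are severe."""
    mild = p.symptomatic - p.severe
    asymptomatic = p.infected - p.symptomatic
    detected = (p.severe
                + mild * t.symptomatic_coverage
                + asymptomatic * t.asymptomatic_coverage)
    return detected / p.size, p.severe / detected


def bias(p: Population, t: Testing) -> tuple[float, float]:
    """Observed/true ratio per metric; 1.0 means the metric is unbiased."""
    (ts, tv), (os_, ov) = true_metrics(p), observed_metrics(p, t)
    return os_ / ts, ov / tv


# Constructed population and two testing regimes, as in two countries being
# compared on 'the same' headline statistics.
POP = Population(size=100_000, infected=10_000, symptomatic=4_000, severe=400)
SPARSE_TESTING = Testing(symptomatic_coverage=0.5, asymptomatic_coverage=0.05)
WIDE_TESTING = Testing(symptomatic_coverage=0.9, asymptomatic_coverage=0.3)
```

With sparse testing the model reports spread at a quarter of its true value and severity at four times its true value; the wide-testing regime reports different numbers again for exactly the same population, which is why cross-country comparisons of the raw statistics mislead.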

Mentioning 'policy makers' reminds me that there is a strong political angle to all of this, laying another layer of mush over the practical measurement issues noted above. The two key metrics have implications for our governments. With NZ currently months away from another general election, politicians are of course doing their level best to slope the playing field in their favour. Thankfully most seem to be avoiding the obvious temptation to cherry-pick whichever metrics best support their cause and denigrate the opposition, but I wonder about subtler political influences on those assumptions and models that underlie the measurement processes.

For example, the Swedish government took a markedly different strategic approach to most of the rest of the world, and now finds itself in the full glare of global as well as national media interest. Was this a wise strategy, or foolhardy? The politicians and advisors concerned have personal stakes in that their careers depend on how the advice and decisions are perceived, which again largely depends on metrics - metrics that are subject to manipulation and interpretation. Aside from those accountable individuals, the Swedish people and economy are clearly affected by those decisions at the top, and are naturally subject to comparison with other countries, not least their Scandinavian neighbours ... but again the comparison is not as simple as tabulating a few key statistics, especially at this crucial stage in the pandemic when bold strategic decisions are just starting to have their effects. Later, maybe decades down the line, the consequences of different national strategies should become clearer provided the data and analysis are both sound, which is far from guaranteed. Meddling with the measurement processes is just one of the ways that politicians and advisors can attempt to secure their own future, regardless of the national and global interests. There is definitely an integrity or trust angle to metrics.

As always, I'm idly thinking about the situation during lockdown and wondering about the broader lessons to be learned here. I'll jabber about those in due course, once my head clears as the first 2 cups of decent coffee in a while chase away the ghosts of last night's wine and chocolate binge. Today I'm looking forward to another home butchery lesson, hoping to re-fill the freezer without losing control of razor-sharp knives. I need all my digits: I have water to pump, logs to chainsaw, a few km of gravel track to repair, stuff to do. Besides which, typing is awkward without fingrs ...