Welcome to NBlog, the NoticeBored blog

I spy with my beady eye ...

Apr 2, 2020

NBlog April 2 - NZ lockdown day 8 of N

  • Confirmed and probable cases of COVID-19
  • The number of people who have recovered
  • How many people are (and have been) in hospital
  • Cases by District Health Board, and by age and gender.

The metrics are updated daily and reported dutifully by the NZ news media, but what use are they, in fact? What information and knowledge can we glean from the data? 

Here is the current summary (snapshot at 7am on April 2nd): 

There are no detailed definitions of these data, and my beady eye spots little differences, for example whereas the headline says "how many people are (and have been) in hospital", the data actually provided are "Number of cases in hospital" showing the "Total to date" and "New in last 24 hours". If this is a cumulative total of the number of COVID-19 cases admitted to hospital each day, are they just the "confirmed" cases or does that include the "probables"? And what is a "case" anyway? What is a "hospital"? [Yes, I know, it's a place where sick people go, and that's not important right now ... but in the more remote parts of NZ where hospitals aren't, I guess COVID-19 patients may be treated at home or in makeshift facilities: do these qualify as "hospitals" or not?].

Another concern is that they are just numbers with no clear context. That 1 NZ death, for instance: is it above or below expectations? Is it significant? Are we even sure that it was a direct result of COVID-19, or merely a coincidence? And how does NZ compare to other countries? ...

... which is an important issue in these times of global comms. Aside from occasional mentions by the NZ news media of situations in China, Italy etc., vast rivers of information are flowing through the Interweb from all over the globe - some definitive, factual and reliable, some not. All the usual comms and information security issues apply e.g. integrity failures such as errors and omissions, particularly in how the information is interpreted and discussed by non-specialists (including me, no doubt!). The Web is a giant echo chamber.

There are other concerns with the "official" NZ COVID-19 metrics but I'll stop here because I have Stuff To Do, including thinking about the reasons for measuring and reporting "official" metrics at all. I'll have more to say on this tomorrow, maybe, once I've thunk.

Mar 31, 2020

NBlog March 31 - NZ lockdown day 6 of N

The NZ politicians and news media are updating us daily on selected COVID-19 statistics (metrics), particularly concerning NZ of course but also the global situation. Countries with the largest numbers (regardless of which metric) are naturally media-fodder.

It's fair to ask, though, what all these numbers mean, why we should care about them, and why they are being reported rather than others.

As with information risk and security metrics, there are various audiences of the metrics with numerous concerns, objectives, purposes, uses for or interests in them e.g.:

  • Those actually managing the national response, day-by-day, need to know how they are doing relative to their plans and intentions, and how they might improve
  • Central and local government politicians giving oversight and direction to the response ... with a keen eye on their popular standing, given that an election is in the offing (unless deferred) ... plus administrators in the civil service
  • The Treasury and Inland Revenue, overseeing the financial aspects of NZ's impacts from COVID-19, not least the costs of the controls and handouts intended to keep businesses and other organizations afloat, the national debt and tax burden on those who make it through 
  • The stock market and financial industry generally - interested for the same reasons
  • The NZ general public with a personal, familial and general interest in the situation, mostly concerned non-specialists
  • The news media - specifically journalists, editors and proprietors  
  • The social media - specifically bloggers, Twits, Facebookers, community members and influencers, commentators and assorted 'interested parties' ... including me 
  • Specialists in public health, infectious disease, virology, epidemiology, genetics, risk and incident management etc.
  • Healthcare professionals - in particular those planning for, leading and administering the public health response to COVID-19
  • The police and justice system, largely responsible for administering the lockdown and dealing with noncompliance 
  • Border authorities, responsible for diverting new arrivals into NZ into self-isolation
  • 'Foreigners' i.e. similar audiences overseas, interested in comparing NZ's approach to their own country's.

Those are the audiences, some of them anyway. Already the variety is clear. 

I'll be back to take a look at NZ's COVID-19 metrics tomorrow.

Mar 30, 2020

NBlog March 30 - NZ lockdown day 5 of N

Our "broadband" is gradually becoming narrower by the day as an increasing number of Kiwis on staycation are working from home, downloading/watching videos, playing online games or whatever.

Normally I listen to online music stations while working and I still can: thanks to buffering and the relatively little bandwidth required, streaming audio still works OK ... but instead I'm listening to my music CDs for a change, figuring there are those out there who need the Interweb bandwidth more than me.

Besides which, I like my CDs and it's easy to skip the duff tracks. 

Mar 29, 2020

NBlog March 29 - NZ lockdown day 4 of N

Yesterday I wrote about exploiting/making the most of opportunities that arise in a crisis. Here's an example - using COVID-19 as an analogy to help explain a concept.

A question came up on the ISO27k Forum about how to handle 'primary and secondary assets' in the risk assessment processes described by ISO/IEC 27005. This is my response ...

“Primary assets (business processes and activities, information) … usually the core processes and information of the activity in the scope” [ISO/IEC 27005:2018 section B.1.2] are the focal point: that’s what we need to protect. However, in order to do that, we also need to take care of other matters, including the supporting/enabling information systems, networks etc. Those have some intrinsic value (e.g. used but now redundant servers can be upgraded, redeployed, sold or scrapped) but their main value relates to their roles in relation to the primary assets.

A topical analogy is “health” – an asset we all need to protect. For virtually everyone, it’s clearly primary - #1, The Most Important Thing Of All. There are many threats to our health (not just coronavirus!) and we have many vulnerabilities (e.g. we need to breathe, we have mucosa, we need to interact with the world around us to gather essential supplies …), while the impacts of health incidents are many and varied (from ‘feeling a bit off colour’ to death). We can’t directly protect “health” (which is intangible and cloudy), but we can work on various related aspects that, in turn, support good health – like for instance staying out of range of coronavirus and flu sufferers coughing and sneezing; staying well nourished; exercising to maintain physical fitness; thinking about hard stuff like this to maintain mental agility; being vigilant for the symptoms of poor or deteriorating health; having the health services, docs, drugs, respirators etc. to increase our ability to survive disease etc. In infosec terms, that’s a blend of preventive, detective and corrective controls designed to protect our continued integrity and availability 😊

Figuring out and managing health risks is complex, multifaceted and dynamic. There are some things we can’t control at all (e.g. we’re all getting older!) and many that we can only partially control. The controls come with costs and drawbacks, different implications, different effectiveness and benefits. Implementing and using certain controls precludes others and may even increase the risks in other areas (e.g. “Going shopping” is allegedly soothing for some shopaholics but means interacting with the Great Unwashed). The controls have physical and behavioural aspects. There are tools and techniques, individual and societal. There are assurance aspects (“I take vitamin supplements: am I fitter/healthier or just poorer? What about these fish oils and ‘high potency’ vits?”) and snake-oil to be wary of (homeopathy, anyone? Magic crystals? Dancing naked around the standing stones as we sacrifice a goat?).

It’s the same with information risks, right? Hey, we even have computer viruses to worry about! However, we have been looking after our health for millennia all the way back to the primordial soup, whereas infosec - and more pertinently information risk management - is relatively new, rough around the edges.”
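As an added illustration of the primary/supporting asset idea in that forum reply (this is example code, not part of the reply, the blog, or ISO/IEC 27005 itself), here is a small Python model in which supporting assets inherit their value from the primary assets they ultimately enable, floored by whatever intrinsic value they have on their own. The asset names, the 1-to-5 value scale and the dependency chains are all constructed for the demonstration; the approach generalises to any depth of dependency chain, not just the one-level case the reply describes.

```python
"""Added example: value supporting assets by what they support.

Primary assets (business processes, information) carry the business value.
Supporting assets (servers, networks, ...) are valued mostly by the role they
play for primaries, plus any intrinsic (resale/replacement) value of their own.
All names, values and dependencies below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class PrimaryAsset:
    name: str
    value: int  # business value on a constructed 1 (low) to 5 (critical) scale


@dataclass
class SupportingAsset:
    name: str
    intrinsic_value: int  # e.g. redeploy/resale value, same 1-5 scale
    supports: List[str] = field(default_factory=list)  # primaries or other supporting assets


# Constructed sample inventory (hypothetical organisation).
PRIMARIES: Dict[str, PrimaryAsset] = {
    "Customer records": PrimaryAsset("Customer records", 5),
    "Payroll process": PrimaryAsset("Payroll process", 4),
    "Marketing brochure archive": PrimaryAsset("Marketing brochure archive", 1),
}

SUPPORTING: Dict[str, SupportingAsset] = {
    "db-server-01": SupportingAsset("db-server-01", 2, ["Customer records", "Payroll process"]),
    "web-server-01": SupportingAsset("web-server-01", 2, ["Marketing brochure archive"]),
    "core-switch": SupportingAsset("core-switch", 2, ["db-server-01", "web-server-01"]),
    "old-test-server": SupportingAsset("old-test-server", 1, []),  # supports nothing
}


def primaries_at_risk(asset_name: str,
                      primaries: Dict[str, PrimaryAsset],
                      supporting: Dict[str, SupportingAsset]) -> Set[str]:
    """Return every primary asset reachable through the dependency chain
    starting at a supporting asset, i.e. what is impacted if it fails.
    A visited set guards against cycles in the dependency data."""
    seen: Set[str] = set()
    hit: Set[str] = set()
    stack = [asset_name]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        if current in primaries:
            hit.add(current)
            continue
        # Unknown names are simply skipped rather than treated as primaries.
        if current in supporting:
            stack.extend(supporting[current].supports)
    return hit


def derived_value(asset_name: str,
                  primaries: Dict[str, PrimaryAsset],
                  supporting: Dict[str, SupportingAsset]) -> int:
    """Value a supporting asset inherits: the highest value among the primaries
    it supports (directly or indirectly), never lower than its intrinsic value."""
    inherited = max(
        (primaries[p].value for p in primaries_at_risk(asset_name, primaries, supporting)),
        default=0,
    )
    return max(supporting[asset_name].intrinsic_value, inherited)


def rank_supporting_assets(primaries: Dict[str, PrimaryAsset],
                           supporting: Dict[str, SupportingAsset]) -> List[str]:
    """Supporting asset names ordered by derived value, highest first
    (ties broken alphabetically), a natural order for prioritising controls."""
    return sorted(supporting, key=lambda n: (-derived_value(n, primaries, supporting), n))


if __name__ == "__main__":
    for name in rank_supporting_assets(PRIMARIES, SUPPORTING):
        affected = sorted(primaries_at_risk(name, PRIMARIES, SUPPORTING))
        print(f"{name:16} value={derived_value(name, PRIMARIES, SUPPORTING)} affects={affected}")
```

In this model the core switch has a modest intrinsic value but inherits the top rating because the customer records depend on it two hops away, while the idle test server keeps only its own low value; that is the distinction the reply draws between what an asset is worth in itself and what it is worth for what it enables.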

Mar 28, 2020

NBlog March 28 - NZ lockdown day 3 of N

With a bit of lateral thinking, there are ways to hook-in to and even exploit the COVID-19 brouhaha. More time for reflection is one of the advantages of the lockdown, for some of us at least. 

Many organizations, for instance, have sent out customer comms about what they are doing to maintain services during/despite the pandemic. Although most are matter-of-fact and boring (maybe not even branded), some are more creative and engaging, even acknowledging that COVID is not going to blow over in a couple of weeks. Most are generic, superficial and bland, often supplier-focused, whereas some are personalised, unique, detailed and customer-focused. Most appear to be one-off broadcasts, hurriedly cobbled together by teams immersed in the chaos and confusion, then slowly refined and authorized. Not many that I've seen so far even hint that there might be more to come. The odd tinge of humour is welcome.  

Unlike the vast majority of incidents and crises, a global incident such as COVID-19 or world war extends way beyond the individual organization, even its primary supply chain. The conventional incident and crisis management comms, often pre-canned as templated press releases, may not therefore be appropriate, relevant and helpful. The context, and hence the messages, are materially different. Even the anticipated modes of delivery are not guaranteed if, say, a cyberwar takes down the Internet.

I'm exploring some of the many lessons here for those of us vigilant enough to notice and think about what's going on around us, rather than being totally introspective and absorbed by dealing with the crisis. We're lucky in that we don't feel as if we are in immediate danger, we were well prepared for this and we're resilient ... which frees us from the grief and torment that others are experiencing and allows us to think clearly, but our situation could easily change if someone close to us (whether literally or figuratively) gets sick, or if the global or national crisis deepens.

More tomorrow. Hopefully.

Mar 27, 2020

NBlog March 27 - NZ lockdown day 2 of N

I said yesterday that we've identified our home essentials - things such as food, fuel, booze, the web etc. - and stocked up accordingly, like any sensible family would do. Those are the things we all need. Pretty obvious really and not particularly interesting.

But what about the things we don't need? What would we rather not have during this pandemic, or in general? 

While painstakingly giving my chisels a long-overdue regrind and manual sharpen in the man-shed, I came up with the following A-to-Z list. These are the things I can do without:

  • Accidents
  • Aches & pains
  • Alzheimer's
  • Armed forces
  • Authorities
  • Bad backs
  • Bad breath
  • Bad debts
  • Bad decisions
  • Bad design
  • Bad dreams
  • Bad engineering
  • Bad habits
  • Bad health
  • Bad memories
  • Badges & thumbs-up
  • Badness generally
  • Bias
  • Bramble
  • Breakages
  • Briscoes sales
  • Broken promises
  • Cancer
  • Cheating
  • Classrooms
  • Climate change
  • Coffins
  • Compliance enforcement
  • Concerts
  • Constraints
  • Crappy software & patching
  • Criminals
  • Crises
  • Crowds
  • Cruises
  • Deception
  • Depression
  • Dictators
  • Disappointments
  • Disasters
  • Disrespect
  • Dramatics
  • Drought
  • Earthquakes
  • Emergencies
  • Errors
  • Ex-es
  • Excuses
  • Extremism
  • Failed commitments
  • Failure
  • Fake news
  • False hope
  • Falsies
  • Fast food
  • Fees & charges
  • Festivals
  • Final demands
  • Getting old
  • Greenhouse gases
  • Half-truths
  • Handouts
  • Hangovers
  • Health & safety gestapo
  • Heart disease
  • Human diseases (including COVID-19)
  • Idiocy
  • Ignorance
  • Illicit drugs
  • Impacts
  • In-person seminars, courses etc.
  • Inadequacy
  • Inane DJs
  • Incidents
  • Inconsiderate & antisocial behaviour
  • Indecision
  • Inefficiency
  • Inflation
  • Injuries
  • Interruptions
  • Intrusive & annoying ads
  • Jails
  • Jobsworths
  • Karaoke
  • Laws, regulations, policies, rules & restrictions
  • Lawyers
  • Letdowns
  • Lies
  • Loan sharks
  • Loo rolls
  • Lou Rawls
  • Malware
  • Meals out
  • Metal fatigue
  • Monday mornings
  • Myopia
  • Myopic perspectives
  • Nationalism
  • Opera
  • Other -isms e.g. elitism, sexism, racism, Parkinsonism, short-termism
  • Overbearing bosses
  • Overdue anything
  • Overreaction
  • Pandemics
  • Parties
  • Party politics
  • Pen-pushers
  • Pessimism
  • Pettiness
  • Piracy
  • Plagiarism
  • Police
  • Political correctness
  • Politicians
  • Poverty
  • Prejudice
  • Quality failures
  • Queues
  • Rap music
  • Rationing
  • Reality TV
  • Religion
  • Rotten weather
  • Secularism
  • Selfishness
  • Slackers
  • Smoking & vaping
  • Social engineering
  • Sports events
  • Tax
  • Team building 
  • Team games
  • Tectonic motion
  • Theft
  • Threats
  • To-do lists
  • Tribalism
  • Tsunamis
  • Unsharp tools
  • Unwise shortcuts
  • Vandals
  • Vermin
  • Viruses
  • Volcanoes
  • Vulnerabilities
  • Waiting
  • War
  • Weeds
  • Xploitation ... and the letter X in fact
  • Yesterday
  • Zealots

They are all personal: you probably disagree with me here and there. Some are contentious or obscure. Some are distinctly Kiwi and many are tongue-in-cheek.

Coming up with the list was an entertaining way to pass the time, quite cathartic. Perhaps I should generate one of my A-to-Z awareness documents, systematically explaining each of my choices. If I can bear to get it all out, there's already more than enough angst there for at least a dozen pages.

Meanwhile, feel free to comment on my list or by all means come up with your own. Chisel sharpening optional.

Mar 26, 2020

NBlog March 26 - NZ lockdown day 1 of N

From midnight last night, New Zealand is now at civil emergency "stage 4", which means all except essential services personnel are supposed to stay isolated at home for about a month.

The official NZ government list of essential services appears to have been finalised and published hastily. Naturally, 'the authorities' consider themselves essential as overnight we've become a police state: police and courts are working through the lockdown, albeit providing limited services, health and immigration/customs services too. What will happen as their workers are or suspect themselves to be infected with coronavirus is unclear at this point. Presumably they have contingency plans, plus controls to limit the spread of infection within police stations, court houses, hospitals, customs halls, mail sorting offices etc. ... but staffing and service problems are entirely possible as the lockdown continues.

Since they aren't entirely self-contained, there's also a second tier of organizations supporting the essential services and here the lines get blurry. For example, police cars need tyres, fuel and servicing. 

Today we will be revising our personal list of essential home services in light of the lockdown. More tomorrow. 

Mar 25, 2020

NBlog March 25 - coping with the COVID crisis

I bumped into an insightful piece by Jeff Immelt 'Lead through a crisis' yesterday. This paragraph really caught my eye:

I agree there are material differences between us in how we react under pressure, differences that are exaggerated during a crisis. The same applies to social groups and families as well as work teams: some of us are (or at least give the appearance of being) fully on top of things, some are 'coping', some are struggling, and some are in turmoil, overwhelmed by it all.

The current situation reminds me of the Kübler-Ross grieving curve. Here's a version I've used to help explain our emotional responses to traumatic events such as information security incidents and changes:

In any group of people, there will be individual differences e.g. in the rate at which we go through the process, the depth of the 'pit of despair', and the symptoms we show of our inner turmoil. Also, the curve is figurative, not literal, so the shape and details are likely to vary (e.g. multiple peaks and troughs). However, as a general guide, it helps make sense of what's going on within and around us right now.

For me personally, the turning point came over a week ago when I read about the effectiveness of antiviral drugs: all of a sudden, my light went on. There is hope! Whether the drugs really are that effective is uncertain but my mood definitely turned positive and forward-thinking. We got on with stuff such as stocking up on essentials well before the NZ government announced the country-wide lock-down (from midnight tonight). At the same time, I appreciate that others are at different stages with many struggling to come to terms with it and function effectively plus, no doubt, some still in denial. Globally, that dark pit seems apposite.

Mar 20, 2020

NBlog March 20 - COVID-19 infosec awareness special

Today I trawled through our back catalog of information security awareness content for anything pertinent to COVID-19. The "Off-site working" security awareness module published less than a year ago is right on the button. 

"Off-site working" complements the "on-site working" awareness module, about the information risk and security aspects of working on corporate premises in conventional offices and similar workplaces. Off-site concerns the information risk and security aspects of working from home or on-the-road (e.g. from hotels or customer premises), often using portable IT equipment and working independently ... which is exactly the situation many of us are in right now.

Off-site working changes the information risks compared to working in purpose-built corporate offices. Mostly, the risks increase in line with the complexities of remote access, portability and physical dispersion … but offsetting that, off-site working can be convenient, productive and popular, and patently there are business continuity advantages in working through incidents such as COVID-19. 

Implementing appropriate security controls makes it work, on the whole, with security awareness being an essential part of the mix. People need to know about and follow the rules.

To assist organizations through the crisis and showcase our awareness materials, we're currently offering the off-site working security awareness module at just under $400 - that's half price.

Several other awareness modules may also be pertinent, delving into related topics such as:

Even if you have home working security awareness covered already, there's plenty more worth saying!

NBlog March 20 - COVID-19 PIG update

Here's today's update to my COVID-19 information risk Probability Impact Graphic:

I've slightly shifted and revised the wording of some of the risks but there's nothing really new (as far as I know anyway). 

Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home? Do you have contingency arrangements for physical security?

‘Sanity’ is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious disease etc., which is my rationale for including ‘mental health issues’ in the middle of the PIG. There is some genuinely good news in the medical world concerning progress on coronavirus testing, antiviral drugs and vaccines, although it’s hard to spot among the large volume of dubious information and rumours sloshing around on social media (another information risk on the PIG). 

There’s even some good news for infosec pros. COVID-19 is a golden opportunity for those of us with an interest in security awareness and business continuity. Essentially, we are in the midst of a dramatic case study. I encourage you to think about the information risk and security aspects of this, and perhaps make little notes as reminders of the lessons to be learnt when the storm blows over.

Here's one of mine. Toilet roll shortages are a handy leading indicator of panic buying and perhaps more substantial physical security threats ahead i.e. a predictive physical security metric. 

For some reason buried deep in the human psyche, a perceived shortage of toilet rolls and other “essentials” precedes, perhaps even triggers the cascading social disorder that we are now experiencing … so this is a gentle reminder to maintain stocks of “essentials” even in good times. Here in NZ, we are urged to maintain our earthquake kits ready for major incidents that can happen without warning. Having a sensible stock of toilet rolls, water, pasta, soup, soap etc. in the kit reduces the pressure to join the plague of locusts clearing the supermarket shelves, and frees us up for other things – not least, being able to think straight and focus on what matters: helping ourselves, our families, friends and colleagues get through this. 

I'm doing my best to maintain a sense of perspective, keeping a balanced, level-headed view of what's going on and spreading what I hope is sensible and helpful information right here.

Yet more good news: so far, the IT and comms services have held up quite well through the crisis, aside from the odd collaborative working wobble … although those ‘increased cyber risks working from home’ shown on the PIG remain a concern. I expect there will be incidents involving malware, hacking and social engineering due to weaknesses in the preventive controls, while incident detection and recovery may also be challenging. In your organization, are you on top of all of this? Do you have reliable VPNs, network security monitoring, antivirus controls, patching and backups all sewn-up for your off-site workforce using corporate kit or BYOD? Do you have the appropriate policies and procedures in place, including incident responses? What about the IT workers we rely upon to keep everything running smoothly: how are they bearing up under the strain?