Welcome to the SecAware blog

I spy with my beady eye ...

14 Nov 2016

Infosec awareness lessons from NZ quakes

A big earthquake at midnight last night on the Northern end of South Island New Zealand was a major incident with various implications for incident/disaster management. I'd like to pick up on a few security awareness aspects while the incident is fresh in my mind and still playing out on the NZ media as I write this.
  1. There is a lot of effort put into preparedness for such events, across the whole country. For instance, the central safety message "Drop, cover, hold" is simple, widely repeated and used consistently in a variety of media and situations. Even the iconic images and colours (lots of black-and-yellow, warning colours with a strong biological basis) are consistent. Schools run classroom teaching on it. Websites and public safety demonstrations repeat it, frequently. There are flyers and leaflets, plus local, regional and national exercises to practice the actions, with extensive media coverage. "Get ready, get thru" is a strong theme. Full marks!  [I have a slight concern about tourists and visitors new to NZ: how are they informed? I appreciate the mixed messages in "Welcome to NZ. Learn how to survive your trip ..." but public safety must be a high or top priority, surely?].
  2. The preparedness includes an extensive monitoring infrastructure to identify and analyze quakes in near-real-time. The location and severity of the quakes was known in short order, triggering various warnings and analyses that have continued throughout the day. However, there was no pre-warning: notice the flat line on the seismometer image above, prior to the main event. Also, the geology is complex, so early news was uncertain and confusing. [I'm not sure it helped, in fact, other than to know that the scientists are busy examining the evidence. Some filtering and coordination of the messages would be good.]
  3. The preparedness also includes a variety of disaster communications arrangements, using multiple media and mechanisms both for broadcasting and for person-to-person comms between the authorities, emergency services, geophysical experts, MPs etc. The awareness message "Text don't call" is widely repeated (albeit without really explaining why). The information flowing today through the news media has been impressive in terms of both the volume and clarity. As reported by RNZ and Checkpoint, 'Christchurch Mayor Lianne Dalziel tells John Campbell people most affected by the earthquake want information. “It’s an absolute necessity to be completely open with people” she says. [Trustworthy official information about an incident just passed or still in progress, confidently expressed by the People In Charge, helps put minds at rest. Simply knowing that the authorities, agencies, utilities and emergency services are fully engaged in dealing with the situation is very calming, compared to either not being told, or worse still strongly suspecting that the response is inadequate. It's an assurance issue.]
  4. Communications in the immediate area of the quake were not so robust. Failure of landlines and cellphones, coupled with road and rail blockages, made it difficult to establish the situation and coordinate the response. While the telcos are fixing things, portable emergency radios were flown into the area by the military. Meanwhile, some people were unreachable (causing obvious concern for their families and friends) and it was difficult for the emergency services to assess and respond to the situation. [Lessons here concerning the need for emergency shortwave and satellite radios, I think, plus more generator backups for cell sites, and perhaps a tech facility to pass priority messages preferentially (if it isn't already in place). Also, on a personal note, we need to nominate a few contacts that we can inform following an incident so friends and family can confirm we're OK without going frantic.]
  5. The civil defence and emergency services are well planned, coordinated and practiced e.g. tsunami experts have been meeting every 30 minutes from an hour after the midnight quake, providing a remarkably consistent if cautious series of tsunami warnings. [Excessive caution is a concern: beyond some point, people who think the warnings are excessive "cry wolf" tend to ignore them, perhaps placing themselves in danger. The frequency and nature of warnings is a delicate balancing act. Some adjustment is called-for, I think, although I appreciate that an onshore quake gives little to no time to issue tsunami warnings.]
  6. The preparedness extends to a nation-wide resilience, a cultural aspect. People are genuinely concerned for each other and willing - in fact keen to help out. The news reporting naturally and genuinely emphasizes the human angles as well as factually describing the situation. Today we've heard from farmers worried about damage to their stock water supplies and milking sheds, civil defence and insurance people talking about what to do now, and MPs talking about their families - a broad spectrum. We are still getting occasional stories about people patiently waiting for their quake-damaged Christchurch properties and services to be repaired, and there is genuine concern about the traumatic effects of the latest quake and aftershocks on survivors of the Christchurch quake in 2011.
  7. The period shortly after the incident, while everybody is still thinking and talking about it, is an opportune time for further awareness messages, intermingling warnings and preparedness messages (such as "A good time to check emergency kits this evening as aftershocks continue to roll on.") with news of the event. [Personally, I think more could be done on this. If your organization suffered a major privacy breach, ransomware attack, hack or whatever, would you be in a position to blend-in related awareness messages with your planned incident/disaster comms, or would resources be stretched to breaking point already? If so, could you draft in additional helpers.]
  8. This was not a single point event: aftershocks are continuing (roughly every 3 minutes for the first few hours) and may continue for months or years yet. A small tidal wave of water on a river near Kaikoura this afternoon (released when a blockage cleared) was hot news a few minutes ago. There's also bad weather on the way, placing even more urgency on the emergency responses in the epicenter region since choppers may soon be grounded. [Infosec incidents also drag on and on, especially the big ones that hit the public news media. Managing the incident and the associated comms is therefore an issue well beyond the immediate period and aftermath.]
Gary (Gary@isect.com)

PS  Even Google is playing its part.  I've just noticed the red message at the top of a query I did to find links for this very blog piece.  Good work Google!

7 Nov 2016

Exploiting the privacy-infosec overlaps

We're working hard on the next NoticeBored awareness module concerning privacy, in particular we're exploring the changes coming with GDPR (the EU General Data Protection Regulation).  

Two concepts from article 23 of GDPR caught my beady eye this afternoon:

  • Privacy by design is the idea that privacy should be an integral or inherent part of the design of a new system, service or process, from the outset (as opposed to being tacked-on later, with all the compromises and drawbacks that normally entails); and
  • Privacy by default - where there are options or alternative paths, the ones offering the greatest privacy should be selected automatically unless the user or data subject explicitly chooses otherwise.  

It occurs to me that conceptually those are not a million miles from 'secure by design' and 'secure by default', two strategic approaches with substantial benefits for information security as a whole, including most of privacy ... which hints at the intriguing possibility of using the forthcoming GDPR implementation to drive improvements to both privacy and information security.

Several other obligations in GDPR are also directly relevant to information security, such as the ability for organizations to demonstrate or prove their compliance (implying an assurance element) and to ensure that all employees are aware of the privacy obligations.  In my opinion, privacy, information risk security, and compliance, substantially overlap as illustrated by the scope blobs above: the overlaps are not complete but the parts of privacy that do not involve information risk and security (e.g. 'personal space' and a person's right to determine how their personal information is used and disclosed), while important, are relatively minor.