Welcome to the SecAware blog

I spy with my beady eye ...

29 Jan 2017

Samsung's $5bn cock-up

Samsung has a strong, well-respected and valuable global brand ... which is why the flaming Galaxy Note 7 debacle must be so embarrassing for Samsung. Having to recall the model after several spectacular fires was bad enough, but then releasing a flawed and similarly dangerous replacement turned a disaster into a $4bn PR nightmare, where PR = Product Recall = Public Relations. 
"The cancellation of the Galaxy Note 7 has been an unprecedented public relations disaster for Samsung, the world’s largest maker of smartphones. It has also cost the company billions of dollars and, for some critics in South Korea, even called into question the very business model that has made Samsung so successful." [NY Times]
Samsung's press conference about the incident was both useful and frustrating:

"The culprit proved to be two separate flaws with two separate batteries. One was a design flaw that led to the first recall. The second was a manufacturing error introduced after Samsung's second supplier ramped up production to meet demand as the sole Note 7 battery supplier." [Cnet]
"During the almost hourlong presentation, Samsung offered an extensive technical explanation of the problems with the battery but little insight into the breakdowns that caused the company to fail to identify the problems. Mr. Koh said the lessons the company had learned had been integrated into its processes and culture, yet offered no explanation of how the culture would change or what the problems with the culture were." [NY Times]
Changing a corporate culture is always a tough challenge, made tougher still by the risk of inadvertently damaging those aspects of the culture that are clearly working well. This is a risky time for Samsung - they really are playing with fire. Despite Mr Koh's implication that they are already over it and moving on, I rather suspect Samsung will continue reeling from this nightmare for some years yet, suffering the occasional flashback and daymares too probably.

On the other hand, the impetus for change must be massive right now. Incidents are highly motivational improvement opportunities: the bigger they are, the stronger the impetus to 'learn the lessons', 'sort things out' and 'get back on the road'. Even for a group the size of Samsung, the incident will have caused shock-waves, hopefully strong enough to dislodge the corporate inertia that so often impedes real progress and yet not so strong that the social infrastructure crumbles away. Holding relevant parties to account for their evident failures is part of the cathartic process of dealing with the pickle they've landed themselves in, as well as moving huge blocks of concrete off the path to success. It's one very visible sign of change, not just a change of personnel (usually senior managers) but a wider acknowledgement of the issues by management as a whole. It's their way of saying "Yes, we admit it, we screwed up here. But, hey, we're on top of it."

The whole debacle makes another excellent case study - not just for Samsung but for all of us who take the trouble to find out about, consider and learn from the available information. As with the Sony hack, Ed Snowden, Challenger and many other headline incidents, the rest of us can take the gain without the pain - just a twinge maybe as we get to grips with the story, figuring out what went wrong and why, asking "Could that have been us?" and "What should we be doing to avoid becoming headline fodder?"

I wonder what Samsung, Sony, the NSA and NASA are doing in the aftermath of their Really, Really Bad Days At The Office, what problems they are facing, and how they are tackling them. In the absence of explicit and detailed post-incident reports (which would of course be very valuable but commercially and politically sensitive), we'll have to settle for the little snippets of news that we're fed, plus assorted 'expert' comments and analysis, and a job lot of trade-sized Polyfilla to fill-in-the-gaps. And that's fine since we are not Samsung or Sony or N[A]SA; in other words, even with the benefit of a full exposé, we'd still have to reinterpret their situation in order to apply the learning in our own corporate contexts.

Meanwhile, I'd like to thank Samsung and their flaming phones, Sony, N[A]SA, my producer and the whole production team, the media, my colleagues in the industry ...

Gary (Gary@isect.com)

PS $4bn or 5? What's a $bn between friends?

PPS I trust HP is well aware of this case too as they seem to be clinging gingerly to the same rocky path.

18 Jan 2017

Nuts to risk management

In all sorts of contexts, and for reasons rooted in brain biology, we often focus or obsess about the wrong things. We fear flying more than the road trip to/from the airport. We are terrified of cancer, but tolerate obesity and do our level best to ignore heart disease. We are petrified of driverless vehicles, while downplaying their safety, economic and social advantages relative to human-driven vehicles. "Foreigners" (especially Russians and Chinese, it seems) and terrorists are clearly out to get us, more so than our own governments, our friends and relatives, and just about everyone else for that matter, including ourselves! Gun-ownership is fine but guns are dangerous. Cellphone masts are patently evil (especially in/near schools), whereas the cellphones clasped to our heads or pocketed next to our crown jewels are good ...

Seems to me this is a widespread issue with risk management in general, including but going well beyond information risk management. It’s a sad indictment of our profession, too. We’re often wrong when we identify and prioritize the risks, or the constituent threats, vulnerabilities and impacts. Hence we’re often pushing the wrong controls, or ‘playing it safe’ by pushing and wasting effort & money on unnecessary controls when we perhaps ought to be focusing more on the truly necessary/critical ones. We promote IDS/IPS and SIEM and a million other shiny high-tech controls while neglecting backups, policies, awareness and training - the basics, fundamentals really.

So, on that premise, what is the alternative, the antidote? What if anything can we do about it? Here are nine non-exclusive approaches that occur to me, with a few cynical comments as I mull this over:
  1. Data-driven risk management, using data on actual incidents to assess risks and prioritize them more rationally (hmmm, this implies a historical bias, and a bias towards recognized/known incidents. And we probably lack sufficient data anyway. Oh and the Global Financial Crisis demonstrated how easy it is to get carried away by our own presumed competence)
  2. Find/invent better risk management methods … (good luck!)
  3. … and apply the methods more rigorously (doing a fundamentally broken process well doesn’t get us anywhere much though, except that it perhaps encourages us to improve systematically and acknowledge the limitations)
  4. Baseline or standardized security: put in place the basic controls that are generally accepted as being necessary (but if we are all deluded about the risks, what help is that? I guess it relieves us of thinking about the basics, leaving more head space for the remainder)
  5. Just do the best we can, but be more realistic about our limitations. Acknowledge that our controls – including risk management as a whole - are fallible, so emphasize incident management, resilience, recovery and contingency approaches (like, errr, reliable off-line backups to recover from ransomware and Windows updates [much the same thing!]. Oh oh.)
  6. Worry or obsess about everything. Control everything. Make security so tight the business squeaks. Be genuinely shocked when something big breaks spectacularly. (Snowden!)
  7. Downplay or ignore this issue. Put head in sand. Close eyes and stick fingers in ears, chanting la-la-la. Pretend that we’re on top of things, hoping that someone else will fix this (nonexistent) issue before we get hit hard. (Prepare excuses and maintain Curriculum Vitae)
  8. Take ourselves out of the loop. Hand this over to the robots. Hope that AI trumps wetware. (Hinson tip: this is the way of the future, like it or not)
  9. Make a serious, conscious effort to identify and counteract human biases, prejudices and blind-spots, including our own. Become more self-aware. (Think on!)
And before anyone comments, I appreciate that, as an infosec pro, I too am part of the problem but at least I'm contemplating solutions.


PS This piece was prompted by a BBC article about squirrels being more of a threat to the US critical national infrastructure than terrorists and a troll on the security metrics mailing list who plaintively insists he has a cunning new risk management method but refuses to tell us anything substantive about it.

PPS My thinking on this topic was inspired by Bruce Schneier, including "Beyond Fear" which I really should re-read ...

13 Jan 2017

Earthquake alerting app

Quake map courtesy of GeoNet.co.nz
An idea came to me in bed this morning: smartphones have the capability to identify and measure phone movements in three dimensions, thanks to their built-in positional sensors. So, with the appropriate app, my smartphone sat on my bedside table ought to be able to recognise when it is being shaken about violently in the middle of the night, and alert me to an earthquake in progress.

I distinctly remember waking up a few minutes past midnight during the big Kaikoura earthquake last November, and being utterly befuddled about what was happening. I was still fast asleep when the initial jolt came, and it took me a little while to stir, by which time we were into a period of gentler but strong rolling movements, enough to set the bedroom light swinging. I wasn't awake enough to react, as I should have done, doing the 'drop, cover, hold' thing. Instead, I just lay there in a bit of a daze, blinking up at the pendulous light and wondering what was going on.

If my phone had noticed the quake and started chanting "Drop! Cover! Hold!" at me, maybe that would have had the right effect? Perhaps a message along the lines of "Head for the hills!" would be a worthwhile prompt for those in the tsunami zones?

I wonder if anyone has already produced such an app. If not, I'd love to see someone take this idea forward, perhaps do some trials to clarify the specification and make it happen. Clearly, the app would need to be able to distinguish quakes from conventional phone use, perhaps using clues such as time of day, long periods of resting, no incoming call or alarm message, and maybe a "False alarm?" button on the screen.

Since it is just an alert, the conventional alert/alarm sounds could be used, or better still we could record our own messages, picking up on the cocktail party effect by having a significant other call our name at the start of the message. For bonus points, the 'head for the hills' thing could even tell me what way to go, using the phone's built-in GPS and mapping capabilities. [And, yes, this is scope creep in action!]

It occurs to me that if such an app were used widely across the country, that would effectively comprise a distributed network of semi-intelligent earthquake sensors, measuring the intensity of the shakes in real time. It might prompt phone owners to submit subjective earthquake reports, supplementing the scientific sensors and existing web reporting system. [More creeping scope - I could go on ...].
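To make the detection idea concrete, here is an added Python sketch of the heuristic described above: the phone must have been lying still for a while, then shake hard for longer than a pick-up would, with recent calls, alarms or screen touches counting against the alarm and time of day noted in the verdict. This is illustrative code written for this page, not code from the post or from any existing app; the sample rate, the rest/shake thresholds, the minimum durations and the accelerometer data below are all constructed assumptions.

```python
"""Heuristic 'is this an earthquake?' check over phone accelerometer samples.

Added illustration of the idea in the post, not code from the post or from
any existing app. Sensor rate, thresholds and the sample data are assumptions.
"""
import math
import random
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Vec = Tuple[float, float, float]

G = 9.81           # gravity, m/s^2
SAMPLE_HZ = 50     # assumed accelerometer rate
WINDOW_S = 1.0     # length of each analysis window, seconds
REST_RMS = 0.15    # m/s^2 below which a window counts as 'at rest' (assumption)
SHAKE_RMS = 1.5    # m/s^2 above which a window counts as 'shaking' (assumption)
MIN_REST_S = 30    # the phone must have lain still this long beforehand
MIN_SHAKE_S = 4    # shaking must persist this long; picking the phone up is brief


@dataclass
class Context:
    hour: int                   # local hour, 0-23
    seconds_since_touch: float  # since the last screen touch, call or alarm


def window_rms(window: Sequence[Vec]) -> float:
    """RMS of the acceleration residual after removing the window's mean vector.

    Subtracting the mean removes gravity whatever the phone's orientation, so a
    phone lying still at any angle gives near zero while horizontal or vertical
    shaking both show up.
    """
    n = len(window)
    mx = sum(v[0] for v in window) / n
    my = sum(v[1] for v in window) / n
    mz = sum(v[2] for v in window) / n
    sq = sum((x - mx) ** 2 + (y - my) ** 2 + (z - mz) ** 2 for x, y, z in window)
    return math.sqrt(sq / n)


def classify_windows(samples: Sequence[Vec]) -> List[str]:
    """Label each whole window 'rest', 'move' (ordinary handling) or 'shake'."""
    n = int(SAMPLE_HZ * WINDOW_S)
    labels = []
    for i in range(0, len(samples) - n + 1, n):
        r = window_rms(samples[i:i + n])
        labels.append("rest" if r < REST_RMS else "shake" if r > SHAKE_RMS else "move")
    return labels


def trailing_run(labels: Sequence[str], wanted: str) -> int:
    """Length of the run of `wanted` labels at the end of the sequence."""
    run = 0
    for lab in reversed(labels):
        if lab != wanted:
            break
        run += 1
    return run


def detect_quake(samples: Sequence[Vec], ctx: Context) -> Tuple[bool, str]:
    """Decide whether the latest samples look like a quake hitting a resting phone."""
    labels = classify_windows(samples)
    shake = trailing_run(labels, "shake")
    if shake * WINDOW_S < MIN_SHAKE_S:
        return False, "no sustained shaking"
    rest = trailing_run(labels[:len(labels) - shake], "rest")
    if rest * WINDOW_S < MIN_REST_S:
        return False, "phone was being handled before the shaking"
    if ctx.seconds_since_touch < MIN_REST_S:
        return False, "recent touch, call or alarm explains the movement"
    night = ctx.hour >= 22 or ctx.hour < 7
    return True, "sustained shaking of a resting phone" + (" at night" if night else " in daytime")


def alert_message(in_tsunami_zone: bool) -> str:
    """Text the phone would speak; the tsunami variant adds the evacuation prompt."""
    return "Drop! Cover! Hold!" + (" Then head for the hills!" if in_tsunami_zone else "")


# --- constructed sample data, not real sensor captures ----------------------

def make_rest(seconds: float, rng: random.Random) -> List[Vec]:
    """Phone lying flat: gravity on z plus a little sensor noise."""
    return [(rng.uniform(-0.03, 0.03), rng.uniform(-0.03, 0.03), G + rng.uniform(-0.03, 0.03))
            for _ in range(int(seconds * SAMPLE_HZ))]


def make_shake(seconds: float, amp: float, freq_hz: float = 2.0) -> List[Vec]:
    """Horizontal sinusoidal shaking of the given amplitude in m/s^2."""
    w = 2 * math.pi * freq_hz / SAMPLE_HZ
    return [(amp * math.sin(w * t), 0.5 * amp * math.cos(w * t), G)
            for t in range(int(seconds * SAMPLE_HZ))]


def build_scenario(rest_s: float, shake_s: float, amp: float, seed: int = 1) -> List[Vec]:
    """Rest for rest_s seconds, then shake at the given amplitude for shake_s seconds."""
    return make_rest(rest_s, random.Random(seed)) + make_shake(shake_s, amp)


if __name__ == "__main__":
    night = Context(hour=0, seconds_since_touch=3600)
    print(detect_quake(build_scenario(40, 8, amp=3.0), night))   # quake on a resting phone
    print(detect_quake(build_scenario(40, 8, amp=0.5), night))   # gentle handling, no alarm
    print(detect_quake(build_scenario(10, 8, amp=3.0), night))   # phone was in use just before
    print(alert_message(in_tsunami_zone=True))
```

The mean-subtraction trick is what lets the same threshold work for a phone lying flat, propped on its side or face down; the rest-then-shake ordering is what separates a quake from someone grabbing the phone off the table. The "False alarm?" button the post mentions would feed back into tuning the two thresholds.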

The trouble is, I have no idea how to take this idea forward. I'm not even sure if it's novel or lame, perhaps blindingly obvious to anyone who makes the conceptual connection between smartphones and earthquakes. I'm neither a smartphone programmer nor seismologist, just someone with a brainwave that got me out of bed this morning. I don't know who might be both interested and capable of exploring and developing the idea, perhaps taking it further.

The main reason I'm blabbering on about it here is that I think it might be a patentable invention but I'm not looking to make any money out of this, and I'd much rather see it exploited for the public good than line some entrepreneur's pockets. This is a 'spoiler', deliberately disclosing the invention to prevent it being patented.


10 Jan 2017

Surveillance: awareness challenge or opportunity?

We're busy preparing February's NoticeBored security awareness module on the topic of surveillance.

As often happens, what we anticipated would be a fairly narrow and specific issue has mushroomed before our very eyes as we've delved into the writing. We're now looking at surveillance on the population by the authorities, by the organization on workers and third parties, by third party organizations on workers, and by individuals on each other ...

The awareness module covers a fascinatingly diverse patchwork of information risks e.g. industrial espionage and intelligence, health and safety, network and physical security monitoring, oversight and supervision, privacy and confidentiality, office security, things, portable devices, artificial intelligence, hacking, malware and more. We've covered all of them separately but this is our chance to bring them together - an awareness story with a novel perspective.

The news story about a TV presenter's verbal comment allegedly triggering Alexa to order dolls houses through Amazon's Echo thing fell into our lap just a few days ago: if people haven't even bothered to configure their gizmos so they don't order stuff without their confirmation, what's the betting that they don't realize they are being silently monitored 24x7? And it's not just Alexa listening-in, not by a long chalk. Look around you right now: how many microphones and cameras can you spot? And how do we know there aren't more surveillance devices, tucked away inside the high-tech stuff that increasingly surrounds us?

If your security awareness program is tedious and ineffective, perhaps you need to get out more! If that's not an option, get in touch: we've got the boring bits covered (researching and preparing creative copy) leaving you the fun of interacting with your fellow employees, delivering and emphasizing the key messages. Surveillance is one of ~60 topics in our bulging portfolio, all designed to intrigue, inform and motivate workers to value and protect information.

Gary (Gary@isect.com)