Welcome to the SecAware blog

I spy with my beady eye ...

30 Apr 2019

NBlog April 30 - tangents

As the hours evaporate before our self-imposed start-of-month delivery deadline, I'm trying to stay focused on completing and proofreading the "Working off-site" security awareness module ... but it's hard when there's a fascinating discussion in full flow on the ISO27k Forum about quantitative vs qualitative methods of information risk analysis, plus all the usual stuff going on around me.

I find myself physically on-site in the IsecT office, supposedly working flat-out, but my mind is drifting off-site. I just caught myself day-dreaming about the possibility of racing driverless cars, their algorithms competing against each other and the laws of physics. What a bizarre tangent! I think it's something the behavioural biologists call 'displacement activity'.

Anyway, back to the grindstone.  Catch you later.

26 Apr 2019

NBlog April 26 - a productive day

Leafing through our information security policy templates this morning, I couldn't find anything specifically covering off-site working, so I knuckled down and prepared one.  

It took longer than planned due to a false start: I soon realized that there are lots of potential policy matters in this area, so I refined the scope to cover just the information risk and security aspects. Following a general policy axiom, the more detailed policy statements describe 'typical examples' of the controls in three main categories (since they are likely to vary according to circumstances), plus a handful of others - about 2 sides of actual policy with the usual summary, applicability, introduction and references sections.

This afternoon, I prepared a case study for May's awareness and training module on working off-site based around an intriguing scenario. What normally happens when a home-worker (someone who always, often or occasionally 'works from home') leaves the organization? What should happen? Specifically, how should the organization deal with any work-related information/data the worker may have had at home, on portable equipment, on paper or whatever? 

And what if it turns out that the worker has not, in fact, fully complied with policy and employed all the anticipated and required security controls? Tut tut!

There are information risks in this scenario that aren't explicitly covered by the new security policy, but I would argue that they are HR and IT issues that ought to be covered by HR and IT policies - governance, oversight, supervision and compliance matters for instance. 

That situation is not at all unusual: in our experience, few 'incidents' or 'situations' are so simple and straightforward as to involve just one issue and one applicable policy. Usually, several rules and regs apply, hinting at the need for a comprehensive mesh of policies, contractual terms, procedures, guidelines, work instructions etc., and there's the rub. 

We are infosec specialists. Our products focus on infosec. Infosec is What We Do. We gather there may be one or two other, lesser matters potentially of concern to our lovely customers (!) but there's only so much we can achieve. 

Our solution to this conundrum is to refer to other types or categories of policies etc. in the reference section of our policy templates without being too specific. Other information security policies are cited more explicitly since we have the corresponding templates to hand and are familiar with what they say, having written and maintained them. In any event, customers are likely to review and customize the policy templates, adapting and merging them with other corporate policies, procedures etc. - well hopefully anyway, assuming they have the competencies and resources to do that. I suspect many don't, but at least we know the security policy templates form a reasonably coherent and consistent suite. Who knows, maybe the style and structure of our policy templates will inspire customers to review and revise their entire policy structure, bringing the whole edifice into a more professional, valid state, a valuable central element of their corporate governance arrangements. 

Dream on!

25 Apr 2019

NBlog April 25 - Teflon-coated security

An article about hackers compromising IoT things mentions that IoT manufacturers choose not to make their devices more secure because the additional security controls would create 'friction' for users - in other words, they are making explicit commercial decisions about their products that take into account usability as well as various other factors, such as security, privacy and I guess cost.

Well, who'd a thunk it? Information risk and security management is all about making compromises and trade-offs. There are numerous options and decisions to be made, plus situations that are forced upon us.

Re 'friction', it occurs to me that effective security awareness smooths the way for additional/better security. Once people such as the concerned mother in the article, and hopefully some of its readers, appreciate the need for and value of security, they are more likely to accept the cost of security - not just the slight increase in the price of things for additional security features but the effort it takes to configure, use, monitor, manage and maintain security, a bunch of additional costs that inevitably follow (inevitable for adequate security, not inevitable for manufacturers and consumers!). 

The same thing applies in a corporate setting. The reasoning goes: workers who know about and grasp the reasoning behind security are more likely to accept it. That's why our security policies include an introduction/background section with a brief explanation/justification, setting the scene for the controls documented in the main body. And it's why we continue to push security awareness and training as a valuable part of the treatment of information risks.

'Features' raises an interesting point. In a free market, consumers elect whether or not to buy certain products according to whatever criteria they set. Likewise, producers choose what products to offer, with whatever characteristics they feel will sell. It could be argued that security is not an optional feature but 'essential' or even 'mandatory' in the same way as 'safety' - but at present it generally isn't. Sensible consumers include security among their selection criteria and rank or prioritize it appropriately ... so first they need to understand what security is and why they might want it, which implies awareness. IoT vendors aren't exactly pushing product security in their advertisements: it barely merits a mention in the smallprint, overshadowed by the gee-whizz stuff top and centre. "Hey, look, you can adjust your aircon settings from your smartphone and come home to a comfortable temperature! Wow!" Even security things such as smart locks are sold on the strength of convenience and tech-whizz rather than security per se, thanks in part to the curious distinction between physical security and cybersecurity (as if cyber doesn't need physical: it does. They are complementary, not alternatives).

Bruce Schneier famously stated that, given the choice, people will choose 'dancing pigs' over 'security' every time. Security simply isn't sexy. We notice if it fails, not when it succeeds. We resent the cost without appreciating the value. We expect security to come for free, and to work perfectly every time. Right or wrong, those are tricky criteria for manufacturers (and security awareness gurus!) to satisfy.

Aside from learning from the safety field including aspects such as transparency and openness over disclosing and investigating incidents (e.g. the ongoing 737MAX scandal), I'm interested in the way cloud security is coming along. Thanks largely to the stirling efforts of the Cloud Security Alliance, security is being promoted industry-wide as an integral, essential part of cloud services - not a bolt-on optional extra 'feature' but core, not a product differentiator but a unifier. I hope the IoT Cybersecurity Alliance and Software Security Alliance are equally successful. An Operating System Security Alliance would be cool too (hint hint Microsoft, Apple, Google, IBM ...).

Meanwhile, we'll soldier on, promoting security awareness among our subscribers' workforces and blog readership, improving security month-by-month, topic-by-topic, organization-by-organization, person-by-person. 

Must dash: May's NoticeBored security awareness module on working off-site is fast approaching the end of the production line. We're preparing to add a glossy topcoat of non-stick Teflon.

[Non-stick == 100% carrot!]

18 Apr 2019

NBlog April 18 - another NSA contractor accused of schlurping

Catching up with recent infosec news, I stumbled across a piece about NSA contractor Harold T Martin III, accused of schlurping (pinching and hoarding) some 50 terabytes of secret data.  50 Tb!  Along with Julian Assange, Ed Snowden and Chelsea Manning, the US government appears to be hemorrhaging secrets by the shed-load, despite all the extraordinary security controls designed to prevent and detect it.

I say 'shed-load' advisedly: a typical page of a typical document has about 500 typical words per side i.e. 1,000 words per double-sided sheet needing about 200 kb of rich text data (e.g. a Word document). That's 5 sheets per Mb*. 50 Tb is 50 million Mb or about 250 million sheets. A typical box of printer paper contains 10 reams of 500 sheets i.e. 5,000 sheets per box, enough to print out about 1 Gb of data*. So, printing 50 Tb would take about 50,000 boxes of paper, a stack of about 37x37x37 boxes. That's a shed-load ... a big shed, a small warehouse or industrial unit*.

Modern PC disk drives hold about 1 Tb. It is possible someone might casually stroll out of work carrying 50 hard drives in a box marked "Spares", more likely a high-capacity USB thumb drive or laptop every working day for a month or three.

Alternatively, 50 Tb would take approximately forever to download at 1 Gb per hour on a typical home Internet connection ... but barely a day on a lightning-fast fiber-optic line running flat-out at 1 Gb per second*. Professionals working regularly from home, perhaps offering remote IT support, could conceivably claim the business expense of a fast fiber line ... or invest personally for geek status points.

This is relevant to next month's NoticeBored security awareness topic. IT-enabled workers are technically capable of accessing and storing vast quantities of data wherever they happen to be working, whether on- or off-site. About 20 years ago 'deperimiterization' became a nasty buzzword, referring to the dissolving boundaries around organizations, changing the information risks. Today, it seems as if those boundaries have completely evaporated: inside and outside are virtually indistinguishable.

If our organizations can't quite match the government spooks' budgets and appetites for information security (and even if they can!), where does that leave us? I'll  tell you where - firmly in the Probability Impact Graph's high-risk bright red zone.

* All the figures in this piece are vague approximations. Treat them as rough ball-parks at best ... and please let me know if you spot any errors.

14 Apr 2019

NBlog April 14 - SecAware eShop open for business

Acquiring top-quality creative security awareness and training materials is easier, quicker and cheaper than ever through our online shop at www.SecAware.com 

Browse a selection of awareness materials including policies, the InfoSec 101 orientation module and more.  

Pick, pay and download - "easy-as" as we Kiwis say.

Please let me know if there are other materials or topics you'd like us to offer through SecAware ... and please excuse the minimalist site design: it's just a starting point as we figure out how to build and maintain websites for mobiles and desktops.  

So much left to do, so much left to learn.

13 Apr 2019

NBlog April 13 - working off-site

We're rapidly spiralling-in on a scope, purpose and hence title for the next NoticeBored security awareness and training module, currently trundling its way along the production conveyor belt at IsecT HQ.

Inspired by a customer request to cover the security aspects of 'home working', we set out to complement the BYOD and business continuity topics ... but in exploring the associated information risks and controls, we've realized that there are other ways and means of working with similar issues. 

Mobile or portable working, for example, is almost the rule for managers and professionals these days, at least to the extent of being constantly in touch by cellphone, keeping up with emails and TXT messages, and using work apps on smartphones, laptops and tablet PCs. Commuters on public transport often seem totally absorbed by their screens and ear-buds, whether that's personal or work emails, podcasts, news from the city desk, Harry Potter, Game of Thrones, Bach or BoyZone we don't know.

Just as 'the office' has evolved from classrooms laid out with rank-and-file desks sporting noisy typewriters and ashtrays, to separate rooms with closed doors, through Dilbert cubicles (with partitions but without doors), to open-plan spaces, stand-up meetings, table-football, basketball hoops and flame-grilled hot-desking, so too 'the home office' has changed over time. 

Back in the 80's all-in-one beige plastic monsters such as IBM PCs and DEC VAXmates were all over the business ads, while home computers of the time looked more like unfinished industrial machines with plenty of blinkenlights and mysterious switches to catch the hobbyist's beady eye. Adverts focused on the 'powerful machine' rather than 'the workstation', 'desk' or 'office'. We had duplicators, pagers, PDAs and luggables, facsimile machines, and those first generation mobile telephones that needed their own motorized carts for the battery packs.

Do you recall when 'workstation furniture' became a thing - weird multilevel desks on caster wheels with cutouts for keyboards and cables, and plenty of depth for big heavy CRT monitors, leaving precious little leg-room for the unfortunate user. For a while, executive home offices were advertised by suited, bossy gentlemen (almost always) in high-back puffy leather chairs at expansive and expensive mahogany veneer desks the size of tennis courts (well table tennis tables anyway). Then came corner desks, filing cabinets on wheels and home stationery cupboards with roller-shutter fronts to stop the kids pinching daddy's crayons. 

Today, given the price of property, the 'home office' is more often a corner of the kitchen workbench or someone's lap. I wouldn't be surprised to learn of people replying to work emails on vertical touchscreens on their fridges and microwaves, all while cooking tea. We don't all have the Oval Office at home.

It has become socially acceptable, almost the norm to hold business meetings in cafes and restaurants, and anyone without a smartphone in easy reach, yakking loudly and laughing into their wireless headset, stands out like a sore thumb-drive.

Entire generations of business travelers have been trained to leap to their feet as the plane lurches to a stop, grabbing their phones and wondering where the Uber will lurk.

Oh and as speaking as a motorcyclist, don't get me going on texting-while-driving. Have you noticed just how many displays there are built-in to cars now, in addition to those clutched by the occupants? 

So, that outlines the physical and cultural context we have in mind for the next awareness module. Some of the associated information risks are obvious, others less so, which means quite a variety of controls, plenty to explain and discuss.

12 Apr 2019

NBlog April 12 - off-site security

Do your mobile sales reps look after the information relating to products, pricing, contracts, supplies, specifications, strategies and all that – not just the sales apps, spreadsheets and slide decks on their laptops, tablets and smartphones, but all the other sensitive and valuable corporate and personal data they carry or access? What about your roaming product/tech support and maintenance people? Your company doctor? The Board of Directors? Managers and business travelers generally? Workers catching up with email on their way home, or putting the final touches on a progress report while stretched out on the couch watching an episode of CSI?

Are they vigilant and alert? Do they have the faintest clue about the information risks around them, or what's expected of them in the way of information security and privacy? Do they care?

Portable ICT has revolutionized our lives to the point that we take it for granted these days. We've become blasé about it. No longer are we tied to the desk and landline. We can be reached almost anywhere at any time by friends, family and colleagues, including the boss, customers and associates. One-way pagers morphed into TXT messaging and SMS-RSI. Cellular telephones with power packs the size of Manhatten, the capacity of a flea and dreadful audio quality became multimedia smartphones small enough to wear on the wrist, while jogging. Embedded computing used to refer to dedicated Computer Numerical Controllers buried deep inside noisy industrial machines: now it includes subcutaneous things.

It's not just students doing homework. For some, working from home is a lifestyle choice, a way to mesh work and family lives seamlessly or at least to juggle dishwashing with helpdesking. For others, it's a necessity, squeezing a few more precious hours into the working week while being physically present and technically 'at home'. And 'home' tonight may be a bland concrete box in some anonymous city hotel, tomorrow a cab and departure lounge en route to the next bland concrete box.

Those are just some of the scenarios we have in mind for May's NoticeBored security awareness and training module. With a profusion of information risks and security controls to explore, preparing the materials involves drawing out the core themes and threading them into story lines that spark the imagination. Informing, engaging and persuading people is what we do. Must dash now: dishes to wash. 

11 Apr 2019

NBlog April 11 - the KISS approach to ISO27k

From time to time on the ISO27k Forum, someone claims that certification auditors 'like to see', 'require' or even 'insist on' or 'demand' certain information security controls. Sometimes, it is further claimed or implied that certification auditors have actually raised or might yet raise nonconformances regarding the lack of certain controls, and consequently might refuse to certify their clients.

I'm not entirely convinced that such claims are true, for starters, but if so that hints at a problem with the certification and perhaps accreditation processes.

In accordance with ISO/IEC 27006, ISO/IEC 27007, ISO 19011 (revised last year) and their own internal certification audit procedures, accredited certification auditors should be certifying an ISO27k Information Security Management System against the requirements formally specified in the main body clauses of ISO/IEC 27001. They should definitely raise major nonconformances and refuse to certify if they have evidence that an organization has not fulfilled particular requirements in the main body of '27001. However, if there are issues regarding the organization’s interpretation and/or implementation of '27001 Annex A controls, that’s a different matter because Annex A itself is not mandatory.

A (re)current example on the Forum concerns asset inventories. The main body of '27001 does not formally require that organizations prepare and maintain inventories, databases or lists of their assets. Compliant organizations are required to consider the advice in Annex A regarding inventories and other matters, but they do not have to take the advice and they are free to interpret it in whatever way happens to suit their purposes.

Arguably, if an organization has identified and evaluated its information risks and decided to implement certain mitigating controls based on Annex A, but has not in fact done so yet (at least not satisfactorily) and has no real intention, then that suggests a failure of the ISMS processes which would likely constitute a reportable nonconformance. However, if the organization acknowledges that the controls are not fully implemented yet and is in the process of addressing that (ideally with some evidence of genuine intent, such as approved projects with allocated resources), then the ISMS processes appear to be working as planned … which would be a basis to challenge a nonconformance raised by the certification auditors. One of the objectives for an ISO27k ISMS is to drive and facilitate systematic improvement and maturity in this area: that’s nothing to be ashamed of - quite the reverse!

Unfortunately a number of myths and misunderstandings persist in the field, including allegedly common practices and widespread approaches that are not entirely aligned with the ISO standards. Even if many certified organizations happen to have asset inventories, that does not mean the standard formally requires everyone to do so. The same thing applies to information classification, antivirus controls, backups and so forth – in fact, the whole of Annex A ("Reference control objectives and controls") is advisory: certified organizations are formally required to check their selection of controls against Annex A "to ensure that no necessary controls have been overlooked" [27001 cluse 6.1.3c note 1] but they are not formally required to adopt and implement the Annex A controls. They are encouraged to select whatever controls happen to best address their risk mitigation needs, from any sources they choose including controls of their own invention. 
"Organizations can design controls as required, or identify them from any source." 
[ISO/IEC 27001:2013 clause 6.1.3b (note)]
Oh and by the way, mitigation is just one of four perfectly acceptable forms of risk treatment, along with avoidance, sharing and acceptance. Again, the organization is fully within its rights to choose its approach and the auditors should not complain (with some provisos concerning how those choices were made).

This point drove our development of the ISMS mandatory documentation checklist for the ISO27k Toolkit (free!). If you analyze the wording of ‘27001 carefully and narrowly, almost like a lawyer analyzing a contract, you find that many common practices are optional, not mandatory after all. This has implications for the certification auditors: clients have a sound basis to challenge audit findings or nonconformances on options that, for whatever reason, they have chosen not to take up. Provided the process through which they evaluated and chose their options is compliant with '27001, and provided they duly complied with their own policies and procedures, the auditors should not insist that those options are in fact required.

Having said all that, there is more to this than certified compliance with '27001. It could equally be argued that Annex A constitutes good practice, hence in accordance with '27001 6.3.1d, organizations that choose not to adopt Annex A controls should at least be able to justify their decisions in a Statement of Applicability. Right or wrong, discretion is appropriate and necessary under various circumstances, in practice. 

Furthermore, while certification auditors might be going beyond their brief if they refuse to certify organizations that choose not to adopt all the controls in Annex A, they might appear negligent if they didn’t at least point out substantial information security concerns which crop up in the course of their audits … which is where minor nonconformances, ‘other findings’, ‘potential points of concern’, informal reporting and the negotiations towards the end of an audit generally come into play. 'We will certify your ISMS, but we advise you of the following issues: ...'.

ISMS management reviews, ISMS internal audits etc. probably should dig out and report concerns of this nature too: they generally have a wider brief than certification and are not necessarily constrained to compliance auditing solely against the formal requirements. Almost anything is potentially reportable internally if a competent person believes and has evidence that is in the organization’s best interests. That includes audits and reviews of the ISMS against other requirements such as quality assurance or health and safety or environmental protection or corporate strategies or whatever. Organizations have many obligations and expectations in addition to those in ‘27001, not least meeting their own business objectives and duties towards various stakeholders.

So what does this all mean? Personally, despite being a fan of good security practices, I understand the value of a minimalist KISS approach (as in Keep your ISMS Simple, Stupid) with benefits such as:
  • Ease of understanding, use, management, maintenance and auditing;
  • Focus on the essentials, and do those well, make them slick;
  • Lack of red tape and bloat - often itself a rats nest of security issues as well as the obvious costs and delays;
  • Maximize bang for buck - the core processes and an ISO/IEC 27001 compliance certificate are valuable, even if the certified ISMS is minimalist;
  • Release the organization from the constraints of overbearing security, encouraging investment and effort in other more valuable business opportunities;
  • A solid foundation on which to build appropriate extensions at some future point - meaning both maturity and the flexibility to respond to novel situations as they arise.

8 Apr 2019

NBlog April 8 - The Power of Resilience

One of my all-time top-N books, this one. Love it!

The author, Yossi Sheffi, is an expert in systems optimization, risk analysis and supply chain management. He’s a professor at MIT, the Director of the Center for Transportation & Logistics, a faculty member of the Civil and Environmental Engineering Department and Institute for Data, Systems, and Society. As well as his academic credentials, he’s a level-headed clear thinker.

Yossi’s thesis is valuable and convincing. There is no organization that would not benefit from being even more resilient, and for the vast majority even modest improvements along these lines could make a huge difference to their capabilities and capacities, both in disastrous conditions and in normality.

I particularly like the emphasis on resilience as a strategic matter, for example making organizations fit and ready to seize the business opportunities that open up when their less-resilient peers are struggling to cope with nightmare scenarios. Resilience is far more than a defensive mechanism: this book explains how to create competitive advantage by a more proactive approach.

The writing style is excellent. The book is clear, easy to read and understand, and interesting too - I really enjoyed reading and contemplating it. It is peppered with details and anecdotes from the author's research with numerous companies, not just the usual rather restricted and superficial set of case studies but a wealth of relevant info from a wide range of industries, albeit mostly large companies hence SMEs are a little underrepresented.

It's a stimulating read. Every few pages I found an angle that hadn't occurred to me before, an approach that instantly registered as something well worth considering. It's overflowing with good advice - and not just hand-waving generalities: there are plenty of clues here for bright managers to adapt and adopt.

All in all, fantastic! A cracker! A keeper!

7 Apr 2019

NBlog April 7 - time resilience

It's official - summer's over in the Southern hemisphere.  

Not only did we need to light a fire to keep warm yesterday but at 3 am last night our clocks went back an hour at the end of NZ Daylight Savings Time. We're now 12 hours ahead of UTC.

◄ My Windows PC clock reset itself automagically, dropping an information entry into the system logs 12 seconds later ▼

Consequently the normally sequential Windows system log appears out of sequence. According to the time stamps ► log entries at 02:55 and 02:56 were followed by the informational entry at 02:00. 

That's just an reporting/display artifact though. Under the covers, the operating system uses UTC. UTC didn't change by an hour at 02:00 but just kept ticking away like normal. Log entries always join the top of the heap in a strictly sequential log.

UTC does occasionally change by a second, though, to keep it in step with the Earth's rotation which is how we animals measure time - by reference to the cycle of days and nights, sunrises and sunsets.

We all know days and nights change gradually in length throughout the year. Thanks to their atomic clocks, the scientists know that the 'gradual change' is not, in fact, entirely consistent. For reasons that escape me, atomic clocks are more consistent than the Earth's rotation, hence UTC is not entirely accurate.

UTC is only ever adjusted in whole 1 second increments ... which presents a problem for computer systems and processes that depend on UTC. Loggable events occurring within the period of a step adjustment could be logged with the wrong times, so a better approach is to speed up or slow down the clock tick rate ever so slightly until the one second change is achieved. Now, log entries will be ever so slightly wrong for the period of the change, but provided 'ever so slightly' is less than the resolution of the date-time-stamps, it shouldn't matter, hopefully.

Some systems and clocks don't adjust themselves, such as Sun.exe, a neat little Windows utility that displays a yellow or blue sun icon on the task bar depending on whether it is day or night. The times shown on its pop-up message about sunrise and sunset are wrong by an hour:

After terminating and restarting Sun.exe, the times are correct:

So it looks as if Sun.exe takes its time reference as it launches, not as it calculates and displays the pop-up message and colours the task bar icon.

Along with assorted battery-powered clocks around the place, the 1 hour error in Sun.exe is a trivial issue. For forensics purposes, accuracy of date-time-stamps to the second may be important when establishing the precise sequence of events, perhaps down to millisecond levels in some business situations (such as recording the precise moment that a bargain is struck in a volatile trading market). There might be safety or other implications as a result of strictly sequential activities getting out of sequence, unless the systems involved are coordinated to change at the same rate, which I guess is the reason for 'coordinated' in Coordinated Universal Time (i.e. UTC - the acronym is based on the French version of the phrase, as if this wasn't confusing enough already). What matters there is relative time ... and no, I'm not going into relativity at this point.

Overall, though, we manage. As with the much-feared Y2K, we scrape through. We're quite resilient, you could say. It takes me maybe a couple of days to adjust my body-clock to the 1 hour changes between winter and summer time, or other stepwise changes that occur when I fly East or West through one or more time zones. Of course I could cross just one time zone at the very point the clocks change between summer and winter time to cancel out the changes but the stress of figuring out whether I should change my watch, by how much and which way, would be worse than just coping with it. I'm glad I don't schedule flights though. 

So here I sit at 0730am roughly an hour after sunrise this Sunday morning, in daylight outside. Yesterday at this clock time, I needed the desk lamp on because it was still quite dark. This evening, it will be drink o'clock an hour earlier than yesterday. Drink o'clock is more daylight- than clock-related ... so I'd better push on. Things to do while it's light.

PS  As I tagged this blog piece, I realised that the issue has numerous implications for information security. There's more to it than it seems.