Welcome to the SecAware blog

I spy with my beady eye ...

31 Mar 2020

NZ lockdown day 6 of N

The NZ politicians and news media are updating us daily on selected COVID-19 statistics (metrics), particularly concerning NZ of course but also the global situation. Countries with the largest numbers (regardless of which metric) are naturally media-fodder.

It's fair to ask, though, what all these numbers mean, why we should care about them, and why they are being reported rather than others.

As with information risk and security metrics, there are various audiences of the metrics with numerous concerns, objectives, purposes, uses for or interests in them e.g.:
  • Those actually managing the national response, day-by-day, need to know how they are doing relative to their plans and intentions, and how they might improve
  • Central and local government politicians giving oversight and direction to the response ... with a keen eye on their popular standing, given that an election is in the offing (unless deferred) ... plus administrators in the civil service
  • The Treasury and Inland Revenue, overseeing the financial aspects of NZ's impacts from COVID-19, not least the costs of the controls and handouts intended to keep businesses and other organizations afloat, the national debt and tax burden on those who make it through 
  • The stock market and financial industry generally - interested for the same reasons
  • The NZ general public with a personal, familial and general interest in the situation, mostly concerned non-specialists
  • The news media - specifically journalists, editors and proprietors  
  • The social media - specifically bloggers, Twits, Facebookers, community members and influencers, commentators and assorted 'interested parties' ... including me 
  • Specialists in public health, infectious disease, virology, epidemiology, genetics, risk and incident management etc.
  • Healthcare professionals - in particular those planning for, leading and administering the public health response to COVID-19
  • The police and justice system, largely responsible for administering the lockdown and dealing with noncompliance 
  • Border authorities, responsible for diverting new arrivals into NZ into self-isolation
  • 'Foreigners' i.e. similar audiences overseas, interested in comparing NZ's approach to their own country's.

Those are the audiences, some of them anyway. Already the variety is clear. 

I'll be back to take a look at NZ's COVID-19 metrics tomorrow.

30 Mar 2020

NZ lockdown day 5 of N

Our "broadband" is gradually becoming narrower by the day as an increasing number of Kiwis on staycation are working from home, downloading/watching videos, playing online games or whatever.

Normally I listen to online music stations while working and I still can: thanks to bufferuffering and the relatively little bandwidth required, streaming audio still works OK ... but instead I'm listening to my music CDs for a change, figuring there are those out there who need the Interweb bandwidth more than me.

Besides which, I like my CDs and it's easy to skip the duff tracks. 

29 Mar 2020

NBlog March 29 - NZ lockdown day 4 of N

Yesterday I wrote about exploiting/making the most of opportunities that arise in a crisis. Here's an example - using COVID-19 as an analogy to help explain a concept.

A question came up on the ISO27k Forum about how to handle 'primary and secondary assets' in the risk assessment processes described by ISO/IEC 27005. This is my response ...

“Primary assets (business processes and activities, information) … usually the core processes and information of the activity in the scope” [ISO/IEC 27005:2018 section B.1.2] are the focal point: that’s what we need to protect. However, in order to do that, we also need to take care of other matters, including the supporting/enabling information systems, networks etc. Those have some intrinsic value (e.g. used but now redundant servers can be upgraded, redeployed, sold or scrapped) but their main value relates to their roles in relation to the primary assets.

A topical analogy is “health” – an asset we all need to protect.  ]For virtually everyone, it’s clearly primary - #1, The Most Important Thing Of All. There are many threats to our health (not just coronavirus!) and we have many vulnerabilities (e.g. we need to breathe, we have mucosa, we need to interact with the world around us to gather essential supplies …), while the impacts of health incidents are many and varied (from ‘feeling a bit off colour’ to death). We can’t directly protect “health” (which is intangible and cloudy), but we can work on various related aspects that, in turn, support good health – like for instance staying out of range of coronavirus and flu sufferers coughing and sneezing; staying well nourished; exercising to maintain physical fitness; thinking about hard stuff like this to maintain mental agility; being vigilant for the symptoms of poor or deteriorating health; having the health services, docs, drugs, respirators etc. to increase our ability to survive disease etc. In infosec terms, that’s a blend of preventive, detective and corrective controls designed to protect our continued integrity and availability 😊

Figuring out and managing health risks is complex, multifaceted and dynamic. There are some things we can’t control at all (e.g. we’re all getting older!) and many that we can only partially control. The controls come with costs and drawbacks, different implications, different effectiveness and benefits. Implementing and using certain controls precludes others and may even increase the risks in other areas (e.g. “Going shopping” is allegedly soothing for some shopaholics but means interacting with the Great Unwashed). The controls have physical and behavioural aspects. There are tools and techniques, individual and societal. There are assurance aspects (“I take vitamin supplements: am I fitter/healthier or just poorer? What about these fish oils and ‘high potency’ vits?”) and snake-oil to be wary of (homeopathy, anyone? Magic crystals? Dancing naked around the standing stones as we sacrifice a goat?).

It’s the same with information risks, right? Hey, we even have computer viruses to worry about! However we have been looking after our health for millennia all the way back to the primordial soup, whereas infosec - and more pertinently information risk management - is relatively new, rough around the edges."

28 Mar 2020

NZ lockdown day 3 of N

With a bit of lateral thinking, there are ways to hook-in to and even exploit the COVID-19 brouhaha. More time for reflection is one of the advantages of the lockdown, for some of us at least. 

Many organizations, for instance, have sent out customer comms about what they are doing to maintain services during/despite the pandemic. Although most are matter-of-fact and boring (maybe not even branded), some are more creative and engaging, even acknowledging that COVID is not going to blow over in a couple of weeks. Most are generic, superficial and bland, often supplier-focused, whereas some are personalised, unique, detailed and customer-focused. Most appear to be one-off broadcasts, hurriedly cobbled together by teams immersed in the chaos and confusion, then slowly refined and authorized. Not many that I've seen so far even hint that there might be more to come. The odd tinge of humour is welcome.  

Unlike the vast majority of incidents and crises, a global incident such as COVID-19 or world war extends way beyond the individual organization, even its primary supply chain. The conventional incident and crisis management comms, often pre-canned as templated press releases, may not therefore be appropriate, relevant and helpful. The context, and hence the messages, are materially different. Even the anticipated modes of delivery are not guaranteed if, say, a cyberwar takes down the Internet.

I'm exploring some of the many lessons here for those of us vigilant enough to notice and think about what's going on around us, rather than being totally introspective and absorbed by dealing with the crisis. We're lucky in that we don't feel as if we are in immediate danger, we were well prepared for this and we're resilient ... which frees us from the grief and torment that others are experiencing and allows us to think clearly, but our situation could easily change if someone close to us (whether literally or figuratively) gets sick, or if the global or national crisis deepens.

More tomorrow. Hopefully.

27 Mar 2020

NZ lockdown day 2 of N

I said yesterday that we've identified our home essentials - things such as food, fuel, booze, the web etc. - and stocked up accordingly, like any sensible family would do. Those are the thing we all need. Pretty obvious really and not particularly interesting.

But what about the things we don't need? What would we rather not have during this pandemic, or in general? 

While painstakingly giving my chisels a long-overdue regrind and manual sharpen in the man-shed, I came up with the following A-to-Z list. These are the things I can do without:

  • Accidents
  • Aches & pains
  • Alzheimer's
  • Armed forces
  • Authorities
  • Bad backs
  • Bad breath
  • Bad debts
  • Bad decisions
  • Bad design
  • Bad dreams
  • Bad engineering
  • Bad habits
  • Bad health
  • Bad memories
  • Badges & thumbs-up
  • Badness generally
  • Bias
  • Bramble
  • Breakages
  • Briscoes sales
  • Broken promises
  • Cancer
  • Cheating
  • Classrooms
  • Climate change
  • Coffins
  • Compliance enforcement
  • Concerts
  • Constraints
  • Crappy software & patching
  • Criminals
  • Crises
  • Crowds
  • Cruises
  • Deception
  • Depression
  • Dictators
  • Disappointments
  • Disasters
  • Disrespect
  • Dramatics
  • Drought
  • Earthquakes
  • Emergencies
  • Errors
  • Ex-es
  • Excuses
  • Extremism
  • Failed commitments
  • Failure
  • Fake news
  • False hope
  • Falsies
  • Fast food
  • Fees & charges
  • Festivals
  • Final demands
  • Getting old
  • Greenhouse gases
  • Half-truths
  • Handouts
  • Hangovers
  • Health & safety gestapo
  • Heart disease
  • Human diseases (including COVID-19)
  • Idiocy
  • Ignorance
  • Illicit drugs
  • Impacts
  • In-person seminars, courses etc.
  • Inadequacy
  • Inane DJs
  • Incidents
  • Inconsiderate & antisocial behaviour
  • Indecision
  • Inefficiency
  • Inflation
  • Injuries
  • Interruptions
  • Intrusive & annoying ads
  • Jails
  • Jobsworths
  • Karaoke
  • Laws, regulations, policies, rules & restrictions
  • Lawyers
  • Letdowns
  • Lies
  • Loan sharks
  • Loo rolls
  • Lou Rawls
  • Malware
  • Meals out
  • Metal fatigue
  • Monday mornings
  • Myopia
  • Myopic perspectives
  • Nationalism
  • Opera
  • Other -isms e.g. elitism, sexism, racism, Parkinsonism, short-termism
  • Overbearing bosses
  • Overdue anything
  • Overreaction
  • Pandemics
  • Parties
  • Party politics
  • Pen-pushers
  • Pessimism
  • Pettiness
  • Piracy
  • Plagiarism
  • Police
  • Political correctness
  • Politicians
  • Poverty
  • Prejudice
  • Quality failures
  • Queues
  • Rap music
  • Rationing
  • Reality TV
  • Religion
  • Rotten weather
  • Secularism
  • Selfishness
  • Slackers
  • Smoking & vaping
  • Social engineering
  • Sports events
  • Tax
  • Team building 
  • Team games
  • Tectonic motion
  • Theft
  • Threats
  • To-do lists
  • Tribalism
  • Tsunamis
  • Unsharp tools
  • Unwise shortcuts
  • Vandals
  • Vermin
  • Viruses
  • Volcanoes
  • Vulnerabilities
  • Waiting
  • War
  • Weeds
  • Xploitation ... and the letter X in fact
  • Yesterday
  • Zealots
They are all personal: you probably disagree with me here and there. Some are contentious or obscure. Some are distinctly Kiwi and many are tongue-in-cheek. 

Coming up with the list was an entertaining way to pass the time, quite cathartic. Perhaps I should generate one of my A-to-Z awareness documents, systematically explaining each of my choices. If I can bear to get it all out, here's already more than enough angst there for at least a dozen pages. 

Meanwhile, feel free to comment on my list or by all means come up with your own. Chisel sharpening optional.

26 Mar 2020

NZ lockdown day 1 of N

From midnight last night, New Zealand is now at civil emergency "stage 4", which means all except essential services personnel are supposed to stay isolated at home for about a month.

The official NZ government list of essential services appears to have been finalised and published hastily. Naturally, 'the authorities' consider themselves essential as overnight we've become a police state: police and courts are working through the lockdown, albeit providing limited services, health and immigration/customs services too. What will happen as their workers are or suspect themselves to be infected with coronavirus is unclear at this point. Presumably they have contingency plans, plus controls to limit the spread of infection within police stations, court houses, hospitals, customs halls, mail sorting offices etc. ... but staffing and service problems are entirely possible as the lockdown continues.

Since they aren't entirely self-contained, there's also a second tier of organizations supporting the essential services and here the lines get blurry. For example, police cars need tyres, fuel and servicing. 

Today we will be revising our personal list of essential home services in light of the lockdown. More tomorrow. 

25 Mar 2020

NBlog March 25 - coping with the COVID crisis

I bumped into an insightful piece by Jeff Immelt 'Lead through a crisis' yesterday. This paragraph really caught my eye: 
I agree there are material differences between us in how we react under pressure, differences that are exaggerated during a crisis. The same applies to social groups and families as well as work teams: some of us are (or at least give the appearance of being) fully on top of things, some are 'coping', some are struggling, and some are in turmoil, overwhelmed by it all.

The current situation reminds me of the Kübler-Ross grieving curve. Here's a version I've used to help explain our emotional responses to traumatic events such as information security incidents and changes:

In any group of people, there will be individual differences e.g. in the rate at which we go through the process, the depth of the 'pit of despair', and the symptoms we show of our inner turmoil. Also, the curve is figurative, not literal, so the shape and details are likely to vary (e.g. multiple peaks and troughs). However, as a general guide, it helps make sense of what's going on within and around us right now.

For me personally, the turning point came over a week ago when I read about the effectiveness of antiviral drugs: all of a sudden, my light went on. There is hope! Whether the drugs really are that effective is uncertain but my mood definitely turned positive and forward-thinking. We got on with stuff such as stocking up on essentials well before the NZ government announced the country-wide lock-down (from midnight tonight). At the same time, I appreciate that others are at different stages with many struggling to come to terms with it and function effectively plus, no doubt, some still in denial. Globally, that dark pit seems apposite.

20 Mar 2020

COVID-19 infosec awareness special

Today I trawled through our back catalog of information security awareness content for anything pertinent to COVID-19. The "Off-site working" security awareness module published less than a year ago is right on the button. 

"Off-site working" complements the "on-site working" awareness module, about the information risk and security aspects of working on corporate premises in conventional offices and similar workplaces. Off-site concerns the information risk and security aspects of working from home or on-the-road (e.g. from hotels or customer premises), often using portable IT equipment and working independently ... which is exactly the situation many of us are in right now.

Off-site working changes the information risks compared to working in purpose-built corporate offices. Mostly, the risks increase in line with the complexities of remote access, portability and physical dispersion … but offsetting that, off-site working can be convenient, productive and popular, and patently there are business continuity advantages in working through incidents such as COVID-19. 

Implementing appropriate security controls makes it work, on the whole, with security awareness being an essential part of the mix. People need to know about and follow the rules.

To assist organizations through the crisis and showcase our awareness materials, we're currently offering the off-site working security awareness module at just under $400 - that's half price

Several other awareness modules may also be pertinent, delving into related topics such as:
Even if you have home working security awareness covered already, there's plenty more worth saying!

NBlog March 20 - COVID-19 PIG update

Here's today's update to my COVID-19 information risk Probability Impact Graphic:

I've slightly shifted and revised the wording of some of the risks but there's nothing really new (as far as I know anyway). 

Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home? Do you have contingency arrangements for physical security?

‘Sanity’ is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious disease etc., which is my rationale for including ‘mental health issues’ in the middle of the PIG. There is some genuinely good news in the medical world concerning progress on coronavirus testing, antiviral drugs and vaccines, although it’s hard to spot among the large volume of dubious information and rumours sloshing around on social media (another information risk on the PIG). 

There’s even some good news for infosec pro’s. COVID-19 is a golden opportunity for those of us with an interest in security awareness and business continuity. Essentially, we are in the midst of a dramatic case study. I encourage you to think about the information risk and security aspects of this, and perhaps make little notes as reminders of the lessons to be learnt when the storm blows over. 

Here's one of mine. Toilet roll shortages are a handy leading indicator of panic buying and perhaps more substantial physical security threats ahead i.e. a predictive physical security metric. 

For some reason buried deep in the human psyche, a perceived shortage of toilet rolls and other “essentials” precedes, perhaps even triggers the cascading social disorder that we are now experiencing … so this is a gentle reminder to maintain stocks of “essentials” even in good times. Here in NZ, we are urged to maintain our earthquake kits ready for major incidents that can happen without warning. Having a sensible stock of toilet rolls, water, pasta, soup, soap etc. in the kit reduces the pressure to join the plague of locusts clearing the supermarket shelves, and frees us up for other things – not least, being able to think straight and focus on what matters: helping ourselves, our families, friends and colleagues get through this. 

I'm doing my best to maintain a sense of perspective, keeping a balanced, level-headed view of what's going on and spreading what I hope is sensible and helpful information right here.

Yet more good news: so far, the IT and comms services have held up quite well through the crisis, aside from the odd collaborative working wobble … although those ‘increased cyber risks working from home’ shown on the PIG remain a concern. I expect there will be incidents involving malware, hacking and social engineering due to weaknesses in the preventive controls, while incident detection and recovery may also be challenging. In your organization, are you on top of all of this? Do you have reliable VPNs, network security monitoring, antivirus controls, patching and backups all sewn-up for your off-site workforce using corporate kit or BYOD? Do you have the appropriate policies and procedures in place, including incident responses? What about the IT workers we rely upon to keep everything running smoothly: how are they bearing up under the strain?

18 Mar 2020

NBlog March 18 - COVID-19 PIG update

I've updated the PIG showing information risks relating to COVID-19, originally published here five days ago: 

Two additional information risks now feature in the middle:

  • Mental health issues arising from the sudden widespread introduction of work-from-home, social distancing, cancellation of many leisure activities etc., on top of the stress of potentially being infected and becoming sick. Laid-off workers are basically cast adrift, placing them under immense personal stress at this difficult time because of the scale of COVID-19: they are unlikely to walk directly into their next contract or permanent role with some other organisation if everyone is in crisis. Remaining workers may have 'survivor guilt', and fear also being laid off - hardly conducive to productive working. It may increase 'insider threats'. Also, this risk may increase over time once we get beyond the honeymoon period as workers settle in to their more isolated workspaces, and face up to the realities of being largely self-directed.
  • I brought up the increased information risks associated with working-from-home four days ago. Scrambling to get workers set up for home working probably means corner-cutting here and there, for example making do with whatever comms and IT technology people already have, rather than the organization providing suitable new equipment pre-configured for security and perhaps dedicated for work purposes.  Another tech risk here relates to our suddenly increased reliance on comms and collaborative working tools: the Internet and cloud service providers so far seem to be coping quite well but things could change quickly - for example if they are hit by ransomware ... which in turn begs questions about their customers' readiness to cope with service issues and incidents.
I'll stress once again that IANAV and my assessment is focused on risks pertaining to information.

I'll have more to say about treating these information risks soon (still contemplating!). Meanwhile, there is quite a lot of advice already circulating on social media such as LinkeDin. We've seen outpourings of sympathy before following natural disasters, but the global real-time sharing of pragmatic advice on dealing with a health crisis in progress is unprecedented. See it's not all bad news!

17 Mar 2020

NBlog March 17 - COVID-19 BCM

From my narrow perspective as a practitioner, manager and consultant in the field, some 20-30 years ago, Business Continuity Planning revolved around IT Disaster Recovery which generally involved (at the time) either powering up an alternative data centre or hiring a few servers on the back of a truck and plugging them in to restore services taken out when the data centre was flooded/burnt. It was almost entirely IT focused, expensive, and could cope with very few disaster scenarios (there still had to be somewhere for the truck to park up and plug in, while the backups to be restored had to have survived miraculously, plus of course the rest of the organization - including the alternative data centre plus the people and associated essential services).

From that primitive origin, BCP started to get better organised, with scenario planning and tabletop exercises, and actual 'management' instead of just 'planning' - leading to Business Continuity Management. The scenarios expanded, and before long organisations realised that they couldn't reasonably plan and prepare playbooks for every possible situation, every single risk. Also, the process linkages with incident management grew stronger, including the shortcuts necessary to escalate serious incidents, authorise and initiate significant responses quickly etc. Oh and warm-site and hot-site concepts appeared, along with Recovery Time Objective, Recovery Point Objective and a few other basic metrics.

Then, about 10 to 15 years ago, resilience popped out of the ether as a supplement for IT DR and other recovery approaches, the idea being to do whatever it takes to maintain essential services supporting essential business processes. Even today, some organisations struggle with this concept, and yet "high availability" systems and networks, dual-live/distributed systems, load-sharing, multi-sourced supplies, customer diversity etc. are reasonably straightforward and generally-accepted concepts. I guess they have trouble joining the dots - particularly in the area of workforce resilience, and the cultural aspects of "We WILL get through this: now, what can I do to help? Here, hold my beer ..." 

During the past 10 years or so, true contingency approaches have appeared, in some organizations at least, partly in recognition of/reaction to the limitations of scenario planning and playbooks. There are all sorts of scenarios that cannot be foreseen or predicted, hence no specific plans can be pre-laid ... but the resources needed to evaluate the situation and do whatever is necessary contingent (depending) on the situation - to cope with it - can be prepared.

In our security awareness materials, we've often used duct tape as an example of something worth having in the cupboard just-in-case, with the Apollo 13 story illustrating the points very graphically - including the management foresight to allow all those extra extremely costly grams of weight to be flown into space just-in-case such a situation arose. This takes the resilient culture up a notch, with HR departments talent-spotting people who are good in crisis, capable, quick-thinking, resourceful, energetic and motivational leaders etc. - creative risk takers, too, willing to go off-piste, ignore the now redundant playbook and cobble together an effective response from the remaining resources at hand, given the contemporaneous priorities and constraints, and dynamic objectives. Not just individuals, but whole teams of them, working through the initial scared-stiffness and pulling things together.

That's a rather different set of skills and competencies to the traditional compliant "company man".

During the past 5 years or so, in line with cloud, we've seen the whole BCM thing gradually extend to take in entire supply chains or rather supply networks: the organization doesn't exist in a vacuum but relies on several others, and in turn others rely on it, so the resilience of the whole means identifying and strengthening/working around/cutting out/replacing the weakest links. We've also seen the Business Continuity Management System approach find its feet, with ISO 22301 promoting a more structured approach to managing the whole shebang, with documentation, stability and measurement of the processes and activities allowing management control and systematic improvement - in other words, proper governance. This is a modern take on the "co-opetition" theme in the business world: there are business situations where it is in the organization's best long term interests to support or enable its competitors. Winner-takes-all cutthroat business strategies are not the only way, nor necessarily the most appropriate. The keiretsu and other industrial conglomerates and diversified groups demonstrate the power of collaboration that extends beyond each of the individual players ... and in awareness terms, sports leagues are a classic illustration: members of any league are not just competing with each other, but actively collaborating to promote the entire league. A bank is not just a cash-store, but is an integral component part of the global financial industry ... which is in turn an integral component part of the global economy and human civilisation.

Whereas we have had numerous more isolated disasters (mostly natural e.g. earthquakes, tsunamis and eruptions), COVID-19 is a fascinating global case study: we shall see how individuals, organizations, industries and nations fare. It already appears as if the airline, tourist and sports industries are having a hard time, plus of course healthcare. Our governments are scrambling to respond, and the financial industry is facing yet another global meltdown: will they need to be baled out, again? Will weaker players and insurers go to the wall? Or will the response this time be sufficient to prevent disaster? 

Most intriguingly, will well-prepared organizations, leaders, politicians, industries and nations arise triumphant from this mess, seizing the opportunities that inevitably arise as their less-well-prepared competitors fall gasping in a heap?

And from the awareness and management perspective, what will we learn this time around that will help us post-COVID-19? Key to that is watching and thinking about what's going on around us right now, and considering its appropriateness for future/impending disasters (such as climate change). Hard to do when survival is at stake but that's the point really.

Fascinating times! 

14 Mar 2020

NBlog March 14 - COVID-19 information risk update

Further to yesterday's assessment of the information risks associated with the coronavirus pandemic and the discussion arising, here are a few more aspects.

An increased number of knowledge workers are now working from home, some of them for the first time. What equipment and services are they using? What are the information risks and security arrangements? Who knows? Larger organizations tend to have in place suitable policies plus structured, systematic approaches towards home and other off-site working, with controls such as management authorization, remote security management of end user devices (corporate or BYOD), VPNs, network security monitoring, network backups, automated patching, antivirus etc. Hopefully they have all scaled easily to cope with the changing proportions of off-siters. Medium and especially small organizations, however, may be less well prepared ... and all of them are likely to be feeling the strain of changed working practices and social interaction. The managers, supervisors, network security pro's and others who are meant to be keeping an eye on all this are also more likely to be working off-site, relying more on automation and information through the systems. 

That smells like a green or borderline amber information risk to me, redder for those ill-prepared SMEs maybe, or for larger organizations that for some reason were not on top of this already. Given that managers and execs generally have been working off-site for years, they really have no excuse for failing to identify, evaluate and treat the associated information risks. If they now deserve to be called to account, so be it. 

Which reminds me, another bit of good news is that organizations are running and hopefully proving the adequacy of their business continuity arrangements, including the resilience aspects of keeping the information flowing more or less normally. This is better than the normal business continuity exercise in that everyone is participating (like it or not!) ... but as to whether everyone is coping well, we shall see. Some supply chains/networks are clearly under stress (toilet rolls, for instance!), and others probably too. If they fail due to inadequate resilience, the consequences may ripple outwards, meaning that some organizations will also get to use and prove their contingency arrangements. 

There are some more green/amber information risks in there, judging largely by what we see today i.e. nothing significantly amiss so far, no dramatic failures or industry collapses (except perhaps for the financial industry - a red risk already on the chart). 

Oh and there's more good news: most of the population now knows the basics of personal hygiene such as covering their sneezes and washing their hands. These aren't totally effective controls, but they are better than nothing [the scientist in my head made me say that]. Hopefully we will find that human behaviours have changed as a result of coronavirus, thanks to information about modes of transmission, with benefits for other infectious diseases. There are information risks in this area but nothing worth bringing up here and now. 

That's enough for today. It's Saturday morning here in NZ and I have Things To Do. Maybe over the weekend I'll update the PIG. Maybe not. 

Comments are still welcome!

13 Mar 2020

COVID-19 information risk analysis

I'll kick off with a disclaimer: IANAV*. I have a scientific background in microbial genetics but left the field more than 3 decades ago. I have far more experience in information risk management, so what follows is my personal assessment of the information risks ('risks pertaining to information') associated with the Coronavirus pandemic.

Here's my initial draft of a Probability-Impact-Graphic showing what I see as the main information risk aspects right now, today, with a few words of explanation below:

Top left, the reported shortages of toilet rolls, facemasks, hand sanitiser and soap qualify as information incidents because they are the result of panic buying by people over-reacting to initial media coverage of shortages. The impacts are low because most people are just not that daft. 

Fear, Uncertainty and Doubt, however, is largely what drives those panic buyers. To an extent, I blame the media (mostly social media but also the traditional news media, desperate for their next headline) for frenziedly whipping up a storm of information. There are potentially significant personal and social consequences arising from FUD that I'll cover later.

In amongst the frenzied bad news, there are a few good things coming out of this incident. The global scientific, medical and public services communities are quietly sharing information about the virus, infections, symptoms, morbidity, treatments, contributory factors, social responses etc. There is excellent work going on to characterise the virus, understand its morphology and genetics, understand the disease progression, understand the modes of transmission etc. It's a shame this isn't as widely reported as the bad news but I think I understand why that is: scientists, generally, are reluctant to publish information they aren't reasonably sure about, and "reasonably sure" means if a reporter asks for a categorical statement of fact, most scientists will at least hesitate if not refuse. An example of this is the face mask issue: good quality face masks are designed to trap small particles but not as small as viruses. They help by impeding airborne particles and so reducing the spread of airborne viruses, but do not totally prevent them spreading, hence it would be inaccurate to claim that. The way masks are used also affects their effectiveness. In risk management terms, most controls are the same: they reduce but do not eliminate risk. The problem comes when people naively mistake a scientist's 'not totally effective' for 'ineffective', and then go on to make bad decisions and biased statements. It's much the same issue that leads to a fascinating social phenomenon known as outrage.

Another positive outcome is the flow of resources into scientific and medical research associated with virology, infectious disease, disease reduction, healthcare, public health management etc. In my own infinitesimal way, I'm investing a few brain cycles into this issue and spending a merry hour or three documenting and sharing my thoughts. It's an insignificant contribution but beats doing nothing. Allegedly.

Next comes a group of 4 risks all relating to the large volumes of information circulating right now. "Coronavirus Update" is the top search term on Google US at the momentReddit's coronavirus channel is replete with content from around the world, streaming forth like a snotty nose. Social media are overflowing with the stuff, and it's the topic of offline conversations everywhere. The information risks include:
  • Large volumes of poor or dubious quality information spreading rapidly like Chinese whispers;
  • Accidental misinformation and bad advice, spread inadvertently by naive if genuinely concerned people who misinterpret things, modify or elaborate on them, and pass them on**;
  • So much information, in fact, that it is crowding out other stuff - not literally (I'm reasonably sure the Internet and assorted media have more capacity although they too must be suffering from people falling sick, believing they have the virus, scared of interacting with work colleagues or just "pulling a sickie"), but rather diverting attention from other matters;
  • Smaller volumes of deliberately misleading information, promising miracle cures and priority access to limited resources, or opinion pieces and fake news promoting some agenda other than simply spreading factual information, exploiting the chaos to further hidden agendas.
And finally for today, there's one information risk which eclipses the others, that of the snowball effect as good, bad and ugly information about the pandemic spreads, leading people to worry and back off, reducing productivity and consumption, making investors fearful and sparking a stock market dive leading to yet another global recession. Globally, stock markets are inherently prone to overreacting to bad news. It looks, to me, like an example of a positive feedback control loop, with a curious bias to the negative. Whereas we seem to dive headlong into recessions, the journey back towards normality is a slow clamber, whereas market peaks tend to be short-lived. I rate this as a more significant risk because there are clear signs of it already happening (stock markets in freefall) and the impacts of past recessions have been widespread and dramatic (real-world social effects follow from the economics): in risk terms, that's a bad combination. The other information risks I've discussed vary in probability but, in comparison, their impacts are lower.

So, that's my information risk assessment of COVID-19 for now. What do you think? What important, relevant factors have I missed? Is there anything I have materially misreported or misinterpreted? I plan to update this assessment in due course and welcome further inputs and comments if you have anything to say - critical or constructive, I don't mind which. Perhaps next time I'll explore the threats, vulnerabilities and controls, again from the information risk perspective. But for now I have Things To Do, COVID or no COVID.


* I Am Not A Virologist

** I sincerely hope I am helping not harming by publishing this piece ... but it's up to YOU, dear reader, to consider my credentials and motivations as much as my words: read it critically and make of it what you will. And remember, IANAV. I'm also not a sociologist, medic, public policy or economics expert etc. Just an ordinary guy with a brain, a keyboard and an interest in information risk, security, metrics, resilience and all that jazz.

12 Mar 2020

NBlog March 12 - reflecting on privacy

Anyone who read Orwell's masterpiece or saw the film "1984" appreciates the threat of mass surveillance by the state a.k.a. Big Brother. Anyone who has followed Ed Snowden's revelations knows that mass surveillance is no longer fanciful fiction. There are clearly privacy impacts from surveillance with implications for personal freedoms, assurance and compliance. At the same time, surveillance offers significant social benefits too, in other words, pros and cons which vary with one's perspective. Big Brother sees overwhelming benefits from mass surveillance and has the power, capability and (these days) the technology to conduct both overt and covert mass or targeted surveillance more or less at will. 

The same thing applies to other forms of surveillance and other contexts: many of us gleefully carry surveillance devices with us wherever we go, continuously transmitting information about our activities, conversations, locations, contacts and more. We may call them 'smartphones' but is that really a smart thing to do? Drug dealers and other criminals appreciate the value of burner phones, essentially buying a modicum of privacy. What about the rest of us? Are we wise to rely on the technologies, the phone companies and the authorities not to invade our privacy? 

Some of us are introducing IoT things into our homes, seduced by the convenience of being able to tell our smart TV to order a pizza without even getting up from the sofa. Evidently people either don't even consider the privacy implications, or accept them presumably on the basis that they own and chose to introduce the surveillance devices, and could just as easily stop and remove them (fine in theory, doesn't happen in practice).

Then there are the surveillance devices we use to monitor, track or snoop on various others: baby monitors, nanny-cams, commercial and home CCTV systems, webcams, dashcams, audio bugs, covert cameras, spyware, keyloggers and more. Surveillance tech is big business, both retail, commercial and governmental/military. 

Need to know where a recent arrival from China has been? Simply collect the surveillance jigsaw pieces into a credible sequence and despatch the hazmat teams.

Overt surveillance in the form of obvious CCTV camera installations are just the tip of the iceberg. Covert cams and bugs are already snooping on us in changing rooms, toilets, video-conference facilities, courts and more. Essentially any areas where the general public have access at some point are highly vulnerable - cabs and public transport (including Ubers and hire cars, plus used cars and commercial fleets), hotels, guest houses/rooms (including AirBnB), meeting rooms, lobbies/reception areas, waiting rooms (and GP surgeries plus A&E), cafes and restaurants, gyms and other leisure/spots facilities, beaches, pools and more. Google's Street View demonstrated the awesome capability to capture, process and publish 360-degree photography from a global fleet of spy-cars, while military and private drones, news and police helicopters, surveillance satellites and spy-planes fly eyes in the skies. There are myriad opportunities to install and monitor electronic surveillance devices, all the way back up the supply chain to the silicon. Aside from burglars and spies, owners, workers, maintenance people, security guards, cleaners, visitors and opportunists can access and optionally bug supposedly private areas too, and geo-tagging vehicles, people, clothing and goods (not just IT devices) is already happening.

Online services, cloud, networks and comms generally are all vulnerable to traffic analysis and metadata if not content snooping, despite encryption, while social media disclosures (such as this very blog) flow forth like the Amazon in flood. 

We haven't - yet - seen the same obvious meteoric rise of counter-surveillance but I presume that will follow once the personal implications of ubiquitous surveillance become clearer to the average person, or indeed the average business person and information security pro. It's already home turf for the spooks of course.

And then there's counter-counter-surveillance techniques, for example carefully placing crude bugs that are designed to be found and removed relatively easily from the boardroom, leaving the more sophisticated ones undetected and operational (at some point - network triggering is trivial these days). Deliberate misinformation or deception is another one (fake news), plus obfuscation or 'hiding in plain sight'. 

Blending in with the crowd is not so easy as surveillance capabilities become more widespread and, well, capable, including facilities for storing, organising and searching for items of interest among the big data. So another possible response is to let it all hang out - being deliberately open, living life as if there is no privacy (cue Carly Simon's "We have no secrets") ... a ploy favoured equally by those who do have something to hide. That's why politicians refer to 'public policy': it's not just about policy matters that affect the general public, it's also about the things they are prepared to reveal or claim openly, as opposed to ...

Looking back over what I've just written, I'm struck by the distinctly sinister, underhand, duplicitous undercurrent. Maybe that's just a consequence of my professional infosec background and paranoia, but what do you think? Do you yearn for privacy lost? Do the hacker group Anonymous have a good point? Is  "oversight" an ironic term for a broken control? Is Snowden hero or traitor? Does GDPR even matter, in the grand scheme of things? Or is this all blah - move along, nothing to see here?

8 Mar 2020

NBlog March 8 - meshy policies [UPDATED]

I'm reviewing and revising our information security policy templates, again. At the moment I'm systematically compiling a cross-reference matrix in Excel showing how each of the 65 policies relates to others in the set - quite a laborious job but it will result in greater consistency. The objective is to make the policies knit together coherently, without significant overlaps or gaps in coverage - less mess, more mesh.

All our policies include a reference section noting other relevant policies, procedures, guidelines etc. but only the main ones: the information risk management policy, for instance, is relevant to all the others but there's no point listing it as a reference in all of them, nor listing all of them in it.

I have shortened the titles of a few policies for readability, and need to check/update the formatting then generate new screenshots for the website. Once that is all done, I will be checking coverage: a couple of policies are similar enough that they might perhaps be combined, and I'm always on the lookout for gaps that need plugging.

In all of this, it helps enormously that I wrote them all in the first place, and have maintained them all through the NoticeBored monthly updates. Organisational policies usually accumulate over time from a variety of sources and authors, with different writing styles and mind-sets. Conflicts and holes are not uncommon, creating problems for awareness and compliance. Hot issues tend to have current, up-to-date policies, whereas policies covering longstanding aspects tend to go stale, unless someone takes the time to review and update the entire suite as I am doing now. Even something as simple as using a common MS Word template with styles for headings and text makes a huge difference to the readability and consistency, but the template itself has evolved over the years I've been doing this, and is changing again now. It takes concentration to work systematically through the whole suite, updating them to the same standard.

The end result is worth it though. The policy suite is already a polished, professional product at a good price (a fraction of the cost of developing this much content from scratch). It sells well and I'm proud of it! We are using it to develop custom, branded policies for clients and would love to do the same for you, so if your infosec policies are looking a bit shabby, messy, the worse for wear, let's talk. I'm just as keen to help you develop a 'policy management process' to maintain your policies going forward, avoiding the need to have me back in a few years' time ...

PS  The updated policy suite is on sale now at www.SecAware.com   I haven't updated all the individual policies on the site yet but it's on my list of Things To Do When I Get A Moment.