Information Security

A rather interesting article. What I like is the description it provides of the attackers potential landscape in today’s global, verbose connected world. It does give some recommendations which I’ve summarised below:

1. Focus your efforts on those assets that could ‘ruin’ your company following a successful attack. This way the real attacks are not lost in the noise of monitoring of all systems.

2. Make your information/communication assets dynamic. Each asset should report to a  real-time inventory system. Make it graphically intuitive, so ‘alien’ systems are quick to alert.

3. Obviously to be proactive rather than reactive. Although I would say that this is more with having an InfoSec program that is trained in forensics and understands the law when it comes to ‘nailing’ down attacked coming from the ‘inside’.

images-6I’ve been thinking more about the Sony Pictures story…. it has been mentioned that it could be an insider job… what this means is that all information needs to be protected, not just within the organisation, but between each individual, identity.

Every business process in an organisation should be protected cryptographically, there should be a thread of traceability leading to the originating source. Only authorised parties involved in any digital interaction should have access to information being moved around, or as a matter of fact, information at rest. All email communications should also be encrypted.. and only the creator of the content and recipients should be able to read communications, and attachments. Creators of information should have absolute traceability in every one of their digital interactions, that could be a part of a business process.

But how to do this? Like an elephant… you know how to eat an elephant? Eat a small piece at a time so you don’t get indigestion. So the answer is that one should take, and work with one business process at a time, building piecemeal a secure water-tight shield across an organisations information assets, including their people.




anonymous___power_to_the_people__by_alleyismine-d64q904It’s been a chilling experience for Sony Pictures, and a little surreal for those observing. It could be one of their movies….

Bruce Schneier has some thoughts. The hacking incident has shocked many, although any of us in information security may not be particularly surprised.

After many years in information security I am continually disappointed by the lack of focus there is in securing an organisations information assets. This includes intellectual property (IP), and anything information that needs to be protected in generating IP. The focus on being ‘compliant’ and finding ways to get that tick-box without really being really serious about doing what is right, is worrying. I wrote a post in April this year that dives into this subject.

Of course if an organisation is not serious about protecting its IP, how can you expect it to protect your personal information, as employees, customers and partners? The lack of measures taken to secure employee personal information brings home the fact that when it comes to securing our personal data, and anything we generate, i.e. digital footprint, it is up to us all individually to take control. It seems that we can’t trust anyone else…

But how is this possible? Well take a look at Lequinox, they have turned the identity paradigm upside-down. See if you can get your head around this way of thinking? They are empowering the individual, each one of us is to take control over what belongs to us.  You control (and legally own) your digital identity and your digital footprint, and every identity in the world controls their own identity.  It is the Lequinox technology with its cryptographic black box of magic that makes this possible. If you understand this, you will see that in the future, potentially it is you that is in control…

There is a great conference coming up in Stockholm on 5th November. Apart from the fact I am speaking there, I will be in the company of a great speaker lineup. Last year was very good!

If you want to go, you can register here (
Look forward to seeing you there. I will probably be posting more on this later!

I love ticking boxes, makes me feel as though I’ve achieved something. It’s like a check list, each tick-box is a step closer to completing my list of ‘things to do’. It’s kind of satisfying. It is even more so when I get paid a good hourly fee for ticking boxes 😉

Okay, so I’m joking a little. Preparing an organisation for ISO27x certification is a little more complex than purely completing a checklist. Yet, however simple or complex it is, even when your organisation passes its audit, it does not prove it is secure. It does prove that you tried your best, i.e. demonstrated ‘due diligence’. Then if something does go terribly wrong, i.e. one of your user accounts is used to hack into the organisation and access information that if made public can ruin your business. Well you tried your best within the boundaries of your capabilities, so I guess that’s okay? Or is it? I guess not, if you go out of business, or end up spending the subsequent 12 months in a crisis mitigation mode!

The problem as I see it is multidimensional and not limited to this list:

    1. Reactive security – We are so focused on doing the security stuff that we understand, i.e. ticking boxes, that we don’t get to the core of the problem.
    2. Product-focused security – Even if we think it can be solved with a product, there are so many security product vendors out there touting the ‘magic bullet’, nobody knows who or what to believe anymore.
    3. Mis-alignment of security spend with LoB – Every security product implemented often does not address the fundamental business need. Evidence of this is when new security products/services come out of the IT budget, not from the Line of Business (LoB)
    4. BandAid security – Due to point (3), lack of LoB ownership for security spend means no sponsorship. This can result that even if security spend is approved, e.g. security mitigation effort needed to meet compliance requirements, the effort can be likened to a ‘BandAid’ approach to fixing what needs fixing.
    5. Non-contigious defense-in-depth security – Due to all of the above your security infrastructure is not contiguous. The ‘defense-in-depth’ approach to your security programme recommended by security experts maybe deep, but full of holes.
    6. Information that moves – Our digitised society has changed the parameters on how we should be doing security, however in our organisations we are still thinking as though information is static and can be contained. It cannot.

Fixing all of the above is pretty daunting, and it has become generally acknowledged today that no way can it be guaranteed that the confidentiality and integrity of information assets owned by your organisation are fully protected. So what’s my view on this?

Well it is fun clicking boxes and I’ve made a lot of money during my career in this activity 😉 But I guess you’ve figured that I feel that it is not quite as satisfying as I made out at the beginning of this post. To try and simplify things I see roughly 2 tracks in my head. The first is business security, and is the linkage from business needs to scoping. The second is how to do this from a technology perspective, and this I’ve grouped as: people-centric, device-centric, and information-centric.This is to reflect the fluid nature of information today, that cannot be contained by building a fortress around it.


    B1. LoB – What is the need?
    Firstly security needs and spend must come direct from the LoB. They know best their business, and know what needs protecting more than I do as the security expert and your IT department. The most important question to be asked is:
    1) “What can ruin your business?”,
    2) and, “What do you need to be compliant with?”.
    Clearly security spend is commiserate with what you want to achieve. For example if a vendor wants to sell you a DLP product across your whole company, think twice, and ask this question what is it needed for (1: to protect from ruin) or (2: to be compliant)?
    B2. Keep it small
    Take one business process at a time and fix it using the following 3 principles.


    T1.People-centric security
    How we do identity control today is the weakest link in the security chain. See my previous posts on this. I call it identity control not identity management, because it is about control and traceability. For your organisation, and for the identity holders. Your organisation and your employees are continually a part of digital interactions, and all of those that you share together, belong to your organisation!
    T2. Device-centric security
    Take a look at what the Trusted Computing Group is doing with the chip. I normally refer it to putting “security at the ‘chip’ level”. This is not technically accurate, but it confers a meaning around that the security is at the microprocessor level of the device rather than at the Application layer. If you liken it to a house, it means that you have walled in all your windows (Application layer), and the only way in is through the door (ground-level) with high-level security controls linked intimately to your digital identity -that of course follows the people-centric approach to identity control 😉
    T3. Information-centric security
    This is all about protecting and adding traceability to your information, wherever it is stored. Examples include your mobile workforce and their mobile devices. Then where is your critical information when at rest, in a public or shared cloud? Well this information should be encrypted using a key-fragment approach. This means, 1) your cloud provider cannot see the contents of your information in the cloud, 2) you hold the key, and 3) a fragment must be collected from a key-fragment central store, that could be owned by yourself, so you have traceability on who is accessing what information in the cloud through key-access patterns.

Now that I’ve finished with my little ‘brain-dump’ on you guys, I guess I should get back to ticking boxes 😉

Did you know that ISO 27001 was updated to ISO 27001:2013 last year? The new standard has only 119 controls, as apposed to over 130 before. Added are controls on mobility and agility. The control framework though is being expanded beyond by combined work with the Cloud Security Alliance I think its being mapped out as 270018, still uncompleted when I last checked. This is a good description of what is ISO 27001:2013, the high level process.

I’ve been digging around in my archives and found something that has sort of been lost. There is the traditional security triad, of Confidentiality, Integrity, Aviability (CIA). Which has also been revised to the following, at least 8 years ago. I found this on Bruce Schneier’s blog anyhow.

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Authenticity (is the data intact)

Also was added Admissibility because it was deemed that “this model is no longer sufficient because it does not include asserting the trustworthiness of the endpoint device from which a (remote) user will authenticate and subsequently access data. Network admission and endpoint control are needed to determine that the device is free of malware (esp. key loggers) before you even accept a keystroke from a user”.

I have been thinking a little. This keeping to 5 ‘A’s makes understanding this not straightforward. If we were to look at these again… the first 2 are to do with the identifying party, the next 2 are to do with the data, and the final one is to do with the endpoint. The first 3 ‘A’s I feel comfortable with, the last 2 feel like a workaround to keep 5 ‘A’s… hey the marketing guys would be happy with this 😉

I’ve changed Authenticity to what it was originally in the CIA triad, Integrity, and the last one to Trust, as this is basically what it is all about, do you trust the endpoint device.

Authentication (who are you)
Authorization (what are you allowed to do)
Availability (is the data accessible)
Integrity (is the data intact)
Trust (is the endpoint trusted)

So that gives us AAAIT if we go from the identity to the endpoint, or TIAAA from the endpoint to the identity.. well marketing wouldn’t like this at all, but I like it and I think it’s easy to remember 😀

Next Page »