Cross Post – The Human Element

Leave a comment March 12, 2014 Thom Langford

(Originally posted on the Iron Mountain Information Advantage Blog, November 20 2013.)

Leaving things on the train or in a restaurant, or in fact anywhere is an unpleasant fact of life for many of us. I would guess that almost all the readers of this blog have at some point left their keys, wallet, shopping, hat, gloves, children, scarf or phone somewhere or other. On occasion, such lapses in concentration can be upsetting, costly, or embarrassing and in some rare instances even dangerous. But in most cases what we leave behind is either easily replaceable (gloves), insured/covered (bank cards) or worth the cost to change and replace (keys). It’s very rare that we leave and lose something irreplaceable (presumably you found the kids!). This is because the items we treasure often have significant intrinsic and/or emotional value. A good example would be family heirlooms, passed down from generation to generation; we treasure them and therefore take care to protect them, storing them in a safe (or at least a safe place) to be taken out only on special occasions.

What about leaving data somewhere? It wasn’t so long ago, that civil servants and the MOD were criticised frequently in the media for leaving highly sensitive and valuable data exposed in public places. Rarely, it seemed, did a day go by without the Daily Mail bemoaning the inability of the public sector to protect our data. Headlines called for heads to roll. And yet, invariably, these were just the kind of simple, human mistakes that every one of us have made in one way or other. These days, however, the vast majority of data is (or at least should be) encrypted, both when it is on the move and when it’s at rest. Consequently, the loss or theft of encrypted data may now raise fewer eyebrows.

Printed matter, however, is another thing entirely. You can’t encrypt paper documents, and paper is very difficult to secure during transport, without somehow physically attaching it to your person. Taking sensitive documents from one location to another, so often a necessity, quickly becomes a thing of peril. Conceptual drawings, designs, technical drawings, mock ups etc. will often need to be taken to a client site or a manufacturer, and sometimes cannot be sent electronically. After a successful pitch and a few celebratory drinks afterwards those documents could all too easily be left on the night bus to Neasden, unprotected and full of intellectual property and sensitive information. A breach like that can so easily turn a night of celebration into a morning of embarrassment and apologies, followed by the inevitable search for new clients.

Protecting printed documents is difficult, probably more difficult than electronic information, and yet we seem to put all of our efforts into the very latest and best encryption, protected USB keys, and expensive data loss prevention (DLP) initiatives. It’s easier to put in place a technology, especially a “transparent” one than it is to change behaviours.

I would suggest that the information security community needs to address this disparity; the paperless office hasn’t transpired, the digital documents are secured, but paper has been left behind. How can we address this without handcuffing briefcases to people? As usual, it has to come down to awareness, we need to drive home the message that paper should be transported with the same care as electronic records, observing sensible procedures such as ensuring there are always two people present when travelling with paper (to act as more of a reminder than as a physical protection) or even only couriering them with a specially selected and reviewed vendor.

I don’t want to turn the Chief Information and Security Officer into a George Smiley type character, but I do want all of our sensitive records to be treated with the same level of protection irrespective of format.

An Englishman Abroad – Securi-Tay3

Leave a comment January 29, 2014 Thom Langford

Gavin Holt, who I was fortunate enough to be mentor to for last years BSides London Rookie track, invited me to submit a talk for Securi-Tay3, the third annual security conference hosted by the University of Abertay and run by the Abertay Hackers Society. He is the Vice President of that society and responsible for drumming up trade for the conference. Securi-Tay has a reputation for being Scotland’s biggest security conference, and this year attracted something like 170 people putting it well on a par with many ‘professional’ conferences.

I duly did as I was told and submitted into the CFP.

The day was great; the conference was well managed and run, there were always plenty of volunteers in distinctive blue (and not black for once!) T-shirts who were friendly and willing to help. Vitally there was always a cup of tea available in the reception area, throughout the day, something so many conferences miss when you are working the hallway track rather than the advertised tracks. This is one Englishman who has traditional standards…

As expected there was a very strong technical slant to the presentations (many of them given by people called Rory it seems as well) and some of them were beyond me. In fact I tweeted the following day saying that the one downside to the conference was that I often felt like the dumbest person in the room.

I was able to present on “Throwing Shapes for Better Security Risk Management”, a wholly revamped version of a talk I did at the IT Security Forum late last year. When I first gave it I had some great feedback from Jitender Arora which I tried to address, as well as the formal feedback from the session (basically “good content but not what was promised”). Securi-Tay kindly recorded the talk which I will post shortly, although with the microphone cutting out there is only so much you can hear. Feedback afterwards was very positive, and I had some great conversations with people not just about risk management but presentation style generally.

Two other presentation also stood out for me; Ritesh Sinha and Paco Hope‘s “The Colour of Your Box: The Art and Science of Security Testing” and Rory McCune’s “Crossing the Mountains of Madness – How to Avoid Being a Security Cultist”. These will also be available at the Securi-Tay YouTube channel shortly.

This was a great conference, attended by people who truly wanted to learn and engage rather than just get out of the office for the day, and who are actively pursuing a career in the infosec industry. What did surprise me though was the number of people from the day who wanted to get more involved with risk management as a career option rather than the more technically focussed, ethical hacking option which at first glance would appear to be the defacto choice. The honesty and passion of all of the students there was very refreshing, and I thoroughly enjoyed chatting to everyone at the after party, all the way through the inevitable kebab on the way back to the hotel.

A big thank you to Gill Chalmers, Gavin Holt and all of the members of the Abertay Ethical Hacking Society for running an educational and excellent day.

An Approach to Risk Decision Making – a Review

1 Comment January 24, 2014 Thom Langford

Public expenditure

I decided to write a review of a paper submitted to wired.com on the subject of “An Approach to Risk Decision Making” by Curt Dalton. I must however declare an interest in this, in that I happen to report to Curt in my day job (he is global CISO), and that he was kind enough to share drafts with me as he wrote it for feedback. This will of course therefore be a somewhat biased review, although not too much, but I do hope if nothing else it generates conversation around topics and approaches like this. I have a huge respect for Curt, have learnt much from him over the last few years and hope to get a good score in the next performance review!

In essence, this model is designed to help an orgnaisation decide if it is financially viable to invest in security technology/controls/procedures in order to address a given risk. It is not designed to be used across an organisations risk management porogramme, but rather with those handful of risks that can’t be addressed in day to day operations and have to be escalated to senior management to be effectively resolved. With limited budget and access to that senior leadership, this approach provides support and guidance on what to ‘fix’ and what not to fix.

This scope is a key element of the model; it uses very traditional approaches to monetizing risk versus the more in vogue approach I have reviewed elsewhere in this blog. To that end it uses assigned numerical values to elements of its calculations; this is of course where ‘errors’ may creep in, but in theory an experienced risk manager familiar with their environment should be able to assess this reasonably well.

In summary, the model is as follows:

Figure 2 in the model requires an analysis of controls required to address a risk.

This does of course beg the question, how do you know you have all of the controls required and how do you know you have selected the correct numerical value? Again, the pragmatist in me suggests this is entirely possible with someone who is familiar with the environment and the organisation, but this may of course be more difficult in other situations.

Figure 3 does a similar thing with a similar level of granularity, i.e. defining in nine increments the ease of exploitation of a given risk; where I think there is potentially something missing is that this value applies to ALL of the risks listed in figure 2 rather than individually.

Obviously this would massively increase the complexity of the solution but this is a deliberate approach to ensure simplicity across the model.

These two numbers are then combined with a simple calculation of impact to etsablish a level of monetized risk. Finally, the 80/20 rule (or Pareto’s Principal) is used as a rule of thunmb to define the actual budget that should be spent to mitigate a risk. In the example given therefore a monetized risk of roughly $1.5m USD should be mitigated by spending up to $380k USD and no more. The Pareto Principal can of course be adjusted accoring to your organisations risk appetite, that is, the more risk averse the organisation the more the rule would move from 80/20 to 70/30 or 60/40 etc..

There are a lot of assumptions used in this model, not least the numerical values that may seem to be arbitrarily assigned. However, I believe this can be forgiven for the very simple reason that this is a pragmatic, transparent and easily understood approach; it can be easily transferred into an Excel spreadsheet meaning that some simple modelling can be carried out. I have said before that until the newer approach to risk management has a more easily understood and implentable approach it will not be adopted. This model does.

The other part to this model that I like is that it is not designed to be a cure all, but rather a tool to help organisations decide where to spend money. If the approach is understood then an informed decision can be made within the constraints of that model (or indeed any other model). I believe it is influenced by the ISO27005 approach to risk management which means many risk management folks will be able to grasp and adopt it more easily.

Overall, this is a model that can be adopted quickly and easily by many organisations, and implemented successfully, as long as its basis in assigning numerical values is understood, and calculations are carried out by those in a position to understand their risk profile well. I would strongly recommend you tai a look at the model yourself over at Wired Innovation Insights.

Pros – easily understand, pragmatic, focussed on one business issue, easily implemented.

Cons – relies on assigning ‘arbitrary’ numerical values, doesn’t address granularity of risk and ease of exploiutation.

The different view of risk modelling

3 Comments August 30, 2013 Thom Langford

As someone whose primary function at work is the ‘management’ of risk in all of its glorious forms, I have over the years become very comfortable with its accepted definition and how to measure it. ISO 27005:2008 was my bible, giving me the flexibility to choose a schema that worked for my particular environment as well as the credence that I was doing it right. I always knew that assigning arbitrary numbers to things wasn’t exactly the most scientific way of actually measuring something, but I could deal with that by simply talking about “indicative values” and “helps with prioritisation”.

It was a little under two years ago at the RSA conference that I attended a talk entitled “Pimp My Risk Model: Getting Resilient in a Complex World” by David Porter, and he spoke about a new approach to risk modelling. Rather than focussing on what could happen, and then play that through to the conclusion of an impact that is then measured, it instead focussed on what the desirable outcomes were in the first place and then worked backwards establishing what was required to achieve them, basically dependency modelling. Not only was this more efficient and scalable as not all permutations of threat/vulnerability/asset (for instance) are required to be worked out, it provides better information for early decision making.

The concept is not new, and has its roots in the late last century in the financial markets/actuaries who were looking at better ways to model and manage risk.

There are a number of proponents to this approach, all of whom have a far better understanding than me of this approach, but despite this in the last two years I have simply not seen it in a practical form that can be used every day. Unfortunately, and I am sure I am not alone here, if I can’t implement it quickly it gets passed over for the next best thing that can be. In fact, and perhaps in my own blinkered universe, the approach itself barely raised a murmour since. And yet the concept had stuck with me especially on the few occasions when I had heard it talked about.

It was on Russell Thomas’s blog, exploringpossibilityspace, that I saw just the other day this very approach being touted again. What I enjoyed about this post was the balanced and educational view of the traditional approach (little “r” approach in Russells’s parlance) versus the new dependency modeling approach (big “R”). I think the criticism of ‘r” methods is well founded, although it is widely understood in business and when used properly can help produce at the very least tactical indicators of risk to the business.

My challenge with the ‘R’ approach is that I have yet to see it applied in practical terms and in a way that is easy to digest and understand (I think I hurt myself about two thirds of the way down the article trying to get to grips with the concepts!). As a result therefore, getting business buy in is going to be extremely challenging. Partial information from an ‘r’ approach reaching the business successfully is going to be better than no information from an ‘R’ approach (however better the data is) reaching the business.

I would strongly recommend everyone to read Russell’s writings on this risak model, which also contains links to other resources as well.

There is more work to be done, but I hope it focuses on making it possible to use the approaching a day to day environment; they say there is nothing new in the world of information security, but I have high hopes for an approach to risk modeling that will allow me to do so much more for the business in terms of long term, strategic guidance and support.

And when I can use this model in Excel, count me in!

Risk Appetite – managing feast and famine

Leave a comment August 2, 2013 Thom Langford

I was able to attend the RANT forum a few nights ago, and watch an excellent presentation by Sarb Sembhi. However, and this is no insult to the speakers at the RANT forums (being one myself) the most valuable part of the evening is the socialising with colleagues and peers before and after.

I was talking to a couple of people who were recounting the challenges they face with their leadership regarding their risk management activities. I paraphrase greatly, but the gist of the issue was

Highlighting risks to them is all well and good, but then suddenly they tell us that another activity needs to be escalated up the risk matrix, or that there is a hot topic that they want pushed to the top of the risks list so it gets more attention. How are we supposed to manage a risk programme with any credibility when risks get artificially prioritised or de prioritised according to the mood of management?

We came to the conclusion that the risk appetite of the management team in question was a very flexible and fluid thing that changed quite frequently, and seemed entirely disconnected from the risk management activities being carried out.

This is a complex issue, and not one that can be solved in a single blog post, but there are a few guidelines and concepts that may be pertinent to heading off this kind of behaviour.

Listen to them. On the whole an organisations management know what activities and changes will affect the business more than you. If they are highlighting something it is not to mess you around but because they are genuinely concerned about it. Look at your risk programme; does it squarely address the risks they are highlighting? Are they new risks, old risks, or poorly understood risks? Perhaps you have already found them and they need to be reviewed under the new light cast on it by management.
Educate them. How much does your management team actually understand about the risk work you are doing? Do they really know what the scope of your remit is, how you go about finding risks, and more importantly how you measure them? ISO27005 is often described as an arbitary way of measuring risk, but it does a good job of explaining how you can approach and understand it. If you use that standard in your programme, make sure they understand how you measure them, and get their buy in to the approach. This way, when you disagree with their analysis of a “new” risk you can explain in agreed terms why.
Use your governance structure. Your management team should only be looking at risks that are escalated to them, that is to say residual risks that are still considered as “high” (or whatever parlance you use). Every other risk below that should be managed and dealt with by the governance structure in place. Certain lower risks can be mitigated (managed, avoided or transferred) by people closer to that risk; a developer could change a portion of code, a project manager could remove or add contractors or a team member could go through more awareness training. Changing the course of a project or increasing the staffing costs by 50% is beyond their remit and they are therefore not able (or authorised) to treat them effectively; these risks get passed up your governance chain until they reach a point at which they can be dealt with. At the very top I would estimate they should be seeing no more than 0.1% of total risks escalated to them. Any more and it may be that the structure underneath is not doing their job.
Understand their appetite. One of the standard ISO 27005 risk acceptance approaches provides a matrices for what is acceptable and what isn’t. It is provided as an example only, and should not be used out of the box without considering the risk appetite of your organisation. If you are a risk averse organisation, the yellow and red band move down to the lower left, thereby meaning more “red” risks will need to be addressed. A risk taking organisation will move the green and yellow band up, thereby ensuring fewer “red” risks will need to be addressed. The risk profile of an organisation is something that is rarely understood by those that measure risk, and therein lies the problem. Only if the risk profile is drawn up, understood (including the approach to measure the risks in the first place) and signed off can risks be identified, “measured” and addressed in a way that meets the organisations business objectives.
Accept that the appetite changes. if you review your risks annually (as a bare minimum) that is also a cue to review the risk appetite. If incidents throughout the year affect the business for the good or bad, that is a cue to review the risk appetite. If the organisation management suddenly think something is a big risk and needs to be addressed, that is a cue to review the risk appetite. And when I say review, I mean with the management, and not just in isolation.

There… simple! Well, not at all when you face these challenges every day, but if you can start that dialogue with your management and start to understand the business as they understand it you will be a long way towards heading off the “the sky is falling, fix it now!” response to risks.