As I said in my last post I have been travelling quite extensively recently, but this weekend I was able to take a long weekend in Oslo with my wife just before the Nordic CSA Summit where I was invited to speak on “the CISO Perspective”. As a gift for speaking, each of us was given a block of Norwgian cheese, in a roughly square shape, that really did seem to have the consistancy, weight and look of a lump of plastique (I imagine…). It did occur to me that in the spirit of all good 44CON prizes, it was intended to get you stopped at the airport.
On my return home yesterday, I was pret sure my bag would be picked up for secondary screening given the presence of this lump of cheesy explosive in my bag (although apparently @digininja tells me a malt loaf has the same effect as well). Sure enough, my bag was selected, I presented to the good natured security folks the block of cheese, and with a wry smile they let my bag through. The same could not be said of my carry on bag though.
I was asked quite curtly if I had a penknife or similar in this bag; now I am getting more forgetful, but I was pretty sure I hadn’t. The security guy really did not look like he believed me, so we started to empty my bag. Then I remembered, I had a pick lock set that I had put into zipped pocket in my bag about nine months ago, intending to give it to my good friend Akash in Boston who had expressed an interest in that particular art. Remember I just said I am getting forgetful? That’s why it has been in my bag for so long having seen Akash many times this last nine months. Oh well.
But it also occurred to me that I had been through about ten different airports in that time, and this was the first time it had been picked up, let alone even identified as a possible penknife (understandable as the picks fold into the main body).
This underscores to me the inconsistency of the security scanning at virtually every airport. Shoes on or off? Belts on or off? IPads as well as laptops taken out? Kindles, in the bag or out? My bag of cables that you tell me to keep in my bag at one airport, and then getting admonished for not pulling it out of the bag at the next? As an end user of these services (and I am fully supportive of them despite this I must say) it is extremely frustrating. There seem to be too many exceptions in place without clear reason, and without tying back to a singular way of doing things. The shoe bomber, Richard Reid, saw to it we have to take our shoes off going through security… except of course when you don’t.
Consistency in an information security programme is obviously key. But sometimes the pendulum swings too far the other way. Any policy that ends with “There are no exceptions to this policy” is asinine at best, and crippling to the business at worst. There will always be a need for an exception in order to ensure business can be carried out effectively. As long as the risks are understood and communicated effectively, then move on and do it.
It certainly doesn’t mean that the exception can be used as an excuse to carry on working like that. There is no concept of precedence in this case. If there was the natural end state would be complete mayhem as every exception is used to the point where there is no policy left. An exception is just what it says on the tin, a one off easing off the rules for business to to operate effectively and efficiently. It should be time based, must be reviewed regularly, and where possible repealed if alternative approaches have come to light.
Consistency is important when applying policies, especially across a large organisation, but for goodness sake, don’t forget that change is an important part of business and needs to be embraced. But please do a better job of managing that change, and the subsequent exceptions, than airport security does.
Conferences and Presentations
What with InfoSec Europe, BSides, RSA Unplugged and the just attended Nordic CSA Summer conference it has been busy on the presentation front again. I have a few more presentation to upload to this site as well as some footage. I am hoping to make it to Blackhat in Vegas for the first time this year, and speak on behalf of friendly vendor who I have always enjoyed working with.
As I also mentioned in my last post, my employer became a sponsor of the European Security Blogger Awards, something I hope we will be for future events as well. Unfortunately I lost my best personal blogger award crown this year to Lee Munson of Security faq’s. I can’t help but feel that if I have to lose to someone, Lee would be top of my list as he consistently outshines me in both quality and volume of blogging. As a community we are lucky to have someone like Lee and if you haven’t already done so please do reach out to him and congratulate him.
As someone whose primary function at work is the ‘management’ of risk in all of its glorious forms, I have over the years become very comfortable with its accepted definition and how to measure it. ISO 27005:2008 was my bible, giving me the flexibility to choose a schema that worked for my particular environment as well as the credence that I was doing it right. I always knew that assigning arbitrary numbers to things wasn’t exactly the most scientific way of actually measuring something, but I could deal with that by simply talking about “indicative values” and “helps with prioritisation”.
It was a little under two years ago at the RSA conference that I attended a talk entitled “Pimp My Risk Model: Getting Resilient in a Complex World” by David Porter, and he spoke about a new approach to risk modelling. Rather than focussing on what could happen, and then play that through to the conclusion of an impact that is then measured, it instead focussed on what the desirable outcomes were in the first place and then worked backwards establishing what was required to achieve them, basically dependency modelling. Not only was this more efficient and scalable as not all permutations of threat/vulnerability/asset (for instance) are required to be worked out, it provides better information for early decision making.
The concept is not new, and has its roots in the late last century in the financial markets/actuaries who were looking at better ways to model and manage risk.
There are a number of proponents to this approach, all of whom have a far better understanding than me of this approach, but despite this in the last two years I have simply not seen it in a practical form that can be used every day. Unfortunately, and I am sure I am not alone here, if I can’t implement it quickly it gets passed over for the next best thing that can be. In fact, and perhaps in my own blinkered universe, the approach itself barely raised a murmour since. And yet the concept had stuck with me especially on the few occasions when I had heard it talked about.
It was on Russell Thomas’s blog, exploringpossibilityspace, that I saw just the other day this very approach being touted again. What I enjoyed about this post was the balanced and educational view of the traditional approach (little “r” approach in Russells’s parlance) versus the new dependency modeling approach (big “R”). I think the criticism of ‘r” methods is well founded, although it is widely understood in business and when used properly can help produce at the very least tactical indicators of risk to the business.
My challenge with the ‘R’ approach is that I have yet to see it applied in practical terms and in a way that is easy to digest and understand (I think I hurt myself about two thirds of the way down the article trying to get to grips with the concepts!). As a result therefore, getting business buy in is going to be extremely challenging. Partial information from an ‘r’ approach reaching the business successfully is going to be better than no information from an ‘R’ approach (however better the data is) reaching the business.
I would strongly recommend everyone to read Russell’s writings on this risak model, which also contains links to other resources as well.
There is more work to be done, but I hope it focuses on making it possible to use the approaching a day to day environment; they say there is nothing new in the world of information security, but I have high hopes for an approach to risk modeling that will allow me to do so much more for the business in terms of long term, strategic guidance and support.
And when I can use this model in Excel, count me in!
<Some of you have commented on my extended absence, but a busy few weeks followed by a lovely holiday camping in France took priority. Back in the saddle now and very much looking forward to your comments and feedback!>
Risk Management can be a tricky business, and this is coming from a fairly straightforward perspective with a simple view of risk management (which means even I can understand it!). To the lay person the purpose of risk management is to find the risks and then remove the risks to the organisation, otherwise why bother?
The clue of course is in the word management. Many information security professionals already know that you can do one of four things to your risks, once identified:
- Mitigate (aka Manage), that is implement a control or carry out at activity that reduces the risk.
- Avoid, or basically just stop doing the thing that is causing the risk.
- Transfer, or just give the risk to someone else, like an insurer or a third party vendor.
- Accept, or just face facts that this risk is the price you pay for doing business in this area.
So let’s assume you have completed your risk assessment and applied at least one of these actions to each risk, does this mean you are done? Does this mean you have successfully removed all of your risks from your organisation? Unfortunately, not by a long chalk.
Risks are always going to be present in your organisation; there are the ones you know about albeit reduced, the ones you think are too small to worry about, and finally the risks you have no idea about.
With the risks you know about even though you have reduced them, even though they may have gone from scoring an 8 to a 4 (in ISO 27005 parlance) they still exist! They can still happen, and worse still, the day after you have measured it, your assumptions are technically out of date. And just to really make your day, they may have even evolved and become unrecognisable and therefore invalid in your risk register.
The smaller risks you deem to be at an acceptable level will also suffer in the same way. Again, in ISO 27005 parlance the likelihood of something happening may change dramatically, or perhaps the ease of exploitation. Even worse, the asset value that you are measuring your risks against may have changed which will have a number of far reaching impacts to your risk register. To that I mean that a project that was once of little importance to the organisation, or even a physical asset, may suddenly take on a more important role and therefore greater ‘asset’ level. All of this is going to have an impact on your risks and how they impact your organisation.
Finally, the risks you weren’t even aware of. To be honest, and by their very nature, there is not a lot you can do about these except consider the following advice which applies to all risks;
You should be clear on one thing, namely that risk management is not a one time activity. All of the text books and standards will say that your risk register needs to be reviewed every year or after every major change. Whilst I don’t disagree with this per se (and in fact a minimum of a yearly formal review is an absolute necessity), I think in reality this needs to be much more frequent. Really, reviewing your risks needs to be an organic part of your day to a greater or lesser degree, and dependent upon the type of environment you operate in.
This does not necessarily mean you need to pore over your risk registers every day, but rather make a concerted and formal effort to be aware of the changing ‘threat landscape’; you can do this through popular news sites (e.g. BBC, CNN etc), specialist news sites (e.g. SANS, Sophos Naked security etc), blogs of people you know and trust, and of course Twitter for instance. There are likley to be many examples, but each one of these sources is going to give you a constant stream of information that needs to be processed and reviewed in some away against your risk register. You may only make minor changes every month or so, or you may find more frequent changes dependent upon your environment, but either way you will be ensuring that the your risk environment is fresh and up to date.
Now that your risk register is up to date and managed well you can be assured that the information you have is accurate, timely and subsequently meaningful. What you do with that information however is even more important, and something that will be looked at in a later post. As always, your comments and questions are welcome.
(Artwork by Peter Spier from his book, RAIN.)