Death Star Risk Assessment

We would like to thank Lord Vader and the executive team for the time and support they have given us in undertaking our risk assessment of the new Death Star weapons platform.  We understand that you have finished your initial development, and plan to go live in the very near future if the system tests codenamed Alderaan are successful.

We have considered the project risks in the areas of people, process and technology.

People risks.  The choice of armour for your troops appears to be more focussed on brand management than functionality.  Our assessment has found the following untreated risks:

(1) the armour does not protect against blaster fire; [risk moderate]

(2) the lack of identity badges increases the risk of social engineering attacks. [risk high]

Process risks.  There is little evidence that an effective management system has been deployed.  Our assessment has found the following untreated risks:

(1) management by force of personality and threat of death can be effective in small teams, but does not scale; [risk low]

(2) there are few documented processes for the management of the detention cells, trash compactor and other operational systems. [risk moderate]

Technology risks.  The specifications for the Death Star do not appear to effectively cover non-functional operational components.  Our assessment has found the following untreated risks:

(1) there is no technical security around the management interfaces to the weapons platform; [risk high]

(2) a small unshielded vent port has been detected that has full access to the central core. [risk high]

Our recommendation is that you correct each of these risks before going live, even if it delays the project.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com 

Personal Information is the Currency of the Internet

When we talk about privacy of personal information on the Internet what do we mean?  Many people assume it is the punch-line to a joke, as it is the accepted wisdom that there is no privacy on the Internet.  But the wisdom of the crowds is not something I'd bet on.

Legally personal information is anything that can identify an individual.  But this is an overly broad definition, and includes everything you have on your business card.  Morally personal information is that which is in the sphere of your domestic life.  But the work/life balance is increasingly blurred so that doesn't really work either.  A practical definition of personal information that needs privacy protection is anything that can be used against you.

In the past this has been easy to understand and easy to protect.  We used well understood physical security controls.  If you want to stop someone looking into your bedroom window then close the curtains.  But today it's much harder to understand, as the controls are now all logical, changeable, and set by publicly listed corporations.  If you think you understand the Facebook privacy controls today, wait until they change them tomorrow.

These same public corporations are not privacy advocates.  Facebook and Sun have publicly said that the age of privacy is over.  Google, Microsoft and Apple have all gone to court to fight against having to keep your personal information secure.  But this is entirely rational behaviour on their part - if you don't pay for the service you are not the customer, you are the product.

But do we protest too much.  Do we really care about our privacy?

Turn on a TV anywhere in the Western world and you will be bombarded with reality TV shows.  Go to any news-stand and look at the array of gossip magazines.  These forms of entertainment are very popular, and very, very profitable.  And they are all based on voyeurism and abusing the privacy of others.  There is even a mainstream movie coming out this year called Identity Thief, that will let us laugh along at the hapless victim.

I think that there is an explanation, that explains our use of Facebook, that explains reality TV, an explains why privacy on the Internet really does make sense.

Personal information is the currency of the Internet.  It's what we use to pay for services.  It should be protected in the same way we protect our wallet, and we should make sensible choices about where to spend it.

For the value we get from Facebook, for most of us the spend is reasonable.  For the winners of reality TV shows, the spend is trivial compared to the real world cash they convert their privacy into, even if the same can't be said for the losers.

But if we don't protect our privacy, we will have nothing left to spend.  And no-one likes being poor.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com 

The Perils of Cloud Analogies

Moving your operations to the cloud is like... a dream for those who love analogies.  All sorts of things have been claimed, but there is only one reality.  It's like outsourcing, because that's exactly what it is.

The biggest business risk with outsourcing is that you replace technical controls with contracts, and while a move from tactical operation to strategic management looks excellent in a business plan, it can fail badly when interacting with the real world.  The claim that "insert-vendor-here" should be better at running the infrastructure because they developed it, is much more an article of faith than a well-reasoned position.

Consider the failure of the Windows Azure platform over the last weekend.  I noticed it when I couldn't play Halo 4.  As a gamer it didn't occur to me that there was anything deeper than the Halo servers weren't working, but it turns out they were hosted on a cloud infrastructure.  And the cloud had failed.  Completely.  The reason: "Storage is currently experiencing a worldwide outage impacting HTTPS operations due to an expired certificate."  In 2013.

Information security is a people business, and the people failed.

As Sony previously discovered, the total failure of their game platform is a pain, but it isn't going to threaten the company.  To Microsoft's credit they had it all restored in about 8 hours.

But Windows Azure doesn't just host games - it hosts businesses.  And the same failure happening in the middle of the week would mean that businesses that had fully moved to the Microsoft cloud could do nothing.  No backup.  No failover.  No disaster recovery.  Because all the availability controls were outsourced.  And it is very unlikely that the clients using the service are big enough to make any contractual claim for loss.

This isn't just a Microsoft problem, Amazon had the same sort of outage last year.  Every cloud hosting provider will have these problems.

So here's my cloud analogy: it's like putting all your eggs in one basket - a basket you've never seen and can't locate - along with everyone else's eggs, and having faith that this will be managed well by the fox.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com 

The Sky Falling, NOT!

FUD: Fear, Uncertainty and Doubt.  It seems to drive the product segment of the security market, and it really annoys me.  The sky is falling.  Cybercrime is rampant.  And on, and on, and on...

Let's dial the emotion down, and look at the underlying premise.  How safe online are we really?

As I look out my window, the sky is not falling, it is a beautiful blue.  However there are a few clouds and it may rain tomorrow.  If the doomsayers were in the weather industry instead, they would be telling us all the carry umbrellas at all times, wear raincoats just in case, and take out lightning protection insurance.  I don't see anyone on the street taking these sort of precautions, because they are all able to make a sensible assessment of the likelihood of rain.  Unfortunately they are not able to make a similar sensible assessment on the likelihood of a security compromise, so they worry.  And worry is the marketing tool of choice.

Cybercrime is certainly a problem, but the main problem is the "cyber" prefix.  Cybercrime is just crime.  We don't talk about transport-crime when a thief uses a car as a getaway vehicle.  We don't call it powertool-crime when a safe is cracked.  So why make such a big deal about the enabling technology?  Everything is online now, so everything is "cyber", so let's stop using the word.  People have been stealing from each other since they first decided to pile rocks up in a cave, and it is not much different today.  The majority of crime is theft and fraud, and this is a very rare event in everyday life.  It does happen.  It will continue to happen.  It may be a large absolute value, as much as hundreds of millions of dollars, but the world economy is in the hundreds of trillions, and if we've got crime down to below 0.0001% then we should be pleased about it, not worried by it.

I grew up in a small country town, where everyone knew everyone, and people didn't lock their doors.  Today the same town is much larger, unknown people are the majority, and everyone locks their doors.  In the online world, we are now in the large town, but still acting like we are in the small one.  We need to take sensible precautions against the bad guys, but not spend all our days worrying about them.  And at least know where your umbrella is!

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com 

Myth #10: We have a security plan

We have a security plan, and I can point you to the binder that contains it.  It’s got all the sections that the consultants told us we needed: policy, risk management, personnel security, information classification, incident management and BCP.  So we must be secure!

No doubt the magic binder is in the bottom of a locked filing cabinet, stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'.

Plans that exist only for compliance purposes aren’t functional, and quite literally aren’t worth the paper they are written on.  No-one knows about them, no-one follows them, no-one keeps them up to date.  The only thing that they really are useful for is waving at clueless auditors.

That said, we have a security plan at CQR.  Actually we have a security management system certified to ISO 27001.  But you’d expect that of a security company.  This is because we practice what we preach.

So here’s the preaching: security plans only work if they are part of the day to day operations.  If they are just what you do, not what you drag out to appease the auditors, then practical and pragmatic plans really do add value.  I know it’s a cliché, but security really is a journey, not a destination, with a security plan being the map.

With a good plan, security is easy and this myth is confirmed.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com 

Myth #7: A security review is just an audit

Here’s the thought process behind this myth: security is just risk management; risk management underpins compliance; compliance is driven by audit; audit is well understood.  There are many well defined and accepted audit methodologies for areas such as finance (SOX, SAS 70), process (COBIT) and security (ISO 27001).  Therefore any competent auditor, with an appropriate checklist should be able to perform a security review.

All risk management methodologies, whether qualitative or quantitative assume that risk is the product of impact (what will the loss be if the event occurs) and likelihood (how likely is the event).  Using this methodology events which are catastrophic but rare, and events which are insignificant but almost certain may both be labelled as medium risk.  And the beauty of medium risk events is that they are almost always accepted by the business.

The problem is that this analysis is fundamentally flawed when considering security.

The risk management methodology is designed for random and accidental events.  It is well understood how often buildings burn down.  It is well understood how long the average power failure will be.  This is true because actuaries have been recording tables of unlikely events for more than 100 years.  But IT security isn’t old enough as a discipline to have actuarial tables, which is exactly why you can’t buy anti-hacking insurance.

The insurers know something that businesses haven’t worked out yet.  Attackers completely control the likelihood.  If they have decided to attack, the likelihood is almost certain, no matter how it’s been assessed in a risk methodology.  Being hacked isn’t accidental and it isn’t random.  Remediation of all security vulnerabilities with high impact rather than just high risk is required to improve security.

But if you ask an experienced security specialist to undertake a security review with a current and appropriate checklist, and then you act on all the high impact findings, it’s plausible that you will be more secure.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com

Myth #6: We have good physical security

We have good physical security implemented by guards, guns and gates. All systems are in secure server rooms, located at secure sites, and since the bad guys can’t get to them, they can’t attack them.

This myth presupposes good firewalls, so let’s assume that attack from outside is too difficult. Do organisations really have as good physical security as they believe, and does this keep them safe?

Physical security is implemented by combining three different techniques:

(1) deterrence – making the risks too high to attack in the first place (guns);

(2) prevention – making it too hard or too expensive to attack (gates);

(3) response – having a capability to detect or capture the attacker even if successful (guards).

It does seem plausible that if an organisation gets all of these right, that physical security will protect them. The problem is that they never get them right, and physical access is almost always the easiest way to attack.

If a bad guy really wants to attack an organisation, none of the deterrence mechanisms matter, they’ve already decided to attack. Strike one.

The only prevention mechanism that has any chance of success is complete exclusion of all non-employees from a site. If visitors are let in, prevention has been bypassed. If there are any contracts with any third-party services at all, the only thing that has been done is to require an attacker to buy a second-hand contractor logo shirt from a charity shop. Network level security inside an organisation is usually very poor, and the attacker has just bypassed the firewall. Strike two.

A competent attacker who is determined to physically attack is going to rely on both looking like they should be there, and the normal human nature not to question strangers. The attacker won’t be stopped even in organisations with a name badge requirement and posters everywhere saying challenge strangers. And a simple disguise will make CCTV useless. Strike three.

Put bluntly: deterrence doesn’t work; prevention doesn’t work; and response doesn’t notice. It’s even worse than that, because the belief that organisations have good physical security when they really don’t, makes them blind to physical attack. This is especially true in branch offices.

Physical security underpins everything else, but it isn’t enough by itself, and that is why this myth is busted.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com