August 2011 Archives

I'm going through a "questioning everything" stage, which I'm sure some of you will find annoying, but hopefully it'll also be worthwhile in the end. One of those questions is "What are the actual minimum security practices that should be followed by all personnel?" It's an interesting and somewhat challenging question because, despite having no shortage of source materials to answer the question at length, I'm not necessarily convinced that many of the traditional "requirements" are either necessary or universal.

Thus far, all I've been able to come up with is this short list:
* Have a reasonably long password/passphrase.
* Practice safe computing/browsing.
* Don't share sensitive information (e.g., trade secrets, passwords).
* Protect your physical devices (e.g., phones, laptops).
* Report incidents, suspicious behavior, and related concerns.

That's about it. I'm sure there are more things, but in my somewhat jaded and cynical mindset (at the moment, anyway), I'm having a hard time thinking about what else might be universally applicable to all employees in a company.

What do you think? What am I missing?

I've been doing a bit of reading-up on Operational Risk Management (ORM) this week. It's intriguing to me that yet another method set emanates from the DoD world and yet we're just now seemingly starting to pay attention. Actually, that's not quite true. It appears that the financial crises have triggered an increased focus by groups like the Basel Committee on operational risk (in the financial sector, this seems to be different from the DoD version, maybe? e.g., see the Basel Committee's "Principles for the Sound Management of Operational Risk"), which seems to have in turn caused yet another shift in viewpoint within the inforisk crowd (which is fine).

Soooo... from the firestorm I sparked with my last post, it's very clear I did a really lousy job expressing my point, and that I've also apparently riled folks up by challenging yet another ax of inforisk management. I'm going to try to approach this topic from a different perspective this time and see if I can't maybe get the point across a bit more clearly. I don't think it'll be any less irritating to some people, but hey, you win some, you lose some...

In financial risk management - and particularly with investments - there is a reasonable concept of risk tolerance. You can determine ahead of time just how aggressive you want to be with your portfolio, which maps directly to how much risk you're willing to tolerate (essentially meaning how low a probability of return or how high a probability of loss you're willing to accept). In information risk management we've talked about similar concepts, which on the surface might seem fine, but which in practice seems be inconsistent, unnecessary, and - frankly - outright irrelevant.

eu lo gy -noun, plural -gies. 1. a speech or writing in praise of a person or thing, especially a set oration in honor of a deceased person. 2. high praise or commendation.

I don't do this a lot, because I try to keep this blog positive and constructive, but occasionally I have to speak up and call BS on what is just blatant lunacy. I'll try to keep my criticisms constructive here.

The problem is this: people are once again falling into that rut of blaming the users for making bad security decisions, all the while having created, sustained, and grown an enablement culture that drastically abstracts users from the impact of those decisions. Plainly put: if the users don't feel the pain of their bad decisions, then they have no incentive to make a change. This is basic psychology.

If you travel at all, or are concerned about doing local backups, or maybe don't even have any backups today (talking primarily here about home and SOHO environments), then you've probably thought a bit about the various online "backup" (or "archive") providers. I've looked at a bunch of them and had mixed results. One thing to beware: many of these services style themselves "archive" solutions, rather than "backup" solutions, all to dodge reliability commitments. As such, I thought I'd share some of my thoughts/results...