InfoSec Compliance & Complex Systems: Part 1 – Clinging to the Nearest Passerby

This Saturday I assemble my raiments and get hooded as a Master of Science.  In partial fulfillment of the requirements for the degree, I wrote, re-wrote, heavily edited, and finally collected signatures on my report on information security, compliance, and catalogues of controls.  I bounced back and forth on the utility of compliance, especially of compliance frameworks based on catalogues of controls.  My current belief, based on research and a deep case study, is that frameworks that rely on catalogues of controls can’t get it done, when “it” is establishing trust between organizations.

A reason for my research was my own frustration in hearing infosec folks say “security is not compliance!”  I heard “security is not compliance” again and again, a mantra of frustration coupled with anecdotes about compliant yet breached organizations.   Yet, security should be compliance, right?  That’s what it says in all the compliance guidance:  the objective is to establish a level of security.  So why the grousing?

I explored a couple of approaches to the question, but ended up addressing compliance as a means to establish trust with third parties.  The certification, whether PCI-DSS or a FISMA ATO, is a due diligence short-cut, establishing to outsiders that an organization has it together enough to handle your data.  This short-cut is useful, as anyone who survived the Great Paper Gramm-Leach Blizzard of the early 00’s can attest.

Nonetheless, the problem is in the implementation.  Getting PCI-DSS certified or a FISMA ATO is table stakes for operating in the payments or federal contracting games.  Organizations are willing to spend money on getting the certifications to get the revenue opportunities.   The certifications can even be used as signifiers of trust for other entities that don’t require compliance.

So why the disconnect with actual security?  Looking at other industries, particularly accounting, I saw some parallels.  There is a built-in problem with third party assessments.  It is a market for lemons, and some assessors stink at their jobs.  Like used cars, it’s hard to tell a good assessment from a bad one, until the thing fails.

This feature of assessment is exacerbated by the structure of compliance frameworks with control catalogues.  Control catalogues are seductive to both the assessor and the implementor.  The implementor gets a straightforward checklist that can mostly be managed within the IT department.  The assessor gets a universal, reusable checklist, so an engagement can be sped through without pausing to actually examine an organization’s proprietary processes, assets, or culture.   Control catalogues can reduce the cost of the lemons to the organization that ends up selling them.

More in my next installment.

Some bibliography:

Kaplan, S., Roush, P., &amp; Thorne, L. (2007). Andersen and the Market for Lemons in Audit Reports. Journal of Business Ethics, 70(4), 363–373.

Akerlof, G. A. (1970). The Market for “Lemons”: Quality Uncertainty and the Market Mechanism. The Quarterly Journal of Economics, 84(3), 488–500.

And listen to the Blue Lantern.


Valid University ID

I recently began classes at graduate school at UT in the Masters of Science in Identity Management and Security. On the first day of orientation, there was an alignment of my interests and the focus of the program as the staff introduced themselves and their areas of expertise: anthropology, econometrics, law, underwriting, and nuts and bolts infosec.

Best part was I got to be on the TV.


SiRACON 2015 – He wanted to stay home; Wish someone would phone

What I learned while in Detroit:

  1. Detroit is a cool town. The story repeated by business owners, folks that work downtown, and cab drivers is that the worst is in the rear view, and what is coming will be different.  Not a comeback, but a transformation. My limited view of the town over the few days I was there seemed to confirm this upbeat notion.
  2. SiRACON attracts smart people.  The level of discourse was high, and one could hear the comfortable but outdated iconography of information risk crumble and erode.  There is data.  You can quantify.  There are ways to tackle the problem.  All is not lost.  This zeitgeist is refreshing in the milieu of the wider infosec discussion of bitterness and defeat in the face of vicious enemies and stupid users.
  3. A professionally run, information dense conference in a state of the art facility can cost only $100.  The mind is boggled.  Better run, better content, better venue than conferences that charge 10 times as much.  And who needs another serving of hotel chicken in Orlando?  No one.
  4. There is plenty of data, it is everywhere you look, and it is there to help you.  Data from open source security indicators, from 3rd party risk assessment questionnaires (my favorite), data from others (VERIS), and your own damn data.  And you can freq it, you can bayes it, or you can just look at it.  It is there to help you, help your gut, make your decisions good.
  5. It’s a gas when your talk goes well.  I think mine did.  If I did nothing but play the role of uditore buffo in some data-driven commedia dell’arte, it would have been enough. Laughs are good.  And maybe my recounting my experiences of dealing with qualies helped.  I hope so.  Auditors are behind the eight-ball, and need to get on board the science wagon-train.
  6. Treating a debilitating headache with Motrin from the liquor store leads to system purge.  I learned this on my first day, whilst curled in a fetal ball moaning in my comfy bed at the Greektown Casino Hotel.
  7. Choice quotes: “Science advances one funeral at a time” & “When you get kicked in the balls, all you ask about are cups.”
  8. I’ll be back for more SiRACON.  You should be too.

Spider Nest


Blue blocks


Blue blocks at the National Building Museum.


Bingo

Best Practice

The details are too boring to recount.  An impossibly large number of records “exposed” due to human error.  Nothing new, same old.


The only reason to watch is to see how the impact plays out.  It is Texas Politics, after all, and the Lege is in session, and this could prove to be a mild distraction from birthers and budgeteers. 

The data loser in this instance is an elected official, with aspirations to higher office.  Ms. Combs was angling to grab one of the vacant seats when Lite Gov Dewhurst runs for US Senate.  So, there’s that.  I doubt many folks enter politics hedging against the risk of career flameout by batch job misconfiguration.  Time to update some campaign risk models.

The lawsuit loser in this instance has tapped into the type of outrage commonly expressed by commenters on newspaper websites  – the “SOMEONEOTTAPAY tiny fist shaking, foot stamping” yadayada.  Sure, they wanna get to the bottom of this for the dignity of the victims.  With no damage, the victims will have a tough row to hoe.  Maybe they are discovering for attack ad quotes.

At about six minutes into her interview, we get the biggest loser.  Comptroller Combs says Gartner and Deloitte are on the case to advise on “best practices.”  (It looks like Deloitte may be getting a small return on their campaign investment.)  This sort of reaction chafes me to no end, and is an assault on my dignity.  I might be wrong on this, but the evolving SOP for privacy incident response appears to be to spend money willy-nilly on whatever threat is foremost in the populace’s mind regardless of the proximal cause of the incident.  One company’s reaction to some speed freaks carrying away a safe with a couple of DVDs of data was to air gap their production environment and embark on a FISMA compliance project.   This firehose approach appears to be designed to make the potential victims feel better, I guess, but only enriches the best practitioners and “safe bet” consultants.   To me, it just seems a waste, and decreases my confidence in the competence of the organization.

And, to quote the Comptroller, “oh my gosh, think of Sony… and think of your grocery store loyalty card.”

Well, at least country music is alive and kicking every night south of Round Rock, Texas. (The sight of a youthful Dale Watson and the State Capitol restores a measure of my Texan dignity.  That, and Chicken Shit Bingo.)

Best Practices in Risk Management. Image courtesy of KoryeLogan.

Up Yours

Nice metric courtesy of Grits – the costs of false alarms.  And the casualties found at the intersection of reliable metrics and public policy. To quote Grits:

But as [Former Dallas Police Chief] Kunkle says, this is an instance where tuff-on-crime politics interferes with good public policy and common sense. The small minority being subsidized by police responses to alarms are extremely vocal and well-organized by alarm companies, who have lists with contact info of concerned customers that would be the envy of any political consultant. Plus, those with alarms almost by definition are relatively wealthier – after all, they got an alarm because they have stuff to steal – and therefore also more politically influential. By contrast, the 86% of Dallasites without burglar alarms who’re footing most of the bill are unorganized, unaware of the subsidy, and may not even perceive they have a dog in the fight.

The balance of this conflict is similar to those duked out in meeting rooms, with varied stakes and different arguments.
Maybe a similar “verified response” fee should be assessed on consultants or auditors who elevate low impact / low frequency risks up to the Board.

Or for the one who turned the risk management dashboard day glo.

Or fought the crisis you can’t see.

(So RIP Poly Styrene, unless this is a false alarm.)


Audit Drips

I was catching up on the podcast backlog today. I listened for the first time to the Risk Hose, which had a meaty midsection on the internal auditing profession, and whether and how internal auditors assess, analyze and otherwise manage and misconstrue risk.
(A couple of caveats. I speak as an internal auditor, with a background in food service and deckhanding. I’m ISACA Platinum, which is more like Centrum Silver than American Express Gold, i.e., it is bestowed upon age. I’m an autodidact when it comes to information risk analysis, but I’m trying to learn.)

Firstly, the standards. The Red Book, or more correctly, the International Professional Practices Framework, includes the following standard (2010.A1):

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

So, every internal audit shop has to perform a risk assessment annually, and use it to plan which audits will be performed in the next year.
This type of risk assessment evaluates “audit risk,” defined in Sawyer’s Internal Auditing (from my raggedy 4th edition, Part 3 Scientific Methods* Chapter 8 “Risk Assessment”) as the following:

Audit Risk = Inherent Risk x Control Risk x Detection Risk

A heavy dose of “professional judgment” (also known as “the gut”) is used in this method.   The output of this assessment prioritizes the auditable units (chunks of business functions which make up the audit universe), which are then cranked through the cycle to maintain “coverage.”  Purchasing on even years, Accounts Payable on odd, et cetera.  Areas with weak controls and lots of potential loss should probably float to the top.  This method is old fashioned even for the conservative internal audit profession, but has the backing of some of the AICPA’s more ancient Statements on Auditing Standards.   The resulting assessment is used internally for audit’s planning purposes, and, from talking to my peers in industries without a regulatory mandate to perform risk assessment, it may be the only organization-wide assessment that gets performed.   The methods vary, as do the results.

The recent revisions to the Red Book standards state that internal auditors “must evaluate the effectiveness and contribute to the improvement of risk management processes.”  So a shop that follows the standards will be in the business of whoever is performing the “risk management” function, “information systems” included.   Internal auditors can’t manage risk, but they can help assess it.

From my perspective, a lot of internal auditors have a lot of experience in an old fashioned style of risk assessment, and end up with a gut quantification exercise.  There may be some bet hedging, vindictiveness and four tons of politics involved in the process (see above as to who must have input into it), and, in the end, the board will get what it wants.  Quality and sophistication of boards will vary widely, and if they want red, yellow, and green heat maps, by gum they are going to get them.  If they want quant analysis, they’ll get that too, especially if there is overlap between the Audit Committee and the Risk Committee.

Personally, it is approaching risk assessment season for my shop, and, with Hubbard and FAIR in hand, I’m working with our CAE to get together at least some quantitative analysis.  Gotta start somewhere.  I’ll get the blame regardless.

*I think I hear a head exploding somewhere.


The Professional

An interesting narrative, trapped unfortunately behind a pay wall, comes from the Chronicle of Higher Education – “Chapel Hill Researcher Fights Demotion After Security Breach”

A cancer researcher’s database gets potentially pwned (two years from incident to discovery), spurring the usual breach notification process.  Her bosses cut the researcher’s pay and reduced her status to associate from full professor.  The justification was that she, as principal investigator, was responsible for the security of the personal data entrusted to her by the subjects of the study.

The meat from the article (emphasis added):

The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university’s technology office and that the employee never submitted a formal request for additional training.

“I had an employee who I trusted who told me things were OK,” she added. “I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don’t know what I could have done.”

Working in the Public Interest
I believe that there is another option.  Some folks in charge of security are not liars, but are incompetent.    And, yes, it is hard to tell them apart.

If it was money that was stolen, and someone said “I have no way of telling if the books were correct.  I trusted the accountant.  He was an experienced bank teller,” what would the response be?  Why didn’t you hire a forkin’ CPA?  CPAs have professional knowledge, and ethical obligations, and if they fail to meet them, you can have their license pulled.

Not so with security folks.  Why is it acceptable for others to manhandle your personal, private data more cavalierly than your accounting records?

I’m tempted to start my rant on certification, pseudo-science and “computer forensic professionals” but I’ll save it for the next post.

Risk a Harm?

Interesting post and comments on privacy risk from Solove at Concurring Opinions.  Despite being raised by a pack of feral solicitors, I can’t claim to understand all the legal theories involved.  I’m attracted to the liquidated damages idea for a number of reasons, including the ability to build a reserve or get underwriting to mitigate potential incidents.  

Harms at Risk

On the other hand, this is where the disclosure rules suck.   For example, an organization loses track of a hunk of physical media that contains a couple hundred thousand records that contain personally identifiable information (but not financial information – no bank or credit card account number).   In this example, there is a very high probability that the media was subsequently destroyed.  Are the individuals identified on the media well served by being notified?  

Imagine there was a method to calculate the likelihood of financial damage to the individual due to the loss of the media.  Let’s imagine that there is less than a 1% chance that the information will be used in a crime in the next 2 years, and that the chance decreases by half every year that follows.  However, if it is used in a crime, it is likely that the crime will be of a significant impact – a genuine fraud involving false credentials that would take more than $100,000 for the victim to unravel.   Is notifying the victim of the risk, and making him feel uneasy (since humans perceive risk differently than equations), responsible?
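Carrying the numbers in that paragraph through, as an added worked example that is not part of the original post: a 1% chance of misuse across the first two years, halving every year after that, and a $100,000 impact per misused record.  Treating the first two years as a single bucket, and reading “less than 1%” as exactly 1%, are assumptions made here; the function names are invented for the example.

```python
"""Expected-loss arithmetic for the lost-media scenario.

Added example, not from the original post.  The figures are the post's
hypotheticals; bucketing years 1-2 together and reading "less than 1%"
as 1% are assumptions made for this example.
"""
from typing import List

IMPACT_USD = 100_000.0       # post: a fraud costing the victim more than $100,000 to unravel
P_FIRST_TWO_YEARS = 0.01     # post: "less than 1% chance ... in the next 2 years" (assumed 1%)
HALVING = 0.5                # post: "decreases by half every year that follows"


def misuse_probabilities(horizon_years: int) -> List[float]:
    """Per-bucket probability that the records are misused, up to the horizon.

    Bucket 0 is years 1-2 taken together (assumption); each later bucket is
    one year and carries half the probability of the bucket before it.
    """
    if horizon_years < 2:
        raise ValueError("horizon must cover at least the first two-year bucket")
    probs = [P_FIRST_TWO_YEARS]
    for _ in range(horizon_years - 2):
        probs.append(probs[-1] * HALVING)
    return probs


def cumulative_probability(horizon_years: int) -> float:
    """Probability of at least one misuse within the horizon (buckets are disjoint)."""
    return sum(misuse_probabilities(horizon_years))


def expected_loss_per_victim(horizon_years: int) -> float:
    """Probability-weighted loss for one individual on the media, in USD."""
    return cumulative_probability(horizon_years) * IMPACT_USD


def lifetime_limit_per_victim() -> float:
    """Infinite-horizon limit of the geometric series:
    0.01 * (1 + 0.5 + 0.25 + ...) = 0.02, so $2,000 per victim."""
    return P_FIRST_TWO_YEARS / (1.0 - HALVING) * IMPACT_USD


def expected_loss_population(records: int, horizon_years: int) -> float:
    """Aggregate expected loss across every record on the media, in USD."""
    return records * expected_loss_per_victim(horizon_years)


if __name__ == "__main__":
    # Post: "a couple hundred thousand records"; 200,000 is a stand-in (assumption).
    for horizon in (2, 3, 4, 6, 10):
        print(f"{horizon:>2} yrs: P(misuse)={cumulative_probability(horizon):.4f}  "
              f"per victim=${expected_loss_per_victim(horizon):,.0f}  "
              f"200k records=${expected_loss_population(200_000, horizon):,.0f}")
    print(f"lifetime limit per victim: ${lifetime_limit_per_victim():,.0f}")
```

The point the arithmetic makes is that nearly all of the expected loss sits in the first two years (half of the lifetime $2,000 per victim), so whatever value a notification has, it has it early or not at all; the per-victim figure is modest while the aggregate across a couple hundred thousand records is not, which is the tension the post is pointing at.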

Or is this just an excuse for me to illustrate a post with a picture of Harms at risk?  
