Bright Stove

Reflecting information risk journey

Be ready for the Year of the Wooden Horse


Today marks the start of a new year on the Lunar calendar. As the Chinese saying goes, as the spring season arrives, happiness and prosperity follow. I would like to wish everyone a happy and prosperous lunar new year.


The Year of the Horse, according to the Chinese geomancy (fengshui) system, is a Wooden Year, which makes this a Wooden Horse Year. That immediately calls to mind the well-known Trojan Horse, an apt reminder of the many facets of security threats, which often rely on the surface appeal of beauty, innocence, or relevance of a subject to lure one into a hidden trap. Think spear phishing and spam mails. Be prepared for the Trojan, and be ready to deal with the many hidden challenges.

This year is also the “Jia Wu” year (甲午年) in the lunar calendar (more accurately, the sexagenary system, 六十花甲), which marks the 120th anniversary of the first Sino-Japanese war (甲午战争, 1894-1895). The current political tension between China and Japan over various territorial and historical issues doesn’t give much comfort when we read about the historical conflict. Certainly, today’s situation differs vastly from that of 120 years ago. But again, we never know whether leaders will learn from the lessons of history. Perspectives on war often differ between the aggressor and the defender, and they get more complex as more parties are involved. The stakeholders are many, and the solution is never easy.

Similarly, perspectives on cybersecurity, cybercrime, cyberwar, and for that matter everything cyber, often differ as well. Unlike conflicts between nations or competitors, where leaders and stakeholders have a choice of action or inaction, in cyberspace we often don’t even know that we have been targeted, or who or what the enemy is. As such, what really matters to an individual or an organisation on the Internet is this: do we know what’s at stake if something bad happens, have we thought about our potential exposure, and are we ready to respond? These questions may appear simple, but often we don’t have the answers or, simply put, we are not ready.

Once again, wishing everyone a happy new year! 祝大家马年吉祥,身体健康!

Written by mengchow

January 31, 2014 at 11:52 am

Responsive Security – Be Ready to Be Secure


After much anticipation, my new book, “Responsive Security – Be Ready to Be Secure”, is finally published today. Thanks to Prof Pauline Reich of Waseda University and Chuan Wei Hoo, who helped to proofread the earlier drafts, my publisher, Ruijun He, my editor, Iris Fahrer, and many friends and family members for all the support and assistance rendered throughout the long process that made this possible.


The book is based on my thesis on a Piezoelectric Approach to Information Security Risk Management, which captures the past decade of my experience and learning from my practice and from fellow practitioners I have had the opportunity to work with. The book walks through our current knowledge and principles of practice in information security risk management, with discourses on the underlying issues and dilemmas in a constantly changing risk environment. It introduces the concept of responsiveness, and highlights the importance of readiness and preparedness in the face of changes that we may not always be able to anticipate, let alone predict. Responsive Security focuses on events that could lead to system failures rather than on the current industry’s focus on the search for vulnerabilities and learning how perpetrators exploit and attack.

If you are interested in finding out more about the Responsive Security concepts and approach, the book is now available from CRC Press (http://www.crcpress.com/product/isbn/9781466584303) and also from Amazon, where an e-book version has also been published.

12th RAISE Forum Meeting at Jinan, Shandong


Talking about Shandong in the previous blog post (“Before the ashes turn cold”) yesterday: in fact, I had just come back from our 12th RAISE Forum meeting, which was held at Jinan, the capital city of Shandong province in China, on March 27 and 28, 2013. The meeting was co-sponsored and jointly organized by Beijing Powertime (北京时代新威) and Timesure, supported by the Association of China Information Security Industry (ACISI), and co-sponsored by (ISC)2.


Unlike previous gatherings, the 12th meeting started with a half-day public seminar attended by about 150 professionals, mainly from Shandong and a number of other cities in China. The keynotes of the seminar were given by Mr Wu Yafei, Chair of the ACISI (who is also Executive Director of the Information Security department of the State Information Center, SIC), and Professor Lv Shuwang (the inventor of the SMS4 cryptographic hashing algorithm).


Prof Lv spoke about the nature of the Internet versus an internet, and the importance of knowledge security. According to Prof Lv, knowledge security is a natural progression from information security as we evolve from an information-based economy to a knowledge-based economy. Knowledge security is critical not just to organizations or individuals, but also to the issue of preserving a nation’s massive body of knowledge from a civilization and cultural heritage perspective. Knowledge security requires a secure cyberspace, one that operates on a network whose growth, reliability, maintenance, and security are accorded national-level coordination and protection, since preserving the knowledge of a nation’s culture and civilization is a national issue. Today’s Internet is however rooted in the US and is not a true internet, a network of networks in which a nation’s public (or citizen) network connects mutually with the US or other nations’ public networks. To have a truly internet network, China needs to have its own public network to begin with. Currently, China’s public Internet network (as well as those of many other countries) shares a portion of the global Internet, “like a tenant on a rental property”, says Prof Lv. As such, security problems on the Internet continue to proliferate and cannot be resolved effectively. This is not an ideal condition for China’s knowledge security. Prof Lv therefore asserts that “China doesn’t have Internet”. Nevertheless, expecting the global Internet to have its root removed and be made completely open is also impractical, Prof Lv concluded.

At the public seminar, Mr Ning Jiajun, retired Chief Engineer of SIC, also shared his thoughts on the information security issues and challenges in China, and discussed the need for a basic Information Security Law, or Ordinance. This is necessary to address the fundamental legal principles and basic system requirements, in support of more comprehensive, specialized information security laws for the security governance of each industry sector.

In the professional certification arena, Mr Wang Xinjie of Beijing Powertime shared the status of the new work item on Information Security (IS) Professional Certification in ISO, which is still in an extended Study Period (totalling 12 months now); the status of CISSP adoption in China (which has more than 600 certified professionals as of March 2013); and the development of a new Certified Information Security Auditor (CISP-Auditor) certification in China. The idea of the Information Security Auditor is to develop a community of professionals who will be skilled at auditing (or validating) the information security practice of organizations. That practice may be based on the ISO/IEC 27001 ISMS standard, on other approaches adopted by the organization, or on practices mandated by specific industry regulations.

In addition to the Chinese experts’ presentations, representatives from RAISE Forum members also spoke at the public seminar. Mr Koji Nakao presented the status of security standardization at ISO/IEC JTC 1/SC 27 and ITU-T SG 17, including the current work plan and the areas of focus in the near term. Prof Heung Youl Youm of Soonchunhyang University, South Korea, presented the status of Personal Information Management Systems (PIMS) standardization in ISO/IEC JTC 1/SC 27 and also within Korea itself. I shared my thoughts on the Responsive Security approach to information security risk management (which I shall perhaps discuss in future blog posts).


The closed-door meeting of the RAISE Forum continued in the afternoon and for the whole of the next day at the Institute of Information and Communications Research (CIIIC). Present in person were members from Japan, Singapore, South Korea, P.R. China and Thailand, as well as a representative of (ISC)2, while the Malaysia and Chinese Taipei representatives joined the discussion and presentations online via the WebEx teleconference facility.

Besides the usual updates on ISO/IEC JTC 1/SC 27 and ITU-T SG 17 standards development activities, the meeting also discussed some recent cybersecurity developments, such as President Obama’s Executive Order, Japan’s cybersecurity strategy development, the very recent South Korea cyber attack incident, and Thailand’s cyber fraud incidents involving the security of smartphone applications. The international standardization activities of interest include the revision of the ISO/IEC 27001 and 27002 standards (both currently at DIS stage and likely to be published before the end of this year); cloud security standards (which include ISO/IEC 27017 and 27036, and the new work item in WG 4 on the technology aspects); and PIMS-related standards efforts. There was also much deliberation on the scope of a RAISE Forum project on an “Information Security Audit Framework”, which is currently under development. The results of the (ISC)2 2013 Workforce Study report and of the recently RAISE Forum-initiated Information Security Management Practice survey were also discussed. The latter will be shared in a separate update in a few weeks.

The meeting closed with thanks to the organizers and sponsors, and a short discussion on the 13th RAISE Forum meeting. This year is in fact the 10th anniversary of the RAISE Forum, since its inauguration in November 2004. The 13th meeting is planned to be held before year-end, venue to be confirmed, and will be held as a 10th anniversary celebration event.

Before the ashes turn cold


Bruce Schneier recently wrote an interesting piece about the use of technology for political purposes, in which he suggests that we need “more research into how to circumvent these technologies”: https://www.schneier.com/blog/archives/2013/04/it_for_oppressi.html

Technology is like a knife (in fact, a knife is also a technology). It is double-edged. Its application depends on the user more than on the provider. If a user uses a knife to kill a human being, it is against the law; it is even considered barbaric, animal, and so on. We know its danger, but that alone will not stop its use. If we look at the history of technology, explosives were discovered in China many years ago. The emperor at the time was worried about their negative effects and forbade further research and use. But their utility is far beyond the fear of the imperial order or the negative effects of an explosion. In the hands of inquisitive-minded scientists and powerful politicians, the technology has since evolved, and today it is not just gunpowder explosives that we worry about anymore.

Finding ways to circumvent a technology would reveal weaknesses that help the provider to strengthen it. It may even create a market selling the idea of its “safe use”. Even if one technology provider decided to discard it, another may acquire or reinvent it, as long as there is demand.

Beneath technology are intellect, knowledge, and information. Knowledge is power. Information flows.

In the Qin (秦) dynasty period, the first emperor of China understood that knowledge is power, and was therefore fearful of the potential threat of scholars and their teachings to his rule of the country. As a result, the Qin emperor ordered the burning of books in an attempt to stop people from learning. Nevertheless, the dynasty was overthrown by two rebels who were illiterate. A poet of the late Tang dynasty summarized this elegantly: “坑灰未冷山东乱,刘项原来不读书”, which roughly translates as, “Before the ashes (of the books) turn cold, Shandong has already rebelled; Liu and Xiang (the two leaders of the rebels) were in fact illiterate.” A few emperors in subsequent dynasties did the same thing and again failed badly.

Today, we would think that China and many others would have learned from history that censorship is not an effective tool for maintaining control of information and power. But they haven’t. Control gives the perception of power. Power blinds one from seeing things clearly. Letting go (detachment), as we learn in Buddhism, is not a simple thing.

Written by mengchow

April 6, 2013 at 11:34 am

Posted in Misc, Policy

A real sense of insecurity


Our office at the new business park is an attraction in many regards. There are massage chairs in the lobby area, a free flow of coffee and tea in the open pantry, and various open and semi-open areas for on-site collaboration as well as video-on-demand and telepresence collaboration with remote sites. As in many other companies’ offices, badge access is the norm, and so it is in ours.

(Photo: toilet door with a mechanical number lock)

Interestingly, the washrooms on our floors, which are situated outside the badged area near the lift lobby of each floor, have their own access controls. Each has a mechanical number lock installed on the door. As the washroom is a shared facility used by many people, the “secret” number to unlock the lock has to be known to all employees, contractors, and visitors. If you belong to one of these groups but still don’t know the number, there is no need to worry or to brute-force the secret number. You can simply follow someone in, or wait for someone to come out and hold the door to get in. Alternatively, you can go to the mail room nearby and ask the folks there cordially, and they will give you the number. In fact, if you cordially ask anyone who happens to walk by, they will also happily reveal to you the secret to the valuable rest room.

The question is, why did “someone” decide to install a lock that provides a real sense of insecurity and a false sense of safety to people in the building?

I found out later that the requirement was raised (by “someone”) because those washrooms have shower facilities in them, and the access control was intended as a form of safety for people taking a shower, as well as to prevent certain other people from taking showers. That seems like a reasonable requirement. Clearly, though, the security solution implemented has not met the requirement, and everyone else just “follows the flow”.

On another floor in the same building, another “someone” somehow decided to use badge access control for the washrooms, in line with that for normal office access. This provides better consistency and serves its purpose, i.e., it meets the requirement. Furthermore, with an electronic badge access system, if the shower gets overused, someone can turn on logging and start monitoring usage of the facility to find out who has been showering all the time.

Written by mengchow

February 7, 2013 at 5:44 pm

Changing season


This is a post that I drafted roughly two years ago, on an early autumn day when I was still living in Beijing. As we approach the end of August here in San Jose this week, I feel the temperature dropping each day, and yesterday I came across a short article in Nanfang Weekend (南方周末) that reminded me of this post, which I still have here, and of some related thoughts to share.

As the season changes from summer to autumn, we see our surroundings change with yellowing leaves, and feel the cooler breezes and lower temperatures. Along with these changes, we often hear Chinese physicians on radio and TV advising the public to beware of the chilling wind and, at this stage of the seasonal change from summer to autumn, not to put on too much warm clothing too quickly either. The opposite applies during the change from winter to spring. As each individual’s body has its own unique vulnerabilities, the consequences of such exposure to the changing environment can range from catching a cold to a stroke (for older folks, especially those with a heart condition or high blood pressure). In fact, I can feel that the wind is more chilling early in the morning and in the evening now than during the summer. I recall that a year ago, at around this time, on one morning I drove to the office and decided to wind down the windows to enjoy the early autumn breeze, and it was quite cool and pleasant throughout the journey. Shortly after arriving at the office, however, my neck got stiffer by the minute, and by noon it was impossible for me to turn to either side. That lasted for a few days even with a daily massage from a Chinese physician. In my first year in Beijing, I caught a cold in the same period from putting on too much warm clothing too early. Adaptation to change is never easy.

Maybe my neck is just too weak after so many years of fixating on a computer or laptop display, and I had been living in a year-long-summer country for so many years that a slight drop in temperature was a big change that my body reacted to too quickly.

In any case, such seasonal change reminds me of the importance of change management in our digital world as well. As an organization undergoes ongoing changes, especially from closing one financial quarter to beginning a new one, or from moving from one fiscal year to another, new or evolved goals, objectives and directions are often put forward, and changes to the supporting and operating environment follow. The wind of change has its own effect on information security. The consequence of not understanding the information security risks associated with those changes, and of not managing or preparing for them appropriately, could leave the organization’s systems with severe gaps or hidden issues. The effect may be minor in some cases, like catching a cold from which one recovers quite quickly by resolving the issues, or it may be a severe illness causing a prolonged period of downtime or inefficiency. In the worst case, it exposes critical systems or information to breaches or compromises. As reported in a not too distant incident, the repeated use of an outdated procedure in a maintenance process resulted in more than six hours of downtime for a major bank in Singapore. So, before your organization catches a cold in the process of change, it is best to work the security changes into the planned change, or the seasonal change. In the traditional Chinese approach to health, summer is the season to build up energy and get ready for the cool autumn and chilling winter to come. Going outdoors, working out physically, and eating energy-enhancing food are among the common advice from Chinese physicians. Similarly, in the period before an anticipated change event, or an unanticipated incident, getting the organisation (including its people) ready through planning, training, drills, exercises and so on is an important activity that should not be taken lightly.

One question though: what about places like Singapore that don’t really have four seasons? In a country where it is summer all year long, are we constantly working out and building energy? Where do we expend that energy? Any thoughts?

Written by mengchow

August 20, 2012 at 12:54 am

11th RAISE Forum Meeting


Last week in Tokyo, members of the RAISE Forum gathered for the 11th meeting since its inauguration in November 2004. In the past two to three years, activity and participation in the Forum meetings seemed to have slowed down, but core members from Japan, South Korea, Chinese Taipei, Malaysia, and Singapore continued to be active in organising and facilitating the proceedings, focusing mainly on information sharing and keeping each other updated on their respective economies’ developments (in terms of information security and standards). Malaysia, as one of the founding members, also continued to contribute through remote participation (thanks also to the WebEx conferencing tool) even though they couldn’t get the funding to attend the meeting in person.

In this meeting, there were two interesting developments. Our mainland China members sent four representatives and provided two contributions to the proceedings, expanding the members’ presence in the meeting and increasing the level of activity in the forum. At the close of the meeting, we also agreed on two new initiatives to pursue. As this is still a semi-open forum, I shall not discuss the new work items proposed in more detail until we have something more concrete to share. Meanwhile, if anyone in Asia is interested in participating and contributing (not just observing and listening ;-)) to improve the sharing of information security learning and experience, feel free to drop a comment here, send us a direct message on Twitter @raiseforum, or visit our alternative RAISE Forum group site on LinkedIn.

Special thanks to Japan’s NICT for sponsoring the meeting, and to our Japanese members for organising the logistics and administrative support, including the reception gathering, all of which made the meeting possible and successfully held for the 11th time. Our next meeting will be held in mainland China, organised by our P.R. China members.

Stay in touch!

Written by mengchow

August 19, 2012 at 6:40 am
