Today marks the start of a new year on the Lunar calendar. As the Chinese saying goes, as the spring season arrives, happiness and prosperity follow. I would like to wish everyone a happy and prosperous lunar new year.
The Year of the Horse, according to the Chinese geomancy (feugshui) system, it’s a Wooden Year, which means a Wooden Horse Year. That immediately calls to our attention the well known Trojan Horse. Perhaps an important reminder of the many facets of security threats, which often leverage the surface appeal of beauty, innocence, or relevance of a subject to lure one into a hidden trap. Think Spear Phishing, Spam mails. Be prepared for the Trojan, be ready to deal with the many hidden challenges.
This year is also the “Jia Wu” year (甲午年) in the lunar calendar (more accurately, the sexagenary system, 六十花甲) that marks the 120th anniversary of the first Sino-Japanese war (甲午战争,1894-1895). The current political tension between China and Japan over various territorial and historical issues doesn’t give much comfort when we read about the historical conflict. Certainly, today’s situation differs vastly from that of 120 years ago. But again, we never know if the leaders will learn from the lessons of history. Perspectives of war often differ between the agressor and the defender. They get more complex as more parties are involved. The stakeholders are many, solution is never easy.
Similarly, perspective on Cybersecurity, Cybercrimes, Cyberwar, and for that matter, everything Cyber, often differs as well. Unlike the conflicts of nations or competition, which leaders and stakeholders can have a choice of actions or inactions, in the Cyberspace, we often don’t even know that we have been targeted or who or what the enemy is. As such, what really matter to an individual on an organisation on the Internet is whether do we know what’s at stake if something bad happens, have we thought about our potential exposure, and are we ready to respond? A few questions that may appear simple, but often, we don’t have the answers, or simply put, not ready.
Once again, wishing everyone a happy new year! 祝大家马年吉祥，身体健康！
After much anticipation, my new book, “Responsive Security – Be Ready to Be Secure“, is finally published today. Thanks to Prof Pauline Reich of Waseda University, and Chuan Wei Hoo, who helped to proof read the earlier drafts, my publisher, Ruijun He, my editor, Iris Fahrer, and many friends and family members for all the supports and assistance rendered throughout the long process to make this possible.
The book is based on my thesis on a Piezoelectric Approach on Information Security Risk Management, which captures the past decade of my experience and learning from my practice and fellow practitioners whom I have the opportunity to work with. The book walks through our current knowledge and principles of practice in information security risk management, with discourses on the underlying issues and dilemmas in a constantly changing risk environment. It introduces the concepts of responsiveness, and highlights the importance of readiness and preparedness in face of changes that we may not always able to anticipate, and lest unable to predict. Responsive Security focuses on events that could lead to systems failures rather than the current industry’s focus on the search for vulnerabilities and learning how perpetrators exploit and attack.
If you are interested to find out more about the Responsive Security concepts and approach, the book is now available at CRC Press (http://www.crcpress.com/product/isbn/9781466584303) and also Amazon, where an e-book version has also been published.
Talking about Shandong in the previous blog (“Before the ashes turn cold“) yesterday, in fact, I just came back from our 12th RAISE Forum meeting which was held at Jinan, the capital city of Shandong province in China on March 27 and 28, 2013. The meeting was co-sponsored and jointly organized by Beijing Powertime (北京时代新威) and Timesure, supported by the Association of China Information Security Industry (ACISI), and co-sponsored by (ISC)2.
Bruce Schneier wrote an interesting piece recently about the use of technology for political purposes and suggests that we need “more research into how to circumvent these technologies”: https://www.schneier.com/blog/archives/2013/04/it_for_oppressi.html
Technology is like a knife (in fact, a knife is also a technology). It is double-edged. It depends on the user more than the provider in terms of its application. If a user uses a knife to kill a human being, it is against the law, it is even considered barbaric, animal, etc. We know its danger, but that alone will not stop its use. If we look at the history of technology, explosive was discovered in China many years ago. The emperor then was worried about its negative effects and forbid further research and use. But its utility is far beyond the fear of the imperial order or the negative effects of an explosion. In the hands of the inquisitive minded scientists and the powerful politicians, it has since evolved and today it is not just gunpowder explosive that we are worried about anymore.
Finding ways to circumvent technology would reveal weaknesses that help the provider to strengthen it. It may even create a market selling the idea of its “safe use”. Even if a technology provider decided to discard it, another may acquire or reinvent it, as long as there’s a demand.
Beneath technology is intellectual, knowledge, and information. Knowledge is power. Information flows.
In the Qin (秦) dynasty period, the first emperor of China understood that knowledge is power, and was therefore fearful of the potential threats of scholars and their teachings to his rule of the country. As a result, the Qin emperor ordered the burning of books in an attempt to stop people from learning. Nevertheless, the dynasty was overthrown by two rebels who were illiterates. A poet in the late Tang dynasty summarizes this elegantly, “坑灰未冷山东乱，刘项原来不读书”, which roughly translates, “Before the ashes (of the books) turn cold, Shandong has already rebelled; Liu and Xian (the two leaders of the rebels) were in fact illiterate.” A few emperors in subsequent dynasties did the same thing and again failed badly.
Today, we thought that China and many others would have learned from history that censorship is not an effective tool for maintaining control of information and power (based on the historical lessons learnt). But they don’t. Control gives the perception of power. Power blinds one from seeing things clearly. Letting go (detachment), as we learn in Buddhism, is not a simple thing.
Our office at the new business park is an attraction in many regards. There are massage chairs in the lobby area, free flow of coffee and tea in the open pantry, and various forms of open and semi-open areas for local on-site collaboration as well as video-on-demand, telepresence collaboration with remote sites. As in many other companies’ offices, badge access is a norm, and so do ours.
Interestingly, the washrooms at our floors, which are situated outside the badged area, near the lift lobby of each floor, have their own access controls. Each has a mechanical number lock installed on the door. As the washroom is a shared facility, with many people using it, the “secret” number to unlock the lock has to be known to all employees, contractors, and visitors. If however you belong to one of these groups, but still don’t know the number, there’s no need to worry or do a brute force attack to crack the secret numbers. You can simply follow someone in, or wait for someone to come out and hold the door to get in. Alternatively, you can go to the mail room nearby and ask the folks there cordially, and they will give you the number. In fact, if you ask anyone who happen to walk by, cordially, they will also happily reveal to you the secret to the valuable rest room.
The question is, why do “someone” decided to have such a lock that provides a real sense of insecurity and a false sense of safety to people in the building?
I found out later that the requirement was raised (by “someone”) as those washrooms have shower facilities in them, and the access control is to provide as a form of safety to people taking shower as well as prevent some other people from taking shower. Seems like a reasonable requirement. Clearly, the security solution implemented has not met the requirements, and everyone else just “follow the flows”.
At another floor in the same building, another “someone” somehow decided to use a badge access control for the washrooms access, inline with those for the normal office access. This provides better consistency, and serves its purpose, i.e., meeting the requirements. Furthermore, with an electronic badge access system, if the shower gets overused, someone can turn on the logging and start monitoring the usage of the facility to find out who have been showering all the time.
This is a post that I have drafted roughly about two years ago, when I was still living in Beijing at that time, on an early autumn day. As we approach the end of August, here in San Jose this week, I feel that the temperature is lowering each day, and yesterday, I came across this short article at Nanfang Weekend (南方周末), it reminded me about this post that I still have over here to share some related thoughts.
As the season changes from summer to autumn, we see a changing surrounding of yellowing leaves, and feel the cooler breezes of wind, and lowering temperature. Along with these changes, we often hear Chinese physicians advising the public from radio and TV stations to beware and be careful of the chilling wind, and at this stage of seasonal change, from summer to autumn, not to put on too much warm clothing too quickly as well. The opposite during the change from winter to spring. As our individual body system has its own unique vulnerabilities, the consequence of such exposure to the changing environment could range from catching a cold to a stroke (for the older folks, especially those with a heart condition or high blood pressure). In fact, I can feel the wind is more chilling early in the morning and evening now than during the summer period. I recall a year ago at around this period, in one of the morning, I drove to office and decided to wind down the windows to enjoy the early autumn breezes, and it was quite cooling and pleasant through the journey. Shortly after arriving at office, however, my neck got stiffer by the minutes and it was impossible for me to turn to either side by noon. That lasted for a few days even with a daily massage by a Chinese physician. In my first year in Beijing, I caught a cold in the same period for putting on too much warm clothing too early as well. Adaptation to change is never easy.
Maybe my neck is just too weak after so many years of fixating at the computer/laptop display, and I was living in a yearlong summer season country for so many years then that a slight drop in temperature is a big change that my body reacted to too quickly.
In any case, such seasonal change reminds of the importance of change management in our digital world as well. As organization undergoes ongoing changes, especially from closing one financial quarter to beginning a new quarter, or moving from one fiscal year to another, there are often new or evolved goals, objectives, directions that are put forward, in which changes to the supporting and operating environment follow. The wind of change has its own effect on information security. The consequence of not understanding the information security risks associated with those changes, and not managing or preparing for them appropriately could leave the organization systems with severe gaps or hidden issues. The effect may be minor in some cases, like catching a cold that could be recovered quite quickly by resolving the issues, to severe illness causing prolonged period of downtime or inefficiency. In the worst case, exposing critical systems or information to breaches or compromises. As reported in a not too recent incident, the repeated use of an outdated procedure in a maintenance process had resulted in more than six hours of downtime for a major bank in Singapore. So, before your organization catches a cold in the process of change, best to work the security changes into the planned change, or the seasonal change. In the traditional Chinese health systems approach, the summer is the season to build up energy and get ready for the cooling autumn and chilling winter to come. Going outdoor, working out physically, and taking energy-enhancing food are amongst the common advise from the Chinese physicians. Similarly, in the period before an anticipated change event, or unanticipated incidents, getting organisation (including people) ready (through planning, training, drills/exercises, etc) are important activities that should not be taken lightly.
One question though, what about places like Singapore that don’t really have a four season? In a summer all year long country, are we constantly working out and building energy? Where do we expand those energy? Any thoughts?
Last week in Tokyo, members of the RAISE Forum gathered for the 11th meeting since its inauguration in November 2004. In the past two to three years, activities and participations in the Forum meetings seemed to have slowed down, but core members from Japan, South Korea, Chinese Taipei, Malaysia, and Singapore continued to be active in organising and facilitating the proceedings, focusing mainly on information sharing and keeping each other updated on their respective economies’ developments (in terms of information security and standards). Malaysia, as one of the founding members, also continued to contribute through remote participation (thanks also to the WebEx conferencing tool) even though they couldn’t get the funding to attend the meeting physically.
In this meeting, there were two interesting developments. We have our mainland China’s members sending four representatives and providing two contributions to the proceedings, expanding the members’ presence in the meeting and increasing the level of activities in the forum. At the close of the meeting, we also agreed on two new initiatives to pursue forward. As this is still a semi-open forum, I shall not discuss more details about the new work items proposed until we have something more concrete to share. Meanwhile, if anyone in Asia has interest to participate and contribute (not just observe and listen ;-)) to improve the sharing of information security learning and experience, feel free to drop a comment here, or send a direct message to us in Twitter @raiseforum, or our alternative RAISE Forum group site at LinkedIn.
Special thanks to Japan NICT for their sponsorship for the meeting, and our Japanese members for organising the logistics and administrative supports, including the reception gathering, which all made the meeting possible and successfully held for the 11th times. Our next meeting will be held in mainland China, organise by our P.R. China members.
Stay in touch!