After much anticipation, my new book, “Responsive Security – Be Ready to Be Secure“, is finally published today. Thanks to Prof Pauline Reich of Waseda University, and Chuan Wei Hoo, who helped to proof read the earlier drafts, my publisher, Ruijun He, my editor, Iris Fahrer, and many friends and family members for all the supports and assistance rendered throughout the long process to make this possible.
The book is based on my thesis on a Piezoelectric Approach on Information Security Risk Management, which captures the past decade of my experience and learning from my practice and fellow practitioners whom I have the opportunity to work with. The book walks through our current knowledge and principles of practice in information security risk management, with discourses on the underlying issues and dilemmas in a constantly changing risk environment. It introduces the concepts of responsiveness, and highlights the importance of readiness and preparedness in face of changes that we may not always able to anticipate, and lest unable to predict. Responsive Security focuses on events that could lead to systems failures rather than the current industry’s focus on the search for vulnerabilities and learning how perpetrators exploit and attack.
If you are interested to find out more about the Responsive Security concepts and approach, the book is now available at CRC Press (http://www.crcpress.com/product/isbn/9781466584303) and also Amazon, where an e-book version has also been published.
Talking about Shandong in the previous blog (“Before the ashes turn cold“) yesterday, in fact, I just came back from our 12th RAISE Forum meeting which was held at Jinan, the capital city of Shandong province in China on March 27 and 28, 2013. The meeting was co-sponsored and jointly organized by Beijing Powertime (北京时代新威) and Timesure, supported by the Association of China Information Security Industry (ACISI), and co-sponsored by (ISC)2.
Bruce Schneier wrote an interesting piece recently about the use of technology for political purposes and suggests that we need “more research into how to circumvent these technologies”: https://www.schneier.com/blog/archives/2013/04/it_for_oppressi.html
Technology is like a knife (in fact, a knife is also a technology). It is double-edged. It depends on the user more than the provider in terms of its application. If a user uses a knife to kill a human being, it is against the law, it is even considered barbaric, animal, etc. We know its danger, but that alone will not stop its use. If we look at the history of technology, explosive was discovered in China many years ago. The emperor then was worried about its negative effects and forbid further research and use. But its utility is far beyond the fear of the imperial order or the negative effects of an explosion. In the hands of the inquisitive minded scientists and the powerful politicians, it has since evolved and today it is not just gunpowder explosive that we are worried about anymore.
Finding ways to circumvent technology would reveal weaknesses that help the provider to strengthen it. It may even create a market selling the idea of its “safe use”. Even if a technology provider decided to discard it, another may acquire or reinvent it, as long as there’s a demand.
Beneath technology is intellectual, knowledge, and information. Knowledge is power. Information flows.
In the Qin (秦) dynasty period, the first emperor of China understood that knowledge is power, and was therefore fearful of the potential threats of scholars and their teachings to his rule of the country. As a result, the Qin emperor ordered the burning of books in an attempt to stop people from learning. Nevertheless, the dynasty was overthrown by two rebels who were illiterates. A poet in the late Tang dynasty summarizes this elegantly, “坑灰未冷山东乱，刘项原来不读书”, which roughly translates, “Before the ashes (of the books) turn cold, Shandong has already rebelled; Liu and Xian (the two leaders of the rebels) were in fact illiterate.” A few emperors in subsequent dynasties did the same thing and again failed badly.
Today, we thought that China and many others would have learned from history that censorship is not an effective tool for maintaining control of information and power (based on the historical lessons learnt). But they don’t. Control gives the perception of power. Power blinds one from seeing things clearly. Letting go (detachment), as we learn in Buddhism, is not a simple thing.
Our office at the new business park is an attraction in many regards. There are massage chairs in the lobby area, free flow of coffee and tea in the open pantry, and various forms of open and semi-open areas for local on-site collaboration as well as video-on-demand, telepresence collaboration with remote sites. As in many other companies’ offices, badge access is a norm, and so do ours.
Interestingly, the washrooms at our floors, which are situated outside the badged area, near the lift lobby of each floor, have their own access controls. Each has a mechanical number lock installed on the door. As the washroom is a shared facility, with many people using it, the “secret” number to unlock the lock has to be known to all employees, contractors, and visitors. If however you belong to one of these groups, but still don’t know the number, there’s no need to worry or do a brute force attack to crack the secret numbers. You can simply follow someone in, or wait for someone to come out and hold the door to get in. Alternatively, you can go to the mail room nearby and ask the folks there cordially, and they will give you the number. In fact, if you ask anyone who happen to walk by, cordially, they will also happily reveal to you the secret to the valuable rest room.
The question is, why do “someone” decided to have such a lock that provides a real sense of insecurity and a false sense of safety to people in the building?
I found out later that the requirement was raised (by “someone”) as those washrooms have shower facilities in them, and the access control is to provide as a form of safety to people taking shower as well as prevent some other people from taking shower. Seems like a reasonable requirement. Clearly, the security solution implemented has not met the requirements, and everyone else just “follow the flows”.
At another floor in the same building, another “someone” somehow decided to use a badge access control for the washrooms access, inline with those for the normal office access. This provides better consistency, and serves its purpose, i.e., meeting the requirements. Furthermore, with an electronic badge access system, if the shower gets overused, someone can turn on the logging and start monitoring the usage of the facility to find out who have been showering all the time.
This is a post that I have drafted roughly about two years ago, when I was still living in Beijing at that time, on an early autumn day. As we approach the end of August, here in San Jose this week, I feel that the temperature is lowering each day, and yesterday, I came across this short article at Nanfang Weekend (南方周末), it reminded me about this post that I still have over here to share some related thoughts.
As the season changes from summer to autumn, we see a changing surrounding of yellowing leaves, and feel the cooler breezes of wind, and lowering temperature. Along with these changes, we often hear Chinese physicians advising the public from radio and TV stations to beware and be careful of the chilling wind, and at this stage of seasonal change, from summer to autumn, not to put on too much warm clothing too quickly as well. The opposite during the change from winter to spring. As our individual body system has its own unique vulnerabilities, the consequence of such exposure to the changing environment could range from catching a cold to a stroke (for the older folks, especially those with a heart condition or high blood pressure). In fact, I can feel the wind is more chilling early in the morning and evening now than during the summer period. I recall a year ago at around this period, in one of the morning, I drove to office and decided to wind down the windows to enjoy the early autumn breezes, and it was quite cooling and pleasant through the journey. Shortly after arriving at office, however, my neck got stiffer by the minutes and it was impossible for me to turn to either side by noon. That lasted for a few days even with a daily massage by a Chinese physician. In my first year in Beijing, I caught a cold in the same period for putting on too much warm clothing too early as well. Adaptation to change is never easy.
Maybe my neck is just too weak after so many years of fixating at the computer/laptop display, and I was living in a yearlong summer season country for so many years then that a slight drop in temperature is a big change that my body reacted to too quickly.
In any case, such seasonal change reminds of the importance of change management in our digital world as well. As organization undergoes ongoing changes, especially from closing one financial quarter to beginning a new quarter, or moving from one fiscal year to another, there are often new or evolved goals, objectives, directions that are put forward, in which changes to the supporting and operating environment follow. The wind of change has its own effect on information security. The consequence of not understanding the information security risks associated with those changes, and not managing or preparing for them appropriately could leave the organization systems with severe gaps or hidden issues. The effect may be minor in some cases, like catching a cold that could be recovered quite quickly by resolving the issues, to severe illness causing prolonged period of downtime or inefficiency. In the worst case, exposing critical systems or information to breaches or compromises. As reported in a not too recent incident, the repeated use of an outdated procedure in a maintenance process had resulted in more than six hours of downtime for a major bank in Singapore. So, before your organization catches a cold in the process of change, best to work the security changes into the planned change, or the seasonal change. In the traditional Chinese health systems approach, the summer is the season to build up energy and get ready for the cooling autumn and chilling winter to come. Going outdoor, working out physically, and taking energy-enhancing food are amongst the common advise from the Chinese physicians. Similarly, in the period before an anticipated change event, or unanticipated incidents, getting organisation (including people) ready (through planning, training, drills/exercises, etc) are important activities that should not be taken lightly.
One question though, what about places like Singapore that don’t really have a four season? In a summer all year long country, are we constantly working out and building energy? Where do we expand those energy? Any thoughts?
Last week in Tokyo, members of the RAISE Forum gathered for the 11th meeting since its inauguration in November 2004. In the past two to three years, activities and participations in the Forum meetings seemed to have slowed down, but core members from Japan, South Korea, Chinese Taipei, Malaysia, and Singapore continued to be active in organising and facilitating the proceedings, focusing mainly on information sharing and keeping each other updated on their respective economies’ developments (in terms of information security and standards). Malaysia, as one of the founding members, also continued to contribute through remote participation (thanks also to the WebEx conferencing tool) even though they couldn’t get the funding to attend the meeting physically.
In this meeting, there were two interesting developments. We have our mainland China’s members sending four representatives and providing two contributions to the proceedings, expanding the members’ presence in the meeting and increasing the level of activities in the forum. At the close of the meeting, we also agreed on two new initiatives to pursue forward. As this is still a semi-open forum, I shall not discuss more details about the new work items proposed until we have something more concrete to share. Meanwhile, if anyone in Asia has interest to participate and contribute (not just observe and listen ;-)) to improve the sharing of information security learning and experience, feel free to drop a comment here, or send a direct message to us in Twitter @raiseforum, or our alternative RAISE Forum group site at LinkedIn.
Special thanks to Japan NICT for their sponsorship for the meeting, and our Japanese members for organising the logistics and administrative supports, including the reception gathering, which all made the meeting possible and successfully held for the 11th times. Our next meeting will be held in mainland China, organise by our P.R. China members.
Stay in touch!
Walking past a row of cars parked alongside the street next to my apartment this morning, I noticed that a number of them have their safety belts already buckled. They reminded me of a habit common amongst many drivers and passengers in China, that they would drive without the safety belt on. For newer cars whereby an alarm would go off reminding of an unbuckled seat belt when the engine has started and the door closed, the driver and passenger would normally have the belt buckled and then sit over it, and hence those in the parked cars. In Chinese term, this is simply “上有政策，下有对策”, a common phrase stating that when the top set up a policy, the bottom will have counter measures in response. So when the car manufacturer installed new technology to enforce a safety measure, the user counter it with changing the way it is being used, buckling it to the seat permanently so the alarm no longer goes off. To them, they have chosen to tradeoff their safety for more comfort without the seat belt. Maybe the always congested traffic in cities like Shanghai and Beijing simply make the use of the safety belt less meaningful when they can’t even accelerate to a speed faster than 60 km per hour in most roads. To many, the irritation or inconvenience is simply uncalled for as the “it won’t happen to me” syndrome prevails.
The same thinking runs through the head of many Internet users as well. If we look around, a common user resistance against information security measures is remembering passwords. Users would often find ways and means to find an easy to remember (not necessarily difficult to guess) password to be accepted by the application, and have the same password used across as many applications as possible so that they have less to remember and can get online to use the Web as quickly as possible.
Ironically, unlike car manufacturers improving their safety defaults, many web sites are designed to help users in forgetting their passwords, with the so called “Remember my ID/password” feature as a preselected, ticked checkbox at the user’s first logon. A car driver or passenger may be conscious to see an accident coming, and if alert enough, may still be able to avoid or reduce the corresponding impact. In fact, most drivers and passengers even in China would put on the seat belt (over their body, not behind) when they get on to the express way where the traffic is flowing freely. In short, they still have a choice of when to use it, and also how to respond to changing situation, even though not always making the right ones.
The “Remember my password” feature however makes the user feel safe about the action, and in many cases, would not even let the user notice about an attack on the password store occurring right in front of her. What it instills often is a notion of inconvenience when the user has to remember her passwords. The question is, why implement a password feature if the web site provider doesn’t believe in it and introduce other measures to help users circumvent its use?
Coincidentally, before writing this, I just watched Apple’s new products announcement, which recaps some of the new features in the upcoming iOS 5. Amongst them, Twitter integration with iOS 5 was called out, and the presenter said, which is also stated at Apple’s web site, “Sign in once in Settings, and suddenly you can tweet directly from Safari, Photos, Camera, YouTube, or Maps. Want to mention or @reply to a friend, … you can start typing and iOS 5 does the rest”. So it now has your buckle on by the default before you Tweet. Is it in front or behind your body?