Bright Stove

Reflecting information risk journey

Archive for the ‘Awareness’ Category

On risk, uncertainty, and impact


Risk management is an approach that is commonly used across many industries. However, the language of risk has not been consistent or easy to understand across the existing risk literature. In particular, the definition of risk is at times mixed up with uncertainty (e.g., ISO 31000 and ISO/IEC 73), and described in terms of the value of the asset involved (e.g., ISO 51 and 63). This has not helped in evaluating risks and making risk-informed decisions. This blog is an attempt to clarify these terminologies and provide a better understanding of them.

Risk versus Uncertainty

Risk and uncertainty are two separate concepts or ideas. Risk is neither a subset nor a branch of uncertainty principles. As Frank Knight pronounced in his classic work “Risk, Uncertainty, and Profit”, “If you don’t know for sure what will happen, but you know the odds, that’s risk, and if you don’t even know the odds, that’s uncertainty” (Knight, 2006). This delineation of risk and uncertainty is fundamental and important.

Risk is tied to the possibility of loss, like gambling. Uncertainty, on the other hand, is merely the unknown; loss is not always involved. Yet, uncertainty makes us more uneasy than when we face a situation that has known risks. … The uncertainty we face in the dark has no real risk, just perceived risk, because we do not know, for sure, what’s out there. We desire an order, or perfect knowledge, that comes only when we turn on the lights. In the dark, there is no order (Bernstein, 1999).

As noted above, uncertainty is not necessarily a bad thing. Recognizing uncertainty is part of the decision-making process.

We experience true uncertainty when we do not know the probabilities of the possible outcomes because we do not even know what all of the possible outcomes are. By understanding how truly ignorant we are, we will be able to make better decisions, even as we continue to make mistakes (Peter Edgar in Bernstein, 1999, p. x).

On Risk 

Quantitatively, risk is normally expressed in terms of the probability of occurrence of the threats involved. This probability is influenced by the presence of a vulnerability, and by the ease of exploiting that vulnerability.

The constituent parts of a risk are therefore the threats and vulnerabilities associated with the system being evaluated. In other words, risk is a function of threats and vulnerabilities, r = f(t, v), where the two combine multiplicatively (t × v) (McChrystal & Butrico, 2021, pp. 10-11; Stewart, Chapple, & Gibson, 2015, p. 62). Risk exists when there is a threat in or around the system, and the system has a vulnerability (or weakness) that the threat can exploit. When the exploitation takes place, the risk is realized, or materialized. If a threat has a high probability of occurrence, but the associated vulnerability cannot be easily exploited, then the risk is effectively low. The converse is also true. We can also say that if there is no threat, i.e., r = f(0, v) = 0, there is no risk. Similarly, when there is no vulnerability, i.e., r = f(t, 0) = 0, there is also no risk. There will, however, always be threats (introduced by humans, technology, or nature, e.g., hurricanes and earthquakes), and weaknesses will always exist in any given system.

In the context of digital information systems, when managing information security risks, we use threat hunting, threat intelligence, and threat detection systems to help identify, detect, and measure threats that are operating or emerging in and around our systems, and we use tools such as vulnerability scanning, penetration testing, and patch management systems to identify, detect, and update or patch our systems’ vulnerabilities. By detecting threats early, and being prepared for their occurrence, we can isolate, block, and/or contain the blast radius (or scope of effect) of the threat, thereby reducing risk to our systems. Similarly, by getting our systems updated to the latest available patch, or implementing workarounds to reduce the exploitability of a vulnerability, we reduce our risk exposure level.

Note that there may also be other factors that influence risk. One example is time, as in Winn Schwartau’s “Time-based Security” (Schwartau, 2001). In the equity market, the timeliness of information plays a significant role in preventing frauds such as insider trading and in ensuring fair market practices. In such a situation, the risk of unauthorized disclosure of information that has influence over a company’s stock price changes with time. Before the information goes public (e.g., the announcement of a strategic acquisition or merger), the risk of unauthorized disclosure will be closely watched. Once the information has been released to the public, it is no longer confidential, but its integrity remains important, and the risk of unauthorized modification continues to be an important focus.

Risk versus impact (or Consequences)

The probability of a risk materializing, as computed from the risk equation (where r = f(t, v)), should not be confused with the potential magnitude of the impact that the risk may cause. For example, a statement such as “the risk is high as it can cause significant financial losses to our organization” is misleading. Does the risk have a high probability of occurrence because of the financial value involved, or because there is a threat that is likely to materialize due to the existence of certain vulnerabilities that can be easily exploited? We need clarity in order to manage the risk effectively. The magnitude of a risk materializing, also known as the potential impact, is the outcome or consequence; it is not inherent in the risk itself. Impact is related to the value of the system as an asset, not to the risk per se. Impact assessment is therefore a separate tool that is used in risk management, not in risk analysis. We should not rate a risk as high simply because the value of the asset involved is high.

By separating impact from the risk measurement, we can make our risk management decisions based on the significance of the risk in relation to the value of assets independently. We can weigh which is more important in a given context, and whether to focus on the value of the asset, or the risk specifically. Considering a two-level high-low risk rating system, we will have four situations:

  1. Low risk, high impact
  2. Low risk, low impact
  3. High risk, low impact 
  4. High risk, high impact

It is clear from this breakdown that our top priority for managing risk will be systems that fall into situation #4, high risk and high impact. Our next priority, i.e., either #1 or #3, will depend on whether we consider that the principle of “security is only as strong as the weakest link” should weigh more than the value of the specific asset involved. In a highly connected system environment where low- and high-value assets are interconnected and depend on each other, a high-risk issue found on a low-value asset may still end up impacting a high-value asset through that dependency and/or connectivity. In such a case, situation #3 will take precedence over situation #1. Alternatively, we may isolate the systems in #3 and address the risk issues in situation #1 with a higher priority. In either case, addressing situation #1 will still be desired, to prevent or reduce the effect of a Black Swan event (Taleb, 2007) should the low risk materialize on a high-value system. We should also continue to monitor and re-evaluate systems in situation #2 to make sure that they become neither the “weakest link” nor a Black Swan.
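An added worked example (not from the original post) that encodes this prioritization in Python: risk and impact are kept as separate two-level ratings, the four situations are numbered as above, and the connectivity argument is modelled by propagating impact along reachability edges, so that a high-risk issue on a low-value asset that can reach a high-value one is treated as situation #4. All asset names, ratings and edges are constructed sample data, and the isolate_low_value switch is an assumed name for the alternative of isolating the #3 systems and addressing #1 first.

```python
"""Prioritising findings with risk and impact kept as separate dimensions.

Added illustration for the four-situation breakdown; all asset names, ratings
and connectivity edges below are constructed sample data, not from the post.
"""
from collections import deque

LEVEL = {"low": 0, "high": 1}

# Situation numbers as given in the post: (risk, impact) -> situation
SITUATION = {
    ("low", "high"): 1,
    ("low", "low"): 2,
    ("high", "low"): 3,
    ("high", "high"): 4,
}

# Constructed sample inventory: own risk rating, own (asset value) impact,
# and which assets a compromise of this one can reach (dependency/connectivity).
SAMPLE_RISK = {
    "payroll-db": "low",
    "jump-host": "high",
    "kiosk-pc": "high",
    "test-vm": "low",
    "customer-portal": "high",
}
SAMPLE_IMPACT = {
    "payroll-db": "high",
    "jump-host": "low",
    "kiosk-pc": "low",
    "test-vm": "low",
    "customer-portal": "high",
}
SAMPLE_REACHES = {
    "jump-host": ["payroll-db"],   # admin path into the high-value database
    "test-vm": ["jump-host"],      # reaches payroll-db only transitively
}


def effective_impact(asset, impact, reaches):
    """Impact an asset carries once connectivity is taken into account.

    Walks every asset reachable from `asset` (transitively) and returns the
    highest own impact found: a high-risk issue on a low-value asset that can
    reach a high-value one inherits the high impact, which is the
    "weakest link" argument in the post.
    """
    seen, queue = {asset}, deque([asset])
    level = LEVEL[impact[asset]]
    while queue:
        cur = queue.popleft()
        level = max(level, LEVEL[impact[cur]])
        for nxt in reaches.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return "high" if level else "low"


def prioritise(risk, impact, reaches, isolate_low_value=False):
    """Return [(asset, risk, impact_used, situation)] in treatment order.

    #4 is always first and #2 last.  Between #1 and #3 the order depends on
    the environment: in a connected environment (default) effective impact is
    propagated, so a #3 finding on a stepping-stone asset becomes #4, and the
    remaining #3 items precede #1.  With isolate_low_value=True the low-value
    systems are assumed isolated, own impact is used, and #1 precedes #3.
    """
    rows = []
    for asset in risk:
        imp = impact[asset] if isolate_low_value else effective_impact(asset, impact, reaches)
        rows.append((asset, risk[asset], imp, SITUATION[(risk[asset], imp)]))
    order = {4: 0, 1: 1, 3: 2, 2: 3} if isolate_low_value else {4: 0, 3: 1, 1: 2, 2: 3}
    rows.sort(key=lambda r: (order[r[3]], r[0]))
    return rows


def rank_sample(isolate_low_value=False):
    """Run the prioritisation over the constructed sample inventory."""
    return prioritise(SAMPLE_RISK, SAMPLE_IMPACT, SAMPLE_REACHES, isolate_low_value)


if __name__ == "__main__":
    for mode in (False, True):
        print("isolated low-value systems" if mode else "connected environment")
        for asset, r, i, s in rank_sample(mode):
            print(f"  #{s} {asset:16s} risk={r:4s} impact={i}")
```

In the connected run, test-vm (low risk, low own value) is pulled into situation #1 because it reaches payroll-db through jump-host, which is the Black Swan case the post asks us to keep watching.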

References

Bernstein, P. L. (1999). Patterns in the Dark: Understanding Risk and Financial Crisis with Complexity Theory. John Wiley & Sons, Inc.

Knight, F. (2006). Risk, Uncertainty and Profit. New York: Dover Publications, Inc.

McChrystal, S., & Butrico, A. (2021). Risk: A User’s Guide. Penguin Business.

Schwartau, W. (2001). Time Based Security: Measuring Security and Defensive Strategies in a Networked Environment (Revised ed.). Interpact Press.

Stewart, J. M., Chapple, M., & Gibson, D. (2015). (ISC)2 Certified Information Systems Security Professional (CISSP) Official Study Guide (7th ed.). John Wiley and Sons.

Taleb, N. N. (2007). The Black Swan. Penguin Books.

Written by mengchow

December 1, 2021 at 10:01 pm

Responsive Security: Building an Enterprise Information Security System (《响应式安全:构建企业信息安全体系》)


More than three years ago, together with China Electronics Publishing House (中国电子出版社) and Professor Duan Haixin of Tsinghua, we started translating the book “Responsive Security”; it was finally published a few weeks ago and is now available on Amazon China and other online bookstores. The Chinese title, 《响应式安全:构建企业信息安全体系》 (Responsive Security: Building an Enterprise Information Security System), differs somewhat from the English title. This is mainly to make it easier for readers to find the book by searching for keywords. Otherwise, a more accurate title would have been 《响应式安全:有备无患》 (Responsive Security: Be Prepared, Avoid Harm).

Special thanks to editors Liu Jiao and Zheng Liujie of China Electronics Publishing House, Ruijun of Taylor & Francis, and Professor Duan Haixin and Dr. Wang Yongke of Tsinghua University for their behind-the-scenes work and support!


Written by mengchow

May 27, 2018 at 5:55 pm

Fear when it is dark, fear when there is light


We have a fear of the dark because we can’t see what is in it. Many of us probably have had a similar experience of walking up or down an unlit stairwell in the middle of the night, or into a dark room or some such place. Our mind responds to the change. With a sudden surge of attention, our retinas open without us having to give any command as we try to peer into the darkness. Our ears strain for the slightest sound in the vicinity, our nose tries to sense any unusual smell, and any unpleasant smell suddenly seems fouler than usual. Our body also reacts to any notable temperature change, and if our fear heightens, we start to sweat, along with a series of goose bumps. What is happening is that our body is trying to collect data about the surrounding environment, and our brain is working hard to analyze and interpret those data. The less data we get, the more fear our mind generates, which is probably a way to get us to do something: collect more data, or just do something through which we may get some (more) data about the unknowns in the dark. The “do something” can be a different action for different individuals. Some may just try to escape the dark. What we would like to be able to do is to pause, calm ourselves, look for light (the flashlight on our mobile phone is pretty convenient these days), move forward slowly, feel for something to hold, or backtrack. But our legs might already have stiffened from the fear generated. Even then, many try to calm down and take stock after some frightful time of wondering. We give up only when our heart stops. Meanwhile, our mind continues to search for a way out, or scares us into desirable or undesirable actions.

If you read all the dark stories and news of exploitation and attacks, you may feel that Cyberspace is a dark place. Many users, however, don’t seem to have any fear of it. That’s primarily because their experience is often shielded by the layer of Web user interface (web browser, mobile apps, etc.) that gives them the perception that they are in the light, and that they are in control. Basically, it blocks their fear sensors. What we need is to surface the known risks so that the darkness in Cyberspace becomes visible. Besides being educated so that their body/mind sensors would respond to those risks, users need to be trained to be competent to deal with the risks appropriately, that is, to practice secure computing.

Shutting them out or designating specific devices for use in Cyberspace is unlikely to change their mind sensors or influence their behaviors against those risks. On the surface, it will seem that the overall attack surface has been reduced as a specific channel of exposure gets shut down. Like water, the risk will flow towards the permitted devices, especially those that do not have the level of security protection available on corporate machines. Weak links prevail. More importantly, users will find ways to overcome the restrictions in the name of getting their job done more efficiently. If an insider wants to leak information, he/she will find ways to do it as well.

What’s in the dark stairwell remains dark until we get some light on it. We bring light to counter darkness. The moment we are able to see, our fear subsides. Our other sensors also begin to stand down. However, visibility can also generate fear, like when we encounter fog or a sudden heavy downpour while driving on a highway, or when another vehicle suddenly crosses over from the opposite side of the road and heads directly towards us, or when we light up the dark stairwell and immediately see a dead animal in front of us. Partial visibility can at times be worse, as our mind starts to interpret whatever it can and may have our imagination running faster than our brain can process. Such situations can cause knee-jerk reactions and may result in dire consequences. The “16 waves of Cyber attacks” mentioned in the press on June 9, 2016 have certainly generated much fear of Cyberspace. Such fear that results from visibility is unlike that of the darkness. It calls for a different kind of response. It is not about collecting more data, but about reacting to the present (and also perceived) danger based on what has been learned. If we have to frequently take immediate reactive actions against known visible risks, our heart will also stop beating very soon. Since these are known risks, we can get ourselves prepared and be ready for them, so that we can deal with them as a “normal” response and our heart rate need not surge suddenly. Preparation will have to include not just people’s knowledge and competency, but also process and infrastructure (technology) readiness.

In short, visibility allows us to see and detect dangers, and gain situational awareness. Readiness enables us to contain and reduce the potential impact or damage. Stopping the fog or the heavy storms is not humanly possible. Do we choose to stop driving then? In many instances, people still drive when there’s a bad weather forecast. Why? They want to live their lives and not hide from, or be stopped by, the risks of nature. As such, like many others, we will continue to face off with the threats of nature when they arrive, and meanwhile we get ourselves prepared so that we have a lesser chance of being impacted by the danger. When we are already on the road, our readiness will save us at that moment. So we learn about slowing down (having brakes, the technology, ready all the time), turning on the head/tail/parking lights so others can see us, and tuning in to the weather/traffic channel if available (which is always on in big countries like the US). On top of these, we go for vehicle tests and check-ups periodically to gain assurance of the level of our technical readiness.

Some say that a bit of fear is good. I think so too. It gets us to take action to deal with those risks (note that risks are known potential dangers, whereas unknowns are hidden and uncertain). The challenge, however, is how to quantify “a bit of fear”. When does a bit become too much? Risk management is a trade-off: we give away some conveniences in return for safety or security. Inconveniences are real; they affect our daily life and consume our energy in many ways. However, a state of safety and security is a perception, a state of mind, something that is not measurable. We feel safe, or secure, when nothing happens. Nothing happening can also be because we have not seen the problem, have been distracted by something else, or do not have the capability to see it. How much we should trade off remains a challenge. We can never be “more secure”, since we don’t even know when we get there. Instead, we can be less insecure, by discovering or knowing the vulnerabilities, taking actions to continuously eliminate or reduce their potential for exploitation, and getting ready to respond when they do get exploited, or to detect any abnormality. Vulnerabilities can be measured, though we may continue to have new ones when old ones get fixed.

A well-known depiction of risk, vulnerability, and readiness is The Great Wave, created by Katsushika Hokusai in 1830 on a woodblock. It portrays the struggle of people whose livelihoods and property are “at risk” not just from the tsunami, but also from the volcano of Mount Fuji. It shows the social, economic, and physical vulnerability of the people, and their capacity and resilience, through the design of their boats and the way they row in parallel with the wave crest. The oarsmen appear to have interwoven their oars into a lattice, perhaps to prevent them from being smashed by the giant wave. That’s being ready. Hokusai’s great work of art is a reminder of the awareness of such hazards in Japan, as well as the way in which all households, groups, and societies cope with and adapt to such threats to their everyday lives and livelihoods (Wisner, et al., 2004).

Perhaps we need a version of The Great Wave to depict the Cybersecurity challenges, bring about greater awareness of the risks of Cyberspace, and promote a culture of capacity and readiness against ever-changing vulnerabilities.

References

Today news, June 9, 2016, “Singapore hit by 16 waves of attacks since April last year”.

Wisner, B., et al. (2004). At Risk: Natural Hazards, People’s Vulnerability and Disasters. Routledge.

Written by mengchow

July 28, 2016 at 4:05 pm

When our guard is down


We don’t normally feel the reality of a criminal attack on the Internet (or the so-called Cybercrime attack in Cyberspace these days) until someone we know, especially a friend or a relative, actually becomes a victim of such an incident. If we see an accident on the road, we actually see it. Our emotional state changes at that point, and we are likely to become more cautious, at least momentarily, and this heightened state of vigilance will likely stay with us for a short period until the image of the accident has been put behind us. Then nothing happens, and we let our guard down. Life goes on.

The visibility of risk in the online world (aka Cyberspace) is so opaque that even after learning about an incident that is still ongoing, when we go online, everything in front of us (in our own cyber landscape) still looks normal. The scene of the incident is not just virtual, but changes dynamically. If the victim is an end user, the affected end device is likely her home computer, tablet, or smartphone, which doesn’t even have a web front, and there are no network logs available to analyze, unlike what organizations have in most cases. Unless we are physically at the same location as the victim, we have to imagine what the scene looks like. It is not as observable. So our guard will remain down.

One common thing about Cybersecurity incidents is that when we hear or read about one, it is likely that it has already happened before. Otherwise, we may not even find out, especially as an end user. By searching online using keywords related to the problem, we then learn, as a third person, about a danger that we have been lucky not to have been exposed to, or perhaps not known to have been exposed to, and we are now able to learn how to find out whether we are truly lucky, or just ignorant. I guess that’s one of the benefits of having the Internet.

An old friend called last night. A few hours before, he had received a call from someone who claimed to be from Microsoft technical support, who informed him that his machine had been found infected with malware, and volunteered to help him solve it. But before they could help him, he had to renew his technical support contract, which cost S$399. Driven by fear of the unknown malware, and the urgency of the caller’s tone, he complied with the caller’s advice and proceeded to make the payment online. He then allowed the caller to take over control of his machine remotely, and the caller started installing stuff on it. After the person hung up the phone, while the remote installation continued, he started to think about what had just happened and decided to call me to check if Microsoft would do such a thing. Unfortunately, he had just fallen for a tech support scam 😦, and Microsoft has published quite substantial material about the scam at: https://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx.

As I reflect on this incident, a question emerges: what if I receive such a call myself? Would there be a chance that I get scammed as well? I think there is always a possibility, since I’m also a human being, and can react emotionally or impulsively, depending on how the caller manages the conversation. Furthermore, even as an information security worker, it is impossible for me to know every single possible way the scammers work. Today they may use tech support, tomorrow another service, and the next day something else that can get me to respond the way they want. There are just too many ways to break something or someone, and often it is not too difficult to do. Social engineering is already a mature craft by itself, as Robert B. Cialdini has shown in his book “Influence”, and Kevin D. Mitnick in “The Art of Deception”.

When asked about how to stay safe online, the short answer is often “be vigilant.” Unfortunately, it is impossible to be vigilant all the time. It would be highly stressful, and the effects on our health may even be worse than suffering from an online scam. In reality, our guard is often down. We react to situations as they develop. What’s worse is that we also have a tendency to develop and use automation in our brain to take shortcuts and react quickly. The default mode is often to react automatically, which is a survival instinct, especially when triggered under pressure, as Robert B. Cialdini has discovered in his research and experience described in “Influence”.

In the organizational context, readiness drills and exercises can help to heighten users’ awareness, build up the technical infrastructure, and enhance individuals’ competencies to enable faster detection of and better responses to security attacks. For example, read my earlier blog on “Responsive Security in Action” in my blog series on Responsive Security. Many organizations have started doing this in the past few years. The security industry (for the enterprise market in particular) has in general been developing more products and services in recent years to facilitate higher security readiness as well. But for consumers at large, people who are not working for big organizations, how do we get them to be ready to be safe and secure? I think this is a much more challenging area. Over the years, I have thought about a few ideas, but these are just snippets of tactics, not a complete solution.

For example, can there be virtual security signposts and posters (in the form of warnings/alerts, or “watchful eyes”, instead of just advertisements) in the online environment where we browse and roam around regularly? How should the web architecture of the Internet evolve to facilitate security needs? Who should own the outcomes, which dictate the contents and the delivery?

Who should plan, organize, and fund Cyber readiness drills and exercises for citizens who are online as well? How can one tell if a drill is real or yet another scam? There is no simple answer to these questions, unfortunately.

What I’ve also realized through a number of incidents involving friends thus far is that money is a common denominator. That’s what most scammers are after (unless you are someone who has more to offer than money). If someone asks for money to be transferred, stop, take a deep breath, and think about it again: must I make this payment, and must it be now? This approach is similar to what Cialdini advises in “Influence” on how not to be scammed into buying things that we don’t need, i.e., turn off the automated reaction mode. Pause, think, then act. It may not be foolproof, since we are human and taking shortcuts is in our DNA. But if we can remember to slow down under stressful or questionable situations, it will very likely halt the incident from progressing to a full-blown one. Nevertheless, something not happening is not an observable outcome. Bear in mind that the attacker may also take less aggressive steps initially in order to gain our trust, and collect more information about us and our friends and family before executing her true mission. Question why we should trust this person (especially if he/she is someone we haven’t met previously) before proceeding.

Finally, if you are a Microsoft user, do take note of how to contact their official support: https://www.microsoft.com/en-sg/contact.aspx. Perhaps copy the contact information into your address book so it is always handy. For Apple users, I couldn’t find a local contact number for Apple support, just their general support site: http://www.apple.com/sg/support/contact/, which could still be useful.

Best wishes and a happy new year!

Written by mengchow

January 6, 2016 at 11:19 am

Blog series on Responsive Security


Written by mengchow

January 16, 2015 at 12:12 pm

A Black Swan on the ATM system


This past week’s news headlines have once again been filled with a number of significant cyber security incidents: data breaches at JP Morgan, the Bash shell vulnerability in a number of Unix/Linux operating systems (Apple OS X included), and many others. One was of particular interest, not because it happened just around our neighborhood, but because it concerns a risk-based approach to information security management. That’s the Automated Teller Machine (ATM) attacks incident in Malaysia, which was reported in major newspapers online and offline on or around September 30th, 2014.

I was first curious about the ATM attacks as Malaysia had not had an ATM-related fraud for quite some time, at least a few years since all the banks there had upgraded their ATMs to a chip card (smartcard) based system. Prior to the upgrade, a number of banks were seriously impacted by major organized crime attacks on their magnetic card system, which involved the installation of a fraudulent reader to copy the cardholders’ account data from the magnetic stripe, and a tiny camera overlooking the PIN pad to capture the PIN as cardholders entered it while using the machine. With the smartcard-based system, data on the chip cannot be copied easily, which makes cloning the ATM card a major challenge. Capturing the PIN via an external camera by itself serves no purpose when the card cannot be cloned. The smartcard-based ATM card system basically “won” the war against the criminals. I was therefore interested to find out how the perpetrators did what they did and got away with it this time. A good thing is that the news reports did provide some useful information for understanding the gist of the attack.

As reported in various news sources, the attack essentially involves a combination of physical and logical techniques, and of course a certain amount of courage, confidence, and luck on the part of the perpetrator. The attack begins with the perpetrator forcing open the ATM’s physical enclosure to reach the computer, so as to insert a CD into the CD-ROM drive to launch the logical attack. It appears that the targeted ATM systems were all using a form of weak physical protection that did not even have a tamper-resistant setup that would shut the machine down, or an intrusion detection mechanism that would trigger an alarm when it is forced open. This looks like a fundamental design failure. Otherwise, it would have to be a weak lock, or someone compromising the key.

Once the perpetrator overcomes the physical “protection”, a malware (a file named ULSSM.EXE) that resides on the CD takes over the rest of the work. At this stage, the activation of the malware requires the machine to be running an operating system that is compatible with it (in this case, Windows XP), and, more importantly, configured (or rather, mis-configured) in such a way that it will “auto-run” the malware program from the CD-ROM. If it runs successfully, the perpetrator will eventually receive a code on his/her mobile phone that allows him/her to gain administrative access to the ATM and pour out whatever cash is still in the ATM at that point.

The perpetrator was either lucky, or had prior knowledge that the malware would work as planned and that there was sufficient cash in each machine to be worth the effort, or a combination of all of these. The ATM systems were apparently running Windows XP, had a CD-ROM drive installed, and had “auto-run” enabled (a default setting in Windows XP anyway). The total loss reported ranges from 450,000 to as high as 3.1 million Malaysian ringgit, over several (some say 17, others say 18) ATM systems across peninsular Malaysia, including Selangor, Melaka, and Johor.

To gain more insight into the attack, I did a quick search on the malware, ULSSM.EXE, and apparently it had been reported by quite a number of anti-virus software vendors as early as May 2014 (i.e., about four months ago). The first thing that came to mind was: even if it was reported four months ago, how would the bank know of such a unique malware, specifically targeted at ATM systems, among the millions of malware samples that have emerged in the period? A subsequent report in the news confirmed our expectation: the vendor of the ATM system should be monitoring for such vulnerabilities (and exploits) and informing their customers (the banks) accordingly. Whether the vendor actually contacted all their customers directly, or simply posted the vulnerability information on their web site, is not known.

In Symantec’s report, the malware is diagnosed as a Trojan, and named “Backdoor.Padpin”. Incidentally, the Trojan malware is rated as a “Very Low” risk, as shown in the screenshot captured from the Symantec web site on September 30th, 2014. The layout of the site seems to have been updated since, but the contents have remained unchanged.


The “Very Low” risk rating is based on three threat assessment factors: Wild Level, Potential Damage, and Distribution. At the time of their assessment (first on May 9, 2014, and subsequently updated on May 20, 2014), the Wild Level is rated “Low” since the number of infections reported is between 0 and 49, the number of sites infected is 2, and threat containment and removal are both assessed as “easy”. The Damage assessment is rated “Medium” as the payload involves “opening a backdoor”, “displaying sensitive information to the attacker”, and “disables the local network to avoid triggering alarms”. Finally, the Distribution is “Low” since only two sites had been reported infected at that time. If you were the security manager of a bank that uses the ATM system, how would you respond to such an advisory? My guess is that most security managers are not even going to see a report highlighting such a risk issue, given its “Very Low” risk rating, let alone take any precautionary step in view of the advisory that the vendor has published. There are many more “High Risk” items to pay attention to. In the online report, Symantec has also provided detailed recommendations for preventing and mitigating the malware. They might not have been read by anyone were it not for the attacks that have happened.

The risk rating (“Very Low”) appears to be largely influenced by the distribution, even though the potential impact is quite significant. What a “Medium” damage rating means is not clear, but the capabilities of the malware appear sophisticated, designed for a very specific purpose: being able to disable the local network and display sensitive information to the attacker at the same time. My retrospective assessment of the impact is perhaps influenced by the occurrence of the ATM attacks incident itself. As such, the incident looks very much like a Black Swan: a “low” risk but high impact incident, which we only find to be significant in retrospect, after it has occurred.


The Black Swan highlights one of the issues of a risk-based approach. That is, we can’t predict what will go wrong or how badly events will play out in the future. Incidents of the past are history, which tell us something about what can go wrong, but do not tell us whether it will happen again. Even if a future attack is similar, its frequency and distribution of occurrence are basically unknown. Our risk assessments can therefore be wrong, and the worst case is when a low risk issue materializes, since we tend to ignore or give very low priority to low risk issues. Ironically, a risk-based approach relies on risk assessment to make decisions.

A continuous risk assessment approach, which builds on the risk-based approach, does not fare much better. How often do organisations re-assess the risks of an existing system? If they adopt the ISO/IEC 27001 certification standard, the normal cycle is once a year. If an organisation relies on its internal control and audit function, as banks tend to do, it depends on their schedule and priorities. In all cases, each cycle will normally look at a different scope (due to limited resources, and many new systems to review). The security of the ATM systems is thus unlikely to get a reassessment of its risk for a long time if the bank has not made any significant changes to it. The previous major change is likely to have been the upgrade to the smart card system.

Getting back to the ATM incident in Malaysia, the vendor has responded, as reported in the news, that the banks were warned four months ago. Almost a week has passed since the ATM attacks involving the Trojan were publicised, yet the risk information on the Symantec site still reads “Updated: May 20th, 2014 9:44:15 PM” (as seen at the time of this writing, October 5, 2014 11:50 PM). Apparently, there is no continuous risk assessment for such a threat at its information source either.

Given our knowledge of the Black Swan, Nassim Taleb, the author of the book “The Black Swan“, has asserted the importance of designing and building robust systems that are “anti-fragile“. From the perspective of the victimised system, any attack occurs as a change event, or a series of change events, regardless of the attack’s outcome. A prerequisite for robustness, or antifragility, is therefore responsiveness, i.e., the ability to “see” the effects of those changes and trigger appropriate actions for criticality alignment. We shall discuss Responsive Security further in future posts; the main idea of this post is to highlight the Black Swan observed in the ATM system. Meanwhile, if you wish to learn more, check out the book itself via the links in the earlier post.

Be ready for the Year of the Wooden Horse

Today marks the start of a new year on the Lunar calendar. As the Chinese saying goes, as the spring season arrives, happiness and prosperity follow. I would like to wish everyone a happy and prosperous lunar new year.

According to the Chinese geomancy (feng shui) system, this Year of the Horse is a Wooden year, which makes it the Year of the Wooden Horse. That immediately calls to mind the well-known Trojan Horse. Perhaps it is a timely reminder of the many facets of security threats, which often exploit the surface appeal, innocence, or relevance of a subject to lure one into a hidden trap. Think spear phishing and spam mails. Be prepared for the Trojan; be ready to deal with the many hidden challenges.

This year is also the “Jia Wu” year (甲午年) in the lunar calendar (more accurately, in the sexagenary cycle, 六十花甲), which marks the 120th anniversary of the First Sino-Japanese War (甲午战争, 1894-1895). The current political tension between China and Japan over various territorial and historical issues does not give much comfort when we read about the historical conflict. Certainly, today’s situation differs vastly from that of 120 years ago. But again, we never know whether leaders will learn from the lessons of history. Perspectives on war often differ between the aggressor and the defender, and they get more complex as more parties are involved. The stakeholders are many, and solutions are never easy.

Similarly, perspectives on cybersecurity, cybercrime, cyberwar, and for that matter everything “cyber”, often differ as well. Unlike conflicts or competition between nations, where leaders and stakeholders have a choice of action or inaction, in cyberspace we often do not even know that we have been targeted, or who or what the enemy is. As such, what really matters to an individual or an organisation on the Internet is this: do we know what is at stake if something bad happens, have we thought about our potential exposure, and are we ready to respond? These questions may appear simple, but often we do not have the answers; simply put, we are not ready.

Once again, wishing everyone a happy new year! 祝大家马年吉祥,身体健康!

Written by mengchow

January 31, 2014 at 11:52 am

Responsive Security – Be Ready to Be Secure

After much anticipation, my new book, “Responsive Security – Be Ready to Be Secure“, is finally published today. Thanks to Prof Pauline Reich of Waseda University and Chuan Wei Hoo, who helped to proofread the earlier drafts, to my publisher, Ruijun He, my editor, Iris Fahrer, and to the many friends and family members for all the support and assistance rendered throughout the long process that made this possible.

The book is based on my thesis on a Piezoelectric Approach on Information Security Risk Management, which captures the past decade of my experience and learning from my own practice and from the fellow practitioners I have had the opportunity to work with. The book walks through our current knowledge and principles of practice in information security risk management, with discourses on the underlying issues and dilemmas in a constantly changing risk environment. It introduces the concept of responsiveness, and highlights the importance of readiness and preparedness in the face of changes that we may not always be able to anticipate, let alone predict. Responsive Security focuses on the events that could lead to system failures, rather than on the industry’s current focus on searching for vulnerabilities and learning how perpetrators exploit and attack.

If you are interested in finding out more about the Responsive Security concepts and approach, the book is now available from CRC Press (http://www.crcpress.com/product/isbn/9781466584303) and from Amazon, where an e-book version has also been published.

A real sense of insecurity

Our office at the new business park is an attraction in many regards. There are massage chairs in the lobby area, free-flowing coffee and tea in the open pantry, and various open and semi-open areas for on-site collaboration as well as video-on-demand and telepresence collaboration with remote sites. As in many other companies’ offices, badge access is the norm, and ours is no exception.

Photo: toilet door with mechanical number lock
Interestingly, the washrooms on our floors, which are situated outside the badged area near the lift lobby of each floor, have their own access controls. Each has a mechanical number lock installed on the door. As the washroom is a shared facility used by many people, the “secret” number that opens the lock has to be known to all employees, contractors, and visitors. If, however, you belong to one of these groups but still do not know the number, there is no need to worry, or to brute-force the combination. You can simply follow someone in, or wait for someone to come out and hold the door. Alternatively, you can go to the mail room nearby and ask the folks there cordially, and they will give you the number. In fact, if you cordially ask anyone who happens to walk by, they will also happily reveal to you the secret to the valuable rest room.

The question is, why did “someone” decide to install a lock that provides a real sense of insecurity, and a false sense of safety, to the people in the building?

I found out later that the requirement was raised (by “someone”) because those washrooms have shower facilities in them, and the access control was meant to provide a measure of safety to people taking a shower, as well as to prevent certain other people from using the showers. That seems a reasonable requirement. Clearly, the security solution implemented has not met it, and everyone else just “goes with the flow”.

On another floor in the same building, another “someone” decided to use badge access control for the washrooms, in line with that for normal office access. This is more consistent and serves its purpose, i.e., it meets the requirement. Unlike a combination shared with everyone, a badge identifies an individual, can be revoked for that individual alone, and leaves a record of who entered. Furthermore, with an electronic badge access system, if the showers are overused, someone can turn on logging and monitor usage of the facility to find out who has been showering all the time.

Written by mengchow

February 7, 2013 at 5:44 pm

Changing season

This is a post that I drafted roughly two years ago, on an early autumn day when I was still living in Beijing. As we approach the end of August here in San Jose, I feel the temperature dropping each day, and yesterday I came across a short article in Nanfang Weekend (南方周末) that reminded me of this draft, which I still have here to share some related thoughts.

As the season changes from summer to autumn, we see our surroundings change with yellowing leaves, and feel the cooler breezes and falling temperatures. Along with these changes, we often hear Chinese physicians on radio and TV advising the public to beware of the chilling wind and, at this stage of the change from summer to autumn, not to put on too much warm clothing too quickly; the opposite applies during the change from winter to spring. As each of our bodies has its own unique vulnerabilities, the consequences of exposure to the changing environment can range from catching a cold to a stroke (for older folks, especially those with a heart condition or high blood pressure). In fact, I can feel that the wind is more chilling early in the morning and in the evening now than during the summer period. I recall that a year ago, around this period, I drove to the office one morning and decided to wind down the windows to enjoy the early autumn breeze; it was quite cool and pleasant throughout the journey. Shortly after arriving at the office, however, my neck grew stiffer by the minute, and by noon it was impossible for me to turn to either side. That lasted for a few days, even with a daily massage by a Chinese physician. In my first year in Beijing, I caught a cold in the same period from putting on too much warm clothing too early. Adaptation to change is never easy.

Maybe my neck is just too weak after so many years of staring at a computer or laptop display, and having lived in a year-round summer country for so many years, a slight drop in temperature was a big change that my body reacted to too quickly.

In any case, such seasonal change reminds me of the importance of change management in our digital world as well. As an organisation undergoes ongoing change, especially when closing one financial quarter and beginning the next, or moving from one fiscal year to another, new or evolved goals, objectives and directions are often put forward, and changes to the supporting and operating environment follow. The wind of change has its own effect on information security. The consequence of not understanding the information security risks associated with those changes, and of not managing or preparing for them appropriately, could leave the organisation’s systems with severe gaps or hidden issues. The effect may range from minor, like catching a cold from which one recovers quickly once the issues are resolved, to a severe illness causing a prolonged period of downtime or inefficiency, or, in the worst case, exposing critical systems or information to breaches or compromise. As reported in a not too recent incident, the repeated use of an outdated procedure in a maintenance process resulted in more than six hours of downtime for a major bank in Singapore.

So, before your organisation catches a cold in the process of change, it is best to work the security changes into the planned change, or the seasonal change. In the traditional Chinese approach to health, summer is the season to build up energy and get ready for the cooling autumn and chilling winter to come. Going outdoors, exercising, and eating energy-enhancing food are among the common advice from Chinese physicians. Similarly, in the period before an anticipated change event, or before unanticipated incidents, getting the organisation (including its people) ready, through planning, training, drills and exercises, is an important activity that should not be taken lightly.

One question, though: what about places like Singapore that do not really have four seasons? In a country where it is summer all year long, are we constantly working out and building energy? Where do we expend that energy? Any thoughts?

Written by mengchow

August 20, 2012 at 12:54 am