Monthly Archives: March 2014

Choosing your language for your audience when communicating risk

communicatingriskthumbnail

Learning another language …

Communicating risk requires identifying the right language for the right audience. While your experience may be in technical systems and all of the things that can go wrong with them, trying to communicate risk in technical terms to business leaders is generally a futile endeavor. There are a couple of reasons for this:

1) Technical systems and the risk issues that go along with them typically are heavily jargon-laden and without a lot of reference points to the outside world.
2) Everybody has limited bandwidth for talking about risk. You’ve got a very narrow window in which to communicate the issues.

That second point is one of the best pieces of advice that I’ve ever received regarding communicating risk. No matter how good your message may be, there is a finite amount of tolerance that people have to discuss risk in a given discussion. Exceed that window and you’ll be able to hear the clunk as their eyes roll into the backs of their heads.

All the more reason for choosing your language carefully. So, instead of techno-speak, when talking to business leaders, speak in terms of things that are meaningful to them. Depending on your background, this preparation may require a little bit of work on your part. What information products/services (eg reports, databases, workflows, etc) do they count on to do their work? What things do they count on to look good to peers and bosses? (This one may sound childish, but it’s not. It’s got a solid foothold in Mazlow’s hierarchy of needs).

Once you’ve identified what those needs are, you can work backwards to what information systems support them and what risks are associated with those technical systems. Techno-speak with the people supporting these systems is okay, that’s their language. But when communicating risk to business people (possibly to get funding to support your risk mitigation), you’ve got to speak their language.

The Downloads page has a pdf of this graphic.

Good cybersecurity advice to SMB’s from California AG

californiaag

Kamala Harris, Attorney General, California Department of Justice

Kamala Harris, Attorney General, California has posted some pretty good cybersecurity advice for small and medium sized businesses (SMB’s) in that state.

California has 3.5 million small businesses which represents 99% of all employers. The report states 98% of their SMB’s use wireless technology of some sort, 85% use smartphones, 67% using websites, 41% on Facebook, and 36% using LinkedIn.  I would speculate that other states, while not as large, probably have similar percentages of types of technology use.

The document covers threats such as social engineering scams, network attacks, physical attacks, and mobile attacks as threats to SMB’s in that state. Overviews of data protection and encryption, access control, incident response, and authentication mechanisms are also provided.

 

The core tenets espoused by the document are:

  1. Assume you’re a target
  2. Lead by example
  3. Map your data
  4. Encrypt your data
  5. Bank securely
  6. Defend yourself
  7. Educate employees
  8. Be password wise
  9. Operate securely
  10. Plan for the worst

This document does a great job of providing an overview of cybersecurity issues and initial effort prioritization for SMB’s. It would be great to see other States follow their lead.

Cybersecurity & Prussian pragmatics

clausewitz

Carl von Clausewitz

Carl von Clausewitz, Prussian General, famed war theorist, member of the OQBLRC (Often Quoted But Little Read Club), and author of On War makes this statement in Chapter 3 of On War:

“Our knowledge of circumstances has increased, but our uncertainty, instead of having diminished, has only increased. The reason of this is, that we do not gain all our experience at once, but by degrees; so our determinations continue to be assailed incessantly by fresh experience; and the mind, if we may use the expression, must always be under arms.”

Sounds a little bit like what we are trying to do today with information security and risk management, doesn’t it? In spite of massive amounts of information, we actually have more uncertainty. We’re less well-positioned to make good decisions and we’re less confident when we make those decisions.

In information security and risk management, we are constantly learning. While there is some common ground over time, this year is different from last year, this month is different from last month. There are relentlessly new attack techniques, new tools, new players, new alliances, new motivations, new targets, and new vulnerabilities. We are in the position of perpetual learning. In Clausewitz’ words, “we do not gain all our experience at once … [we] are assailed incessantly by fresh experience.” While a different context, I think we can heed Clausewitz’ advice that “the mind … must always be under arms” in our modern cybersecurity environment.

However, not to despair …

Reason for hope #1 — leadership & coup d’oeil

If we can extend the metaphor of kinetic battle a little bit further, Clausewitz tells us that, in the middle of the fur ball of confusion and uncertainty, there are moments of brief understanding of the greater gestalt, though, and that these moments are stepping stones to truth that can guide us in decision making. This has been called coup d’oeil by the French, Napoleon among others, — “There is a gift of being able to see at a glance the possibilities offered by the terrain…One can call it the coup d’œil militaire and it is inborn in great generals.”

I don’t know that we have ‘great generals’ in cyberwarfare, privacy, and business security yet, but I believe that this metaphor suggests that there could be. These are the few that simultaneously see more deeply, more broadly and are resolute in their decisions. Which brings us to ‘resolution’…

Reason for hope #2 — leadership and resolution

Clausewitz says that resolution is what removes “torments of doubt and the dangers of delay when there are no sufficient motives for guidance.” For those of us in the business of information security and managing risk, that is akin to acting with intention even while knowing that we have incomplete information. And we always have incomplete information. However, what often happens in the presence of partial information and the uncertainty that it generates, is that no action is taken or undirected action is taken.

Clausewitz is saying that having that capacity for coup d’oeil — that fleeting glimpse of the comprehensive picture — the great generals then act with intention and resolution to effect their purpose.

Maybe that will be the same with cybersecurity as well, that great generals and leadership will make the difference.

 

[Image: WikiCommons]

Biometric systems can put unseen burden and risk on IT infrastructure

eyeimageRemember the old ad line, “Sell the sizzle, not the steak” ? There seems to be a lot of that going on with biometric systems.  There’s all kinds of excitement about what new body part can be quantified and its near-holy-grail-ness for authentication (the sizzle), but not a lot of talk about the infrastructure required (the steak) to provide the sizzle.  By default, the cost of the steak falls back to the customer, the implementer of the biometrics system.

Interest in biometrics systems for authentication — sensing fingerprints, iris scanning, voice, other — continues to accelerate for several reasons:

  • recognition of inadequacy of passwords as sole system for authentication
  • increasingly hostile online world — cybercrime, nation-state actors, civil unrest
  • rise of the Internet of Things — rapidly increasing ability to manufacture and deploy inexpensive, microcontrolled, networked sensors
800px-Biometric_system_diagram

Image: WikiCommons

Complex Subsystems

Biometrics systems require several functional, secure, and integrated components to work properly with appropriate privacy requirements in mind. They need a template to structure and store the biometric data, secure transmission and storage capabilities, enrollment processes, authentication processes, and other components.  These backend systems and processes, the steak, can be large, complex, and require real oversight and resources.  For example, the enrollment process (getting someone’s biometric profile, aka template, into the database involves multiple, if quick, phases — sensing, pre-processing, feature extraction, template generation, etc.)

Like all systems, there are many points of attack or places where the system has some vulnerabilities as indicated in this vulnerability diagram in a paper by Jain, et al in this article.

fishbonevulnerabilities

Biometric Template Security. Jain, Nandakumar, Nagar.

 

Uncaptured Cost of Infrastructure Enhancement

While there are many points of failure (again as in all systems), the infrastructure component lies squarely with the customer.  Its cost will show up as required enhancements, resources, and staffing to support the additional required infrastructure or it will show up as the cost of unmitigated risk.

biometricvulnerability3

Biometric Template Security: Challenges & Solutions. Jain, Ross, Uludag. (comment by author) http://bit.ly/1fWC21i

The infrastructure cost (or cost of unmitigated risk) occurs because the user’s biometric profile has to be stored somewhere and has to be transmitted to that somewhere and all the other things that we sometimes do with data — backup locally, backup at a distance, audit, maybe validate, etc.   That profile data is the data that is used for comparison for a new real-time scan when someone is trying to unlock a door, for example.  It is the reference point.

Because biometric data is about as personal as you can get, way more personal than a Social Security Number or credit card number — you can change those after all — that personal profile data needs to be highly protected.  So that means that, at a minimum,  you’ll probably want to store the profile encrypted and also transmit the data in encrypted sessions. That’s generally an IT infrastructure function, not a biometric device function.

Some questions to ask your vendor

When considering purchase of a biometric system, a partial list of things to consider might include:

  1. How is the biometric profile data (a parameterized fingerprint, for example) exchanged between the sensing/scanning device and the database that stores the parameter? Is it encrypted? If encrypted, how is it encrypted? Protocols?
  2. Is biometric profile data cached on the device either at time of enrollment or actual use? If so, how long? While cached, is it encrypted?
  3. Does the system use 3rd party software anywhere in the chain, eg device configuration via web service? If so, who wrote it? What is their reputation?
  4. Does the device manufacturer publish data on the current chip set? Chip manufacturer, version, when purchased, etc?
  5. How long does the enrollment process take?
  6. What is the scope of the install? Door entry? Computer access? Other?
  7. Are there other installations? Case histories of user adoption?
  8. Are there auditing, logging, reporting functions from the system?

Whether the biometric system includes just the sensing endpoint device or has backend support to include database and application support,  it is critical that the customer knows where the biometric system infrastructure ends and where their own infrastructure begins and has to carry the burden of the new biometric system implementation.

To ensure privacy and security, someone has to pay for the steak that provides the sizzle. It’s best to figure that out who’s going to do that ahead of time.

 

Other reading:

 

 

[Eye Image: licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license.