Security policy as death contract

I worked with a customer in the waning days of a significant security breach. The customer vocally committed to making cyber security a top priority. *

This commitment included efforts I worked on.

Another item this commitment included was an updated security policy.

The two came into conflict — the new policy, written during the breach and approved immediately upon recovery, was absolute. Part of its strictness was a lack of a clear policy exception process.

The other problem is that the policy, enacted while in reaction mode, was not time limited.

Fast forward 6 months and my team and I are ready to implement a batch of positive security changes to the customer environment: measurable, demonstrable improvements. Other actions by other parties are also in process.

We can’t make the changes needed because of the policy. There is no clear exemption path, no clear exemption requirements, and fear about what happens to whoever allows an exception to go forward.

In the calmer, reflective time of the better part of a year between the initial breach and our exception discussions, the customer agreed that the new policy is poorly written, misunderstood, and should be revised.

The policy is so absolute in its wording there is no clear path to doing anything about it until the next general policy review in something like 2023.

Meanwhile, multiple security tracks to improve the security posture effectively stop for eighteen months. The customer is still on the hook to pay for the contracted services in the interim.

Takeaway: anything done in the immediate aftermath of a security breach should be time limited. Some things will be, through the nature of subscription or contract. Those that aren’t, like new policies crafted during or immediately after a breach, should have a time limit.

* The customer did not mention what existing priority would get demoted, a mistake. If everything — or too many things — is a priority, then nothing is a priority.
Published
Categorized as business

Skill as art, peer review as expression

A writer practicing the craft
A friend and colleague asked me to review a section of an already sent customer deliverable. The customer expressed strong negative views about the content and how it was communicated in one specific section. “The customer is always right,” and the customer also happens to be correct in their assessment.

I’m not throwing the person who wrote this material “under the bus”. Most people in IT and cybersecurity are not strong communicators. Maybe this person is usually a strong communicator but had an off day. Maybe sunspots interfered or Mercury was in retrograde or the U.S. tax filing deadline directed focus elsewhere.

Hello, peer review! Peer review should help level out the various stimuli and bias the original writer brings to the table. The message should be clarified, if the peer reviewers are worth their salt. That was not done here.

Hello, editor! Editing should take the technical skill expressed in the writing and translate it into art (a non-technical artifact with technical components) a customer will understand and hopefully embrace. That also was not done here.

A creative, visual expression of complex technical issues requires more than a good template and the liberal application of industry buzzwords.


Where’s the SOX inverse for cybersecurity?

Cast your mind back to the late ’90s: WorldCom & Enron imploded due to financial impropriety; government reacted; & IT was left holding the bag.

Cut to now: President Biden signed an executive order to improve government cybersecurity.

Bruce Schneier:

I’m a big fan of these sorts of measures. The US government is a big enough market that vendors will try to comply with procurement regulations, and the improvements will benefit all customers of the software.

Adam Bobrow from Just Security:

The executive order is a good first step, but it won’t stop the constant barrage of cyber incidents that has overwhelmed the United States over the last six months. Unfortunately, the insecurity of networked computer systems is simply too great for any single effort to solve the problem. Instead, the solutions lie on a distant horizon. It is not too soon to start charting a course, and Congress can help.

Both are right, but I’m not sure in what proportion. My thoughts are … drafts.

As I see it, the private sector takes one of four basic approaches to cybersecurity:

  1. Accepts cybersecurity is key to doing business, and plans and funds accordingly
  2. Knows cybersecurity is important and spends with no planning (blinking lights or shotgun approach)
  3. Knows cybersecurity is important and plans for it but gets no funding (MacGyver approach)
  4. Hopes nothing bad happens because they think they’re not a target (magical thinking approach)

While many companies rely on US government contracts, not all do. I’d be curious to see the breakdown, if such a thing exists. Companies that fall into #4 probably aren’t dealing with government contracts at all, and #2 and #3 might be, in varying amounts.

Back in the day the US government passed something awkwardly but accurately named the Sarbanes-Oxley Act (a.k.a. SOX, the “Public Company Accounting Reform and Investor Protection Act” [in the Senate] and the “Corporate and Auditing Accountability, Responsibility, and Transparency Act” [in the House]). The crux of the bill, IMNSHO, was defining IT measures to make it harder for companies to commit financial fraud.

Every IT and InfoSec (it wasn’t called cybersecurity back then) manager worth their salt ran to Finance & the CFO with a budget for all sorts of things to nominally help comply with SOX. The recipients were eager to appear to embrace enforcement.

Most were pet projects that wouldn’t actually help either with SOX compliance or overall security. I saw a request for a tool for a manager to spy on his own desktop support team, one from another manager to increase storage capacity for audit purposes (but really so his team could share pirated media among themselves), another to set up shadow IT to get around SOX and other oversight (described as a parallel production environment for testing purposes, which would in no way reflect the production environment, of which we already had many), and a lot of small stuff that was tangentially related to SOX compliance. There were also purchases of things that would help, but see #2 above.

BTW, the people IT was supposed to rein in were the same people who would approve their SOX budget. And the Big F accounting firms that went along with Enron and WorldCom and the others got to rebrand, keep selling their services, and add a new line of business – SOX auditor.

This was a massive amount of effort and money put into the wrong area with maybe OK intentions. And remember, the stuff that triggered SOX wasn’t impacting most companies’ bottom lines.

Maybe it’s time for a reverse SOX that places the onus on CEOs and CFOs to take responsibility for cybersecurity since it is impacting the bottom line. I’m thinking:

  • Security reports to a CSO equal to the CIO and COO, never reporting through the CIO or CFO
  • Legal and Risk are executive sponsors

Big think for sure, but such a requirement by the US or EU government would mean that security wouldn’t be limited by the conflicts of interest these other entities have in an organization.

Keen observers will note that I do not describe where money should go or even how much. It will vary by any number of variables for each company. Those that do not know what to do or how to do it should seek out consulting to help.

※ I worked on Enron and WorldCom when I was employed at EDS in the ’90s.

Sanity running on fumes

Oustian Bargain:

“The cyberattack disabled computer systems responsible for fuel production from Texas to the Northeast, and now gas stations in the Southeast are seeing panicked motorists lining up in droves to fill their tanks … Drivers are being turned away from now-empty gas pumps.” Panic Drives Gas Shortages After Colonial Pipeline Ransomware Attack.

+ WaPo: Gas shortages intensify in Southeast, with 28 percent of North Carolina stations now dry. (The frenzied gas buying is one more example of citizens not trusting government officials who are telling them not to panic. This mistrust is a bigger threat than hackers.) [emphasis mine]

That last sentence is killer. Feel free to replace ‘hackers’ with your favorite threat du jour.

Colonial, is this your puddle?

Don’t weep for Colonial … 

naked capitalism:

Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ Biden briefed Reuters. Oddly, Colonial’s enormous leak hasn’t generated the same level of coverage.

If you’re not hip to the ransomware story, ZDNet has a decent writeup.

As to more on the pipeline leak that started August 2020 in Huntersville, North Carolina: WCNC, MSN, Charlotte Observer.

And CNBC has a fascinating, eye-opening timeline about the company’s travails. Wow. If it wasn’t for bad luck, Colonial wouldn’t have no luck at all. (h/t Cream)

At least the profit seekers behind the ransomware apologized. Right?

Dear HR, please don’t ask me to celebrate my boss

My new boss must be coming up on his 5 year anniversary. I got an email inviting me to:

“Make this milestone memorable – and contribute today!”

By contribute, I’m encouraged to click a link that takes me to a website (authenticated: I’m greeted by name) where I can do … performative things.

“Don’t know what to write? Share a photo, a quick story or favorite memory about [manager]. Or just write a few words that best describe them. It doesn’t have to be long—thoughtfulness is what counts.”

Thank goodness length isn’t required but how thoughtful I am is.

My new boss came into being for me about 14 days ago. While we traveled in some of the same work circles we did not meet until recently – when he became my boss. Thus I have zero to submit to his anniversary fete. He seems like a good guy, but seems is the operative word. I don’t know, and he was told I might not be working for him very long.

Interesting that this is the first time in over 6 years with this employer that I’ve been asked to provide glowing words for the person in whose hands my future with the company resides. Apparently, I should not worry about it:

Your colleague’s network (manager, peers and direct reports) have already been invited to contribute. But you can invite other [employees] who are close to the honoree and non-[employees] (clients, former colleagues, family and friends) to contribute—the more the merrier! Just send them an invite from the contribution page. (Please do not forward this personalized e-mail to them because it is linked to your contribution.)

Wait … what?!?!?! If I understand this dynamic properly, I can:

  1. Submit something nice so my manager sees I submitted something nice; or
  2. Submit something not nice so my manager sees I submitted something not nice; or
  3. Submit nothing, so my manager gets to deduce that I submitted nothing.

HR can’t be this … stupid (I don’t know how else to describe it), can they?

p.s. – I will not submit anything.

p.p.s. – I have a whole rant about corporate anniversary celebrations like this one. Tl;dr: I’m not a fan.

p.p.p.s. – I tried to raise this with corporate HR and their internal website is down. Coincidence? Ehh, probably totally unrelated.

p.p.p.p.s. – This stuff is managed by an outside firm. It’s been outsourced. Got a problem with it? Go talk with the outsourcer.

Alerting resembles action

Let’s talk about security fatigue for a minute.

Korean COVID-19 text alerts to be reduced amid public weariness:

This undated image shows multiple coronavirus-related emergency text messages sent out from the Central Disaster and Safety Countermeasures Headquarters and local governments. (Yonhap)
The central and local governments will reduce their emergency coronavirus text alerts amid mounting complaints that frequent arrivals of such messages have increased the public weariness in the prolonged pandemic, the interior ministry said Wednesday.
The revised guidelines for coronavirus-related text alerts, which go into effect Thursday, require only essential information to be sent out to the public and for the alert system to be turned off between 10 p.m. and 7 a.m.

To deal with growing public fatigue on the matter, the Ministry of the Interior and Safety specifically banned releasing information such as detailed reports on new patients and their itineraries, already widely known virus rules and promotions of local governments’ virus responses.

The emergency notification system has played a key role in containing COVID-19 by swiftly delivering relevant information, including details on new infection cases and antivirus measures.

There was one day last week where I received 7 alerts across my iPhone and Apple Watch. That’s 14 unactionable alerts, many of them coming stacked like in the image above.

More than 15,500 such messages were sent out by state authorities from January to February, which translates into a daily average of 263, according to data compiled by the ministry.

The figure jumped six times from 2,711 recorded in the same period last year when the country was at the early stage of the pandemic.

Never mind the fact that they are only in Korean. Most often the alerts are purely informational. They would often include a URL that pointed to the same data on-line.

But at the same time, more people have complained of its excessiveness and redundancy, with the same information available on the central and provincial governments’ websites and social media pages.

… “It is time to shift how the text alert system works considering the persistence and routinization of the pandemic,” Interior Minister Jeon Hae-cheol said, asking people to better utilize online information made available by authorities. (Yonhap)

I work with customers who have their Security Operations Center (SOC) set up to do the above – alert excessively on things that are informational or aren’t actionable or have relatively low impact to the customer. Why?

Alerting resembles action.

The go Language is Google's Own

I’m baffled as to why programmers put their trust in this advertising company to do the right thing, or why companies would stake their reputation on go. Several people tell me that Google handed over control to open source, but the main landing page for go, golang.com, the place where everyone needs to go to program in the language, says:

The Go website (the “Website”) is hosted by Google. By using and/or visiting the Website, you consent to be bound by Google’s general Terms of Service and Google’s general Privacy Policy.

Go to the go privacy policy page, and you’re sent to Google’s own privacy policy page.

The copyright page, which a lot of folks point to, actually says:

Except as noted, the contents of this site are licensed under the Creative Commons Attribution 3.0 License, and code is licensed under a BSD license.

… which means Google can exempt whatever it wants from the CC & BSD licenses. A good legal argument could be made about the BSD license for the code, as the commas leave things open to interpretation. The term “code” could include HTML and other markup. But IANAL.

Back to my main point: Google’s reputation is not good, based on their behavior. I would not want to stake my company or my coding on them.
(Picture via Roman Synkevych (@synkevych) on Unsplash)

The End of Reputation

AI can now easily (8 seconds) change the identity of someone in a film or video.
Multiple services can now scan a few hours of someone’s voice and then fake any sentence in that person’s voice. […]
Don’t buy anything from anyone who calls you on the phone. Careful with your prescriptions. Don’t believe a video or a photo and especially a review. Luxury goods probably aren’t. That fish might not even be what it says it is.
But we need reputation. The people who are sowing the seeds of distrust almost certainly don’t have your best interests in mind – we’ve all been hacked. Which means that a reshuffling is imminent, one that restores confidence so we can be sure we’re seeing what we think we’re seeing. But it’s not going to happen tomorrow, so now, more than ever, it seems like we have to assume we’re being conned.
Sad but true.
What happens after the commotion will be a retrenchment, a way to restore trust and connection, because we have trouble thriving without it.

(Via The end of reputation; photo via Raphael Lovaski on Unsplash)
Apologies to Seth for quoting nearly his whole post, but it’s important and scary.
Neal Stephenson, in his book Fall; Or, Dodge in Hell, addresses this very issue of reputation and authenticity. In very simplistic and basic terms, it involves leveraging something like a blockchain to “check in” or “sign in” to legitimate things by you or things you control. He also talks about Editors, who are human professional social media filters, which takes us down a different rabbit hole.
As I move my on-line life as much as possible onto platforms I control or trust, I am thinking about how to validate “me” outside of those platforms without that validation coming back to bite me later, assuming such a thing is possible.
What do you think?

Bruce Schneier on The Myth of Consumer Security

The Department of Justice wants access to encrypted consumer devices, but promises not to infiltrate business products or affect critical infrastructure. Yet that’s not possible, because there is no longer any difference between those categories of devices. Consumer devices are critical infrastructure. They affect national security. And it would be foolish to weaken them, even at the request of law enforcement.

(Via The Myth of Consumer Security – Lawfare)