Security technology cargo cult: buy more boxes

Fear of reprisal is one of the most potent stimulants for action. It is also one that information security generally ignores. Instead, the need to “improve security by buying more technology” is the prevalent course of action for most IT shops in large and small organisations. That this merely perpetuates a losing race is not a message most IT security staff are willing to concede. There is a better way to improve the information security posture of large and small organisations, and it starts by mimicking physical security, where psychology has played a significant role.

Wassenaar Arrangement and dual-use computer code

The Wassenaar Arrangement is frequently mentioned in information security (and vulnerability research in particular) since the inclusion of computer code as a dual-use good. The Arrangement does not clearly specify what is and isn’t considered a controlled good subject to export controls, making a number of security researchers and long-term thinkers rightfully concerned about the future of security research. The section on dual-use technology that’s relevant to software (not crypto) says:

> ‘4. A. 5. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software”.

Information security and the observer effect

The initial empirical study of the observer effect (Hawthorne effect), which found that people change their behaviour for the better when observed, has seen equal measures of criticism and support over the years. Whilst a lot of the critiques were typically academic (i.e. no impact on the end effect, just argument over which factor influences it), there were also a number of empirical studies that failed to replicate the original study’s results. Two academic papers that I used in the past on the effect of being watched (the quantum physics observer effect in real-world psychology, if you will) hold a lot of lessons for information security designers and architects, if only they would stop rolling out new boxes and start thinking about what it is they really need to do.

Microsoft, No-IP and lawfare

In the grand gesture of protecting public welfare, Microsoft exposed just how fragile the internet really is when a large organisation decides to use lawfare. All that’s needed is a pliable judge. This isn’t Microsoft’s first such grand gesture or use of lawfare, the use of law as a weapon of conflict, nor is it likely to be the last. But it certainly proves the point of governments and organisations outside the US that are calling for multi-party governance of the internet.

The value of risk management to the organisation

> Most businesses, most boards, don’t spend a lot of time thinking about uncertainty. In fact, they are terrified of doing so.

The quote is from a good article in Strategic Risk Global about the value of risk management and why many risk managers can’t seem to make a difference in the perception of what they do for the organisation.

> [T]o create a more effective relationship between the risk function and the board, risk managers must stand up and show their bosses that they are not mere insurance buyers, as some senior leaders perceive them to be.

Thinking about thinking: risk analysis edition

I’m catching up on my reading and one of the books I’m often going to for quick references is Charles Yoe’s “Principles of Risk Analysis”. There is a great chapter in Morgan D. Jones’s (1998) book The Thinker’s Toolkit. It is called “Thinking about Thinking,” and its primary thesis is that the human mind is not analytical by nature. He explores the fallibility of human reasoning and suggests that the best remedy for the mind’s ineffectiveness is to impose some structure on the way we think.

eBay shows what not to do in a customer data breach

TL;DR: eBay’s security was breached in late February or early March. Customer personal information was stolen. The breach was discovered two months later. The details of the breach are scarce, but eBay has divulged that the attackers only needed a simple username and password to breach eBay’s security. Using just a username and password to access customer personal information is bad. Storing customer personal information in plain text is a major no-no for any organisation that manages customer personal information. It is an even bigger no-no when the business model is based on trust.

Soft power: the good, the bad, and the ugly

The title may be a bit misleading, because each of these three examples of soft power has a mix of all three. I’ll highlight some of each, but there’s plenty more that could be drawn from them. The first example is the use of (relatively) recent Russian tactics against its “near abroad”, its old sphere of influence, if you will, from USSR times. The second is the lack of soft power that China wields, which is self-inflicted. And the last is the recent trend in the US, which is facing the loss of soft power by the government, but not by popular culture.

Russia's New Generation Warfare in Ukraine

Recently Edward Lucas tweeted a series on the changes in Russian military doctrine, which signified a shift away from physical combat and towards information domination in a form not seen since the mid-1990s. That Russians have always preferred, and are extremely skilled on, the battlefield of the cognitive domain is not new. But this new view of the recently requested Russian military doctrine (Putin requested a new draft in 2013, having been dissatisfied with the strictly defensive 2010 doctrine that Medvedev signed off on) shows just how forcefully information warfare is making a comeback.

ASPI ICPC's Cyber Maturity in Asia-Pacific region 2014 report: a review

The Australian Strategic Policy Institute’s International Cyber Policy Centre (ASPI-ICPC) released its inaugural “Cyber Maturity in the Asia-Pacific Region 2014” report. Like all such endeavours it has its warts, but it should be congratulated for tackling a significant challenge. The report is a mix of quantitative and qualitative approaches and tries to devise simple metrics for a complex issue. It’s a great start that can only get better, and in that light here are a few comments of mine (mostly on methodology).