Security Good Practices

When Security Good Practices Aren’t Good Enough

For the better part of 20 years I have fought with – and sometimes against – my clients to help them achieve a particular standard of security. Whether it was PCI, ISO 27001 or any other standard, all I have ever done my whole career is beg my clients to take security a little more seriously. I’d say that I have failed more than I have succeeded; security is just not a priority to most organisations. Kinda like insurance.

Recently however, I have had the distinct pleasure to be told that neither the ISO 2700X standards nor the NIST Cybersecurity Framework are enough; they wanted more. A lot more. In fact, they wanted security so good that they could actually use it as a selling point for their services. For security itself to be a distinct and measurable competitive advantage.

Once the shock wore off, we had to work out how we would actually deliver this. Not only have I never been asked for more than ‘good enough’, I’ve never actually thought about what truly great security looked like. For individual components, yes, but not for a soup-to-nuts security program. And I have certainly not given much thought as to how I would begin the implementation of one. What was the point?

So where did we start? First, we had to address:

  1. What standard(s) to use for alignment – like it or not, unless you align yourself to industry accepted good practices, it is far more difficult to demonstrate the ‘appropriateness’ of your security program. Any client with regulatory compliance obligations must bear this in mind;
  2. How to determine what ‘great’ looks like – regardless of the request to go above and beyond, the final result has to be achievable. In an industry plagued with pointless technology and buzz-words, the final result has to be both achievable, and justifiable. If you cannot demonstrate a meaningful ROI you have wasted their money;
  3. What is foundational, and what is a separate project – In security, there are a number of basics you cannot do without. What I call core concepts. Management buy-in, governance, policy set etc. Then there are things that can begin as a project before consolidating the output with the whole (logging and monitoring, access control etc.);
  4. What are the client’s business goals / principles – as I’ve said too many times; security is only here to enable the business. If a security solution does not map to a goal it’s wrong; and
  5. How long do we have? – The implementation of any security program takes time, and the more you want the longer it takes. The desire for great security has enormous ramifications on resources and capital expenditure, and absolutely cannot be rushed. The resulting program must not only be sustainable, but it has to be embedded in the culture. We’re talking years, not months, and this must be understood at all levels.

You will notice however that at no point were we concerned with technology. Yes, technology will be enormously important – there can be no great without automation – but technology choices are driven by the processes they are meant to enhance, not a solution by themselves. Besides, it’s always the functional requirements you define first as you have no idea who’s going to be managing it yet.

So we ended up going with a combination of ISO 27001 and the NIST Cybersecurity Framework (v1.1), but we mapped these to what we considered to be the most logical groupings encompassing a full security program. Governance, Policy Set, Risk Management, Asset Management and so on. There are 18 of them.

But even this combination could only ever represent average, as ‘compliance’ with either standard is achievable long before you could be considered secure. So then we had to define a scale where average was where it should be, in the middle, and ‘great’ went up from there. We went with the age-old Capability Maturity Model (CMM), then mapped all of the things we believe represent each level. ‘Defined’ = average.

For example, this is what Governance looked like:

There are simply no standards or documents for what happens next. The client has to understand what each of the groupings means, then they have to choose how far up the scale they wish to go. This is a long conversation, and if the results of this conversation aren’t understood at the Board level, we’re already derailed.

There are also many dependencies to consider. You can’t have great vulnerability management without very mature asset management, or business continuity without top notch incident response for example.

And above all, if the implementation of the program is not simple, with clear direction and guidance, the people who have to do the work will never get on board. Nor will they ever be able to manage it after we’re gone.

Honestly, I have no idea how this is going to end up, I’m in new territory for the first time in many years. This is also the first blog I think I’ve written where I’m not either trying to help, or bitching about someone/something.

I just thought I’d share something positive for a change, and I look forward to sharing my numerous mistakes and lessons learned! 🙂

[If you liked this article, please share! Want more like it, subscribe!]

Data Protection

GDPR and DPA are Not Actually About Data Security

Before you get up in arms, yes, both the DPA and GDPR contain elements of true data protection, but addressing that can be summarized in 3 words: ‘appropriate security measures’. Everything else in both the GDPR and DPA refers to privacy.

In case you’re not familiar with the difference between security and privacy – or haven’t read any of my other blogs – data security does NOT equal privacy. Loss of data can potentially lead to a loss in privacy, but misuse of the data is not prevented by the normal implementation of data security controls. Misuse of data = loss of privacy.

For example; even a data-centric security control like Data Loss Prevention (DLP) is not going to tell you if you have appropriate consent, legitimate interest, or appropriate contract language.

So imagine the confusion of the vast majority of the population, who have likely not read either regulation, when unscrupulous cybersecurity experts offer unqualified ‘GDPR compliance’ services. That’s like a plumber offering to build the entire house …maybe they have the skills, but what are the chances?

In truth, the laws should be called the General Data Subject Privacy and Data Protection Regulation (GDSPDPR) and the Data Subject Privacy and Data Protection Act (DSPDPA) respectively. Because that is exactly what they are. Even I hate acronyms greater than 4 characters, but it would have helped!

So how did this confusion begin in the first place? First you have to remember that our concept of data in the 2010s is very different from that of even 20 years ago. Think about this prediction for a minute: ‘More data will be created in 2017 than the previous 5,000 years of humanity’. Or this one: ‘Amount of Data Created Annually to Reach 180 Zettabytes in 2025’ (that’s 180 TRILLION gigabytes). Would you have even considered this possible in 1997 when the price of storage per gigabyte was around $175.00 USD? It’s now less than 2 cents.

Frankly we really weren’t that concerned about the data stored, especially in the [almost] absence of technologies such as big data processing or AI. Now it’s all about the data. Partly because of these ‘new’ technologies (amongst others), we are now equating the storage and failure to protect our data with transgressions against our privacy. They are not.

To compound the problem, the incredible rate of innovation in mobile devices has given us unprecedented functionality and convenience. While our options to self-educate on the impact of this convenience have likewise improved, the majority of us just can’t be bothered. We prefer instead to complain and blame others when things go wrong. We’d rather listen to those who are promising the world, instead of those who offer real solutions.

With GDPR and the new DPA we now don’t have to worry too much about this as data subjects; it’s the organisations who are responsible for putting control of our data back in our hands. But if you represent an organisation, you had better know the difference between data security and data privacy.

There is no excuse, or lenience, for ignorance.


Consent as a Service

GDPR: Data Subject Consent as a Service (DSCaaS), it’s Coming

In [X]aaS, The Outsource of Everything I made fun of the trend to “…as a Service.” everything under the sun, and that eventually we would run out of letters. Well, that happened years ago, so we’re now doubling and tripling up on the letters. Data Subject Consent as a Service (DSCaaS) is my latest attempt in a long line of failures to coin an acronym.

It’s every security professional’s dream.

And yes, Privacy Consent as a Service (PCaaS) would have been better, but that was taken by those damned Personal Computers!

Regardless of what it’s called, I believe the service is not only viable, it’s basically a necessity. 99% of organisations simply do not have the skill-sets, knowledge, or technical capability to manage the collection and management of consent. Especially in a fashion that has been vetted by privacy experts and kept up to date with EU-wide precedent.

Not that consent will be an organisation’s first choice for complying with GDPR. Legitimate Interest, contractual language, even binding corporate rules will likely be easier to maintain. But to get any of these to work requires each organisation to hire their own lawyers, and I’m fairly sure a lot of us would rather pay for a technology instead.

One of the first hurdles for any service like this is to explain to organisations that holding the data yourselves is not your competitive edge. Making the best use of the data is. The only thing you should really care about is getting what you need out of the data, not what it took to get there, and definitely not where the data is. And let the experts worry about how to do that in line with the GDPR.

It’s like when I ask a room-full of merchants if credit cards are core to their business. 99% of them say yes, when it’s actually being paid that’s core to their business, not how they were paid.

So what does DSCaaS look like?

  1. First, it must clearly be a Cloud-based service with a seamless iFrame-esque integration with your organisation’s webpage. Where you would normally collect the personal information on your webpages, you would simply redirect this collection to a 3rd party provider;
  2. Depending on the type of information collected and the reason for collection, very simple consent notices can be developed. For e-commerce for example, these consent notices can be pretty much boiler-plated into; payment authorisation, product/service updates, customer service, marketing, etc. For HR, these would be in-line with the individual employment contract and so on. This consent is now tracked by the DSCaaS provider;
  3. The existing personal data previously collected by the organisation would be normalised/parsed and imported into the service in order to allow for the following:
    1. The removal of the vast majority of personal data from an organisation’s systems (using tokenisation and APIs to link existing systems if required);
    2. tracking and collection of consent, plus renewal of consent where necessary;
    3. automated personal data removal/destruction based on data retention policies;
    4. online portal for data subject to change/erase data, or demand processing cessation;
    5. all data controller and processor contracts in place.
  4. The DSCaaS provider would need to be able to demonstrate ‘appropriate security measures’ through compliance with (and/or certification to) well-known standards like ISO 27001, ITIL, COBIT, NIST and so on;
  5. The DSCaaS provider would have existing and robust relationships with supervisory bodies (the ICO in the UK, for example) to standardise reporting of processing (if required).

Clearly this is oversimplified, but if there’s one thing missing in all of these bandwagon ads for GDPR services it’s the spreading of the cost across multiple parties. Especially as it’s very likely that the millions of smaller organisations cannot afford privacy expertise on an individual basis.

The intent of the GDPR is a good one, and organisations have to understand that the data they are making so much money off does not belong to them. While I have no issue with them doing so – as long as I also benefit – I want complete control over what happens to it. The vast majority of organisations in the UK cannot even comply with the existing DPA, let alone one amended in line with the draft Data Protection Bill. For organisations to ‘comply’ with the intent of the GDPR, they will need help, and that help will not come from cybersecurity organisations, ‘certified’ GDPR practitioners, or even privacy lawyers. It will come from organisations who combine all of these skills into a service where access to data is appropriately controlled.

Gone are the days when you could do whatever you wanted to profit from personal information. It’s what you do WITH the data that matters, and it’s almost always the best ideas that win out. We all need help doing that appropriately.

WPA2 / KRACK, and the Coming Storm of Marketing BS!

This is going to be my shortest blog ever, because basically it’s just a warning: IGNORE THE MARKETING BULLSHIT AND THE DOOMSDAY JOURNALISTS!

Every time there is an outbreak of malware, or a new vulnerability exposed, or a protocol deprecated, the marketing departments of every security vendor go into overdrive. Their only goal; to make more money. Not to help, not to provide sound advice so that people don’t make bad decisions based on FUD, and not even because they know what the Hell they’re talking about.

Just money.

And the newspapers do what they do best; create panic with little to no understanding of the subject.

Yes, WPA2 has likely been broken, but because of the integrity of the researcher who discovered it we won’t have any information about it until later today. Which means we currently have no idea of the impact.

Apparently this is the guy you need to be watching;

So here is what I would be doing right now if I were you:

  1. Determine what the impact on your organisation would be if WPA2 were truly broken;
  2. Update EVERY relevant device, as by now most of the bigger manufacturers should have a patch or a workaround;
  3. Tell your entire employee base NOT to panic, but they too should update their home computers (anti-malware etc.), mobile devices and home routers;
  4. Update your incident response plan to cover any issues.

The one thing you should NOT do is be part of the problem! Don’t spread rumours, spread fact, and be part of the SOLUTION! Share this blog if you want, or at least articles like it.

The security industry is rapidly becoming a bunch of used car salesmen, let’s each do our part to get THIS one right.

GDPR: How to Spot the Charlatans

Here we go again. A regulation or standard gets released and suddenly everyone’s an expert, every vendor has a solution or silver-bullet technology, and hundreds upon hundreds of organisations spend a fortune on something they were far better off doing themselves.

It happened with PCI, SoX, and a plethora of other smaller or more region/sector specific regulations, and now it’s happening to GDPR. All because most of us are just too bloody lazy to do a little bit of homework to find a real expert.

Or in a lot of cases, too lazy to even read the damned standard! Yes, it’s dull, but it’s not that difficult to decipher to the point you can ask a few intelligent questions.

But the real problem stems from the fact that most people don’t even know what privacy is. Personally, I am not an expert in privacy, I’m an expert in cybersecurity. If you think those two things are the same, or even very similar, you are already way off the mark. Yes, there is an overlap, but only in so far as a data breach can possibly lead to a loss in privacy.

But that’s the point, it’s only a possibility. Just because someone stole your data, does not mean they’re going to use it against you.

To summarise in a very general way:

Security = Preventing unauthorised ACCESS to your data; and

Privacy = Preventing unauthorised USE of your data.

It’s because this distinction is universally misunderstood that cybersecurity vendors are often the first ones organisations turn to. However, instead of steering these poor deluded fools in the RIGHT direction, vendors sell them what they asked for. What they got, and are still getting, is a fraction of what’s required. 3.34% to be exact.

I’m not saying a security expert cannot be a privacy expert as well. I’m also not saying that every vendor lacks integrity. But I am saying you’re the one to blame if you end up with a muppet.

So How DO You Spot the Charlatans

Actually it’s rather easy, they use phrases like:

  • Avoid hefty fines by ensuring you’re GDPR compliant!;
  • Time is running out, save your business!;
  • Ask our security experts how to [enter rest of lie here];
  • They claim that ISO 27001 can cover the entirety of the regulation;
  • Any combination of words that includes “GDPR compliance” or “GDPR certification”;
  • Any sales pitch or article that leads with possible fines (unless it’s to put down those that try).

…or they are:

  • Regular cybersecurity vendors;
  • Any vendor selling ‘GDPR software’;
  • A recent Certified General Data Protection Regulation (GDPR) Practitioner (and has no other privacy experience);
  • Anyone with CISSP, CISA, CISM, CRISC etc. emblazoned on their LinkedIn profiles (and has no other privacy experience);

Finding a real expert is not that difficult, you just have to look for people who have been doing privacy stuff for a long time. These people do not HAVE to be privacy lawyers, but it certainly helps. And while there will be whole swarms of scum-bag lawyers chasing the GDPR ambulance, there are a lot of good ones out there anxious to help. My own sister is one.

On the positive side, look for things like this instead. These were bullet points taken from a free seminar that I have actually signed up for:

  • Understand the implications of the GDPR on your business-critical processes;
  • Learn how to prepare for the implementation of the GDPR;
  • Gain invaluable instruction and insight on the regulation and how to comply;
  • Discover the security solutions that can help to mitigate risks and assist in meeting your security obligations under the GDPR

This is the kind of education I can get behind. I really hope it’s not a well disguised sales pitch…
