Building better cyber security in organisations

A speech given by Alex Webling to the opening of Z-CERT, the Hague, Netherlands, January 2018

Building better cyber security strategy in organisations

The opening of Z-CERT is an important development in the protection of the Netherland’s health care system. I wish you all the good fortune in the world.


When I started working in cybersecurity for the Australian Government in 2002, the world was a different place.

For one thing, we called it electronic security and mostly it was a small extension of the great game of espionage played between nation states. We focussed almost exclusively on keeping our information confidential.

However, even then, we realised that in order to keep our systems and citizens secure, we’d have to collaborate with like-minded countries and the Netherlands was top of my list.

I have continued to admire the Dutch, because I think that you tend to be quite pragmatic in your approach to problems. Solving the issues related to cyber security and privacy is no different.

The cyber landscape has continued to evolve quickly under our feet and the need to collaborate and share best practice has only accelerated.

“If you think technology can solve all your security problems, then you don’t understand the problems and you don’t understand the technology” – Bruce Schneier

I think you all know that the information age is upon us and has been for some time. This year, like the last, and the one before will bring more connectivity, digital transformation initiatives, and data for organisations and their human operators to handle.

The opportunities this information age brings are amazing.

All organisations, not least health providers are focussed on getting the right information to the right people at the right time, and avoiding the wrong people accessing it too.

This is an incredibly difficult task. Getting it right, relies on judgement and experience. It is becoming increasingly difficult to achieve. Information travels at the speed of light, but we can’t think that fast.

Just think: unlike any previous time in human history, information has become very expensive to delete as well as to create.

Within a couple of generations, many organisations have moved from paper records to electronic ones. Access to electronic information brings so many benefits for the health professional.

But there is also a dark side.

With the opportunities come the threats. Threats to privacy, reputation, financial status and also to patient outcomes.

More tools developed by government hackers have become public, and it’s easier than ever to create sophisticated ways to spread malicious software or steal data.

Estimates are that ransomware cost victims 2 billion Euros in 2017, twice as much as in 2016.

Meanwhile, others have predicted that global losses from another growing trend, compromised business email scams, will exceed 9 billion Euros next year.

With the advent of the GDPR in less than five months, the financial penalties if data protection goes wrong are about to get much more serious. GDPR fines will be up to 20 million Euros or 4% of annual turnover (whichever is higher).

The cost is not just monetary. NHS hospitals in the United Kingdom were hit by the WannaCry ransomware cyberattack, delaying surgery for patients. The potential for things to get much worse is real.

Opportunities and Threats

Yet, the opportunities are so great, that organisations have no choice but to manage the threats that the information age brings.

So the key point of this talk is:

Good information security is dependent on dynamic organisational governance of cyber security.

An Information Security Management System can help organisations become resilient to the dynamic threat.

What is it?

So what is an Information Security Management System or ISMS and how can it help me and my organisation?

To answer that, we need to look at three questions:

  1. Why should my organisation care about cyber security?
  2. Who is responsible for organisational cyber security?
  3. What does good cyber security look like?

I have found that many senior executives find it difficult to answer these questions for themselves, so I am going to give you good reasons to take back to your organisations to make change happen.

Why should my organisation care about cybersecurity?

Your organisation is an information business

At the risk of repeating myself, whatever else it does, your organisation is an information business. Information is the lifeblood of a modern organisation. A cyber attack can mean your organisation’s information goes to the wrong people, is changed or is removed. Even worse, you may not even know this has happened for months.

The legislative and regulatory environment will continue to become more stringent as the cyber threat increases

e.g. GDPR

The GDPR is not the first regulation to place responsibility on organisations for protection of specific data. The introduction of the GDPR is part of an ongoing trend for legislation and regulation striving to catch up with the changes in technology and society that the information age has brought us.

You are probably aware that as early as 1995, the European Council adopted the Data Protection Directive which aimed to protect individuals’ personal electronic data.

PCI DSS does this for credit card information around the world. The Health Insurance Portability and Accountability Act (HIPAA) did this for personal health information in the USA.

GDPR requires organisations to map their personal information holdings. But mapping under GDPR is not just another classification exercise. It also requires the organisation to correlate the data back to an individual, a country of residence, consent, purpose of use and more. Under GDPR it’s not enough to just know the personal data content; it’s also essential to know the context of the data because the organisation is the steward of the information, not the owner.

The increasing reputational and financial damage suffered by organisations that are hacked

In many ways this is related to the previous point. The outrage that the public expresses every time another organisation loses their data is growing.

Some organisations have tried to hide that they have been hacked. Uber and Equifax are alleged to have done this, but any conspiracy is almost always revealed quickly. Mandatory reporting provisions are putting increased pressure on organisations to reveal breaches quickly and to show how they are dealing with cyber events.

Where this doesn’t happen, the public is voting with their feet. This is having direct impacts on the tenure of leaders, CEOs and boards. For listed companies, it is impacting their share value directly.

When the GDPR comes into force in May this year, to repeat for emphasis, fines of up to 4% of organisational turnover are possible where organisations are shown to be negligent in the protection of EU citizens’ personal information. This will be a very significant increase over the previous regimes.

Who is responsible for cyber security?

This one’s easy.

It is the owner of the cyber risk.

That’s the board or CEO of the organisation. These are the people that regulators are increasingly targeting when things go seriously wrong.

It is not the ICT manager, the CIO, or the security manager. The decisions on how much cyber risk the organisation should take come down to the CEO and Board. The organisation’s leader needs to make those decisions in an informed manner that balances relevant stakeholders’ perspectives.

Goldilocks Security

I call it ‘Goldilocks Security’ – that which is just right for the organisation, not too much and not too little.

Goldilocks security is different for different organisations. Cybersecurity is a series of tradeoffs between the confidentiality of information, its integrity and its availability.

If you think about it: The most secure information is completely inaccessible to all and pretty useless.

There needs to be a balance.

How does the board and CEO become informed about cyber risk?

They use experts who understand the threats, vulnerabilities and consequences of cyber attack, and communicate in business-ese to the board, but they retain the decision making for themselves.

Time to move away from the word ‘Cyber’

By the way this is probably the time to tell you that I don’t really like the word ‘cybersecurity’, and prefer the term ‘information security’.

Cyber tends to make people think only of computers and networks. This then can lead to the responsibility for cyber being put solely on the shoulders of the CIO or ICT manager.

Words Matter – and as hard as it is to change the way we talk, we need to make the change.

We have to continually remind ourselves that people are both the central cause and the primary victims of information security attacks.

Weaknesses in human behaviour are still one of the easiest ways of compromising any organisation.

What does good security look like?

So now we get to the crux of the matter.

Good organisational cybersecurity is tested, systematic and repeatable. However, for many organisations it is anything but!

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

This requires a certain amount of bravery on the part of executives.

Unfortunately, our experience is that many organisations need a compelling event, such as a major breach, before they take cyber security seriously. However, it doesn’t have to be this way for change to happen.

The organisational leadership can create an Information Security Management System or ISMS.

The Information Security Management System (ISMS)

An ISMS is a set of better-practice policies and procedures for systematically managing an organisation’s information.

The ISMS operates by identifying, assessing and managing information security risks resulting from internal and external threats exploiting the organisation’s vulnerabilities.

The goal of an ISMS is to:

  • manage the risk of a cyber event occurring on an ongoing basis in a holistic manner; and
  • minimise the impact on the organisation if and when a cyber event occurs.

A Strategic Decision

Implementing an ISMS is a strategic decision for the organisation. Implementation requires CEO and Board commitment – because they own the risk.

At the strategic level, the CEO / Board create an ISMS committee which has responsibility for the organisation’s information security. The committee meets regularly and oversees the development of a structured approach through which the organisation builds better enterprise security by dynamically monitoring and improving information security effectiveness.

Cyber risks are assessed at a holistic level. Sometimes, the organisational leadership will decide to take more cyber risk in order to achieve a business objective. The important thing is that it is done with full knowledge of the risk – both positive and negative.

When the ISMS committee operates in this manner, the organisational cybersecurity stance evolves to meet the increasing threat and the organisational business needs.

Minimising the impact of a cyber event. Or… you will be compromised

I mentioned before that information security is all about tradeoffs. Tradeoffs between your people being able to access the information they need to do their jobs – availability. Tradeoffs that information is correct – integrity. Tradeoffs that information doesn’t fall into the wrong hands – confidentiality.

It is a legacy of the old cyber security thought that many security people worry more about information confidentiality than integrity and availability, rather than worrying about what the business needs to achieve its objectives.

Bringing information security to the board level, means that decisions about tradeoffs must be made, particularly in tight fiscal environments.

Sometimes it will go wrong…

Even with an ISMS in place, there is always a risk that an information security event occurs. When it does, the organisation must respond. Good cyber response involves much more than the ICT area.

Whilst the technical response is occurring, the organisation needs to work out how to respond to stakeholders, what if anything to report to authorities etc.

One of the key aspects of the GDPR, as I’ve mentioned earlier, is the mandatory reporting of data breaches. An ISMS brings together key stakeholders to consider risks, including the data protection officer, who can consider the impact of a breach from a GDPR perspective and advise the organisational leadership about the implications, if any.

However, like a fire drill, cyber response needs to be practised.

A smooth response to an event can minimise the impact on the organisation significantly. In my experience, the technical response to cyber incidents works better than the non-technical response, simply because the techs are responding to minor incidents day in and day out, but for other parts of the organisation, it is not their day job.

Recovering (more) gracefully

There are multiple examples (e.g. Uber, Equifax) of companies handling data breaches badly. However, here’s a case of one that was handled well from a public relations perspective.

In Australia, the Red Cross Blood Service was compromised in 2016. The personal information of over 500,000 blood donors was exposed publicly.

At that time, it was not mandatory to report breaches of personal information.

However, the Red Cross was proactive in informing the public and the Australian Privacy Commissioner. In doing so, Red Cross made the best out of a bad situation by displaying transparency and showing that they were doing their best to fix the problems.

By getting on the front foot, the Red Cross maintained the public’s trust in the blood system.

http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036

https://www.oaic.gov.au/media-and-speeches/statements/australian-red-cross-blood-service-data-breach

In summary

Why should my organisation care about cybersecurity?

Care because your business is information (whatever your business)

  • Your business is information.
  • The GDPR is just the next step in a global tightening of legislation and regulation for organisations operating in cyberspace.
  • If you don’t play by the rules and you get caught, your reputation and finances will suffer.

Who is responsible for cyber security?

  • The owner of the risk, generally the CEO, Agency Head or Board.
  • The CEO needs to make informed decisions about how much security is just right – Goldilocks security.
  • Your security and ICT people help the leadership make informed decisions. They need to translate geek-speak into business-ese.

What does good security look like?

  • An information security management system is recognised as the better practice for information security and is eminently applicable to the data protection requirements of the GDPR.
  • An ISMS evolves continuously to meet the changing risks. It is not ‘set and forget’ and only works if the risk owner engages with it.
  • You will be compromised. Practise your cyber response at the organisational level, not the ICT level.

CONCLUSION

We are well into the information age. Information is the lifeblood of the organisation. The days when somebody from IT was responsible for cybersecurity are long past.

Executives responsible for organisational success must take ownership for cyber security. Cyber is just another risk category like finance.

Establishing and running an information security management system is recognised as the best way to manage and balance information security and privacy risks for organisations.

A well run ISMS helps the organisational leadership understand the value of its information and take advantage of the opportunities of the information age as well as reducing the downside risk.

The GDPR is part of a continuum of regulation that will force organisations to design security for citizen data across its entire lifecycle into their processes. The provisions relate not only to technology, but also to policies and employee behaviour. The policies and practices that are instituted to meet the requirements of the GDPR can also be applied to improve information security across the whole organisation.

Developing cybersecurity maturity is not an overnight process, but it is possible. The most difficult aspect is committing to required changes and implementing organisational governance that embeds accountability and realistic assessment of risk.

You have the power to make cybersecurity happen in your organisation. Start today, by creating your information security management system board. Make sure that the CEO is at the table. Keep the scope small and manageable whilst you learn by doing.

Looking at the risks associated with GDPR would be ideal if your organisation hasn’t started. Once you understand what you’re doing, start expanding the scope.

Alex travelled to the Netherlands as a guest of Z-CERT, the Dutch Computer Emergency Response Team for healthcare (Zorg), in January 2018.

Z-CERT’s website is https://www.z-cert.nl/

Poodle Vulnerability

Padding Oracle On Downgraded Legacy Encryption (POODLE)

The POODLE vulnerability has been around as an exploit since 2014. The attack led to SSL 3.0 being disabled completely on both the client and server side, to prevent attackers from making use of this man-in-the-middle attack. 2014 also brought us the Heartbleed bug, BERserk, and FREAK exploits. That might seem like ancient history in cybersecurity. But history has a freaky way of repeating itself.

In 2016 the DROWN attack took advantage of support for the SSLv2 protocol and exposed the weakness in more than 81,000 of the top 1 million most popular websites. As we get closer to 2017, the odds are increasing that the number of exploits will continue to rise.

Krebs is usually a good source of the most up-to-date info. But it remains a race, and I’m not always sure we’re winning. http://krebsonsecurity.com/


In the meantime, here’s some pictures of poodles to lighten the mood! This is Cleaver Black – destroyer of dragons (blue stuffed ones).


Cyber-Resilience

Cyber-Resilience in the Information Age

The Global Resilience Collaborative held a curated seminar at Parliament House in Queensland. Alex Webling gave a speech on Cyber-Resilience to the assembled audience.

The speech was posted on YouTube; the video is embedded below.

In summary, Alex introduces four ideas for cyber-resilience in the information age.

  1. Information is the lifeblood of the modern organisation.
  2. The value of data should determine how it should be protected.
  3. Data value changes with time.
  4. Considering data flows within an organisation allows an organisation to develop an adaptable and resilient approach to its security and longevity.

Subscribe to the Resilience Outcomes Channel at https://www.youtube.com/channel/UCh0XQODTB2r8nQzUBoTGSeA

Why the world needs the cyber equivalent of an international law of the sea

Islands of order in a sea of chaos

I’ve been thinking for the best part of the last decade about Internet governance and its impact on national security. In that time, little has changed to improve security for users.

The Internet as we know it today can be compared in many ways to the high seas during the swashbuckling so-called Golden age of Piracy between around 1650 and 1730 when pirates ruled the Caribbean.

Why is this comparison valid? Because on the Internet today, like on the high seas of yesteryear, there are islands of order surrounded by seas of chaos. The islands of order are the corporate networks like Facebook, Google, Amazon, eBay etc. and those run by competent governments for their citizens. However, between these orderly Internet islands are large areas where there are no rules and where pirates and vagabonds thrive. An additional similarity is that some of the most competent and successful historical pirates operated with explicit support from countries seeking to further their national aims.

Even those who govern the orderly Internet islands are subject to bold attacks from chaos agents if they are not vigilant! Witness the compromise of LinkedIn earlier this year; and very few governments have not had some significant compromise affect their operations.

On the high seas, piracy has been reduced significantly since the 18th Century. With the exception of places like the coast of Somalia, there are now far fewer places where there is a significant piracy problem. There are a number of reasons why this has been a success. Not least of these has been the development of the law of the high seas.

In cyberspace, the world also needs to be moving on from the swashbuckling days. Internet criminals need to be hunted down in whichever corner of the Internet they lurk. Additionally, the concept that some countries could give free rein to local cyber-criminals, as long as they don’t terrorise their own countrymen/women, is anathema in the 21st Century.

The long-term solution has remained, in my view, a cyber version of the UN Convention on the Law of the Sea. UNCLOS is the international agreement, most recently updated in 1982, that governs behaviour by ships in international waters. Among other things, the convention deals with acts of piracy committed in international waters.

In the same way, a similar international cybercrime convention could deal with acts where the victim was from, for example, the USA, the criminal from the Vatican and the offence committed on a server in South Korea.

It would seem that at the moment any move towards a UN convention has gone off the boil. A proposal was shot down in 2010 over disagreements around national sovereignty and human rights. As well, the European Union and USA position was that a new treaty on cyber crime was not needed, since the Council of Europe Convention on Cyber Crime had already been in place for 10 years and has been signed or ratified by 46 countries since 2001.

As I recently noted, wariness by both USA and China continues and means that any international agreement which includes Western countries and the BRICs will be a long time coming. China, Russia and other countries submitted a Document of International Code of Conduct for Information Security to the United Nations in 2011 which the USA seems to have dismissed out of hand.

A code of conduct is nice and the Council of Europe convention is a good start, but they need to be supported by some sort of international cyber ‘muscle’ in the long term.

However, all is not lost. In the meantime, working to coordinate the orderly organisations’ defences that I wrote about before, is a practical step that organisations and governments should be doing more of. This is the cyber equivalent of escorting ships through dangerous waters and passing them from one island of order to another.

There’s a good reason for this, and here’s the resilience message. The cyber-security of an organisation does not begin and end at its firewall or outer perimeter. Whilst in most cases an organisation cannot force other organisations to which it is connected to change, it can maintain vigilance over areas outside its direct sphere of control. This then allows the organisation more time to adapt to its changing environment and, of course, a chain is only as strong as its weakest link.

The other step to be taken is to help emerging nations and organisations with poor online security to improve their cyber-defences. If the first step was like escorting ships between the orderly islands, this second step is the equivalent of helping nearby islands to improve their battlements so that the pirates don’t take over and then attack us! This work has been going on for some time. I chaired a number of seminars on cyber security and the need for computer emergency response teams for the APEC telecommunication and information working group which began this work in 2003 and this has been carried on by a number of countries around the world in fits and starts, but we need more.

Alex

In cyberspace, if you don’t share, you don’t survive

This might seem a brave call when talking about cyber-security threat information. But the truth is that the cyber world forces a new paradigm on security. The tools that are familiar in the offline world for providing elements of security, such as obscurity, tend to benefit the attackers rather than the defenders, because the very advantages of the online world, things like search and constant availability are also the online world’s greatest weaknesses. What matters most in the online world is not what you know, but how fast you know and make use of the information you have.

I’ve been reading the Cyber Security Task Force: Public-Private Information Sharing report, and I think it’s worth promoting what it says. It presents a call to action for government and companies in the US to improve information-sharing to prevent the increasing risks from cyber attacks on organisations, both public and private. The work was clearly done with a view to helping the passage of legislation being proposed in the USA; however…

Most, if not all, the findings made could be extrapolated to every advanced democracy around the world.

If you are familiar with this field, much of what has been written will not be new, as we have been calling for the sorts of measures that are proposed in the report since at least 2002. That does not mean that the authors haven’t made a valuable contribution, because they have made recommendations about how to solve the problem. Specifically, they recommend removing legislative impediments to sharing whilst maintaining protections on personal information.

According to the authors: From October 2011 through February 2012, over 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security (DHS), with 86 of those attacks taking place on critical infrastructure networks. As they rightly point out, the number reported represents a tiny fraction of the total occurrences.

As is the case in many areas of security, the lack of an evidence base is at the core of the problem, because it creates a cycle where there is resistance to change and adaptation to fix the problems efficiently and effectively.

Of course, the other thing that happens is that organisations don’t support an even level of focus or resourcing on the problem because, most of the time, like an iceberg, the bit of the problem that you can ‘see’ is comparatively small.

To make matters worse, new research is telling us that we are optimistically biased when making predictions about the future. That is, people generally underestimate the likelihood of negative events. So without ‘hard’ data, and given the choice of underestimating the size of a problem or overestimating it, humans that make decisions in organisations and governments are likely to underestimate the likelihood of bad things happening. You can find out more about the optimism bias in a talk by Tali Sharot on TED.com

The cost differential to organisations when they don’t build in cyber security, are unable to mitigate risks and then need to recover from cyber attacks is significant. This cost is felt most by the organisations affected, but its effects are passed across an economy.

So what can be done to break this cycle of complacency? Government and industry experts have long spoken about the need for better sharing of information about cyberthreats. I was talking in public fora about this ten years ago.

The devil is in the detail of the ‘what’ and the ‘how’. Inside the ‘what’ is also the ‘who’. I’ll explain below.

What should be shared, who should do the sharing – and with whom?

Both government and industry, whilst they generally enthusiastically agree that there should be sharing, think that the other party should be doing more of it and then come up with any number of excuses as to why they can’t! For those who are fans of iconic 80s TV, it reminds me of the Yes Minister episode where the PM wants to have a policy of promoting women and in cabinet each minister enthusiastically agrees that it should be done, whilst explaining why it wouldn’t be possible in his department. In government, the spooks will tell you that they have ‘concerns’ with sharing, i.e. they want to spy on other countries and don’t want to give up any potential tools. It’s no better in industry: companies don’t have an incentive to share specific data, because their competitors might get some kind of advantage.

The UK has developed perhaps the most mature approach to this. UK organisations have been subject to a number of significant cyber attacks and government officials attempt to ‘share what is shareable’. The ability to do this may be because of the close relationship between the UK government and industry, developed initially during the time of the Troubles in Ireland and maintained in one form or other through the terrorism crises of this Century. It remains to be seen whether the government will be able to maintain these relationships and whether UK industry will see value in them as the UK and Europe struggle with short-termism brought on by the fiscal situation.

Australia has also attempted to share what is shareable; however, as the government computer emergency response team sits directly within a department of state, this is very difficult. It seems that the CERT does not have a clear mission. Is it an arbiter of cyber-policy and information disseminator, or an operational organisation that facilitates information exchange on cyber issues between government and industry?

This quandary has not been solved completely by any G20 country. Indeed, it will never be solved; it is a journey without end. It is possible that New Zealand has come closest, but this seems to be because of the small size of the country and the ability to develop individual relationships between key people in industry and government. Another country that is doing reasonably well is South Korea – mainly because it has to: it has the greatest percentage of broadband users of any country and North Korea just a telephone line away. The Korean Internet security agency – KISA – brings together industry development, Internet policy, personal information protection, government security, incident prevention and response under one umbrella.

For larger countries, I am of the view that a national CERT should be a quasi-government organisation that is controlled by a board comprised of:

  • companies that are subject to attack (including critical infrastructure);
  • network providers;
  • government security agencies; and
  • government policy agencies.

In this way, the CERT would strive to serve the country more fully. There would be more incentive for government to share information with industry and for industry to share information with government. With this template, it is possible to create a national cyber-defence strategy that benefits all parts of society and provides defence-in-depth to those parts of the community that we are most dependent on, i.e. the critical infrastructure and government.

Ensuring two-way information flow within the broader community and with industry has the potential to provide direct benefits for national cyber-security and for the community more broadly. Firstly, by helping business and the community to protect itself. Secondly, for government, telecommunications providers and the critical infrastructure in the development of sentinel systems in the community, which like the proverbial canary in the coalmine, signal danger if they are compromised. Thirdly, by improving the evidence base through increased quality and quantity of incident reporting – which is so often overlooked.

Governments can easily encourage two-way communication by ‘sharing first’. Industry often questions the value of information exchanges, because they turn up to these events at their own expense, some government bigwig opens and says ‘let there be sharing’, and then there is silence, because the operatives from the three-letter security agencies don’t have the seniority to share anything and the senior ones don’t understand the technical issues. I am not the first person to say that in many cases (I think 90%), technical details that can assist organisations to protect their networks do not need to include the sensitive ‘sources and methods’ discussion. By that I mean: if a trust relationship exists or is developed between organisations in government and industry, and one party passes a piece of information to the other and says “Do x and be protected from y damage”, then the likelihood that the receiving party will undertake the action depends on how much they trust the provider. Sources and methods information is useful to help determine trustworthiness, but it is not (usually) intrinsically essential to fixing the problem.

As the Public-Private Information Sharing report suggests, many of the complex discussions about information classification/over-classification and national security clearances can be left behind. Don’t get me wrong; having developed the Australian Government’s current protective security policy framework, I think there is a vital place for security clearances and information classification. However, I think that they are vastly overrated in a speed-of-light environment where the winner is not the side with the most information, but the side that can operationalise it most quickly and effectively. Security clearances and information classification get in the way of this and potentially deliver more benefit to the enemy by stopping the good guys from getting the right information in time. We come back to the question of balancing confidentiality, integrity and availability: the perishable nature of sensitive information is greater than ever.

How should cyber threat information be shared?

This brings me to the next area of concern. There is also a problem with how information is shared between industry and government, or more importantly the speed with which it is shared. In an era when cyber attacks are automated, the defence systems are still primarily manual and, amazingly, in some cases rely on paper-based systems to exchange threat signatures. There is an opportunity for national CERTs to significantly improve the current systems so that unclassified information about threats is shared automatically. Ideally these systems would be designed so that threat information goes out to organisations from the national CERT and information about possible data breaches returns immediately to be analysed.

Of course, another benefit of well-designed automated systems could be that they automatically strip customers’ private information out of any communications; as with sources and methods information, people’s details are not important (spear phishing being an exception). In most cases, I’d rather have a machine automatically removing my private details than some representative of my ‘friendly’ telecommunications provider or other organisation.
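The two-way exchange described in the last two paragraphs, as an added example that is not code from the speech or from Z-CERT: outbound, only indicators whose Traffic Light Protocol (TLP) marking permits automatic distribution leave the CERT without a human in the loop; inbound, incident reports have personal data stripped before analysis while the technical indicators are kept, with the targeted recipient of a spear-phishing lure as the one exception the speech allows. The field names, regexes and sample report below are constructed for illustration and are not any CERT's actual schema.

```python
# Added example: sketch of an automated two-way threat-information exchange.
# Not code from the speech or from Z-CERT; field names and data are constructed.
import re
from dataclasses import dataclass

# TLP markings under which an indicator may be forwarded without human review.
# TLP:CLEAR is the current name for what used to be TLP:WHITE.
AUTO_SHAREABLE = {"TLP:CLEAR", "TLP:WHITE", "TLP:GREEN"}


@dataclass
class Indicator:
    kind: str     # constructed: "domain", "sha256", "ipv4", ...
    value: str
    tlp: str      # marking assigned by whoever supplied the indicator
    action: str   # the "do x" of the speech: "block", "alert", "patch"


# Report fields that identify people rather than the attack (constructed names);
# always replaced wholesale so no partial identifier leaks through.
PERSONAL_FIELDS = {"reporter_name", "reporter_email", "contact_phone", "patient_id"}
# Report fields carrying technical indicators; never touched by the scrubbers,
# so a hash or attacker domain is not mangled by the phone/email patterns.
INDICATOR_FIELDS = {"sha256", "attacker_domain", "attacker_ip"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def select_shareable(indicators):
    """Outbound direction: indicators the CERT may push out automatically."""
    return [i for i in indicators if i.tlp.upper() in AUTO_SHAREABLE]


def redact_report(report, spear_phishing=False):
    """Inbound direction: copy of a report with personal data removed.

    The targeted recipient of a spear-phishing lure is the one personal
    detail that is itself an indicator, so it is kept only when the
    report is flagged as spear phishing.
    """
    clean = {}
    for key, value in report.items():
        if key == "targeted_recipient":
            clean[key] = value if spear_phishing else "[REDACTED]"
        elif key in PERSONAL_FIELDS:
            clean[key] = "[REDACTED]"
        elif key in INDICATOR_FIELDS or not isinstance(value, str):
            clean[key] = value
        else:
            # Free text: scrub addresses and phone numbers typed into it.
            value = EMAIL_RE.sub("[EMAIL]", value)
            clean[key] = PHONE_RE.sub("[PHONE]", value)
    return clean


if __name__ == "__main__":
    # Constructed sample data.
    feed = [
        Indicator("domain", "bad.example", "TLP:GREEN", "block"),
        Indicator("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                  "TLP:AMBER", "alert"),
        Indicator("ipv4", "203.0.113.7", "tlp:clear", "block"),
    ]
    for ind in select_shareable(feed):
        print(f"share {ind.kind}={ind.value} ({ind.action})")

    report = {
        "reporter_name": "J. Jansen",
        "reporter_email": "j.jansen@hospital.example",
        "description": "Phish from attacker@evil.example, call +31 20 123 4567 for details",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "attacker_domain": "evil.example",
        "targeted_recipient": "j.jansen@hospital.example",
    }
    print(redact_report(report, spear_phishing=True))
```

The two gates are deliberately independent: the TLP filter decides what may leave, and the scrubber decides what arrives in a form that can be analysed and passed on. A real deployment would replace the dictionary with a structured format such as STIX and the regexes with a proper PII classifier, but the division of labour stays the same.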

These things are all technically possible; the impediments are only organisational. Isn’t it funny: people are inherently optimistic, but don’t trust each other. It’s surprising civilisation has got this far.

CERTs – Computer Emergency Response Teams

References

1. Sharot, T., Guitart-Masip, M., Korn, C., Chowdhury, R., Dolan, R. “How Dopamine Enhances an Optimism Bias in Humans.” Current Biology, July 2012. www.cell.com

2. Yes Minister, Series 3, Episode 1, “Equal Opportunities” (1982).

Useful trick to add a nick to your Google+ account leads to the dark side

I’ve been updating the Resilience Outcomes Google+ site. A friend asked me what the site URL is, but Google in its wisdom has not made this easy. The site reference is https://plus.google.com/103380459753062778553 !!! What a mouthful, and not really a set of numbers I want to dedicate my diminishing neurons to. A partial answer is http://gplus.to/ . Using this site you can get a nickname or vanity URL for your Google+ site.

So now I can give the URL http://gplus.to/resilienceoutcomes and you get to the Resilience Outcomes Google+ site!

My friend Karl H. is going to point out that this is not very resilient, because although Google has a reputation for fairly bulletproof infrastructure, I know nothing about gplus.to. Karl, you’re absolutely right – it demonstrates why thinking about resilience is so difficult… The Dark Side has cookies! Literally, in the case of gplus.to.

http://gplus.to/ is almost certainly more fragile than google.com or .google or whatever it will call itself next month. If http://gplus.to/ goes down then all the efforts of Google to support their systems are for naught in my case. As such, I am faced on a small scale with the choice faced by all who wish to become more resilient, and by mainstream security: do I increase accessibility to the site whilst reducing integrity and confidentiality, or not? In this case, the question is not an either/or, and rarely is it ever. The answer in my case may be that http://gplus.to/ is used when friends ask me verbally what the site is, but that I always write the full URL in posts.

🙂