Thinking it through

Three years ago I attended an Information Security Strategy session to debate what future steps we should be taking in the organisation where I work. We had put together 12 of the South African consultants that we most respected to discuss the issue, spent two days positioning ourselves and understanding the landscape and then we got down to the nitty-gritty of deciding actions.

Everybody couched their opinion cautiously: it’s not easy to identify which way a large ship should turn; but the same comments came out repeatedly: do an assessment against best practice, identify the weaknesses and build a plan of action. Compile an ISMS framework, get executive buy-in and support, review policy: nothing that we had not heard repeatedly. ISO 27001 was bandied about as the start point and the end goal. I then asked whether anyone had ever seen ISO 27001 effectively implemented in any large organisation. Nobody around the table had.

I asked the same question of a senior consultant from one of the big four consultancies this week, and got the same answer: as much as ISO 27001 is part of our lexicon, it is too big, expensive and daunting for organisations of any scale to have embraced and implemented. Very little has changed in three years.

I thought about this again when we recorded the 2011 preview Pubcast in January: I asked during the discussion what we were likely to see on the PCI DSS front this year, and got an interesting response: pushback. The opinion was that PCI DSS is perceived as so expensive for retailers to adopt that some organisations would resist, and may consider the fines to be just the cost of doing business.

And now we have the Protection of Personal Information Bill, threatening to provide one more set of requirements that organisations are obliged to fulfil, if it ever finds its way to being enacted! The conference halls are full of advice on how to address the issue, the consultants have compiled their frameworks of advice; and again I find myself wondering what the impact of yet another requirement is likely to be on the InfoSec industry.

I think we can all see some immediate effects:
• An industry has built up around ISO27000, another around PCI and we will see the same occur with privacy. Every product imaginable will come pre-configured with capabilities to address the requirements out of the box. Similarly, consultants will provide insights at a cost, perform assessments and make any number of recommendations that should be followed;
• Practitioners will highlight these requirements earnestly during the budget cycle, talk about fines and reputational damage and – if they are successful – identify programmes of work that will run every risk of over ambition;
• Government will address this at the pace that government does, may choose to make examples of some intransigents, but will provide a legal requirement with insufficient resources to police it and a judicial system poorly equipped to understand it.

Perhaps I should explain: I am not opposed to the creation of any best practice, guideline or legal framework. This is a difficult enough profession and we need whatever directives will assist. My problem is that I don’t know to what degree they will actually make organisations more secure. Because here’s the problem: these frameworks, while laudable and created with the best possible intentions, are out of step with almost every other aspect of business:
• While there is a growing focus on consumer privacy, the same consumers are consciously giving away their information. The underside of the freedom of social networks is that they lull users into sharing details without a clear sense of who is accessing this information, with the result that organisations invest effort and money protecting data which is often (at least partly) in the public domain already;
• These frameworks are expensive at a time when the world has not yet emerged from a recession, and business budgets are used either on cost containment or the early phases of business growth. The same practitioners that are obliged to deliver on these requirements are struggling to access funds to do so;
• Attacks are being levelled against organisations by increasingly well-funded and organised adversaries: there is an imbalance between the effectiveness of the attackers (who have only to find one weakness) and the defenders (who must defend everything). This has led to the view that organisations must adopt risk-based (and hence more narrowly defined) approaches to protecting their assets: they simply cannot afford the cost in money and effort to implement these all-encompassing models.

So where does this leave us? The models are as legitimate as they have always been. They are as valuable as they were intended to be and nobody is suggesting that they should be abandoned – but they should be seen in the context of what is appropriate in any organisation at a given time. Sometimes more value can be achieved by just fixing the obvious: I have seen organisations pursuing accreditations and building elegant risk management frameworks while not satisfactorily addressing their most basic security requirements.

There is a lot of talk about how Information Security should be aligned to the business; but business is about nuance and agility: the need to redirect resources quickly in order to satisfy customer requirements; the need to collaborate across strategy, inbound logistics, operations, delivery and finance, and these models don’t do that. At best they provide some assurance that things are being done more securely; at worst, pursuing overambitious implementations, they layer in cost.

Information Security is, firstly, about applying thought to the state of the company and the risk it faces, then addressing the obvious risks, and ensuring that the work is in line with business requirements. The frameworks help, and provide invaluable insights, but are no replacement for the hard work of thinking the problem through, taking measurements and making the hard choices that will best assist the business.

Published on February 13, 2011 at 1:43 pm

I don’t want to be #African

I had an argument with my father over 30 years ago in which we debated identity. My view was that I identified myself as a South African, and considered all other South Africans as part of my community. That view enraged my dad: the only society to which he wanted to belong was very white and very Calvinistic. We never reconciled our views: to his death he railed against the new order, even as South Africa was trying to live up to the “Rainbow Nation” label that we were given.

In the post-1994 years I had to come to terms with what my viewpoint meant: I had naively associated myself with a myriad of cultures that I didn’t understand – couldn’t understand from a white privileged upbringing through the 60’s and 70’s. And my faith that we could simply reconcile was not borne out by the reality: the beer-advert utopia of a shared community was just the marketing which glossed over the reality of a still-divided South Africa in which the only shared communities were those enforced upon us at schools, workplaces and movie houses.

I have visited Nigeria, Lesotho, Kenya, Egypt and Uganda. The sight of the continent from the air has always left me feeling deeply attached to this earth; the people I met always seemed to be the best part of the visits; but I could not pretend that we are of the same blood: a cultural chasm exists between myself and the people I have met to the north. I don’t share their history; I often don’t understand the subtleties of their motivations; and our shared aspirations for Africa are borne more out of economic necessity than a desire to commune.

So when Sentletse claims that we are not all Africans (http://www.thoughtleader.co.za/sentletsediakanyo/2010/12/28/we-are-not-all-africans-black-people-are/) I understand why he would choose to make the distinction. I also don’t particularly care: I have committed myself to being South African, to sharing and trying to best develop this little corner of the continent. I have driven through Lagos: it was not home. I walked through Nairobi: it was not home. When I stood next to Lake Victoria I was overawed – but it was not home.

If Sentletse wishes to retain the distinction of being African to himself he is welcome to do so. I, however, choose to identify myself as South African. And it has been troubling to see how divisive this issue is for South Africa: this argument over one word has flooded the local social network with anger and vitriol, which Sentletse has parried with bemused superiority: he got the response he wanted and has skilfully played a game which has dramatically elevated his persona. His skill has been in presenting a coherent intellectual argument: this is not the right-wing rambling of a Steve Hofmeyr but someone who has successfully challenged the intelligentsia on their own turf. The anger that has been displayed is simply because he cannot be easily dismissed. The only winner in this debate has been Sentletse himself.

But I would ask why he chose to discuss this issue now. He deliberately chose to be provocative and salt the same wounds that have existed since before we became a democracy. We all have the right to discuss anything we want – but he orchestrated a result which has undermined our collective efforts to move on, to create a nation, to compete successfully. With everything that we could write about – the need for education, for service delivery, for reconciliation – he chose this. It has placed him squarely in the public eye – and so I would assume he considers it to have been a success.

The great leaders, the men and women that have progressed this nation, the figures that history will remember as bringing us together achieved this by identifying and elevating the things we shared, and by allowing us to collectively aspire to be something greater than we are, not by scraping through the residue of old enmities. If being African means being divisive I don’t want it. I aspire to more.

Published on January 5, 2011 at 10:17 am

Shifting Gears

The nature of Information Security management is that it progresses incrementally, punctuated by occasional incidents. It involves operational micro-management, patches, updates, audit responses, penetration tests and monitoring metrics. Despite the popular perception, INFOSec is more about W. Edwards Deming than Harrison Ford.

Occasionally, though, things change. I attended an information security conference in Prague in 2000, at which the watchword was that a new reality had emerged: Information Security was progressively becoming criminalised. And although that didn’t immediately materialise, over the following years we progressively focused less on preventing defacement and more on safeguarding assets. It was the first time in my INFOSec career that I was aware that an inflection had occurred.

I had this sense again in 2008 when Conficker was shown to use professional software management disciplines, patching its own vulnerabilities and proving to be complex and difficult to eradicate. Malware development had become an organisational activity. Gears were shifting, and Graham and I discussed the issue in an episode of the IT Security Pubcast.

And in 2010 I saw gears shifting again twice.

Firstly, national INFOSec interests repeatedly attained centre stage: when China was accused of hacking Google; when China was again accused of diverting a large share of the internet’s routes for 18 minutes in April (widely reported, on contested figures, as 15% of its traffic); and finally when Iran’s nuclear facilities were hit by a bespoke piece of malware, Stuxnet. Of course political attacks are not new: we can go all the way back to Code Red in 2001 to open the conversation. But Stuxnet was not an amateur effort: it was specific, targeted and probably orchestrated by one or more national agencies. The way these things happen, it would be difficult to say whom: too many players stand to gain from the demise of the Iranian capability, but it is likely that western organisations had at least a token involvement. For a moment the curtain was drawn back and the public got a glimpse of what is likely a more regular occurrence than we suspect.

Secondly, from the release of the video of American military activity to the leaked diplomatic cables, everybody has spoken in depth about Wikileaks and I will not resurrect it again. What is important are the lessons it reinforced:

  • regardless of technology, people hold the capacity to leak data;
  • people will take to their keyboards to deliberately and maliciously demonstrate their support (or anger); and
  • there can be substantial collateral damage in the wake of a leak: note the attacks on Visa et al.

As a South African INFOSec practitioner this has left me musing, and I think that the following is important:

  • there are some new realities – but they reinforce the need to do the job. Layered defence, micro-management, continual measurement – all of these remain as vital as they always were and we cannot lower our guard;
  • but we need to apply additional focus in classifying, securing and monitoring our assets. The Privacy Bill is still a bill; PCI fines are in danger of becoming merely a cost of business, and unless you are a multinational there is very little drive to aggressively curtail data loss. The travesty is that, although this is difficult, there is so much that can be done, from comprehensive awareness campaigns to Data Leakage Prevention. We need to do more because these leaks will increase so long as there are agents provocateurs like Wikileaks (now common knowledge) and disgruntled employees;
  • and – as professionals – we need to seriously consider the state of our national INFOSec defences. I am aware of good work being done by individuals in their own capacities – but government seems stalled and woefully behind the game. South Africa’s inclusion in BRIC is a measure of how important this country is becoming in the second economic colonialisation of Africa: we can expect to become progressively embroiled in the diplomacy of conquest – and the target of intelligence gathering aimed at gaining diplomatic and economic advantage. We need to account for this on two fronts:
    • encouraging government to recognise the importance of this and address it responsibly; and
    • where we are entrusted with defending national assets as part of our professional lives, to do so with integrity and commitment: this is no longer just a job – the professionalism we bring to ensuring continuity of infrastructure, banking, health, food production and other vital services could materially affect all of our futures.

The gears have shifted and 2011 is a slightly more dangerous environment in which to secure information. Our actions will determine whether we rise to the occasion and steer securely through this new reality. As cyber attacks progressively shift into the realm of national interest, Information Security practitioners carry a greater responsibility than we ever have before: let each of us neither underestimate the potential impact of failure, nor our accountability to ensure success.

For the Dominic White interview on the Google attack, see http://www.discussit.co.za/index.php?option=com_content&task=view&id=186&Itemid=65

For a commentary on the China diversion of the internet traffic, see http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml

Wikipedia does a good breakdown of Code Red at http://en.wikipedia.org/wiki/Code_Red_(computer_worm)

I blogged previously about Wikileaks at http://olivieranthony.wordpress.com/2010/12/12/rules-of-the-game/

The Mail and Guardian have an insightful commentary on the South African inclusion in BRIC at http://www.mg.co.za/article/2010-12-29-sa-not-just-another-bric-in-the-wall

The message is inane

I came across Google Baraza yesterday: a site in which people can post questions for others to answer: http://www.google.com/baraza/en/

My first naive intuition was that this could be an interesting way to discern what people are thinking about, and so I spent a bit of time looking at both questions and answers. These included the following issues, so concerning that they drove people to pose questions to the world:

  • Why can’t a woman leave you peace fully [sic] when you break up?
  • Is it possible to genuinely fall in love with a lady without telling even a single lie?
  • Which one’s better: a surgeon or an actuary?
  • Why has music evolved to these crap auto tune and techno remixes?
  • Are human beings “farmed” for their DNA (or flesh slaves)?
  • Why do women like Mozambican men?

Even with the advanced search capabilities available on the net, there are still, occasionally, questions for which the answers are difficult to source. The net may place the wisdom of the ages at our fingertips, but not everything is easy to find: Baraza may offer a solution to the gap between what information is published and what is needed. But I was struck by the discord between the potential of Baraza and the inanity of the content.

Has somebody seriously been pondering why Mozambican men are like catnip to ladies? Is someone honestly fearful that their flesh is being coveted from across the cosmos? These questions don’t deserve comment: they have no substance outside of somebody’s whimsical internal dialogue.

We all choose what we buy into, and people have every right to verbalise their beliefs; but Baraza is highlighting the paucity of logic that people use. I have been pondering this: the rise of Web 2.0 technologies has shifted the power of expression into the hands of the individual; but, to misquote one of the sages of our time, it is impossible to shift both power and responsibility to the individual at the same time. As much as some people will use these technologies to express coherent viewpoints and try to influence the collective thought process, most will just dribble their inanities into the public forum.

The issue is not that people think mindless thoughts; the issue is that the expression of these thoughts using Web 2.0 technologies elevates this content by association. If the medium is the message, these messages pollute the collective consciousness that is the web dialogue.

The internet held the promise of an intellectual democracy, with the same ease of access for publishing and accessing information. Unfortunately, this has only highlighted the existing inequities in reasoning. The internet elevates equally, even when the message is inane.

For a worthwhile commentary on McLuhan’s message, see http://individual.utoronto.ca/markfederman/article_mediumisthemessage.htm

Published on December 24, 2010 at 7:51 am

Rules of the game

I have been pondering all week what one should say about Wikileaks. At various times I thought I had a viable viewpoint – only to have somebody else express it first, or to be overtaken by events.

It’s also hard to judge how significant it all was: at one point I thought I heard the rallying call: “this is the mother of all cyber wars!” But of course it wasn’t. Or if it was, cyber war amounts to some success against some sites, lots of rhetoric, amusing one liners and indifference outside of geekdom. The Twitter #wikileaks hashtag saw two messages a second at one stage – with vitriol heaped upon authority and numerous quotes about the importance of media freedom. It felt for a few hours as if the world was changing under our feet and the democratising spirit of the internet was in the ascendancy.

On reflection, though, I think that is a naive view. The objective truth is never simple and while this week’s events were significant the after-effects will manifest untidily for some time.

The activist view is that Wikileaks did not steal the information; that the press has an obligation and right to publish relevant facts. But this is a disingenuous view: Wikileaks exists as an agent provocateur and stands on shaky moral ground at best. It is a provocative manipulation of the spirit of internet openness. Besides: nobody wants to have their secrets exposed while their competitors remain hidden.

The authorities are on an equally questionable footing: blaming Julian Assange is helpful spin to turn attention away from the security weaknesses of the American administration. It was not Wikileaks that stole the information; it was the military that lost it. Julian Assange will garner no comfort from this: the administration has him in their sights and will not let him escape easily.

Nonetheless, the administration – and companies everywhere – will have taken note and security controls will progressively become more intolerant. Already the military has outlawed the use of external memory devices: security and consultancy budgets continue to profit while personal liberties will decline.

The ethos of the time, however, is that Wikileaks cannot be destroyed any more than file sharing could. Already new variants of the service are springing up while Wikileaks itself is splitting. But this is illusory: the pro-Wikileaks camp will fall into progressive disarray, driven by internal rivalries and parochial objectives. This is not a coherent group with a clearly defined mission and it will not lead to a new democratic openness.

Wikileaks harks back to the spirit of Anarchism which influenced the 19th Century. It springs from a dissatisfaction with the existing order and promotes an unclear approach to change it, and an even less clear end objective. While Anarchism succeeded in changing societies, it only led to the replacement of one set of despots with others. It was never a viable alternative to true democracy or a true voice for people’s aspirations. And so it is with Wikileaks: the minority of technophiles that revel in this week’s activities neither reflect the overwhelming aspirations of the mass of society, nor can they hope to influence the general populace into believing this is a legitimate struggle: for the time being, at least, Sarah Palin and Hillary Clinton will continue to hold sway, as Machiavellian as their motives may be.

The world did change under our feet – the freedoms promised by the Internet have never been in more danger because the existing order has suddenly recognised how dangerous they can be. Wikileaks will be assigned to an interesting historical footnote, while governments and companies will exert real will to curtail its power. And – for the time being at least – secrets will continue to leak from increasingly embattled individuals and organisations that will eventually be driven underground through law and coercion.

This is not the 60’s. Those great overt battles for democracy and self expression have played out and been relegated to the history books. Political mechanisms will adapt – and the powers that they let slip away for just a moment will be returned to the hands of those in control. The players haven’t changed – just the rules of the game.

Published on December 12, 2010 at 7:26 pm

Collecting my thoughts

A week ago I collapsed. One moment I was awake, then I felt overwhelmingly tired, then I woke up on the floor with a bloody face.

I know that this is probably something that happens to many people – that it’s probably a one-off and I just need to take better care of myself. But what stays with me is that I don’t remember the fall. There’s a period (seconds? minutes?) that disappeared. I don’t know how I fell – why my knee is so sore or my face bloodied. And more than anything it is that gap that leaves me troubled: in a life in which I have always considered myself to be independent and self sufficient it is frustrating to acknowledge that there was a period – however short – when I was so helpless that I can’t even recall the detail.

That silence has crept into me – I have found myself caught up in thought, barely communicating – and aside from retweeting interesting links I have been uncommunicative online. I have had to assimilate the sense that I am as fragile as anyone.

When I told my father that he had terminal cancer he took just a moment to pause, then shrugged and said that he had had a good innings. Later he went through all the phases until acceptance – but I never forgot how he took that first shock: with dignity and courage. And I thought that was me. And now something as trivial as an episodic event has me reflecting on my weaknesses and limitations, and causing me to withdraw into introspection.

And the final indignity: not having a coherent conclusion. I am reminded of Roger Waters’ lyrics:

The time is gone – the song is over

Thought I’d something more to say….

Published on December 6, 2010 at 8:04 pm

Today a friend tried to share something …

Today a friend tried to share something important, and I – caught up in my world – didn’t stop to listen. The point is that the friend was telling me something culturally significant for her: in this instance the first arrival of Indians in South Africa.

It was historically interesting for me, but after a couple of comments I moved on, and she became at first disappointed at my disinterest, then upset that this reflected my insensitivity to her culture.

At first I brushed it aside – until she said: you don’t know what it is like to be Indian in South Africa. And she’s right – I don’t. Any more than I know what it means to be black, Coloured, Chinese, Malay – or any of the other groups that make up this diverse country. I don’t know because I can’t know – my personal history has exposed me to one sliver of culture, jealously guarded for the first 30 years of my life. I don’t know because my formative learnings disrespected other cultures.

I have often said that non-racialism is not a state of mind, it is a journey. Each time that I become arrogant enough to believe that I have progressed sufficiently far on this journey I have pause for thought: my unconscious actions continue to cause both offence and pain. And I realise how easy it is to continue to assume cultural superiority, even unconsciously.

The irony, of course, is that so many of my personal heroes are outside of my cultural context: Mandela, Tutu, King – their names roll off my tongue, I refer to them as if I understand their journeys – and I find myself failing to emulate their humanity so easily.

This is a journey, then – but it continues to be uncharted with a long road ahead. And it is not one that I can travel alone.

Published on November 16, 2010 at 8:19 pm

Cyber bullying

In South Africa we have a pernicious politician running the ANC Youth League called Julius Malema. Through a combination of abusive rhetoric, populist and arrogant behaviour and blatant bullying he has succeeded in extending his influence far beyond his value.

Aside from threatening the President, he has insulted women, shown involvement in shady business deals and – in a recent high point – threatened to shut down Twitter because anonymous “Julius Malema” profiles appeared on the medium, used to ridicule him. As most bullies would do, he has threatened that the perpetrators will be found and prosecuted. Given that he runs the Youth League he has demonstrated an astonishing level of ignorance about both Twitter and social networking in general.

The South African Twitterati have responded by declaring today to be Julius Malema day, and mocking him en masse by posting comments on Twitter purporting to come from this hero.

http://www.news24.com/SciTech/News/Julius-Malema-Day-on-Twitter-20101112

All politicians expose themselves to criticism and should accept that they will receive it. And walking into a crowded room full of friends and threatening to make them shut up (which is analogous to his Twitter behaviour) only opens one up to ridicule.

But, naive as it may sound, I expected more from this Twitter community. Malema is a schoolyard bully. As irritating as that may be, it is what it is, and responding in the same way lowers the discourse, alienates him even further, and provides him with legitimate claims about cyber abuse against his person. It further keeps him in the public eye and plays to his constituency.

For each community that participates, the Twitter dialogue represents a collective conscience. We should have done better.

Published on November 12, 2010 at 9:06 am

Resurrection

I have a friend who has complained that I should either keep my blog current or remove the address from my email signature. As I do believe in the merits of the blogosphere I have committed to working on it again.

So – I’m back

Published on November 12, 2010 at 8:45 am

A DiscussIT retrospective

As we are starting a new year I thought it would be appropriate to reflect on where DiscussIT (http://www.discussit.co.za) is, and what we expect from 2010.

2009:

In January 2009 Graham (the black) Adler and I had released 2 episodes of the IT Security Pubcast under the ZATech banner: it was only in February that we started working with ITWeb, following which we opened After Dinner IT, Scamto, the short-lived PlanIT and Gadget, each podcast brand focusing on a niche topic.

In November and December 2008 we had 12 and 25 podcast downloads respectively. We have grown slowly but progressively: in December 2009 DiscussIT had 1510 downloads across the brands, with over 3200 downloads in the two months before year end: the most popular single episode ever was the Gadget Christmas episode.

Highlights of the year included the recordings done at the ITWeb Security Summit, the eDiligence Conference and ZAConn, each of which increased download numbers and grew listener awareness. Gadget went to the Rage Expo and recorded a live episode which highlighted both interesting technologies and people, while the NIA/Zuma Pubcast special episode

The biggest highlight, though, was the people we met and worked with: Helaine Leggat, Franco Rothner and crew, Matt Erasmus and Ralfe Poisson all joined as hosts, while Herman, Che, Justin and Cameron all provided back end support and guidance.

By the end of 2009 we had achieved the original objective and more.

2010:

Sadly, 2010 is likely to start with the loss of Graham Adler who has chosen to emigrate to the United States. As a founder member of both the Pubcast and DiscussIT, Graham has been foundational in helping make this all happen: he is both a partner and a close friend, and he will be missed.

The Pubcast, however, is a vibrant brand and it will continue to be produced by Matt, Ralfe, Helaine and I.

We also intend to add more brands to the stable: Legalise IT which will address the legislative challenges facing business in 2010. A social networking commentary is likely as well as other potential topics that are still under debate. Whatever the final outcome, we know that we will continue to search for the relevant issues that require debate and the right people to discuss them.

From all of us at DiscussIT we wish you a successful and productive 2010, and hope that you will keep listening and finding value in the material we provide.

- Tony

Published on January 2, 2010 at 8:40 pm