(Blog first appeared on nexor.com)

Automated security tools can be a very effective security tool, but there are pitfalls for the unwary. I will use a couple of well-known maths puzzles to illustrate why these pitfalls exist.

1 = 2

Most 16 year old maths students will be able to provide a convincing proof that 1 equals 2. The following variant courtesy of Wikipedia:

Before reading on, if you are home schooling due to Covid restrictions, see if your maths student can spot the “error” in the above. Each step, on its own, is mathematically correct.

You can only spot the “error” when you look at the bigger picture (or operational context): the transition from line 4 to 5 is a division by zero error, because by definition a = b, so a – b = 0.

1 + 2 + 3 + 4 … = -1/12

Things are not always that simple. It probably takes an undergraduate studying a mathematics course covering number theory to figure out what goes “wrong” here…

In other words, a proof that:

(See Wikipedia for an explanation). The issue comes between the two steps:

It is similar to the divide-by-zero “error”, but this time based on doing the scalar calculation on infinity. Four times infinity is still infinity, not something four times bigger.

As with the 1 = 2 case, to spot the problem, you need to look beyond the line by line maths and understand the bigger picture – the operational context.

Automated Tooling = Security?

To support gaining accreditation to cyber security standards like Cyber Essentials, many suppliers are bringing automated tools to market. In many cases they are really good tools.

These tools provide the equivalent of one, or multiple, lines of the above “proofs”.

As shown mathematically, this can lead to a false result – or a false sense of security. It is only when the results and operational context are analysed by a security professional can the true meaning of the tools results be understood and the company’s true security posture assessed.

So is this mathematic proof that “Automated Security Tools do not Provide Security?”

No, but it illustrates the point: to be secure you need to think about the whole system and how elements interact – a tool cannot do that for you.

ISO 27001 = Security?

ISO 27001 is an international standard that “provides best practice recommendations on information security management, risks and controls within the context of an overall information security management system (ISMS)”.

Some businesses choose to implement ISO 27001 as it is a market expectation in their chosen markets, while others choose to do so to improve the security posture of their business. The former may choose to use ISO 27001 as a checklist (Annex A) of things to show an auditor they have done everything – the challenge is this risks missing the bigger picture – the divide by zero assumption that means all the steps do not join up to a secure organisation.

So is this mathematic proof ISO 27001 that does not mean security?

No, but it illustrates the point: to be secure you need to think about the whole system and how it interacts; blindly following a line by line checklist will miss key evidence. There are plenty of ISO 27001 success stories, but these are obtained following a process of business improvement, not tick box compliance.

Avoiding errors with automated tools

My intention is not to discredit all automated security tools, but to encourage businesses to see them as part of a larger picture. The same big picture view also applies to an ISO 27001 checklist.

Automated tools and accreditations like ISO 27001 can be valuable additions to an organisation’s security setup, but they must be viewed in the context of the whole operational system. Seeing an automated tool as a complete solution in itself is likely to lead to the sort of errors that can make a maths student conclude that 1=2.

Reblog. Original (Nexor.com)

High Assurance products are needed where information or networks need to be protected from high end threat actors, and you need a high level of confidence that the solution will mitigate the risk.

Continue reading High Assurance Cyber Security →

Reblog. Original (Nexor.com)

For the last few years, the cyber security commentary has been if you focus on the basics, and do the basics well, you will prevent 90% plus of cyber security attacks. To many this has been interpreted as doing the “Cyber Essentials”.

Then the SolarWinds / Sunburst attack occurred. Doing Cyber Essentials will not have prevented this. This was one of the 10% attacks. So, is Cyber Essentials dead?

Continue reading A Day in the Life of a CISO →

Reblog. Original (Nexor.com)

A CISO – Chief Information Security Officer – at an SME is responsible for security operations, securing the business, its technology, and its initiatives, and leading the business’s information security strategy. A CISO must liaise with different areas of the business including IT, HR, and C-level executives to ensure that their objectives are achieved.

There is no such thing as a typical day in the life of a CISO, but some activities are more common than others. The following breakdown gives you an idea of what to expect from a CISO, though each day will look very different.

Continue reading A Day in the Life of a CISO →

Cyber Security Marketing – Please read your own messages?

I just received a marketing email entitled “Your Complete Guide to Phishing”.

Interesting.

All I had to do to get the guide was…

1. Click on a link (from the unknown source)
2. Provide my name and email address

Oh the Irony.   “Learn how not to click links and provide details, by clicking this link and giving us your details.”

If we are to protect people from mass phishing attacks, our industries marketing needs to do better.

When looking at commercial or consumer products how often do you seen the phrase “military grade security”, very often as the only nod to the security of the product?

The phase tells me two things.

1. You do not understand security;
2. You do not understand military grade security.

So I won’t buy your product.

Why?

By saying “military grade security” you probably mean you have implemented an algorithm such as AES.   This is not knocking AES, it’s a great algorithm, designed to protect routine confidential information.   Yes, it may be used by the military to protect routine stuff, but it is not used for anything they consider particularly sensitive – in today’s climate they will, also certainly be using high-grade, quantum safe algorithms.

Algorithms such as AES are perfectly suitable for commercial grade products – but I don’t care.   Rarely do security attackers break the encryption.   They break the passwords or keys used by the encryption – it’s much easier to do!  Alternatively they find a weakness in the software to gain access to the unencrypted data.

So please don’t tell me you use military grade encryption.   Instead, please tell me how you protect the keys used, and the quality controls mechanisms you use to verify the software.