- About the risks that abound, in the world of technology when everything is connected and snooped upon, one way or another. Are you safe?

Follow by Email

Friday, October 3, 2014

5 Steps to Take in Security Incident Role Plays

Role plays are effective forms of learning. It is natural to all of us. When children gather they role play. However, as we become adults we mostly shy from role playing unless we see the motivation to do so.

Role play is effective because it involves all our senses to arrive at conclusions based on a scenario and some goals. It is way better than the archaic 'Sage-on-Stage' style of lecture.

But role play requires more preparation, time and patience. The facilitator must also be very knowledgeable in the domain knowledge to literally hit the ground running.

Information security is an ideal subject to be taught with role play. It is by itself dynamic and action oriented. Information security architecture, design and implementation of technical and non-technical controls, essentially pre-empts certain fraudulent or unauthorised actions from taking place. Given such dynamism, students of information security need to have the presence of mind to relate and react to incidents.

For facilitators, here are 5 Steps to Take in Security Incident Role Plays:

1. Create a scenario
  • If you have not encountered a real-life one, look them on the Internet.
  • Make modifications to the scenarios so that they protect the guilty and the victim in the incident.
  • Make modifications so that it is practicable for a classroom role play. For instance, if there is going to be roofs collapsing in the scenario, you have to think of ways to simulate it effectively.
  • Try to make the exercise visual. It is easier for your participants to react to.
2. Assign roles 
  • Put depth into your character. Give your roles the motivation and the penalties for failure.
  • Put boundaries to what they are allowed to do and otherwise. This is not to limit their creativity, but to pin them down to some realities in an incident. For instance, it is unlikely that they will have an unlimited  budget to solve the problem.
3. Break each role into groups for discussion 
  • Ensure that everyone in the group participates and there are no passengers.
  • Allow the participants to learn from their commonsense - effectively starting in the middle from an observation and building their findings upwards or downwards in the hierarchy of knowlege.
  • Sometimes, you may have to intervene to ensure that there is fair discussion, that no one is trying to impose their values on the other. Note that this is not necessarily taking sides of who is right or wrong.
4. Video the role play 
  • With today's very affordable access to technology, it costs next to nothing to record the performance.
  • It is fun and it compels the participants to take the exercise seriously. In odd cases, you may get groups of them giggling and laughing all the way through their performance.
5. Review of what is learnt
  • List down what is learned. 
  • Rationalise the list and compare it with what is established in the text book or industry practice. Are they different? Discuss why.
  • Note the gaps of what is still not realised or learned and plan them as learning goals in the next role play exercise.
I have listed the minimum to execute a role play. You can improve it further by carrying out the exercise outside the comforts of the classroom to somewhere as close to the real deal as possible; you can use props, real equipment and use audio-visual effects.   Most of which are very affordable these days.

Watch this space for the next article about "Learning Programme Development". 

There, you move to managing knowledge in the organisation, prioritising the areas of upgrade, planning internal skill mobility and leveraging the skills to grow the business.

Monday, September 1, 2014

Rethinking Security

Despite more and more being spent on securing information systems, the number of security breaches continues to increase dramatically.

In addition, it has become a laborious task to keep up with product vulnerabilities, tell system administrators to apply the security patches and then test that the patches are properly applied.

Eventually it will become very difficult to keep up with all the latest security fixes and inevitably some will be missed, causing security breaches or heightening the risks.

One of my clients in the Far East has 50,000 attempted attacks on its network a week - or more than 7,000 a day - and the numbers are increasing. The operator monitoring the logs can easily be dazzled by the sheer number. If the trend continues it is likely that some crucial alerts will be missed. The number of attempts is getting so high that the intrusion detection systems are falling over due to overload.

Clearly, more needs to be done. We need to rethink the entire way of protecting our systems and information from unauthorised access, tampering and other malicious acts.

Security needs to be approached with a comprehensive view of the problem. We need to extend the scope beyond computers, networks and other technologies to include human procedures, hiring processes, personnel reporting structures, legal implications, security awareness and physical security. Any failure in any of these is likely to mean security breaches, for security is only as good as its weakest link.

Too often network security dominates, because the network brings together the hardware, software and data. This implies that security is approached on the fly without top-down analysis and happens as an afterthought rather than getting designed in.

In addition, network managers are kept busy keeping up with requirements for more servers, better performance and longer trading hours. Over-stretched network managers often consider the security work done once they have installed the firewalls, intrusion detection systems and encryption processes.

Despite all the advance in operating systems technology, network and system administration is still a laborious task.

The security team is likely to be kept very busy. It is important to prepare them so they know they may have to work unsociable hours troubleshooting obscure bugs, data mining forensics, or poring over manuals. Often financial compensation will not be enough as the sole motivation. These people want training programmes and a working culture that allows them to experiment with their creative energies.

Besides attending to operational security problems, organisations must allocate time and resources to looking at new technologies that are likely to make an impact on the security implementation.

The skills and experience of the security team members must likewise be multifaceted to correspond to the scope of the problems they have to face.

Security solutions differ depending on issues ranging from an organisation's mode of business to the socio-political situation of particular countries. In some African countries for example the security designer cannot rely on communication lines for online authentication, because the cables often get stolen. However, it is probably fine to rely on human labour to painstakingly countercheck security parameters - something affordable in low-wage Africa and an added advantage not affordable in many developed countries. In heavily unionised Australia the practicality of using labour for such tedious work enters a different sphere.

Beyond the security team, the IT, audit, legal, marketing and human resource departments all need to be well informed of information security, because it forms the basis for a business to implement new products and services swiftly.

Security awareness needs to be inculcated regularly in the rank and file. The legal department needs to be made IT literate and to understand emerging cyberlaws and issues like the effectiveness of digital signatures. The audit department must check if its processes are still effective in combating cyberfraud or internal sabotage on computer networks.

The marketing department needs to be more IT savvy to choose business tools without compromising security. The IT department has to know how to evaluate software packages from the security perspective, developers must know how to follow secure coding standards, and data architects must prevent users from arbitrarily accessing data that they are not supposed to see. All this requires training and time that should be built into the human resource department's training or induction programmes.

So security should not be confined to specialist or elite groups in an organisation. Security practice must be pervasive throughout the organisation and everyone has to play a part for it to be effective.

Beyond the organisation, alliances have to extend to external organisations: once connected to the Internet, one's information systems cannot be perceived to be isolated. Other desktops and servers connected to the Internet could well end up advertently or inadvertently attacking your network. There are cases where I have detected servers from friendly companies attacking the servers I was protecting. We found their servers were infected by a worm that in turn was crawling all over cyberspace, in the process attempting to attack our servers. After discussion with their system managers, the friendly companies shut down their servers and had them rebuilt, saving us from having to defend ourselves from their persistent onslaught. So in general, close liaison amongst organisations keeps cyberspace a little more secure, benefiting all.

These activities will result in changes to an organisation, which must be supported by senior management and carefully managed. The security manager's major task is to get buy-in from the board and senior management on such organisational and cultural transformation. Some readers may be amused by this naive suggestion that the security manager is in the position to sell such a major transformation to senior management. I empathise: many security managers report to the head of IT - many layers away from the top management. Often, these managers live a frustrating life, having to answer to the very people they ought to be checking on. This is a result of the myth that considers information security as a technical problem, to be handled by the IT department.

To be effective, the security manager must be independent from system implementers and operators, and have a direct reporting line to the board or senior management. This will ensure a healthy check and balance in the system, with security weaknesses constantly checked and eliminated.

Senior management decisions here have to be based on the return on investment in keeping a high standard of information security. During economic downturns it is tempting for management to freeze or reduce security spending and concentrate on core business spending. This is dangerous, as it is during such times that security risks are at their highest, with staff morale at a low because of lay-offs.

The return on investment must consider the positive cultural transformation that results from a security overhaul. Source code inspected for security not only becomes more secure but also better quality and more stable. Incident response procedures and rehearsals not only make staff fix technical problems more competently but also develop a sense of urgency and attention to detail.

In the long term, security will have to be considered as a foundation for information system infrastructure. More and more business will be conducted over the Internet, and customers will demand ever more reliable and secure transactions. Inevitably, businesses will have to make security a top concern: ignoring or bypassing it will have perilous consequences.

Sunday, August 17, 2014


I have included this post and the preceding ten posts about CISSP for readers who are interested to find out more about the certification, or proceed with their own studies on information security. It is a structured and comprehensive scope about information security. I am not related to (ISC)2 and am not CISSP accredited myself.

In my 25 years of experience serving MNCs and small businesses alike around the world, I have met fantastic practitioners who are CISSP certified and those who are not CISSP certified. I have also presided over a harrowing experience of protecting an organisation from a live  cyberspace attack and bringing the situation back to business-as-usual. Believe me, during those stressful moments, the first thing that struck my mind was definitely not what certifications I hold, but how I could effectively quell the attack with minimum disruption to the business.

CISSP® - Certified Information Systems Security Professional - is a globally recognized certification in the field of information security, hosted by (ISC)2.

It has ten domains:
  • Access Control
  • Telecommunications and Network Security 
  • Information Security Governance and Risk Management
  • Software Development Security
  • Cryptography
  • Security Architecture and Design
  • Operations Security
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Investigations and Compliance
  • Physical (Environmental) Security

The CISSP® examination consists of 250 multiple choice questions with four (4) choices each,  within 6 hours.

Multiple choice question style of examination is efficient and highly scalable, and so can be extended worldwide to measure and certify information security professionals, 

However, in real life, I have not had a problem that is so explicitly stated that it comes with four possible answers, out of which one will be definitely correct and the other three definitely wrong. Real life  is a lot fuzzier and ambiguous, and often, we will not even know what the real problem is on the outset. Usually, we confront a 'situation', interprete it and construct a scenario based on the information that is obtained or presented before us. Sometimes, there are information that we have failed to uncover, and/or information that are deliberately kept away from us.

So is CISSP bad? No.
Is it super? No either.

CISSP: Access Control

Access control, in one form or another, is considered by most information systems security professionals to be the cornerstone of their security programs. The various features of physical, technical, and administrative access control mechanisms work together to construct the security architecture so important in the protection of an organization’s critical and sensitive information assets.

This domain includes:
  • Concepts/methodologies/techniques
  • Effectiveness
  • Attacks
Here are some videos which explains Access Control well:

[more coming up...]

CISSP: Telecommunications and Network Security

Telecommunications is the electrical transmission of data between systems, whether it is analog, digital, or wireless communication. The data can be converted (digital to analog), compressed, encrypted, and multiplexed many times taking on different forms such a datagram(UDP is one style), packet (IP), cell (ATM), and so on. When it all works together the result is awesome.

As data travels around a network (telecomm or otherwise) it must adhere to a set of rules to be transferred correctly and semi-efficiently.

The most common and largest set of rules is known as the Internet. The Internet is based upon the TCP/IP protocol, which adheres to the world standard ISO layer model.

This domain includes:
  • Network architecture and design
  • Communication channels
  • Network components
  • Network attacks
Here are some videos which explains Telecommunications and Network Security  well:


False Positive

Symmetric and Asymmetric Encryption


Wireless Packet Analysis


Types of Firewalls


Intrusion Detection System