Business continuity: things to consider

Let’s continue with business continuity. Today I would like to review some points to be taken into account during the implementation of a Business Continuity Plan, which I consider essential to achieve a successful outcome:

1. The scope.

2. Senior management support

3. Investment

4. Setting the objective recovery times.

And with this extremely short introduction, let’s go into the matter.

1. The scope

The first aspect that we must take into account is the scope of our Business Continuity Plan (BCP), in two different areas. On the one hand, in an horizontal sense, it is necessary to clearly define which services, activities or processes are going to be included in the BCP, if we also intend to certify the management system in ISO 22301 standard. Although from a BCP’s usefulness point of view the most logical thing is to include the entire organization, especially in small companies where the infrastructure is shared for all the organization, it is also possible to choose a reduced scope that covers relatively independent elements (a local branch or the company’s headquarters, for example), or simply include those processes that are known beforehand to be the most critical for the organization’s continuity, such as production or logistics in a more industrial company, or the web portal in a purely e-commerce company.

[Read more…]

Cloud meets business continuity

Following the introductory cloud post a few days ago, and to avoid losing momentum, we are going to keep talking about the cloud, in an area where it seems particularly useful: business continuity. Along with other measures, it is clear that the existence of globally distributed datacenters (did someone say GDPR?), flexible system scaling and almost instantaneous deployment make a cloud infrastructure (on equal terms) more resilient to outages than an on-premise infrastructure. Of course, availability is not the only factor to consider, but we’ll talk about that another day.

However, to speak of the benefits of the cloud, the providers do themselves a pretty good job. What I want to talk about is some of the issues that must be considered before migrating an infrastructure to the cloud (although some of these points are also applicable to PaaS and SaaS). That is: the problems.

[Read more…]

The fight for privacy

The post, next week.

Own text. Original comic strip by RaphComic. Modified with permission.

CISSP certificate – II. Personal experience

In yesterday’s post we saw some general aspects of CISSP certification, which can be expanded consulting the official website of (ISC)2. In this post I will go into detail on the non-formal aspects, such as materials, advice and personal opinions. Let’s get started.

Is the exam difficult?

If you search on Google, the main user communities related to (ISC)2 are found on reddit and in the (ISC)2 forums. In both there are multiple entries relating opinions, experience with the exam, asking and giving advice, reviewing study materials and other topics. However, my impression is that the tone tends to be negative and somewhat frightening, terrifying even at times. Many people who have taken the exam describe it as very difficult and obscure with tricky wording. In addition, there are no “example” questions on the Internet, and the people who produce the training material (including the official question book) or teach the training courses (bootcamps) are never the same people who write the exam questions. Therefore, a critical element to manage during exam preparation is uncertainty.

[Read more…]

CISSP certificate – I

A few years ago (2011), our colleague José Luis Villalón told us about the (ISC)2 CISSP certification. As things have changed somewhat since then, and taking advantage of the fact that I recently passed the exam, we are going to take a look at this certification, the changes it has undergone and (in the next post) some advice that has personally helped me to pass the exam.

Introduction

The CISSP (Certified Information Systems Security Professional) certification of (ISC)2 is currently one of the main (basic to me, although that depends on your experience and background) certifications in the field of information security, although it is more widespread in the USA than in other countries, if we take a look at the number of certificates per country. While on 31 December 2018 the US had around 84500 certificates, between Germany (2100), France (1000), Italy (400) and Spain (650) barely reach to 4000 certifications. This is probably due to the fact that many Human Resources departments in the US consider CISSP to be a basic prerequisite in the field of cybersecurity, in addition to the significant greater acceptance that (ISC)2 certificates have in the US market.

[Read more…]

Publication of the NIS Implementation Regulation (for digital service providers)

(This entry has been prepared in collaboration with Ana Marzo, from Equipo Marzo, which provided a good part of the information).

Just a couple of weeks ago Ana March, from Equipo Marzo, an attorney for whom I have great professional respect, contacted me to tell me about the publication, not expected (at least by me), of a new regulation of the Commission related to the NIS Directive, which I have called in a display of originality NIS implementation regulation.

In fact, on 30 January, the Implementing Regulation (EU) 2018/151 of the Commission from 30 January 2018 was published, laying down rules for the application of the Directive (EU) 2016/1148 of the European Parliament and of the Council with regard to the specification of the elements to be taken into account by digital service providers in order to manage the existing risks for the security of networks and information systems, as well as the parameters for determining whether an incident has a significant impact..

At least it caught me by surprise (and I am sure that some of our readers will see the same thing), since I expected a transposition of the directive, not a regulation emanating directly from the Commission (which does not mean, of course, that we will not enjoy our own NIS-compliant legislation, as the legislator must be kept busy…). Given that, although in different areas, we had both coincided at the same client that fitted into the concept of digital services provider and could therefore be affected, we asked ourselves about the applicability of the regulation to this specific client. For example, is an online newspaper affected? And an online sales website? An online bingo? And the purchase-sale between individuals? Deriving the answer to these questions is the subject of this entry.
[Read more…]

The NSA needs your updates

(Please note this is a translated post from the Spanish version… and that 28th December is in Spain equivalent to April Fools’ Day, so this news was just a joke)

Although this finding has little more than 12 hours (it appeared yesterday in some Chinese media), it has not taken too long to spread through the US specialized media. Among others, ArsTechnica, Bruce Schenier, Wired or Dan Kaminsky have brief reviews commenting the recent findings made by Lian Li and Huan Chen, Chinese researchers from Peking University.

Apparently, all began at the end of 2013, while Li and Chen were performing forensic analysis on three compromised computers. Analyzing different Adobe update packages stored in the computers (suspected to be a vector for infection), they detected that all of them had a similar structure: the update package and an encrypted data block C1 that could vary from 65536 bytes to several MBs.

[Read more…]

NSA, digital walls and a few good men.

It has long been known that the NSA and some similar organizations have suirvellance systems deployed to ensure the safety and protection of us all from evil. However, the NSA always preferred to keep secret to avoid being forced to reject the Nobel Peace Prize. However, after the case of Snowden, Manning, Assange and other rebels, it is clear that the situation has become has become unsustainable.

Luckily, the certainty that the NSA listens to our conversations, reads our emails, spies our activity on social networks and basically knows everything we do has not generated any notable movement at the political or social level, because they do it for our own good (now that I write down it, I clearly remember hearing that in more than one time in my childhood). It would not be desirable that the lust of justice and freedom of a few (literally) we are doomed to hell and existential chaos.

Probably in short they will awarded with the Nobel Peace Prize.

A few good men. (Vía wikiquote).

Kaffee: Colonel Jessup, did you order the Code Red?!
Judge: You don’t have to answer that question!
Jessup: I’ll answer the question. You want answers?
Kaffee: I think I’m entitled!
Jessup: You want answers?!
Kaffee: I want the truth!
Jessup: You can’t handle the truth! Son, we live in a world that has walls, and those walls have to be guarded by men with guns. Who’s gonna do it? You? You, Lieutenant Weinberg? I have a greater responsibility than you can possibly fathom. You weep for Santiago and you curse the Marines. You have that luxury. You have the luxury of not knowing what I know, that Santiago’s death, while tragic, probably saved lives. And my existence, while grotesque and incomprehensible to you, saves lives! You don’t want the truth, because deep down in places you don’t talk about at parties, you want me on that wall. You need me on that wall. We use words like “honor”, “code”, “loyalty”. We use these words as the backbone of a life spent defending something. You use them as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom that I provide, and then questions the manner in which I provide it! I would rather you just said “thank you”, and went on your way. Otherwise, I suggest you pick up a weapon, and stand a post. Either way, I don’t give a damn what you think you are entitled to!
Kaffee: Did you order the Code Red?
Jessup: I did the job that—-
Kaffee: Did you order the Code Red?!!
Jessup: YOU’RE GODDAMN RIGHT I DID!!

Forget privacy

(Opinion article published by Manuel Benet in Valencia’s local newspaper on 2nd July 2013)

The documents leaked by Edward Snowden to The Guardian on a sophisticated global intelligence are, in essence, nothing new. For years has been known that the U.S. and some partners share the ECHELON spy network, involved in the past in several trade scandals. However, we should not underestimated Snowden contribution. While so far the details of the spy system of the National Security Agency (NSA, for short) were based on experts research, we know now not only that this program (PRISM) is larger, intelligent and more ambitious than anything we thought in the past, but that many countries have their own surveillance systems.

Perhaps due to films or literature we have always been accustomed to the fact that espionage is made between States, with objectives and specific actors under certain rules. However, it has now taken a step forward, with the monitoring and recording of any information that could be virtually recorded of millions of individuals around the planet: a system without control or limit that breaks with total impunity and the cooperation of the Internet corporations any idea of freedom, privacy and justice we might have. States have come to spy on its citizens in a move more typical of dictatorships than democracies.

However, despite the seriousness of the matter, no one seems very concerned; do not expect a massive desertion from social network and if we look at the press, Snowden is famous for not having disclosed a large number of documents classified about a global and massive surveillance program, but by the geopolitical tensions that his flight and persecution have created between the U.S. and China and Russia mostly.

Says one of the quotes attributed to Benjamin Franklin that those willing to sacrifice some of their essential liberty for some security deserve neither one nor the other. This seems to be our case. It’s been a long time ago since —despite the great efforts (maybe not always so great, ok) of the data protection agencies both national and transnational— we decided that our privacy had not, at last and after all, the importance they wanted us to think. Made that decision, the transition of our information to a digital world controlled by multinational corporations outside national and European requirements posed no trauma at all.

At first glance there is a big difference between your messages being scrutinized by a nest of spies like the NSA, an opaque entity key in the American intelligence, and knowing that Google scans your emails to position relevant ads. However, there is no such difference: (almost) no one cares about we being spied upon; that is a simple inconvenience that we have taken as inherent of the digital age and something makes me think that we do not even needed the Damocles Sword of terrorism. The saying that goes that if you have nothing to hide, you have nothing to fear, has been assumed almost by obligation with few complains.

We can draw one last thought. Edward Snowden was not 007; he had no license to kill and it was not (that we know) a double agent. It was ‘only’ a system administrator working for a NSA provider, one of the world’s safest organizations. From there he had access to a huge volume of classified documents that James Bond would not even have heard of. In light of this, do we really know who access our information?

The 10 usual errors of an SME in Information Security

There is no doubt that in the last years we have made great progress in Information Security. Gradually, business begin to perceive the idea that security is an area that requires special attention, beyond what many consider “the IT crowd”. However, if it is not good to fall into the doom and gloom, we should not be too lenient: there’s still a long way to go and progress does not always occur at the speed at which, fortunately for criminals, would be advisable or desirable. Every day we see security breaches in organizations with a strong investment in technological infrastructure and security controls, which should give us an idea of ​​the imbalance of forces.

In this line, there are still many errors and beliefs that we can identify as the ten usual errors of SMEs (Small and Medium Enterprises) in Information Security and that mark the way to go these next years.

1. To think that their information or systems do not interest anyone. This is, without a doubt, the main obstacle to the improvement of the information security in an organization: “who may want to attack us?“. There are several powerful arguments against this. First, any equipment is useful for “botnets” or networks of zombie PCs controlled remotely, either a corporate PC or a teenager laptop; if it can be controlled remotely then it can be used with to report spam or attack systems. Secondly, perhaps no one is really interested in those systems, but a worm doing a massive scan could detect by chance a vulnerable system. Finally, many organizations underestimate the value of their information, both for foreign and internal competition: accounting balances, rates of prices, margins, processes of production, innovations, etc.

2. To believe that security is just technical and therefore responsibility of the IT Dept.. To limit the security to its technical side, obviously necessary, leads to neglect controls such as the legal and organizational ones. To manage security incidents and events, perform education on security issues, define responsibilities or address legal requirements are vital aspects to prevent threats such as phishing or social engineering.

3. An antivirus and a firewall are just enough. This is primarily the progress that we talked about in the first paragraph. Few organizations do not have currently an antivirus or a firewall. However, this leads to a false sense of security that makes them to forget that there are many threats, both technical and non-technical, that require more specific measures.

4. To think that security is a product and not a process. This error comes from past times when security was just one thing more of the many tasks within the IT dept. staff. However, things have changed significantly and security has acquired a status of its own. Anyone working in an HR department, production, logistics or accounting performs a daily maintenance, either updating their knowledge, keeping the industrial systems running, implementing new processes or adapting its operation to new legal requirements. The departments adapt to changes constantly. However, security is still considered an area that does not require any maintenance. Nothing is further from reality.

5. Confidentiality is just something of spies and large corporations.. It is true that large corporations and spies sign confidentiality (non-disclosure) agreements. But although many companies still think of them in terms of science fiction, that does not make them unnecessary in the field of the small and medium companies. Suppliers, customers, employees, stakeholders and any natural or legal person with access to the company information must sign confidentiality agreements whose purpose is to protect the information of the organization. Very few times such a small effort brings such huge profits.

6. To forget the security in corporate contracts. Today a simple order form is still in many cases the procedure to contract services. No formal service contract, no confidentiality clauses, no legal requirements nor information about the security measures the provider must apply on the information we provide. Ultimately, security, in all its areas, is still absent in the contracts that many SMEs sign with suppliers and/or customers.

7. Privacy, the great unknown. Although privacy has been a critical issue for the last decade and there are legal requirements in many countries, many companies still ignore their duties in this area and some of those who know choose not to carry out any action. Whether to avoid economic sanctions or “just” social responsibility to the people who gives us their personal data, any company should take the necessary measures to ensure the security of the personal data of their customers, employees, suppliers … (please note this point was adapted from the Spanish Personal Data Protection Act to a more general view).

8. Just to look outside threats. Without the desire to criminalize and despite the mass media news , it is well known in the field of security that most of the security problems come from within the organizations. In some cases, malicious users. But in many other cases it is sheer ignorance: an employee who uses an infected USB, opens an attachment or clicks on a link in an email or simply throws confidential information to the recycle bin. It is essential to adopt a permanent strategy of awareness in information security, including managerial staff that handles sensitive information, to prevent and mitigate risky behaviors for both the organization and the employee.

9. To provide Internet services regardless of their safety. A service offered to the Internet is accessible virtually by billions of people, some of which will have not certainly good intentions. Without losing sight of the necessary legal requirements (in many cases very easy to fulfill) that we have seen, the story repeats again and again: services that contain web forms vulnerable to attacks that existed a decade ago, webservers misconfigured or directly not configured, etc.

10. To forget systems and network management. Last but not least, many companies still neglect the required security maintenance of their servers and networks, leading to vulnerable network devices, WiFi access points that allow a person on the street to access the corporate network, internal databases accessible from the Internet, or servers not updated in years. Without mentioning that this leads to the most absolute ignorance about what happens in the infrastructure of the organization, where an intruder can do whatever he wants. The rest is left to the imagination.

This decalogue of errors, more common than one would think, could certainly be completed with many other specific problems that SMEs commit daily. However, if in a few years we could cross off at least half of these errors, we would have made great strides in securing our companies.