Security Management: Newsletter - Jun 2023
Security Management
Protection, guarding, defence and management of assets from the realm of threats such as natural, human and operations
Of the 229 posts published to the Security Management showcase page during June 2023, which generated 124,083 views, 30,692 clicks, 1,042 likes and 402 reposts, here are the top 12, based on volume.
- Tony Ridley
Any risk, safety and security discussion contains a complex, conflicting, overlapping and inconsistent web of definitions, ideology, beliefs, practices, concepts, meaning and context. That is, safety, security and risk may be used to mean the same thing, different things, related things or contain variable scales of public, individual, national and community.
For example, public safety is not the same as personal safety. National security is not the same as corporate security, private security or commercial security, but they all have complex, cumulative and routinely conflicting influence on each other. As a result, 'risk' may vary, change or be interpreted differently by both author and reader, let alone those affected or the subject of safety, security and risk discourse.
It is therefore important to confirm and clarify precisely what we mean when discussing, representing, evaluating or championing risk, safety and security, especially across time, space, groups and public/private contexts.
"The Operational Requirements (OR) process helps organisations make smarter investments in protective security measures, enabling them to implement measures which are in proportion to the risks they face. By following the process, security managers and practitioners are able to assess, develop and justify the actions their organisation needs to take, and the investments they need to make to protect against security threats."
#Risk is personal, specific and varies considerably according to hazard, environment and societal factors. As a result, #resilience is even more dispersed and contingent on individual and community readiness or exposure.
"...the context in which the process of personalising risk is situated by three intersecting dimensions. The vertical axis depicts the hazard context. The horizontal axis includes examples of environmental (built, household and social) characteristics and household circumstances. To personalise their risk, people need to identify how hazard and environmental factors (horizontal and vertical axes) interact to define their household and neighbourhood risk. The oblique axis describes examples of personal, social and societal factors, derived from readiness theories, that influence how people interpret hazard and environmental data (items on the vertical and horizontal axes) to personalise their risk. A need to include interpretive process derives from the fact that the product of hazard and environmental interaction is highly variable"
- Paton, D., Kerstholt, J. & Skinner, I. (2017). Hazard Readiness and Resilience, in Paton D. & Johnston, D. (eds) Disaster Resilience: An Integrated Approach, 2nd ed, Charles Thomas Publisher, p.119
"Cyber attackers target people. They exploit people. Ultimately, they are people. That's why people—not technology—are the most critical variable in today's cyber threats. This year, the 2023 Human Factor report takes an even closer look at new developments in the threat landscape, focusing on the combination of technology and psychology that makes the modern attack chain so dangerous. Here are just a few highlights from this year's report:
Resilient to what, when and how? This question should remain the prevailing operational resilience check and challenge for all organisations, departments and systems. If not, enterprise risk and resilience pursuits will remain forever elusive or largely unsubstantiated.
"Because of the pervasive nature of operational risk, a comprehensive operational risk management strategy is needed to ensure proper consideration of risk and the effects on operational resilience. The strategy provides a common foundation for the performance of operational risk management activities (which are typically dispersed throughout the organization) and for the collection, coordination, and elevation of operational risk to the organization’s enterprise risk management process. "
- Caralli, R., Allen, J. & White, D. (2011) CERT Resilience Management Model: A maturity model for managing operational resilience, Addison-Wesley, p.720
Risk consideration and preparation therefore remain an essential and foundational element of any and all resilience pursuits. This includes threat intelligence, risk awareness and risk identification, along with staged and collective evaluation. Skip these steps, and you are kidding yourself if you think either risk mitigation or resilience is achievable, let alone sustainable. Moreover, 'controls' applied without these programmatic considerations result in auditing and reporting theatre. Unawareness is fragility. Hubris is operational brittleness. Human, complex, networked and non-linear threats don't care, and will overwhelm such veneers repeatedly. How, when and where do 'risk' and 'resilience' interact, complement and converge in your strategy, organisation and plan?
"This document outlines cloud network security zone models and architectures and provides technical guidance on implementing cloud network security zones. The guidance in this document is intended for information technology (IT) solutions within the Government of Canada (GC) operating at UNCLASSIFIED, PROTECTED A, and PROTECTED B levels (i.e. low sensitivity or partial sensitivity). Systems operating in PROTECTED C or classified domains (i.e. highly sensitive) require additional design considerations that are not within the scope of this document. For non-government organizations, the guidance in this document is intended for IT solutions operating with low or partially sensitive information. Your systems operating at higher levels of data classification require additional design considerations and are outside of the scope of this document. You can email or phone our Contact Centre for guidance on cryptographic solutions for PROTECTED C or classified domains.
Your organization is responsible for determining the security objectives that you require to protect information and services. Following only the guidance in this document does not adequately secure an IT environment.
This document is written for IT practitioners who are familiar with the principles, standards, and terminology of network engineering."
In sum, defence-in-depth is far easier to express than to maintain or assure. That is, stated layers of protection and assurances of impenetrability are routinely undermined, circumvented or exploited because of greater pressure or desire to accommodate users and previously approved actors into physical and virtual environments. Practices such as Single Sign-On (SSO) illustrate the trade-off: once an actor has been authenticated at the perimeter, inner systems are frequently configured to accept that single decision rather than to check again at their own layer.
Failure to check and challenge at all layers, frequently and across both virtual and physical domains, creates invisible holes that adroit actors quickly identify and exploit, often without detection or declaration. The result is more zero-day threats and vulnerabilities than imagined or documented, further distorting security risk management forecasts and the accuracy of risk or control estimates. What do your defence-in-depth layers and construct look like to an adversary?
Is it truly an impenetrable barrier with interlocking arcs of coverage, with surveillance and authentication at each and every stage, or more akin to the failed Maginot Line, which aggressors simply bypassed or breached by alternate means that planners and engineers had not considered?
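The "check and challenge at all layers" point can be made concrete with a small piece of working code. The following Python is an added example, not code from this newsletter or from any of the organisations it cites. It assumes a hypothetical HMAC-signed SSO token format, hypothetical service names (wiki, payroll), a constructed shared key and a constructed step-up policy; its purpose is to contrast an inner service that trusts whatever the gateway forwards with one that re-verifies signature, audience, expiry and authentication freshness at its own layer.

```python
"""Layered authorisation check for an SSO-style bearer token.

Added illustration, not part of the original newsletter. Token format,
service names, key and policy are hypothetical and constructed for the demo.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo key. In practice use per-service keys or asymmetric signing
# so a token accepted by one service cannot be minted by another.
SECRET = b"demo-only-shared-key"

# Actions that should require a fresh authentication, not just a valid session.
SENSITIVE_ACTIONS = {"change-bank-details", "export-all"}


def b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used in JWT-style tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    """Inverse of b64(); restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, aud: str, now: int, auth_time: int, ttl: int = 600) -> str:
    """Gateway side: issue a signed token bound to one audience (service)."""
    claims = {"sub": sub, "aud": aud, "iat": now, "exp": now + ttl, "auth_time": auth_time}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def naive_service(token: str, action: str, service: str, now: int) -> str:
    """Inner service that trusts the perimeter: decodes claims and checks nothing.

    Any token the gateway forwards, for any audience, at any age, is accepted.
    """
    body, _sig = token.split(".")
    claims = json.loads(unb64(body))
    return f"allow:{service}:{action}:{claims['sub']}"


def checking_service(token: str, action: str, service: str, now: int,
                     step_up_window: int = 300) -> str:
    """Inner service that re-checks at its own layer before acting."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return "deny:malformed"
    expected = b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):       # layer 1: integrity
        return "deny:bad-signature"
    claims = json.loads(unb64(body))
    if claims.get("aud") != service:                 # layer 2: token is for *this* service
        return "deny:wrong-audience"
    if now >= claims.get("exp", 0):                  # layer 3: still valid
        return "deny:expired"
    if action in SENSITIVE_ACTIONS and now - claims.get("auth_time", 0) > step_up_window:
        return "deny:step-up-required"               # layer 4: fresh authentication for sensitive acts
    return f"allow:{service}:{action}:{claims['sub']}"


def demo() -> dict:
    """Run the same wiki-scoped token against both styles of inner service."""
    now = 1_700_000_000
    # Alice authenticated an hour ago and was issued a token for the wiki only.
    wiki_token = issue_token("alice", "wiki", now, auth_time=now - 3600)
    return {
        "naive_payroll": naive_service(wiki_token, "change-bank-details", "payroll", now),
        "checking_payroll": checking_service(wiki_token, "change-bank-details", "payroll", now),
        "checking_wiki_read": checking_service(wiki_token, "read", "wiki", now),
        "checking_wiki_export": checking_service(wiki_token, "export-all", "wiki", now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

Each check in `checking_service` is a layer that the naive service has delegated to the perimeter. The naive payroll service happily lets a wiki token change bank details; the checking one refuses on audience alone, and even a correctly scoped token is refused for an export when the last authentication is older than the step-up window. Nothing here is exotic; the gap the text describes is simply that these checks are often left out of inner services on the assumption that the gateway already "did security".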
"The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using their risk management framework, to protect their systems and data from cyber threats. The ISM is intended for Chief Information Security Officers, Chief Information Officers, cyber security professionals and information technology managers"
Matters of 'security' are not all created or conceived equal, nor are the advanced academic programs that inform security within communities, companies or government. In other words, 'security' remains a catch-all phrase meaning many things to many audiences, practitioners and organisations.
This lack of clarity, or confusion, is often transferred to courses, accreditation and advanced academic programs.
That is, the uninformed and professionals alike make the flawed assumption that all security courses teach and demand the same knowledge and verification. Untrue.
To demonstrate the distinction, lining up 8 contemporary security courses at Masters level reveals considerable differences, especially across science, arts, military and business domains.
"The aim of this report is to provide an overview of the current ICT / operational technology (ICT/OT) supply chain cybersecurity practices followed by the operators in the EU as well as to identify good practices on ICT/OT supply chain cybersecurity. The report focuses primarily on the relationship of essential and important entities with different kinds of direct suppliers and service providers, e.g. manufacturers, distributors, integrators, MSPs, managed security service providers (MSSPs) or cloud computing service providers. It thus identifies good practices for essential and important entities, and for different types of suppliers and providers."
Major risk, safety, security and resilience claims, decisions and investments are made, with confidence, on the strength of both the authors' credentials and the references or citations used to support their views, findings or recommendations. But how much scrutiny, or how elevated an understanding of literature reviews, is present among consumers?
That is, many literature reviews and summary analyses can form convincing arguments and lead to compelling beliefs, yet may be the product of biased, unstructured, amateur or low-quality practice.
"a literature review is a form of research"
(Efron & Ravid, 2019)
Therefore, there are established conventions and structures informing the preparations, documentation and presentation of prior views, opinions and research.
"A literature review is the presentation, classification and evaluation of what other researchers have written on a particular subject. "
(Davies, 2001)
"In the wake of increasingly sophisticated threat actors and more complex digital infrastructures, cyber risk – and how to manage and control it – has become a top agenda item, no longer just for the IT team but for business leaders and board members alike. While protecting an organization from cyber disruption is demanding increasing budgets, much of this is devoted to cyber defence: real-time detection and response to ongoing attacks.
This is no doubt important. However, in a more recent trend, defenders are increasingly looking to ‘move security to the left’ – a reference to the MITRE ATT&CK framework that essentially means an increased emphasis on getting ahead of the attack and proactively hardening chokepoints and vulnerabilities to prevent an attack from occurring in the first place.
The logic behind this is clear: attack prevention is cheaper than incident response."
Cultural aspects and factors specific to security are routinely hidden within broad, often unsubstantiated perceptions of organisational culture. However, security-specific culture can be empirically evaluated and measured by means of specific units of analysis.
Conversely, assertions or general claims of security culture in the absence of specific, objective and verifiable units of analysis remain little more than personal opinions or unsubstantiated, unscientific cultural tropes.
In other words, security culture is a unique and specific subset of organisational and geographical culture, which is comprised of empirical values, subject to analytic rigour or objective evaluation.
It is not a throw away tag line nor something you surmise without evidence or appropriate methodological process.
Most importantly, security culture is made up of nodes and relationships, and varies across time and location. In sum, security culture is polycentric, protean, and varies across spatiotemporal scales of decay.
Repeatedly, safety, security, risk and even resilience advice or narratives within an occupational or work setting lack specific or defined end-states for a healthy, enjoyable, safe or risk-reduced environment. In other words, declaring what is required for security, risk, safety or resilience without actually considering what 'good' or 'ideal' looks like has limited value and creates a risk echo chamber, while employees get on with working and shaping their own environments independently.
That is, without a defined outcome or road map, safety, security, risk and resilience advice is just never-ending noise. It goes on and on, without measurement or comparison against the environment's desired outcome or specific change management requirements.
Advisors, managers and organisations would be better served by identifying and articulating what a preferred or necessitated healthy workplace looks or feels like, before offering safety, security, risk or resilience advice.
"While “terrorism” is one of the most widely used terms in adversarial political discourse, there is still no international consensus about its exact meaning. The discussion about the definition of terrorism has been going on for more than half a century and has led to a large number of publications (see bibliography at the end). The purpose of this article is to revisit and review some conceptual approaches in academia, government and international organisations to enable the reader to familiarise her-/himself with the current state of affairs, building on, and expanding, some of the author's previous conceptual work."
"A “terrorism risk assessment” of enhanced duty premises or a qualifying public event is an assessment of— (a) the types of acts of terrorism most likely to occur at, or in the immediate vicinity of, the premises or event (if acts of terrorism were to occur);
(b) the reasonably practicable measures that might be expected to reduce the risk of acts of terrorism of those types occurring at, or in the immediate vicinity of, the premises or event;
(c) the reasonably practicable measures that might be expected to reduce the risk of physical harm to individuals if acts of terrorism of those types were to occur at, or in the immediate vicinity of, the premises or event;
(d) such other matters as the Secretary of State may prescribe in regulations.
(6) In carrying out or reviewing a terrorism risk assessment, regard must be had to—
(a) the size and other characteristics of the enhanced duty premises or the premises at which the qualifying public event is to be held;
(b) existing measures in place in relation to the premises or event of a kind mentioned in subsection (5)(b) and (c);
(c) in the case of enhanced duty premises, the current use of the premises and any likely future uses;
(d) in the case of a qualifying public event, the nature of the event."
#Culture within organisations, communities and individuals remains a complex construct. Safety, security, risk and resilience cultures are each distinct, yet they influence, interact and change differently, further compounding the notion of a neat, singular view of what culture is or isn't.
Moreover, each of these cultural dimensions comprises multiple factors, each represented, visible, concealed and expressed in varying ways.
Again, confounding a single statement or assumption that 'culture is....'.
Therefore, the practical question, if not challenge, for any organisation, community or collection of individuals remains,
"what is safety culture, security culture, risk culture or resilience culture and what happens when they interact, come together or compete for resources, priority or attention?"
"New types of profitable cyber crime have also emerged. Traditional criminal business models such as theft of money or assets, extortion, and fraud continue to be popular, but cryptojackers – highjackers of processing power to mine cryptocurrency, and Initial Access Brokers (IAB) have also made an appearance. While cryptojackers are often seen as low skill, and even low threat, they very often lead the way in vulnerability exploitation, and are repeatedly the first to exploit vulnerable servers.
The success of the IAB model, which sells access to victim organizations or individuals, is illustrated not only by their use across the cyber crime landscape, but by the fact that even Nation State APTs such as DPRK (North Korean) actors have been assessed as likely using IABs in their campaigns.
The concepts described were brought together in a single recent WithSecure Incident Response engagement where five different actors were observed exploiting the same victim for completely different purposes. In this incident, WithSecure threat intelligence encountered six distinct examples of the 'as a service' model in use, in the kill chains observed."
Risk identification, awareness and analysis are tainted processes.
Not only are the steps never conducted in precisely the same manner (even by the same people/organisations), there are a number of underrepresented and poorly considered factors that attenuate, distort and conceal extremely important, material risks.
For example, assumptions are routinely over-represented, yet make up only a small portion of the broader thinking and reasoning that runs through the risk identification, awareness and analysis process.
In other words, risk identification, risk awareness and risk analysis are subject to similar thinking and reasoning conventions as other sciences, professional practices and methodologies.
Assumptions are just part of the process/picture.
Excluding other factors introduces and conceals risks, harm and errors at all levels and stages of the process.
"89% of respondents say their business suffered at least one negative impact in the past year due to lack of cybersecurity and business alignment...the cybersecurity industry has a long way to go to become effective business enablers. The data reveals a lack of alignment among teams as well as within teams, which has the potential to negatively impact both security posture and achievement of business goals."
Distinctions between enterprise risk management (ERM) and enterprise security risk management (ESRM) are relatively simple.
That is, ERM artificially constrained the pursuit of managing risk against threats and harms whilst excluding deliberate, malevolent and dynamic intent by human actors to persistently circumvent controls, steal, misappropriate, harm and disrupt organisations.
This is the security component, reintroduced via ESRM.
Put bluntly, accountants, generalists and even safety professionals have limited skills and expertise in matters of crime, criminal behaviour, national/corporate/commercial/private security, which requires commensurate expertise and qualifications.
Hence the broader, holistic inclusion that is ESRM.
Even ESRM is largely redundant for organisations that did not build walls, exclusions, tribal practices and siloed functions (including the 'three lines of defence' (3LOD) model) in the first instance.
All too often, security, risk and security risk practitioners, professionals, governments and organisations cling to long outdated security management and risk management practices, ideology, cultures and even 'standards'.
HB 167:2006 Security Risk Management stands out as just one such example, which refuses to die and remains the stalwart terms of reference for security 'purists' and the unaware alike.
As a result, just as in generations before, this 'blunt old axe' (read: blunt instrument) continues to be laboured and applied, over and over again, despite the obsolete nature of the document's content, instructions and positioning, much as a beloved, well-meaning grandparent might insist on using a tool because 'it was the tool of his time'.
While parts may seemingly remain useful or valuable, for the most part the tool and its concept(s) are long past retirement.
However, even today (2023), you will find government departments, standards, tenders and instructions insisting on keeping this relic alive and subscribing to these long-outdated terms of reference.
"the document needs updating"
SAI Global (2022), p.2
Risk, Resilience, Safety, Security & Management Sciences (Applied)