How to build up your information security management system in accordance with ISO 27001

Håkon Olsen8 Comments

Maintaining security is an ongoing process which requires coordinated effort by the whole organization. Without backing from the top management levels and buy-in through the ranks there is little chance of building up resilience against cyber attacks. As organization complexity increases and value creation becomes distributed it will be necessary to have an integrated approach to security; your company needs an information security management system. ISO 27001 is an international standard that sets requirements to such as system based on what has been internationally recognized as best practice.

ISO 27001 [external link] is a management system standard that follows many of the same principles as other ISO standards such as ISO 9001 for quality management. Assuming that the client has a ISO 9001 compliant system in place, the information security management system should be built on the existing processes and workflows. This means that existing auditing systems and reporting requirements should be appended, rather than building everything from scratch.

The following are key elements of information security management system establishment. First we look at the activities that need to be performed in the order of appearance of requirements in ISO 27001. Afterwards, we summarize the bare minimum that you will have to do in a table.

Main requirements and activity descriptions

Context mapping

(Ref. ISO 27001 Section 4)

The context mapping consists of creating an overview of the value chain as well as the internal requirements to security (you can read more about that in What are the things that need to be considered when doing a risk assessment?), and how this affects the information security risk. Key activities:

  • External stakeholder definitions
    • Who are the main customers
    • Who are the main suppliers
    • Under which regulatory regimes does the organization operate?
    • Who are the main threat actors based on the external context? (Script kiddies, hacktivists, cyber criminals, nation states, etc.)
  • Internal stakeholder definitions
    • Who are the system owners?
    • Who are the system users?
    • Which process owners depend the most on the information assets?
    • Who are responsible for maintaining security?
    • Identify main information assets
    • What are the critical information objects?
    • Why are they critical in the context of operations?
    • Are there assets that require security due to external stakeholder situations (legal or commercial requirements, or due to risk drivers)

The most efficient approach for this type of context development is a working meeting with the organization’s top management where these key issues are identified.

071415_0731_Fourgoldenp1.png
Building a management system requires the involvement from the whole organization. Focusing on business strategy, key stakeholders and the value chain in terms of core competence, contracts with the supply chain and how to drive compliance (e.g. through auditing) is key to securing the organizations’ assets in the long run.

Policy development and leadership

(ISO 27001 Section 5)

  • Top management must be involved in policy development, and promote its integration in the overall management system of the organization
  • A policy should be developed and be sanctioned and signed by top management. The policy shall include the following:
    • Policy objectives
    • Should commit the organization to compliance with infosec requirements, and to continuous improvement. It should therefore refer to the organizations existing systems for compliance measurement and continuous improvement processes, as well as to internal information security standards with more practical requirements.
    • The policy shall be documented and made available and communicated to all users
  • Top management shall assign responsibility and authority for follow-up of information security, and for reporting to top management. In most organizations a single role is recommended for this, and a person competent in both the organization’s core activity and in information security principles should take this role. In most commercial organizations this role is designated as CISO.

Policy objectives should conform to the requirements of Clause 6.3 of ISO 27001. In order to identify these goals when building a new system it is recommended to write the policy after an initial risk and vulnerability assessment has been performed.

Recommended practice is to develop the policy in cooperation with the assigned CISO (if existing at this point). A policy document should be written and discussed with top management before it is updated. The policy should be dated, and an expiry date should be set in order to guarantee regular reviews (this is not an ISO 27001 requirement but is considered good practice for security critical process documents).

Information security risk management planning

(ISO 27001 Section 6)

  • Define a process for information security risk assessment. The recommended elements of this process:
    • Requirements to documentation of [USERS, HARDWARE, SOFTWARE, NETWORKS]
    • Requirements to performing risk assessments
    • Risk acceptance criteria. It is recommended to keep this at a coarse level and use qualitative descriptors
    • HAZID-type risk identification (use of guidewords)
    • Control planning methodology (ref. to Annex A of ISO 27001)
  • Perform a risk assessment for all applicable systems (Scope definition à HAZID à Risk ranking à Risk treatment planning)
  • Produce a statement of applicability for the controls in Annex A of ISO 27001
  • Formulate infosec objectives (ref policy development). These objectives should be measurable, or at least possible to evaluate with respect to performance. The objectives should align well with the overall criticality of the information assets (ref. risk context). Annex A of ISO 27001 is a good guidance point for developing objectives. Also, the organization should not choose objectives that are inconsistent with the maturity and capabilities of the organization.

The risk assessment procedure should be written in a practical way, such that the organization can apply it with the available resources. It should include examples of format for reporting, and also the recommended guidewords/threat descriptors.

A key difficulty for infosec risk assessments is the risk ranking. There are several ways this has been approached, varying from using “complexity of attack vector” as an proxy for probability and generic ratings for impact, to context related impact assessments in operationally relevant categories such as revenue loss, legal and litigation consequences, or reputation loss. The probability dimension can also be treated using aggressor profiling techniques, which is recommended for sophisticated organizations with a good understanding of the threat landscape. You can read more about that technique in this blog post from 2015: https://safecontrols.blog/2015/09/08/profiling-of-hackers-presented-at-esrel-2015/

Support

(ISO 27001 Section 7)

  • The organization must perform a competence requirements mapping with respect to infosec for the various roles in the organization. This work should be performed in cooperation with the organization’s HR department, and set verifiable requirements for groups of employees. Responsibility for following up this type of competence should be given, preferably to the HR director or similar. Typical employee groups would be:
    • Senior leadership
    • HR and middle management
    • Information system users
    • IT personnel
    • Specific roles (CISO, internal auditor, etc.)
  • The organization must develop an awareness program. The awareness program should as a minimum include:
    • Making employees aware of the policy
    • Why complying with the policy and the procedures is necessary and beneficial
    • Implications of non-compliance (up to and including employee termination and criminal charges in serious circumstances, depending on local legislation)
  • Information security aspects should be included in the communication plans for both internal and external communication.

For document control and similar processes, it is assumed that the organization has an appropriate system. If not, see ISO 27001 Section 7, Clause 7.5.3, as well as ISO 9001 requirements).

The awareness program should be made the responsibility of either the CISO or the training manager /HR. These departments must cooperate on this issue.

The communication plan for information security can be integrated in other communication plans but shall be approved by the CISO. It is recommended to develop a specific plan for information security that other communication plans can refer to. This is especially relevant for communications during incident handling, which may require tight stakeholder cooperation and maintaining good public relations and media contacts.

Operations and Performance Monitoring

(ISO 27001 Section 8-9)

  • The organization must implement and document the performance of the risk mitigating controls. A lot of the proof can be extracted from data from technological barrier functions, whereas other measures may be necessary to document organizational controls.
  • Information security aspects should be included in the organizations change management procedures (ref. ISO 9001 requirements)
  • Information security monitoring should be implemented based on control and objectives
  • Information security auditing should be included in the internal auditing program. It is recommended to build up on the existing system, and to include requirements to competence for the subject matter expert assisting the head auditor (ref. back to competence management and HR processes). Some extra reading about auditing and what it is good for can be found here, but for the context of reliability engineering. It should be equally applicable in the context of cybersecurity: Why functional safety audits are useful
  • Include infosec in management review. In particular ensure efficient reporting on infosec objectives. It is recommended to create a simple and standardized reporting format (e.g. a dashboard) for this use.

Continuous Improvement

(ISO 27001 Section 10)

  • Include infosec into the existing non-conformance system
  • Assign CISO as owner of infosec related deviations

Activity summary and sequence

Building a management system requires multiple activities that have interdependencies, as well as dependencies on other management system artifacts. The following sequence is a suggested path to developing an information security management system from scratch in a robust organization.

Note that it should be expected that some iterations will be needed, especially on:

  • Policy and objectives
  • Risk assessment procedure and risk and vulnerability study (the procedure is updated based on experience with the method)
  • Objectives and measurements will need to be reviewed and updated based on experience

Note also that a consultant has been included in the “People” category. For organizations that do not have sufficient in-house competence in management system development it can be beneficial to contract a knowledgeable consultant to help with the project. For organizations with sufficient in-house capacity this is not necessary, and it is not a requirement for compliance with ISO 27001.

Main activity Sub activities Inputs Outputs People
Context development Stakeholder mapping Customers/users, organization charts, suppliers, partner lists, etc. Information in technical note on Context: stakeholders. Should include who, why, what and how with respect to the information security risk. Top management

Consultant
Context development Inventory mapping Network topologies, asset lists, document systems Prioritized inventory description as section in technical note on Context. CISO

IT department

Archiving department

Consultant
Context development Threat actor assessment Outputs from previous activities.

News and general media. Experience from previous incidents.

Open security assessments from police and intelligence communities.

 List of threat actor categories with descriptions of motivations and capabilities. CISO

Consultant
Risk procedure development Risk assessment procedure document CISO

Consultant
Risk assessment Scope definition for risk assessment Context note with inventory.

Topology drawings. Organization charts. Use cases.

 Scope presentations Consultant

System owners

CISO
Risk assessment Risk identification Use of guidewords for each scope node, ref risk assessment procedure. Risk identification table (HAZID table) Consultant

System owners

CISO
Risk assessment Risk evaluation HAZID table. Risk ranking. Consultant

System owners

CISO
Risk assessment Mitigation planning (including ISO 27001 Annex A review) HAZID table with risk ranking. List of actions and controls to be evaluated or implemented. Consultant

System owners

CISO
Risk assessment Reporting HAZID table and risk mitigation results. Risk and vulnerability report. Consultant
Statement of applicability Review each control in Annex A Context note. Risk and vulnarbility report. Statement of applicability (report) Consultant

CISO
Objectives development Suggest objectives based on previous activities and maturity of the organization Risk assessment, context, statement of applicability Information security objectives, including measurement and review requirements in technical note or procedure. Consultants
Objectives development Review of objectives with key stakeholders Objective note. Revised objective note. CISO

Top management

Consultant
Policy development Develop draft policy for information security. Objectives, statement of applicability, risk and vulnerability report, context, policy templates. Draft policy. Consultant

CISO
Policy development Review draft policy in meeting with top management. Top leadership needs to be involved and take ownership, headed by the CISO. Draft document Revised policy Top management

CISO

Consultant
HR Integration: competence management Develop competence requirements for roles Role descriptions Updated competence requirements in role descriptions HR

CISO

Consultant
Awareness program Develop awareness program, tailored to competence requirements of groups. Updated role descriptions Awareness program plan HR/Training responsible

CISO

Consultant
Internal auditing requirements Update internal auditing requirements Infosec policy and procedures, objectives Updated audit plans and competence requirements for subject matter expert CISO

Internal auditor

Consultant
Other integrations Update change management system and management’s annual review reporting requirements Infosec policy and objectives Updated change management procedure

Updated reporting format to top management.

 CISO (recommend that this is done internally unless consultant’s assistance is needed)

After the management system has been established, it is recommended to perform an internal requirements audit to identify gaps.

After the system has been in operation for 6 months an internal security audit with focus on evidence of use is recommended.

Summing up what you just read

You have determined your company needs a security management system. This blog post gives you a blueprint for building one from scratch. Keep in mind that the system with its processes, governing documents and role descriptions only provide a framework to work within. Key to getting value from this process is starting to use the system.

Building a management system from scratch is a big undertaking, and for many companies it makes more sense to do it piece by piece. Start with a minimum solution, start using it, and improve on the processes and documents based on your experience. That is much better than trying to build the system to be fully compliant from day 1 – and you will start to see real benefits much sooner.

What is threat hunting in cybersecurity defense?

Håkon Olsen3 Comments

What is hunting and why do it?

A term that is often used in the cybersecurity community is threat hunting. This is the activity of hunting for intruders in your computer systems, and then locking them out. In the more extreme cases it can also involve attacking them back – but this is illegal in most countries. Threat hunting involves several activities that you can do to find hackers on your network. The reason we need this is that the threats are to some extent intelligent operators who adapt to the defenses you set up in your network – they find workarounds for each new hurdle you throw at them. Therefore, the defense needs to get smart and use a wide arsenal of analysis techniques to find the threats; meaning analysis of data that can indicate that an intrusion has occurred. Data on user behavior, logins, changes to files, errors, and so on can be found in the systems logs. In addition to things that can be automated (looking for peaks in network traffic, etc.), threat hunting will always include some manual inquisitive labor by the analyst – both for understanding the context more deeply, and perhaps utilizing statistical and data science tools for special cases. Based on successful hunts, automated signals can be added to improve future resilience. The interplay between automated red flags, context intelligence and data science is shown below.

Threat hunting is active search for threats, instead of waiting for an attack to occur and react after the fact. It means you need to tie together a number of activities, both automated scans, threat landscape intelligence and context development, and smart use of machine learning, data science and creative data exploration.

The conglomerate joint venture deal: a potential source of an advanced persistent threat?

Johnny the Hunter was going to work as usual in the morning. He got a cup of coffee at sat down at his computer to start his day. As most office workers, Johnny first skimmed his e-mails, and checked his Twitter feed for any interesting news. He noticed one e-mail that stood out, from one of the sys.admins, who told him that one of the application servers had rebooted without any good reason last night. No functionality had been lost, and no significant downtime was recorded – it was just a simple reboot. The logs on the server did not show any suspicious activity.

This triggered Johnny’s curiousity – what had casued the reboot? Was it some random hardware issue? Was it a software bug causing a kernel crash? Probably not, that would have been recorded in the server logs.

Johnny decided to make this the starting point for a hunt. First, he checked all automated surveillance systems; there were a few orange flags (detected abnormal activity but not something considered critical). He decided he needed to review the newest intelligence data they had on the threat landscape. There was nothing from the typical providers that caught his attention, so he turned to the intranet to check if something was going on internally in the company. He noticed the CEO had posted a video explaining that they were negotiating with an Asian conglomerate about buying up one of the conglomerate’s competitors as a joint venture. They had not yet agreed on who would be the controlling company in the joint venture. He didn’t notice any other big news.

He then called HR to ask if there were any new hires onboarding that would have anything to do with the Asian deal. The HR director told him that they had several applicants, all coming from the Asian conglomerate, and they were all highly qualified. It seemed a waste of talent not to hire at least one of them but the CSO had told HR to hold it off.

Johnny decided to start looking at network logs from the last 2 years, to have a baseline, and then to look for anomaly’s after negotiations about the buy-up started. For this he collected logs not only from the application servers, e-mail servers, web servers and network security devices, but also news items and social media posts. He deciced he would use supervised learning to correlate news events with network anomalies and called up Sin Jing, the head of their internal big data and machine learning R&D unit to discuss how best to do this.

Using a range of techniques Johnny investigated behaviors and could find a correlation between news and strange network activities from the last 4 months. Prior to that there was no such correlation. He also tracked down the activity to two user accounts in the accounting department, and the activity was always managed over VPN outside of normal office hours. He had a lead on the threat actors – and decided to discuss it with the HR department to assess the possibility of this being an insider threat, or if the compromised accounts were simply compromised accounts not detected by their endpoint security solutions.

This is threat hunting – and for the most advanced threats it is the only way to decrease detection time, and to effectively reduce the attack surface.

6 things everyone can do to avoid hacking by cyber criminals

Håkon OlsenLeave a comment

Protecting your personal data is important, whether you are a teenager or in retirement. A lot of people are confused about what they can do to avoid becoming victims of internet fraud. Cyber criminals use phishing attacks – email scams where they trick you to click a download link to viruses, or to open attachments that are no good for you. This is by far the most common way to steal someones data, and to abuse it.

lockouthorse
Keep the criminals away from your personal data!
There are two common ways hackers steal your money;

  • They hold your computer hostage by using a virus type known as ransomeware or cryptovirus. What this does is it locks your computer files with a password, and they demand money to give you the password back. Sometimes they make you pay several times and don’t give it back to you anyway.
  • They steal your payment data, like a credit card. Malware that monitors your purchases can send your credit card data to the hacker, who then abuses the credit card by buying things or paying to himself by setting up a merchant account with a credit card processing company like PayPal.

The question is: what can you do to avoid this? The following list contains about the same information that big companies are offering their employees as cyber awareness training. If you follow these 6 rules you will reduce the risk of this type of cyber attack by around 90%:

  1. Always be critical of e-mails you receive and don’t open links or attachments you are not sure about. Check the actual internet address of the link and see if it makes sense before opening it. Copy and paste it into your browser instead of clicking it to see this. Don’t visit the site if it looks suspicious.
  2. Keep all of your software up-to-date.  Software upgrades are normally security fixes – they are removing vulnerabilities hackers need to attack your software. Only use software from reputable sources.
  3. Don’t use public open wifi without a virtual private network (VPN). A VPN creates a protected path for your data communication with the internet, making it impossible for hackers on the network to read your data traffic.
  4. Always have antivirus software running on your computer, and a firewall.
  5. Regularly back up your data. You can use a USB drive for this, and disconnect it when you are done backing up. This way hackers can’t lock your files away from you, because you have a safe backup they cannot reach.
  6. Don’t use the same passwords for many online sites. Sites on the internet are hacked quite often, and if you have used the same email and password on many sites, they get access to everything. ID theft is a big problem, partly because people use the same password everywhere.

What are the things that need to be considered when doing a risk assessment?

Håkon Olsen1 Comment

My answer to What are the things that need to be considered when doing a risk assessment?

Answer by Håkon Olsen:

The process can be summed up in three layers – the continuous flows of stakeholder communication, risk assessment itself, and the risk treatment.

risk_management

Here’s my answer from Quora:

Risk assessments can be performed at many levels of granularity but the same general structure of the process can be used for all such assessments. There is an ISO standard that describes this approach which is generally recognized as best practice (ISO 31000). This involves:

  • Defining the context
  • Identification or risk factors
  • Analysis of risk (likelihood and impact)
  • Evaluation of risk
  • Treatment planning
  • Monitoring of risk and treatment
  • Stakeholder communication and consulting

The context includes the scope of your assessment, who the stakeholders are, what is considered acceptable and not acceptable risk levels and how the value chain is affected by the risk exposure.

Identificaiton of risk factors can be done in many ways, but the use of “guidewords” is very common, hooks to get the ideas running. This is a sort of guided brainstorming, taking past experience into account but also avoiding disregarding events that have not yet happened. Typical guidewords for the risk to an office building could be; fire, bomb threat, hurricane, power outage, robbery. The list of guidewords must be tailored to the scope, and the context in general.

Analysis of risk means assessing how likely each scenario is, and what the potential impact can be. This can be done in a purely qualitative way, or it can be a sofisticated mathematial modeling excercise involving computer simulations and advanced statistics. The point is to arrive at an assessment of how likely something is to happen, and how bad it would be.

In evaluation of the risk you sort which risks must be reacted to, and which ones you can disregard. You typically prioritize risks that are both likely and with a potentially serious outcome. Thse risks are usually unacceptable to leave as they are. Then there is an intermediate ground with risks that are somewhat likely, or somewhat bad, or bouth, that you may want to do something with. In many areas these risks are treated if actions can be found that will reduce them without adding excessive cost – often referred to keeping risk ALARP (as low as reasonably practicable – a UK legal concept).

Treatment planning is all about what you do about your risks. You can build barriers to reduce the likelihood of the event happening (automatic pressure relief valves on pressure cookers), or that will reduce the impact (sprinklers to fight fires). This is called mitigation. You can also in many cases defer the risk to other partis through buying insurance – but this is not always possible. You can also avoid the risk if you cannot find a reasonable way to deal with it by stopping the risky activity, or redesigning whatever it is you do. Finally, you may also choose to accept the high rist because you think the rewards are great enough to justify it.

Over to practice; you need to monitor the risk level and the integrity or quality of the barriers you have built. If risk is building up you need to take action. This is a continuous activity, something banks, chemical factories and airlines do a lot of.

Finally, and perhaps one of the most overlooked parts of risk assessments, is communication. You have a lot of stakeholders that you should have identified in the concept description. Keeping them involved and engaged throughout your assets lifecycle is key to managing risk effectively. You can read more about the people management aspect of stakeholder engagement here: 4 steps to engaging people in risk conversations (my blog – lots of stuff about risk assessment there, have a look around!)

What are the things that need to be considered when doing a risk assessment?

Are we ready security -wise to ditch the office?

Håkon OlsenLeave a comment

Here’s an article I shared on linkedIn some time ago – it spurred some interesting discussion about how digital transformation is changing the way we work and how we look at attendance. A key question not discussed in that piece is “are people able of protecting corporate data and intellectual property when the social fabric of the physical office is dismantled? I’d love to hear your thoughts about that!

IMG_0988
Technically we can work from anywhere – but are people able to maintain the necessary level of information security? 

Excerpt: Telecommuting has been a thing for some years. It works well for some, and not at all for others. Technology has come a long way, and it should now be possible to interact and work remotely for most types of “knowledge work”. In spite of this, we just can’t make it really work. More often than not, when trying to have a video conference at work, we spend 20-25 minutes to set the meeting up and make everything work. Usually because someone at the other end doesn’t know how to use his or her equipment. Clearly, technology is not enough by itself, it is necessary for people to learn how to use it. And, unfortunately, “professional” communication equipment has extremely bad UX design. Compare a top-of-the-line conferencing set up with Skype or Google Hangouts – there is a real difference in ease of use, and the feel of the whole thing.

Read the rest of the article on LinkedIn: Do we need physical attendance at work?

4 steps to engaging people in risk conversations

Håkon Olsen1 Comment

Risk management is about managing uncertainty; it is the planning, monitoring and handling of the unexpected. All of this happens in a specific context. You have something you want to protect from various risks, and you have the people who depend on that something. Communication with those people is key to all phases of risk management. If you cannot involve your colleagues, your suppliers and your customers in the way you deal with risk, you are going to fail. Let us first look at who the people you most likely need to deal with are.

The boss

The supplier

The workhorse

The consumer

The boss is responsible for the stuff you are trying to protect and must be involved in determining which risks are OK to take. The boss also needs to own the outcome and make sure everyone is on board pulling in the same direction. Getting the boss on your team should be a high priority.

The suppliers are all the people you depend on to do what you do, to make what you do. If the suppliers don’t want to play ball you are going to have a hard time understanding what can hit you, and you may not be able to deal with difficulties without their help. Communication can be difficult here, because the suppliers also have their own context and see the world from a different mountain top than you do.

The workhorse is the doer, the expert, your colleagues. These are the people you need to understand how things work, and the people you need to take action. If they don’t work with you on dealing with risk, you will definitely not succeed. Not all workhorses are going to want to help – this is where you need to engage through others; the boss, other workhorses that already are engaged, and perhaps even the suppliers and consumers (hopefully not).

The consumer is the customer, the client, the user. It is the people who depend on you to provide a service or product. Risks hitting you are hitting the entire supply chain, and the consumer may be the people who have the most to lose from bad risk management. The consumer may also be able to help with dealing with risks, and in resolving difficult situations. Involving the consumer in your risk management should always be a priority.

 

Your communication style must be tailored to the role of the person you are trying to involve, and to the ability of that person to contribute. If you do not think about this in advance, communication is not likely to be successful. This is why you need a plan.

Step 1: Make a communication plan

The different roles need different information to feel engaged. They may also have different interests in the asset you are trying to protect. The key to creating engagement through communication is to tailor your plan to the interests of your stakeholders. That being said, you also need this to be a two-way street; you need feedback, you need to gather information. Your communication plan shouldn’t be a long and formal document, a simple plan where you think through the key aspects of communication with each stakeholder is enough. The key steps are:

  • Identify the stakeholders and roles: who are they, what are their roles, what interest do they have in your asset, how much time do they have to support you and what do you need each of them to do?
  • Plan what each person needs to be involved in and how
  • Plan how you distribute information in various channels to the stakeholders – a matrix or table is a nice way of doing this in a condensed format. Think face-to-face meetings, town-halls, e-mails, intranet/web spaces, social media, phone calls, whatever channel you are planning to use. Keep in mind that effective communication works best in the channel the receiver prefers
  • Set up a schedule for how often you are going to communicate with each stakeholder – and make sure you don’t make it a “set and forget”

Step 2: Value relationships as much as results

Risk management is people management. Often risk managers are quite technocratic by nature and prefer to focus on results and technical matters. This is of course necessary, but you also need to value the relationships you have with the people you are communicating with. This means spending time with people, thanking them for their contributions and actively listening to what they have to say – even if it is not related to you risk management activities.

Step 3: Don’t give pole position to compliance

Compliance is important but far too often risk management is reduced to a checklist exercise of controls. This mindset is detrimental to good communication and can contribute to increased risk. The most important risk in risk assessments is overlooking the obvious – and the reason people do this is because they are not engaged in the process. Don’t forget compliance but use it as a driver for continuous improvement instead of being the focus in every activity.

Step 4: 30.000-foot view

With regular intervals, you should take a step back and reflect. Ask yourself open ended questions and try to find answers based on your experience with the various stakeholders in the project.

  • What did Mr. X contribute with?
  • What did Ms. Y not tell me and why not?
  • Do I have what I need?
  • Who is satisfied with their involvement and who is dissatisfied? Why?
  • What do I need to change to get what I need?
  • What do I need to change to make sure every stakeholder feels valued?

If you follow these steps, things may still go wrong. The chances are, however, that you will get much more useful involvement, much more engagement from the people you need to deal with, than if you go about communication in an unplanned ad-hoc way.

How do you update failure rates and test intervals based on limited data observations?

Håkon OlsenLeave a comment

There is one post on this blog that consistently receives traffic from search engines; namely this post on the effect of uncertainty on PFD calculations in reliability engineering: https://safecontrols.wordpress.com/2015/07/21/uncertainty-and-effect-of-proof-test-intervals-on-failure-probabilities-of-critical-safety-functions/

072115_1313_Uncertainty2.png

It is interesting to see the effect on the dynamic probability of failure on demand from a theoretical perspective. Consider now instead the problem of collecting operational data and adjusting the test intervals to optimize uptime while keeping within the PFD constraints given by the SIL requirement. To do this in a robust manner, one must take the uncertainty in the data into account. We are seeking to solve this problem:

In other words; maximize the test interval while keeping the upper confidence bound on the average value of the PFD above the set value C, given that the standard deviation of the rate of dangerous undetected failures is known. To make things more practical, we consider a simple SIL loop where the PFD value is dominated by the final element. We make the simplification, for the sake of the calculation, that a single component is the loop. Let us then assume we have 20 valves of the same type that have operated over an aggregated 400 000 hours, and we have a theoretical failure rate of 10-6 per hour for these valves. We have not had any real demand trips, and the original test frequency was once per year. Testing has revealed that one valve had a dangerous failure in its first year of operation. Can we use this to extend the test interval without increasing the risk to our assets?

A naïve estimate the failure rate based on our observations indicate a failure rate of 1.25 x 10-6, which is obviously better than the a posteriori estimate from the design data. However, the design data is based on a larger data set and should not be disregarded if we wish to be reasonably sure about our decisions. So, the expected mean time to failure would be somewhere between 114 years and 913 years – a significant difference. SINTEF has released a report that gives a simplified approach to updating the failure rate. This approach requires you to define a conservative estimate of the failure rate based on the a priori data – often chosen to be the double of the original failure rate: λDU_CE = 2 λDU. Uncertainty parameters are then calculated based on the Gamma distribution as

Then the combined (updated) failure rate estimate is given as

where is the number of dangerous failures observed, and is the aggregate operational time. Using this on our example gives us

What is going on here – the combined failure rate is higher than the a priori? The expected number of failures in 400.000 hours with an a priori MTTF of 1 million hours is clearly less than 1 – and we had one failure. So the estimate is sound. SINTEF’s methodology will give you lots more details, including credibility intervals for the Bayesian updates.

So – now to the test intervals – if the new combined failure rate is accepted – we should probably test more often, right? It depends, SINTEF argues that it is important to be conservative when updating test intervals to make sure insufficient data do not lead us astray. They propose the following simple rule:

If the new failure rate is less than half of the original failure rate, and the upper 90% confidence bound on the new failure rate is lower than the a priori failure rate, the test interval can be doubled.

If the failure rate is more than double the original failure rate, and the lower 90% confidence bound on the new failure rate is higher than the a priori failure rate, the test interval can be halved (e.g. from one year to every 6 months).

This means that in our case – the test interval stays the way it is.

Why two-factor authentication is not foolproof but still good to use

Håkon Olsen1 Comment

A few days ago, I asked my followers on Twitter if they used the two-factor authentication on Twitter, or if they knew what two-factor authentication was in the first place. The result was that almost no one is using this. Most accounts that are hacked, are hacked because users are stupid and use terrible passwords, and they use the same passwords on every site where they have an account. This means that whenever some news site with terrible security is hacked, the hacker has access to more or less all these users’ accounts, including e-mail, social media and their favorite online stockbroker… This is admittedly bad.

Two-factor authentication comes to the rescue – using this, you cannot log in simply because you have the password and the username. You also need to have some third-party security token, like an app on your phone, a confirmation SMS sent to you, or a code generator device. If the hacker does not have access to this third-party token, he or she cannot take over your account. That is, at least, the design intent.

So, how can a hacker bypass the need for a third-party security token, or getting your leaked password in the first place? They can use a good old phishing attack. Set up a web page that looks like the one you want to log in to, trick you to go to the fake site and enter the login data, and then use these to access the real page. This process is illustrated below.

First, you need to trick the user to visit your fake login page, typically by sending some form of e-mail asking to log in and update something. The user submits username and password in the fake view, that you transfer to the real view in order to generate the third-party confirmation code. The real page, believing it is communicating directly with the legitimate user, sends the confirmation code to the user’s call phone. The user then submits this through your fake login view. Then you, as the hacker, will have access to the confirmation code, and you can take over the account. Depending on the type of site you can execute actions, or at least gain insight to the user’s personal data. For very poorly secured financial applications you can even steal the user’s money.

Of course, this is much more complicated to get to work than simply stealing a username and password, or brute-forcing a weak password, so 2-factor authentication makes a lot of sense. But like all barriers you put in place in risk management, it is not a magic pill solving all headaches. You still need to keep your guard up – don’t fall for phishing scams, don’t use the same password on multiple sites, use strong passwords and keep up to date on security features on the sites you are using and that are critical to you. Sites like Facebook and Google’s products can send you an e-mail or text you whenever there is a new login, with location and type of computer/browser. This is a very good extra layer of security.

To sum it up: use two-factor authentication, but also don’t forget to follow other common good security practices.

Major discount grocery store chain (REMA 1000) exposes their whole customer database

Håkon Olsen1 Comment

REMA1000 did not use any form of authentication on their customer database used by a loyalty program. They claim that this is nothing to worry about. I disagree. Identity theft, blackmail and potential surveillance are threats worth worrying about.

REMA1000, a Norwegian discount store chain, recently released a new customer loyalty program they named ‘Æ’. The letter ‘Æ’ is also the local word for ‘I’ in the Norwegian dialect in the area where Rema1000 is headquartered (Trondheim, the city where I live).

 

ae_rema
The Æ app promising you discounts. And previously it was exposing your data to the world.

 

The way the loyalty system works, is that you install an app on your smartphone, and register your debit card in the app. Whenever you make a purchase they will register what you have bought, and you are offered a 10% discount on the 10 items you spend the most money on, as well as on all vegetables and fruits. Sounds like a sweet deal, right?

The problem is only that the app was launched without requiring any form of authentication between the app and the backend database. This is reported by the Norwegian newspaper Aftenposten.no today. The vulnerability would allow anyone to download customer data from their database, down to each item purchased, as well as key customer data such as phone mumbers and partial credit card numbers. The vulnerability was discovered by infosec professional Hallvared Nygård, who spoke to Stavanger Aftenblad about the issue (another Norwegian newspaper).

In a comment to Aftenposten, Rema1000 claims that they “take the situation seriously”, and accuse the security researcher of having obtained access to the information in an illegal way. They say customers have no reason to worry with regard to security with regard to the data they leave with the stores.

This attitude shows a lack of understanding of security risks from REMA1000. First of all, lack of authentication between frontend and backend in a web application is close to inexcusable. It would be disovered by any reasonable web app security scanner. Protecting database access through secure authentication is the core concept of web application security and should be taught in any introduction to secure development class at your nearest university. Even more worrisome is perhaps that REMA1000 claims customers have nothing to worry about. Identity theft, blackmail and surveillance is pretty serious stuff to worry about if you ask me.  On top of this, REMA1000 is seemingly looking to blame the security researcher for reporting the vulnerability.

 

How machine learning can help the spread of fake news

Håkon OlsenLeave a comment

During the American election campaigns in 2016 fake news was the new big thing, with Russia being accused of orchestrating an intelligence campaign to influence the outcome of the presidential election. Regardless of what Russia did or did not do, spreading the message efficiently requires both that traditional media pick it up to grant it credibility, and that people share it on social media platforms to get as much coverage as possible. Machine learning can play many roles in this, and we will look at an obvious use case, which is pretty much the same way recommendations work on Netflix or Amazon – by use of feature-based labelling.

Any “news” article will have several features. Examples of features are:

  • Language style (using a readability metric)
  • Length of article (word count)
  • Use of celebrities (none, light, medium, heavy)
  • Visual intensity (none, light, medium, heavy)
  • Shock factor (none, light, medium, heavy)

Let us say we consider a news article successful if it receives more than 100k shares on Facebook, or if it is quoted on CNN. So, our news articles can be SUCCESSFUL or NOT SUCCESSFUL depending on these criteria.

One simple but often efficient way we can use machine learning to understand what makes an article successful is to use existing data to train a decision surface. Say we have a collection of 200 news articles, and that we can check whether they are successful or not (they are labelled). This is our training set. Based on that, we can use statistics to find out which features will help us predict which label to apply to which data point. If we boil this down to two factors (language style and word count), we can create a scatter plot of these articles. By analyzing our set of training data, we seek to learn how we can exploit the factors to make our fake news spread. We have plotted our training data in a scatter plot to inspect it visually.

What we learn from simply looking at the plot is that the article should be fairly short, and intermediately difficult in readability (seems to be somewhere between 60 and 80 on the Flesch index, corresponding to articles that can be read by high school graduates).

Using a classification algorithm like the Naïve Bayesian classification algorithm, we can generate a decision surface based on our data.

Everything that falls into the red region will be predicted as successful. Giving up on the ability to plot the features in a single scatter plot, we can feed the algorithm with our full feature set, allowing it to figure out more factors we should care about when creating our fake news campaign.

This shows that the same methods used to drive recommendation engines, can also be used to learn how to best influence people – useful both in marketing, and in trying to “rig elections”. By the way, this simple labeling of data using classifiers like above is one arm of machine learning, known as supervised learning. The data set used in this post was randomly generated – so it didn’t really teach you how to create efficient fake news articles – but it did show you how you can find out.