Alignment vs Compliance vs Certification

I have had a series of conversations recently where the concepts of alignment, compliance and certification of ISO 27001 were very confused. Certification was seen as horribly costly and alignment was held out as a good enough goal that was entirely achievable.

In this particular environment they were already ‘aligned’ and had achieved most of what they needed to do to be ‘compliant’ but were still scared of the impact of certification. I ended up having to come to a common set of definitions of alignment, compliance and certification to explain to a variety of security specialists and business stakeholders what they were discussing to try and defuse the fear that was starting to set in. Here are the definitions I ended up with.


Making sense of pen testing, part two

This is the second in a series of posts looking at the current state of pen testing as I see it and presenting some ideas for the future. Part one is available here.

In this post I will explore some of the issues I see in pen testing; it’s something of a rant that I have regaled a number of pen testing friends with over the last couple of years. If you disagree violently with this, let me know; if I’ve missed something, let me know. We need to open up this conversation in the industry.

In the next post I start exploring why these problems exist and how they might be improved.

What is wrong with pentesting?

As an informed customer, and an ex-pentester, I see a number of problems with pentesting as delivered today:

  • Too much focus on 0day as a measure of success
  • Too much variation in quality and coverage between testers and between tests
  • Too much unexplained and undefined ‘black magic’


Making sense of pen testing, part one

This is the first in a series of posts looking at the current state of pen testing as I see it and presenting some ideas for the future. In this post I will apply a framework to understanding the process of pen testing.

In the next post I discuss some of the problems I see in pen testing.

Sensemaking

The pentesting process is a form of expert behaviour similar to intelligence analysis, a field where there has been a lot of work on understanding the key components of expert performance; this is often broken down into a process flow as follows:

Gather Information → Represent in Expert Schema → Develop Insight → Define Product or Action

ORGCon 2012

I attended the Open Rights Group Conference (ORGCon) this year.

We are at a weird moment where the Internet and the associated digital technologies it has spawned and supported are wreaking changes to the social, cultural and economic environment that don’t easily fit the current models of law and governance. Cory Doctorow makes this point more completely and more eloquently here (Lockdown: The coming war on general purpose computing).

As a result we are seeing law and regulation that is driven much more by lobby groups than by politicians. The politicians who understand these changes are few and far between, and are all the more notable for it, irrespective of their party allegiance (for example Tom Watson and Francis Maude). I am heartened by the ORG, as they represent the other side of the coin from the industry lobby groups.

Documenting an As-Is Security Architecture, part two

This is a continuation from part one.

Documenting current environments

This activity is focused on identifying the physical and logical environments in scope for the business architecture.

A logical and physical model will be created to hold entities describing the physical facilities, wide area networks and systems that store, process or transmit information assets falling within the scope of the business architecture. It is likely that gaps will be identified, and these will need to be investigated with stakeholders and partners. This model will gain detail as the projects move into delivery, suppliers are contracted and systems are implemented.
