The slide show was created for visitors to our stand at InfoSec 2010 and will help you understand what CDS is, how we go about our business and what our objectives are. It should answer many of your questions about CDS.
We have had several people contact us asking how to solve the last centre tiles. Although they had correctly aligned the colours on the faces, they struggled to get the centre tiles to match the rest of the text.
The first tip is to start by completing the orange side first, as this means all the text is face up and the whole cube is easier to complete.
You will find you have an even number of centre tiles in the wrong position; place one wrong tile on the top of the cube and one on the side facing you, and do the stage six move above three times. This will move the three corner pieces around, but because it is an odd number of moves it will also rotate the incorrect centre tiles.
To assist you we have made a YouTube video of this fix:
We hope this will help those of you still struggling with the CDS 3x3 cube.
CDS Team
Last Updated (Thursday, 22 July 2010 08:41)
Auditing of IT Systems
Written by Martyn Smith
Thursday, 08 April 2010
Synopsis
This article offers the view that mainstream auditing is flawed, as it applies subjective interpretation of given standards to basic security steps when these basics are ripe for a simple, objective examination. It claims that uncertainty regarding subjective assessment dissuades many small organisations from trying to integrate security measures into the business.
Auditing of IT systems is a fundamental part of the verification of security measures, ensuring that what is expected to be implemented actually is. Like all forms of audit it depends upon an expectation based on a set of standards against which the implementation can be measured; it is a subjective assessment of objective requirements. I am sure none of this is new to anyone and it is an accepted view of what it means to audit.
Having spent some considerable time working in the security arena, I am always unnerved by the variety of interpretations applied to any supposed standard. The word standard, by definition, implies a fixed and known quantity against which things are measured, and yet when it comes to auditing against, say, ISO 27001 the subjectivity that can be brought to bear is worryingly varied. It makes sound business sense to prepare for an audit as thoroughly as possible, regardless of its nature, yet there is rarely a guarantee of success no matter how much preparation is undertaken. In one instance a company spent several months preparing for their audit, even going to the trouble of employing an auditor qualified in their desired standard to act as a consultant. Eventually, when the audit was carried out, by a different auditor from their consultant, it took several more months to correct the areas of non-compliance in the audit report. This anecdote is not in any way intended to slight either of the two qualified auditors, but rather it serves to illustrate the diversity of opinion as to what constitutes a successful implementation of a given criterion.
The Ministry of Defence has, in recent years, continued to bemuse many of us with a catalogue of information security blunders followed by either a knee-jerk response or a lengthy study. Yet here is an organisation that is stifled by self-imposed regulatory audits (IIP, Health and Safety, IT Accreditation) as well as the external departmental auditing of the National Audit Office. Given all this apparent attention to detail, why do things continue to go wrong? The answer is that the size of the Ministry and its Armed Forces means that oversight is not provided uniformly by a single organisation or individual. Instead, separate groups provide a variety of audit services against a variety of standards, which leads to huge variations in subjective interpretation. The net result is a wide-ranging, variable application of each standard as well as variation in whether a particular standard is even applied. In effect this single Government department cannot guarantee that its own information will be uniformly looked after in line with any given set of rules.
The article looks at options for reducing the costs of implementing security standards and the factors which affect corporate decisions to invest in security. It suggests that a structured, incremental application of security against an objective, rather than subjective, standard would offer greater incentive and value for money.
How can effective security be delivered when constrained by budget or management reluctance to invest?
Whenever information security is mentioned within most organisations there is a collective groan; the board don’t want to engage, staff don’t want to be encumbered and the IT department sometimes lacks the guidance to implement anything effective. From a security professional’s perspective the most disappointing factor is the board’s unwillingness to participate in this vital part of their business. Information security is often perceived as a disabler or an unnecessary expense, which in turn dissuades business leaders from proper and necessary involvement. Neither perception is correct; security is not a product, it is a process, and it can be tailored to meet budget and business need, providing its implementation is proportionate, structured and fully supported by senior management. Often, the assumption is that protection is only delivered by wholesale security throughout all aspects of the business, so organisations take a chance on never being attacked, preferring no security to the effort required to deliver what they understand as security.
Information is one of an organisation’s biggest assets, comprising the entire business output or the majority of its support. Without information most businesses are paralysed, resulting in immediate or gradual decline and eventual closure. It is therefore imperative that all businesses, regardless of their size or their specific output, implement information security measures commensurate with the impact of data loss on their ability to continue trading. Security must be proportional, since embedding effective security practices within a business requires effort to implement and maintain, and this effort needs support from the very top of the organisation. The effectiveness of security needs to be judged and agreed as meeting a standard if the measures are to have any meaning outside the organisation. Traditionally, this has not been cheap, especially since information security entrusts the majority of the protection effort to technology, and the most frequently adopted standards are expensive to implement and subjective in their validation. Subjectivity introduces an element of chance that investment will not result in certification, which fosters a culture of over-engineered implementation and added expense.
Limiting the Effects of Human Error in IT Security
Written by Martyn Smith
Thursday, 08 April 2010
Synopsis
Debates the difference between errors and mistakes and offers directed security education as a solution, albeit one that is not a panacea. It offers the pragmatic view that humans make errors and we simply have to deal with the consequences and limit their effects, since we cannot prevent their occurrence.
Oscar Wilde took the view, “Experience is simply the name we give our mistakes.” Although Wilde lived in a time when mistakes had consequences that were rarely as far-reaching as they are in the modern globalised world, it is perhaps heartening to know that since humans clearly make mistakes we should therefore be growing in experience. In one perspective of the world, humans have been making errors almost since the time of their creation. But there is a difference between a mistake and an error; one which even teachers are often prompted to question, if my research is anything to go by. However, I am drawn to this particular explanation: “A mistake is a wrong response that, if thought about, you would realize is wrong. An error is a wrong response because you have no knowledge about what the correct response is.”
In a nutshell, you make errors because you don't know any better, and mistakes you make despite the fact that you know better. Pilots in the RAF use the term “switchpigs” to describe situations where the wrong button is pressed or an incorrect switch selection is made despite the operator being perfectly aware of what the correct action should have been. Officially, the RAF uses a term we all probably understand: “Cognitive Failure.” This cognitive failure is what allows the brain to guide our hand to select ‘send’ in our e-mail client when we knew that what we should have done is click ‘save’ whilst we deliberated on the wisdom of sending an e-mail criticising our boss. So if we are to stand by the previous explanation of what constitutes an error, rather than a mistake, we must take it that human error in IT security terms is the result of a lack of knowledge. But a lack of knowledge about what? Not the operation of the IT or how the equipment works, surely. I suspect, and many will doubtless agree, that the true foundation of human error is the lack of understanding, or knowledge if you prefer, of the implications of one's actions.