Practical Information Security

Tips and Tricks for better Information Security and Cyber Security


2016 – The year in infosec

Note: This is a long post about infosec in 2016 and 2017. Read when you have the time.

2016 has been an interesting year. Donald Trump became president-elect. The Syrian crisis worsened. Brexit happened. India demonetised 87% of its currency in one stroke. Cybersecurity and infosec were uttered more frequently in corporate boardrooms – and for good reason too.

How was the year for infosec? Here are a few areas where things happened and will probably continue to happen in 2017.


Cloud Security Policy

8 steps to write a cloud security policy

Everything is moving to the cloud – a cliché we have heard so often that we have started to believe it to be true. To some extent, it is. The infosec professional has been caught on her heels about cloud security. Just when she got round to analysing the risks of virtualisation, the monster of cloud-based services crept up behind her. The simplicity and attractive pricing offered by cloud service providers makes shadow IT sign up for the service before you can say ‘cloud security’. There are myriad arguments flying around…

“Everyone’s using Evernote! What’s infosec got to do with it?”

“…but it is free for up to 5 users and we are not more than 5 users!”

“This is way cheaper than what my accounts package costs…and I can access it from home.”

These are words that strike terror in the heart of infosec professionals.


The Apple encryption saga…

Apple’s CEO Tim Cook, in a very public letter, has opposed the US government’s demand to incorporate a ‘backdoor’ in an iPhone 5C. The cyber world has been abuzz with activity ever since.

I have been following this with interest, and also trying to make sense of, arguably, one of the biggest questions since Edward Snowden. A few questions come to mind and I try to muse through them here:



The quest for good passwords

Passwords are easily the most talked about infosec control. Perhaps the simplest concept to explain and surprisingly hard to implement well. Allow a user to keep any password, without restriction, and she will keep her username as the password. Add complexity requirements and she will write it down.

Infosec professionals take every possible measure to get users to keep their passwords confidential. They provide guidelines on creating good complex passwords. They use analogies – ‘A password is just like a key! Would you share the key to your house?’ They enforce password rules by building them into the systems. Try as you might, people and passwords seem to have a healthy dislike for each other.



Difference – ISO 27001:2005 and ISO 27001:2013 – Part 2 – Context

This post is in continuation of my previous post about the differences between ISO 27001:2005 and ISO 27001:2013. You can check it out here. My quick and dirty analysis of the differences can be found here.

’Tis all a matter of context. One of the most prominent differences between the old standard (ISO 27001:2005) and the new standard (ISO 27001:2013) is the presence of ‘context’ in the new one. This context forces the implementer to focus on the question ‘Why are we doing this?’ In the old standard, one could not question the reason for having an ISMS. We had to take it as a matter of faith and go straight to the task of defining the scope and the boundaries of the ISMS.


If you don’t have anything important to say, don’t say anything – Information Security Metrics


If you don’t have anything worthwhile to say, don’t say anything. (Could be one of the reasons why this blog has been silent for a while now…)

After infosec metrics became fashionable, a lot has been said about how to measure the effectiveness of your security program. ISO 27001:2013 made it worse – not only does it want you to measure the effectiveness of your security program, it also wants you to measure your information security objectives. With so many ideas and views and opinions floating around about what makes an effective security metric, I thought of writing a general guideline on how to identify what to measure in your organisation.


The Product-Process chasm – and how to bridge it


Have you implemented a firewall? An IPS? An AV? An IAM solution? A DLP? A DRM? An APT solution? A gateway proxy? An MDM solution? An SIEM? Chances are that you have answered “Yes” to at least two questions. (If not, please leave the information security industry right away and do something else. Really. Anything else will do!)

All these are very good technologies. They solve an information security problem, and they solve it well. What worries me is that many (if not most) implementations of these technologies are not as effective as they can be. The problem? Lack of well-defined processes.


The mysterious disappearance of TrueCrypt

It is difficult to imagine a time without TrueCrypt. I do not even remember how I first got to know of TrueCrypt. I remember, however, moving the mouse randomly to create a new container. Young and foolish at that time, I thought it was a gimmick – not knowing that random number generation can be such a big pain. However, the software itself was great to use. Ever dependable. It had an element of mystery as well – the password for ‘duress’ where you could dump dummy data. It made you feel like a bit of a spy.