One of the main contemporary standards of how to conduct IT security is the ISO/IEC 27001 (the other widely spreading standards system being the PA-DSS / PCI-DSS). The current trend is that without such a certificate, only small players can stay on the market. It contains a number of well thought out approaches that are pretty well protects the organization – however it does so at the price of enacting an almost total surveillance over its employees.
To start with, one has to declare that the ISO 27001, which is all about the implementation and operation of a so-called Information Security Management System (ISMS) is based on very reasonable grounds. It is designed to address all the information (and partly physical) security needs accross an organization as a whole. Interestingly, for the wide angle it covers, its focus on actual cyber threats is quite narrow.
The main vulnerability surfaces of the ISO/IEC 27001
It is without question that – if correctly done – it helps an organization (mainly businesses) to mitigate a large number of threats that aren’t too sophisticated but nevertheless are widespread. But in doing so it exposes the organizations to a number of sophisticated and complex ones, such as:
- It forces organizations to draft security policies which – if landing in the wrong hands – could act as complete roadmaps on how to target them,
- It pushes the organizations to migrate most of their operations to cloud services, which could record and mine their data without much hardship,
- It causes heavy reliance on third-party Software-as-a-Service and Security-as-a-Service packages from vendors which are almost always connected in some ways to government entities (and not necessarily the same governments which has juridiction over the organization),
- It exposes the organization to specialized services in the name of ‘penetration testing’ or ‘ethical hacking’ – and these services are rendered by firms that are normally have ex-government spooks as founders (to say the least…),
- As the goal of the use of the ISO/IEC 27000-series is to have the organization certified it exposes the whole organization to external auditors,
- And lastly about three-quarters of the implementation involves recording and retaining data about or pertaining to the employees of the given organization.
- And an extra: it binds organizations to purchase more and more ISO documents – which recently are broken down into fragmented instead of discrete standards that the organization is expected to buy, reconcile and apply.
(Note: a number of frameworks exist, such as the TOGAF and COBIT which could be used in conjunction with the ISO/IEC 27K series, but the end certificate is limited to the 27K compliance.)
So what it is and how it works?
The ISO/IEC 27001 is the collection of standards regarding the requirements of IT security techniques and Information Security Management Systems. Its ‘Annex A’ is the checklist of all fields where compliance must be gained in order to pass an audit.
The ISO/IEC 27002 is the actual guide (code of practice for information security management) on how to implement and operate such a management system accross the organization. In today’s lingo it is the book of the applicable best practices.
Generally it is implemented in the following way: within the organization some folks draft the security policy paper(s) and set the actual processes accordingly. It is then evaluated and tested and finally let a third-party auditor to evaluate and issue the ISO/IEC 27001 certificate. And if ir is ready then all is well.
This sounds quite simple, but in reality it never is. Partly because of the resistance of the organization against any far-fledging changes and partly because in order to successfully implement it a host of other standards are need to be introduced aswell (such as the ISO/IEC 22301 ‘Societal security – Business continuity management systems – Requirements’, the EU GDPR, etc.).
The ISO/IEC 27001was born out of the UK’s British Standards Institution’s BS7799 standard in 1995. In 2005 it became an international standard, thence the name ISO27001:2005. This is by now superseded by the ISO27001:2013, which is the latest fully implementable version. It is maintained by the ISO’s so-called ISO/IEC JTC 1/SC 27 IT Security techniques Subcommittee, which is an active regulations body engaging in a wide array of security-related stuff.
So the ‘Annex A’ of the ISO/IEC 27001 contains 114 control mechanisms neatly grouped together along another standard, the ISO/IEC 13335-1
(Information technology — Security techniques — Management of information and communications technology security).
To implement or let alone understand it one has to read virtually tens of thousands of pages. Or if that ain’t what one wants then to hire some third-party firm to do it.
The problem with drafting security policies
This part is about the need to draft an over-arching information security policy document which is published and made known to all parties. In my opinion, this really shouldn’t be done – unless secrecy could reasonably be kept. And face it: it couldn’t.
The problem isn’t that a security policy would weaken an organization’s resiliance against external or internal threats. No, it is a good thing to have one. The problem is that in this way an organization will have a security policy that is – since based on a known standard – precictable and which is quite similar to the next organization’s. And predictability is the arch enemy of security.
Also it takes away the leverage of security issues from the organization, as in order to become compliant and keep that way it will not seek security but compliance.
Issues with cloud services
Cloud services are exclusively operated by big data companies. The largest players are Amazon (Web Services), Microsoft (Azure), Google (Cloud Platform and App Engine), Alibaba (Aliyun), Oracle (VM, VirtualBox and Cloud Platform) and IBM (Bluemix and SoftLayer) – companies that are not free from monopoly abuse. You don’t have to search too long to find out what problems you could face…
If you want to comply with ISO27K, and you are having large amounts of data, then you’ll pretty soon need to move your operations onto the cloud services. And once it is done, there is no way of telling whether these companies use (to say the least) your data to their own ends.
To make orgabnitzations swallow the bitter pill, there is a sugar coating of flashy names (like Infrastructure-as-a-service (IaaS), Platform-as-a-service (PaaS), Function-as-a-service (FaaS), Mobile Backend-as-a-service (MBaaS), Software-as-a-service (SaaS), Serverless computing, etc.). The denominations may be numerous, but the the essence is the same: enacting control over your data and infrastructure.
In the world of cloud services the service provider can access the data that is in the cloud at any time. It could read, copy, alter or delete information both accidentally or deliberately. Cloud providers share information with third parties if necessary (read: for them), not just for purposes of law and order. That is permitted in their privacy policies, which users must agree to before they start using cloud services.
Organizations would encrypt data that is processed or stored within the cloud to prevent unauthorized access – but only if it is legally possible, and only if the cloud service provider doesn’t have the technical and computing capabilities needed to decrypt the encryption. And trust me on this one: if you do not use one-time pads of strictly natural random numbers, they are having it – and obviously you don’t use one-time pads.
The only way to combat this phenomenon is to use shared data storage (like storing every odd byte in cloud ‘A’ and every even byte in cloud ‘B’). But even that could be too little if the infrastructure isn’t yours to begin with.
Heavy reliance on third-party software
In regards of compliance to technical specs, the standards are recognizingmostly the use of sophisticated Security-as-a-Sevice solutions as good practice. This obviously a good way to mitigate threats, but at the same time it exposes the organization to the makers of such softwares. As IT security softwares (like anti-virus and firewall products) are produces by companies with deep links to intelligence services (it’s not debatable… 🙂 ) it adds however a subsequent layer of risks. By using more than one such products could be a good way to overcome this (maybe).
Another aspect is that contemporary IT security softwares are NOT actually that smart. They are offering two main functionalities and one possible ability:
- A heuristic approach, that is checking traffic and processes against a database (like a virus definiton database), where indicators are collected. Indicators are IP addresses, emails, parts of the code that are known, etc. This approach has the shortcoming of being completely unable to assess encrypted traffic and polymorphic codes. This is highly dependent on having the latest upgrades.
- A holistic approach that is essentially the analysis of the operation of a program. If it is doing something that is deemed suspicious (like accessing files, initiating network traffic inconsistent with their functions, etc.) it will block from doing so.
- Some IT security software are able to learn as they operate. This however is happening within the scope of the preceding two functionalities.
While the best defense is to have your own techniques of averting threats, these softwares if someone finds a way to circumvent them will make ALL organizations vulnerable that are using them.
Exposure to ‘ethical hackers’
Ethical hackers are corporate employees with knowledge of the latest hacking trends. And by letting them into the premises they will also know the weaknesses of your organizations. Which is like letting an ‘ethical burglar’ into your home. I am not saying that after the ‘ethical burglar’ visits you your home will be burglarized, but I am saying that in this case you are building security on confidence – which is the exact opposite of what security actually stands for.
Exposure to external auditors
The same as before: don’t build security on confidence, because it is called insecurity.
The totally Orwellian surveillance of the employees
If you look at the structure of ISO/IEC 27001, you gonna find that most chapters are all about tightening the control of the ‘users’:
A.7: Human resource security – before, during, or after employment
A.8: Asset management
A.9: Access control
A.11: Physical and environmental security
A.12: Operations security
A.13: Communications security
A.14: System acquisition, development and maintenance
A.15: Supplier relationships
A.16: Information security incident management
A.17: Information security aspects of business continuity management
A.18: Compliance; with internal requirements, such as policies, and with external requirements, such as laws
If you fully implemented the standard, you will have a total surveillance over everything people doing at the organization. And it leads to a number of moral and ethical questions surely. But it isn’t the ethics that pose the largest problem here.
The biggest problem is that it chases the notion that human are irresponsible and unreliable resources that need to be continually monitored and it would be best if they did not exist. And then you need to stop for a minute and ask yourself: what the flying fuck is this standard is for then? How an organization, which is an artifical entity could be more important than the individuals who make up it? Are the machines the important within? For what else an onganization is than the employees and the machines? So, it actually sets the stage for yet another extermintation campaign against the ‘human imperfection’.
Standards, standards and even more standards
If you start reading the ISO27K, soon you’ll bump into this excerpt:
If the information security policy is distributed outside
the organisation, care should be taken not to disclose sensitive
Further information can be found in the ISO/IEC 13335-1.
So in order to know what you are doing buy some other stuff from us. Nice. And along the text, you’ll have to buy a myriad of other standards and make it compliant with other, non-compatible standards aswell, like the GDPR or the PCI-DSS. And how come that this exposure to these binding, complicated and intricate standards aren’t seemed as being a security issue at the first place?
🙂 For this, you’ll have to know the answer for yourself.