


ISSUE 36

20 July 2014

Article of the Month

Around the World

Information Security Discipline Requires a Paradigm Shift


If you examine closely, the information security discipline predates the advent of computers. The term may have been coined later, but ever since mankind started creating, processing and transmitting information, security problems have popped up. The first generation of information security professionals were not the first batch of CISSPs. In fact, they probably lived 7000 years ago carving hieroglyphs in Ancient Egypt and, a few centuries later, writing secret military communications on parchment in Ancient Greece.


One fact characterises the evolution of the information security discipline over the years: the increasing technical sophistication of both the problems and the potential solutions. This technical sophistication has accelerated during the Information Age. But what’s behind it? It is the fundamental belief that improving technology can help solve information security problems better, an assertion the author would like to call the “technology paradigm” of information security. However, many information security professionals would disagree that we are bound by such a paradigm. After all, almost every information security textbook states that security cannot be achieved by technical means alone. Information security standards such as ISO/IEC 27001 and 27002 mandate many procedural and administrative controls in addition to the technical ones.

It is true that some social, organisational and administrative aspects are taken into consideration by the security profession. However, they are not seen in equal light with the technology under the current security paradigm. To elaborate further, security is designed with two types of subsystems in mind: the technology and the people who use the technology. Information security is very much concerned with the technology subsystem and, to an extent, with the interface between technology and people (e.g., access control). However, very little attention is focused on how interactions between people and organisational or contextual factors affect security, and there are few controls in that space.

Ample evidence can be provided for the dominance of the technology paradigm in information security. A survey of the information security research literature found that 94% of all research in the domain focuses on the technology aspect, while only a handful of papers address social and organisational aspects [1]. According to the 2014 Global Cyber Security Survey [2], published by PwC, only 48% of organisations have carried out behavioural profiling or monitoring, at a time when technical controls such as malware protection and network traffic monitoring are ubiquitous.

As pointed out by the famous philosopher Thomas Kuhn, it is normal for a scientific discipline to be dominated by a single paradigm, or way of viewing problems in the domain [3]. The anomalies or “difficult problems” that cannot be solved within the paradigm are typically brushed aside due to the lack of models and tools to solve them. The information security discipline has been following the same pattern. We have solved many technical problems and either pushed aside the ones that are socio-technical or offered technical solutions to those problems. A good example is insider threats. Until recently, almost all controls against insider threats were technical. However, recent high-profile insider threat events, such as the Edward Snowden incident [4], have brutally exposed the inadequacy of our approach to this problem. As pointed out by Kuhn, times like this are ideal for paradigm shifts to occur, as people find new ways of analysing problems and synthesising knowledge. A shift from a purely technical to a socio-technical paradigm of information systems security is further facilitated by the availability of models and tools we can borrow from other disciplines. Suitable theoretical frameworks, such as Socio-Technical Systems Theory [5], have been around for decades. Today, there are plenty of options for organisations to track people’s behaviour and intentions through sources such as online social networks, emails and blog posts. Moreover, wearable sensor technologies enable even more traditional forms of communication to be tracked. Advancements in data analytics (Big Data is the new buzzword!) enable organisations to draw insights from large volumes of data.

Already, there is evidence of a paradigm shift in the information security discipline. A good example is the evolution of access control models. The early Discretionary and Mandatory Access Control models were followed by Role-Based models [6], which are gradually being superseded by the newly introduced Attribute-Based (ABAC) [7] and Risk-Adaptable Access Control (RAdAC) [8] models. However, a paradigm shift in the discipline will not only help solve certain problems, but will create new ones as well. For instance, we have to address privacy and ethical concerns when we analyse a social subsystem. Security professionals should not resent this. After all, when you take a pill to cure an illness, it inevitably creates some side effects. More importantly, those new challenges are essential for a scientific discipline to keep moving forward.
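As an added illustration of the shift this paragraph describes (example code, not from the article or from the cited references): the same access request is evaluated first by a role-only RBAC rule and then by an attribute- and risk-adaptive rule in the spirit of ABAC/RAdAC, where contextual and behavioural factors change the outcome even though the role has not changed. The attribute names, risk weights and threshold are constructed assumptions for illustration only.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """One access request with the role plus contextual attributes (constructed)."""
    user: str
    roles: set                   # RBAC input: role membership
    resource_sensitivity: str    # "public" | "internal" | "secret"
    device_managed: bool         # attribute: corporate-managed device?
    location_trusted: bool       # attribute: request from a trusted network?
    recent_anomalies: int        # behavioural signal, e.g. from monitoring


# Assumed role-to-resource mapping; a real deployment would load this from policy.
ALLOWED_ROLES = {
    "public": {"staff", "analyst", "admin"},
    "internal": {"analyst", "admin"},
    "secret": {"admin"},
}


def rbac_decision(req: Request) -> bool:
    """Classic RBAC: the permission follows purely from role membership."""
    return bool(req.roles & ALLOWED_ROLES[req.resource_sensitivity])


def risk_score(req: Request) -> int:
    """Constructed RAdAC-style score: context and behaviour raise operational risk."""
    score = {"public": 0, "internal": 2, "secret": 5}[req.resource_sensitivity]
    if not req.device_managed:
        score += 3
    if not req.location_trusted:
        score += 2
    score += 2 * req.recent_anomalies
    return score


def radac_decision(req: Request, max_risk: int = 6) -> bool:
    """Role is still required, but the decision adapts to the assessed risk.

    A full RAdAC model would also weigh operational need against risk;
    that trade-off is omitted here to keep the example short.
    """
    return rbac_decision(req) and risk_score(req) <= max_risk
```

The interesting case is an admin reading a secret resource from an unmanaged device on an untrusted network: RBAC allows it, the risk-adaptive rule does not.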

Hasala Peirs, CISSP




1. Beznosov, K. and Beznosova, O. On the imbalance of the security problem space and its expected consequences. Information Management & Computer Security, 2007, 15(5): 420-431.
2. PricewaterhouseCoopers, CIO magazine and CSO magazine. The Global State of Information Security Survey 2014.
3. Kuhn, T. The Structure of Scientific Revolutions. Chicago: The University of Chicago Press, 1962.
4. Greenwald, G. The NSA Files. The Guardian, 2013 [cited 20 Jan 2014]. Available from: http://www.theguardian.com/world/the-nsa-files.
5. Bostrom, R.P. and Heinen, J.S. MIS Problems and Failures: A Socio-Technical Perspective, Part II: The Application of Socio-Technical Theory. MIS Quarterly, 1977, 1(4): 11-28.
6. Sandhu, R.S., et al. Role-based access control models. Computer, 1996, 29(2): 38-47.
7. Hu, V.C., et al. Guide to Attribute Based Access Control (ABAC) Definition and Considerations. Gaithersburg, MD: National Institute of Standards and Technology (NIST), 2014.
8. McGraw, R. Risk-Adaptable Access Control (RAdAC). In: NIST Privilege (Access) Management Workshop, Gaithersburg, MD, 2009. National Institute of Standards and Technology (NIST), U.S.A.


'...The iPhone became the latest target of China’s state broadcaster CCTV today. The phone’s Frequent Locations function, which tracks the exact places you have been and the amount of time you spent there, is capturing “extremely sensitive data,” a researcher told CCTV, according to Reuters. The data could ultimately reveal China’s economic situation and “even state secrets,” the researcher said...'


'...As new smartphones hit the market, people are looking to offload their outdated devices more frequently than ever before. When selling an old phone, the standard procedure is to restore the device to factory settings, wiping it clean of any personal data. This creates a new-phone feel for the new owner and offers protection for the original owner...'

Exploring the BYOD security dynamic


'...The initial survey, conducted in late 2013, explored the prevalence of employee-owned devices, how they are being secured, and employee concerns regarding company-mandated security programs. The second survey, conducted in March 2014, looked at how IT managers view the risk of employee-owned devices, the prevalence of formal mobile security policies, and the extent to which employee input is included in developing BYOD policies....'

Cloud security threats, tips and best practices


'....In this interview, Gray Hall, CEO at Alert Logic, illustrates today's top cloud security threats, tackles privacy and surveillance issues, and offers security best practices organizations should implement when moving to the cloud...'


'...Here’s the thing about those cheap sub-$100 smartphones that nobody tells you: They’re awful. Many of them use aging hardware to run old versions of Android. People tend to use them like regular phones—except to surf Facebook when they’ve got a Wi-Fi connection...'

Month in Brief

Facebook Incidents Reported to Sri Lanka CERT|CC in June 2014

Statistics - Sri Lanka CERT|CC


Apple Denies Chinese Report of Location Tracking Security Risk

'...The frequent locations function, which can be switched on or off by users, is available on iOS 7, the operating system used by the current generation of iPhones released in September 2013.

"We appreciate CCTV's effort to help educate customers on a topic we think is very important," Apple said Saturday in a statement in Chinese and in English on its China website...'

Hackers Attack Shipping and Logistics Firms Using Malware-Laden Handheld Scanners

'...The attack, dubbed "Zombie Zero," has been analyzed by cybersecurity solutions provider TrapX, a company formerly known as CyberSense. According to TrapX, the attack begins at a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they're handling...'

Being Secure In The Most Connected World Cup Ever

'...Sporting events are getting more and more connected, and the just-concluded World Cup is no exception. Brazilian telecom provider Oi made sure that no expense was spared in ‘connecting’ the World Cup, and even claimed that this year’s event is in fact the most connected in the history of the World Cup...'

Targeted Attack Methodologies for Cybercrime


'...We recently wrote about the difference between cybercrime and a cyber war, which narrows down to the attack’s intent. With the same intent of gaining information to use against targets, cybercriminals and attackers tend to stress less importance in their choice of “tools”, as these campaigns are all about who carries out the attack...'

Facebook Helps Cripple Greek Botnet



'...Facebook today revealed details of how it helped derail a little-known botnet operation out of Greece that was used to steal and mine digital currency and spread via Facebook and Lightcoin mining -- infecting some 250,000 machines worldwide...'

Notice Board

Training and Awareness Programmes - July 2014

- 02nd, 03rd & 04th July: Training programme on usage of e-content developed for primary grade. National Institute of Education, Maharagama
- 07th & 08th July: Training programme on Alice Software for content development. National Institute of Education, Maharagama
- 24th & 25th July: Workshop to develop a module on Graphic & Animation for National Vocational Qualification. Computer Laboratory, ICT Branch, Ministry of Education
- 21st to 25th July: Training programme for (G.C.E) A/L ICT subject. Education Leadership Development Center, Meepe
- 30th June - 04th July: Script writing for e-Thaksalawa Learning Management System for Grade 9. Computer Laboratory, ICT Branch, Ministry of Education
- 30th July - 01st August: Script writing for e-Thaksalawa Learning Management System for Grade 11. Computer Laboratory, ICT Branch, Ministry of Education
