How Things Gain from Disorder: Nassim Taleb - Applicable to Infosec?

The Entrepreneurial Thought Leaders lecture series, run by Stanford University's Entrepreneurship Corner, is a must-visit for the 'eternal learners' who follow these posts or these tweets.

On this occasion I highlight some thoughts extracted from a lecture that Nassim Taleb gave (@nntaleb at @edcorner) on part of the content of his book Antifragile: Things That Gain from Disorder. Are those thoughts applicable to our information security world? Let's see.

As always, a modest disclaimer: these lines by no means replace reading this interesting book (or, at least, watching the lecture at Stanford).

- The aim is to look in our activities for a convex function of luck (and not a concave one). That way, small changes in what we do can produce disproportionately large results. In other words, look for something in which, if you lose, you lose small but, if you win, you win big. Look for anti-fragility.

I would consider a proactive defence approach in IT security an anti-fragile field: a series of small preventive and detective improvements can bring disproportionate benefits. The environment itself, however, is probably fragile, given the endless ways in which any of the current threat actors can attack us: a small mistake in defending against a threat can lead to a big loss.

- There are certain fields in our lives in which forecasts cannot be made on the basis of statistical probability (he mentions the financial world as an example).

This statement hints at an alternative view to the one in my book "Secure IT Up! Cyber Insurance Due Diligence" with regard to cyber security: it cannot be managed on statistical calculations alone (a long run of statistically rare cyber incidents can become reality).

And now some adjacent wisdom pills, also from the talk:

- The sponsor of an option should face disincentives as well as incentives so that, if the venture fails, they also bear a share of the failure.

- Beware of sponsors who try to hide risks from you (rather than mitigate them).

This advice about not hiding risks applies equally to information security.

- Respect, and even promote, the culture of subtracting (as opposed to the culture of adding): e.g. mankind would be better off if some toxic elements were taken away (those that damage public health, for instance).

Avoiding complexity makes the information security practitioner's work easier: every component that is removed is one less to patch, monitor and misconfigure.

- Contrary to common academic views, hands-on practice leads to technology, and technology leads to science (and not the other way round, i.e. science leading to technology and technology leading to practice).

This last thought deserves some reflection with our infosec hat on. Would we improve infosec at a faster pace if funds initially earmarked for governance were redirected to secure DevOps?


Happy anti-fragility!

Build your anti-fragile option

Avoid untrusted Wi-Fi APs. Creating a Wi-Fi Access Point in Ubuntu.

Is 3G too slow for what you need to do with your smartphone?
You don't trust the Wi-Fi access points where you are?
But you do have a trusted Ubuntu Linux box with a reasonably trusted wired (Ethernet) Internet connection, and a Wi-Fi card?

Then this is a summary of the steps to turn that Ubuntu box into a wireless access point. Keep in mind that the resulting AP is only as trustworthy as the box and the wired link behind it, and that hostapd must be configured with WPA2 and a strong passphrase; otherwise you are merely replacing an untrusted AP with an open one.

The commands to implement it are the following:

1. Installing hostapd:
# apt-get install hostapd
# nano /etc/hostapd/hostapd-minimal.conf
Dan Bishop provides an example hostapd config file.

2. Installing bridge-utils:
# apt-get install bridge-utils
Dan Bishop also provides an example config file.
Edit your /etc/network/interfaces file according to Dan Bishop's reference. It will probably look similar to this (replace the placeholders with your LAN values):

auto lo
iface lo inet loopback
auto br0
iface br0 inet static
        address yourlanaddress
        netmask yourlannetmask
        network yourlannetwork.0
        broadcast yourbroadcast.255
        gateway yourlangateway
        bridge-ports eth0 wlan0


3. Stop NetworkManager from managing the interfaces declared in /etc/network/interfaces by editing its config file and changing managed=true to managed=false:

# gedit /etc/NetworkManager/NetworkManager.conf
[ifupdown]
managed=false

4. Stop the NetworkManager service:
# service network-manager stop

5. Restart networking (the legacy way, but it still works here):
# /etc/init.d/networking restart


6. Enabling Internet access from the bridging box:
# ip route add default via ipaddressofyourcablerouter
# dhclient br0
More on this in the Ubuntu documentation.

If you need to tune how dhclient behaves, make the corresponding changes in /etc/dhcp/dhclient.conf.


7. Start hostapd (-dd is the verbose switch; the path must be that of the file created in step 1):
# hostapd -dd /etc/hostapd/hostapd-minimal.conf
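The steps above leave the choice of Wi-Fi security to whatever ends up in hostapd-minimal.conf, which is the one setting that decides whether this AP is actually more trustworthy than the ones you are avoiding. The script below is an added example, not code from the original post or from Dan Bishop's reference: it writes a WPA2-PSK, CCMP-only hostapd configuration for the bridged interface, audits any hostapd configuration for open, WPA1, TKIP or WEP settings, and flips NetworkManager's managed= flag (step 3 and, later, its reverse). The interface names wlan0 and br0, the SSID and the passphrase are placeholder assumptions; the demo writes to temporary files, so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the original post or Dan Bishop's reference):
# write a WPA2-only hostapd config for the bridged AP, audit a hostapd
# config for weak settings, and flip NetworkManager's managed= flag.
# wlan0, br0, the SSID and the passphrase are placeholder assumptions.

# write_hostapd_conf FILE SSID PASSPHRASE [WLAN_IF] [BRIDGE]
# hostapd only accepts passphrases of 8 to 63 characters; refuse others
# instead of producing a file that hostapd rejects at start-up.
write_hostapd_conf() {
    file=$1; ssid=$2; pass=$3; wif=${4:-wlan0}; br=${5:-br0}
    if [ ${#pass} -lt 8 ] || [ ${#pass} -gt 63 ]; then
        echo "passphrase must be 8-63 characters (got ${#pass})" >&2
        return 1
    fi
    cat > "$file" <<EOF
interface=$wif
bridge=$br
driver=nl80211
ssid=$ssid
hw_mode=g
channel=6
# WPA2 only (wpa=2), pre-shared key, CCMP/AES only: no WPA1, no TKIP, no WEP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=$pass
EOF
}

# audit_hostapd_conf FILE
# Returns 0 for WPA2-PSK with CCMP only and a key set; otherwise prints one
# FINDING per weakness and returns 1. The last occurrence of a key wins.
audit_hostapd_conf() {
    file=$1; rc=0
    get() { sed -n "s/^$1=//p" "$file" | tail -n 1; }
    case "$(get wpa)" in
        2)  ;;
        "") echo "FINDING: no wpa= line, the AP is open"; rc=1 ;;
        *)  echo "FINDING: wpa=$(get wpa) still admits WPA1 clients"; rc=1 ;;
    esac
    if [ -n "$(get wep_default_key)" ]; then
        echo "FINDING: WEP keys configured"; rc=1
    fi
    for key in wpa_pairwise rsn_pairwise; do
        case "$(get "$key")" in
            *TKIP*) echo "FINDING: $key allows TKIP"; rc=1 ;;
        esac
    done
    if [ -z "$(get wpa_passphrase)" ] && [ -z "$(get wpa_psk)" ]; then
        echo "FINDING: no pre-shared key (wpa_passphrase or wpa_psk) set"; rc=1
    fi
    return $rc
}

# set_nm_managed FILE true|false
# Rewrites the [ifupdown] managed= line (step 3, and its reverse when you
# hand the interfaces back to NetworkManager) and verifies the result.
set_nm_managed() {
    sed -i "s/^managed=.*/managed=$2/" "$1"
    grep -q "^managed=$2\$" "$1"
}

# Demo on temporary files, so nothing under /etc is touched: sh ap.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_hostapd_conf "$tmp/hostapd-minimal.conf" LabNet 'correct-horse-battery'
    echo "== generated config"; cat "$tmp/hostapd-minimal.conf"
    echo "== audit of the generated config"
    audit_hostapd_conf "$tmp/hostapd-minimal.conf" && echo OK
    printf 'interface=wlan0\nssid=Open\nhw_mode=g\nchannel=6\n' > "$tmp/open.conf"
    echo "== audit of an open (no wpa=) config"
    audit_hostapd_conf "$tmp/open.conf" || echo WEAK
    rm -rf "$tmp"
fi
```

Run it with --demo to see a generated file and the audit of an open configuration; in practice, point audit_hostapd_conf at /etc/hostapd/hostapd-minimal.conf before running step 7, and treat any FINDING as a reason not to start the AP.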

Finally, if you need to revert to the previous state:

Option 1 (the clear-cut one):
Restore the old /etc/network/interfaces file and uninstall hostapd and bridge-utils:
# apt-get purge hostapd
# apt-get purge bridge-utils

Use purge if you also want to delete the config files; otherwise simply use apt-get remove.

These are the references used to write this post:
- Dan Bishop's "Using hostapd to add wireless access point capabilities in Ubuntu" covers hostapd.
- The Ubuntu documentation page NetworkConnectionBridge covers the installation of bridge-utils and how to enable Internet access on the bridging box.
- The Ubuntu manpage for bridge-utils provides background information on bridge-utils.

Option 2 (keeping hostapd and bridge-utils):
Restore the old /etc/network/interfaces file, or comment out the lines related to the bridge (normally br0) and add (or uncomment) the loopback section, which is the only one required in that file once you resume using NetworkManager:
auto lo
iface lo inet loopback

These two lines are required so that NetworkManager starts at boot time (as mentioned here).

Then edit the NetworkManager config file back, changing managed=false (needed for hostapd and bridge-utils to work) to managed=true:
#gedit /etc/NetworkManager/NetworkManager.conf
[ifupdown]
managed=true

Finally, restart networking and the NetworkManager service (to avoid a reboot this time):

#/etc/init.d/networking restart
#service network-manager restart

... and double-check that /etc/rc.local is right for this scenario in terms of which services are started or not
(the little app bum, Boot-Up Manager, can come in handy here).

By the way, if you get the message "unable to resolve host: yourhostname", make sure that your host name appears both in /etc/hostname and in /etc/hosts.

Finally, if you want to check that both machines, your computer and your mobile, are now on the same LAN, an easy way is a ping sweep with nmap (-sP is spelled -sn in newer nmap versions):
# nmap -sP ip.address.of.your.lan.0/24

Happy browsing!


Surfing the sky!

Security site to bookmark: www.wtfuzz.com

The information security practitioner community in emerging countries is worth mentioning. The author of the blog I recommend on this occasion, wtfuzz.com, is from India. His name is Rishi Narang. On Twitter he describes himself as a consultant, author and researcher in cyber psychology and threat intelligence.

The first posts date from 2010. Since 2011, Rishi Narang has written about security at least six times a year. This no-frills blog is an example of the value of the Internet as a marketing and personal-branding vehicle. In 2013 he published two articles with detailed and useful hands-on content about the (in)security of session cookies at well-known sites such as Outlook, Google, Twitter, LinkedIn, Facebook and Yahoo. Both articles came with a video, a proof-of-concept script to "guess" those cookies and a table summarising the cookies analysed.

The three conclusions drawn from these two articles on cookie-based session maintenance are:

- Cookies need to expire on the server that issues them, at least when the session expires and, preferably, periodically.

- HTTPS should be preferred over HTTP as the transport protocol, so that session cookies do not travel in clear text.

- Session cookies need to be generated in a truly random manner.
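Those three conclusions translate directly into checks you can run against an HTTP response. The script below is an added example, not Rishi Narang's proof-of-concept script nor code from the original post: it generates a session identifier from the kernel's random source, emits a Set-Cookie header carrying the attributes that match the conclusions, and audits the Set-Cookie headers of a saved response, flagging a missing Secure or HttpOnly attribute, no expiry, a short value, or an all-digit value that looks like a counter or a timestamp. The response text in sample_response is constructed for the example, and the cookie name sid, the 32-byte identifier and the 16-character minimum are assumptions, not values taken from any of the sites mentioned.

```shell
#!/bin/sh
# Added example (not Rishi Narang's script nor code from the original post):
# generate a session cookie that follows the three conclusions above and
# audit the Set-Cookie headers of a saved HTTP response against them.
# The response text in sample_response is constructed; the cookie name sid,
# the 32-byte id and the 16-character minimum are assumptions.

# new_session_id: 32 bytes from the kernel CSPRNG (/dev/urandom), hex-encoded.
# Ids derived from counters, timestamps or user ids are what "guessing"
# scripts exploit; the source of randomness matters more than the length.
new_session_id() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# session_cookie_header NAME VALUE MAX_AGE_SECONDS
# Secure: sent over HTTPS only. HttpOnly: hidden from page scripts.
# Max-Age: the browser drops it, but the server must still invalidate its
# own copy when the session ends (conclusion one).
session_cookie_header() {
    printf 'Set-Cookie: %s=%s; Path=/; Max-Age=%s; Secure; HttpOnly\r\n' "$1" "$2" "$3"
}

# audit_set_cookie RESPONSE_FILE
# Prints one FINDING line per weakness in each Set-Cookie header. Randomness
# cannot be judged from one value, so two cheap proxies are used: a short
# value, or an all-digit value that looks like a counter or a timestamp.
audit_set_cookie() {
    grep -i '^Set-Cookie:' "$1" | tr -d '\r' | while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed 's/^[^:]*: *\([^=]*\)=.*/\1/')
        value=$(printf '%s' "$line" | sed 's/^[^=]*=\([^;]*\).*/\1/')
        attrs=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$attrs" in *"; secure"*) ;; *) echo "FINDING: $name lacks Secure (also sent over plain HTTP)" ;; esac
        case "$attrs" in *"; httponly"*) ;; *) echo "FINDING: $name lacks HttpOnly" ;; esac
        case "$attrs" in *"; max-age="*|*"; expires="*) ;; *) echo "FINDING: $name never expires in the browser" ;; esac
        [ ${#value} -ge 16 ] || echo "FINDING: $name value is only ${#value} characters"
        case "$value" in *[!0-9]*) ;; *) echo "FINDING: $name value is all digits (counter or timestamp?)" ;; esac
    done
}

# sample_response FILE weak|good: constructed responses for the demo and tests.
sample_response() {
    if [ "$2" = good ]; then
        {
            printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n'
            session_cookie_header sid "$(new_session_id)" 1800
            printf '\r\n'
        } > "$1"
    else
        printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: sid=1363201812; Path=/\r\n\r\n' > "$1"
    fi
}

# Demo: sh cookies.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_response "$tmp/weak.txt" weak
    echo "== weak response"; audit_set_cookie "$tmp/weak.txt"
    sample_response "$tmp/good.txt" good
    echo "== hardened response (no findings expected)"; audit_set_cookie "$tmp/good.txt"
    rm -rf "$tmp"
fi
```

Save the headers of a real response to a file (curl -D does this) and run audit_set_cookie on it. Bear in mind that the all-digits and length checks are only proxies: the real test of conclusion three is the one the articles performed, collecting many cookies from the same site and looking for structure across them.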

The popular security publication SC Magazine reported the vulnerabilities that Rishi Narang found in those big Internet names and linked to his blog. Surely he has received invitations to share his analysis and help improve the security of some of these companies' cookies, or offers to join a web application security provider.

In short, wtfuzz.com is an excellent calling card for an inquisitive security professional.

Outside typical IT security, the blog also hosts a non-technical article titled "It's you and me", published in October 2012, about human emotions and the differences between women and men. Perhaps this is why Rishi describes himself as a cyber psychology researcher?


Vulnerable tower... and cookies?
 

Happy cooking!

You can also read this entry in Spanish.

Linux commands hodgepodge (II)

Again, this is an unusual post, the second one after the first on Linux command lines. The reader will not find a series of paragraphs with a line of thought running through them, but rather a collection of command lines and related telegraphic recommendations for some aspects of the Linux universe (e.g. Ubuntu).

Happy command line experience!

- To install a Debian package via the command line
# dpkg -i package.deb

- To list the packages we have installed
dpkg -l

- To identify whether a package is installed
dpkg -l | grep packagename

- To get rid of configuration files left behind by packages that are no longer installed (status rc: removed, config files remain)
dpkg -l | awk '$1 == "rc" {print $2}' | xargs sudo dpkg --purge

The legend for the status column of the dpkg -l output can be found here.

- To know which Ubuntu is installed
lsb_release -a

- To know which linux kernel is installed
uname -a


- To remove a Debian package (leaving the configuration files)
# apt-get remove packagename

- To remove a Debian package together with its configuration files
# apt-get purge packagename

- To find files modified in the last 24 hours (find tests the modification time; it has no creation-time test)
find . -mtime 0


- To download a blogspot blog
wget -m http://securityandrisk.blogspot.fr

(you can also try with http://securityandrisk.blogspot.de/search?max-results=2000)

- To see which radio devices (Wi-Fi, Bluetooth) are blocked
# rfkill list

- To unblock one of them (by its index in that list)
# rfkill unblock number

- To start the firestarter firewall
#/etc/init.d/firestarter start

- To dump all traffic seen by the network interface that is neither sent to nor by your box, nor multicast or broadcast
# tcpdump -i eth0 net 192.168.x.0/24 and not host 192.168.x.a and not multicast and not broadcast

- To list listening TCP and UDP sockets together with the owning process
# netstat -tulpn

- A nice and easy way to see which networks this box has connected to
# grep -i NetworkManager /var/log/syslog

- To edit your cron scheduler entries in Linux
crontab -e

- The basics of vi or vim:

To move through the text: h l j k
To replace the character under the cursor with c: rc
To insert before or after the cursor: i a
To open a new line below or above the current one: o O
To delete a character: x
To undo the last command: u
To yank (copy) the current line: yy
To paste the yanked line after or before the cursor: p P
To write and exit: :wq
To return to command mode: ESC

When installing packages, the configuration files normally end up under /etc (apt's own is /etc/apt/apt.conf) and the binaries under /usr/bin.

- You need to define a network interface in Linux via a config file and not via NetworkManager? Then this is the location and syntax (auto makes the interface come up at boot):
edit /etc/network/interfaces
and add, for instance:
auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1

- You need to define DNS servers in Linux via a config file and not via NetworkManager? Then this is the location and syntax (on Ubuntu releases that use resolvconf this file is regenerated at boot; put the line in /etc/resolvconf/resolv.conf.d/head instead):
/etc/resolv.conf
nameserver 8.8.8.8

- You need to declare the name of your host via a config file? The name itself goes in /etc/hostname, and it must also resolve locally in /etc/hosts:
/etc/hosts
127.0.0.1 localhost
127.0.1.1 yourhostname

- You need to switch a network interface on/off in Linux via the command line and not via NetworkManager?
Then you can use ifup/ifdown or
sudo ifconfig eth0 down
sudo ifconfig eth0 up

- A quick way to become root?
sudo su -

- Need to get processes associated with a name
ps aux | grep name

- A non-elegant way to kill a process?
killall processname

- To get rid of the annoying beep while typing (unload the PC speaker module)
sudo modprobe -r pcspkr
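The grep over /var/log/syslog above returns raw NetworkManager lines; what you usually want from them (during an incident, or just to know where a laptop has been) is the list of networks and when each one was first joined. The script below is an added example, not part of the original post: it reduces the NetworkManager activation lines to one row per Wi-Fi connection with a count and a first-seen timestamp. The log excerpt in sample_syslog is constructed, and the message shape "Activation (wlan0/wireless): connection 'NAME'" is an assumption based on NetworkManager 0.9-era messages; adjust the pattern in wifi_history to whatever your syslog shows.

```shell
#!/bin/sh
# Added example (not part of the original post): reduce the NetworkManager
# lines in syslog to one row per Wi-Fi network this box has joined, with a
# connection count and the first-seen timestamp. The excerpt in sample_syslog
# is constructed, and the message shape "Activation (IFACE/wireless):
# connection 'NAME'" is an assumption from NetworkManager 0.9-era logs.

# wifi_history LOGFILE
# Prints <count>\t<first seen>\t<connection name>, in first-seen order.
wifi_history() {
    awk -v q="'" '
        BEGIN { re = "Activation \\([^)]*/wireless\\): connection " q "[^" q "]*" q }
        match($0, re) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.*connection /, "", s)        # keep only the quoted name
            s = substr(s, 2, length(s) - 2)     # strip the quotes
            if (!(s in count)) { first[s] = $1 " " $2 " " $3; order[++n] = s }
            count[s]++
        }
        END { for (i = 1; i <= n; i++) printf "%d\t%s\t%s\n", count[order[i]], first[order[i]], order[i] }
    ' "$1"
}

# wifi_names LOGFILE: only the distinct network names.
wifi_names() {
    wifi_history "$1" | cut -f3
}

# sample_syslog: constructed excerpt in Ubuntu syslog format, not a real log.
sample_syslog() {
    cat <<'EOF'
Mar 11 09:02:11 laptop NetworkManager[912]: <info> Activation (wlan0/wireless): connection 'HomeNet' has security, and secrets exist.  No new secrets needed.
Mar 11 09:02:14 laptop NetworkManager[912]: <info> Activation (wlan0) successful, device activated.
Mar 11 13:45:02 laptop NetworkManager[912]: <info> Activation (wlan0/wireless): connection 'Airport Free WiFi' has no security.
Mar 11 13:45:03 laptop kernel: [ 1023.401122] wlan0: associated
Mar 12 08:10:30 laptop NetworkManager[912]: <info> Activation (wlan0/wireless): connection 'HomeNet' has security, and secrets exist.  No new secrets needed.
Mar 12 19:30:01 laptop NetworkManager[912]: <info> Activation (eth0) starting connection 'Wired connection 1'
EOF
}

# Demo: sh wifihistory.sh --demo      (real use: wifi_history /var/log/syslog)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_syslog > "$tmp"
    printf 'count\tfirst seen\tnetwork\n'
    wifi_history "$tmp"
    rm -f "$tmp"
fi
```

Syslog is rotated, so for a longer history run wifi_history over /var/log/syslog.1 and the decompressed syslog.*.gz files as well; the wired connection in the sample is deliberately left out by the /wireless part of the pattern.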


Command lines enlighten us



Security site to bookmark: www.rationalsurvivability.com

Rationalsurvivability is Chris Hoff's personal blog. Chris is a renowned IT security architect, currently working for Juniper. Browsing his LinkedIn profile, you read about the technical security and network management positions he has held at companies such as Cisco, Unisys and Qualys. His career backs up the value of the suggestions he writes in rationalsurvivability.

The very name of the blog, rationalsurvivability, hints at the strategic change in information security that the author suggests. Rather than chasing the illusion of total, or "almost total", security, the survival of our organisations should be our mission. Innovate to survive. Borrowing a term from psychology, the aim should be to improve the "resilience" of the business and, therefore, of its processes.

Chris's articles are not for beginners. Technology lovers who are passionate about security and willing to challenge their views with alternative or controversial content will enjoy rationalsurvivability: an invitation to enhance the role of information security and its practitioners in organisations.

Since 2006, at least once a month, on a standard WordPress template, Chris has published ideas on strategic issues such as the lack of real innovation in current security solutions, creating added value through security software as a service, virtualisation and complex network management software, or the opportunity to improve security in organisations by using cloud services.

An attractive point of his site is the variety of topics covered and the frequent links to his conversations on Twitter: from a piece on the differences between real and virtual firewalls to a futuristic proposal on using social networks to interact with machines.

In one controversial article, Chris reiterates the intrinsic value of the security professional community by comparing security integrators with the pet services industry: both devote too much energy to criticising, and not constructively, the industry that supports them.

Further evidence of the interest in this blog and the value of its ideas are the comments left by names such as Dan Kaminsky, Matt Joyce and Preston Wood.

Happy survival!

Let's help business to survive


You can also read this entry in Spanish.

Whatsapp via python. Open security questions

WhatsApp is an instant messaging application for smartphones whose popularity grows daily. From a security viewpoint, a simple piece of advice would be to use it only for content you would not mind anyone else knowing. Details of some of the security concerns can be read in the .org (English) version of Wikipedia.

I focus on this app not to pick on its lack of security (mainly integrity and confidentiality) but rather to show the instrumental role that reverse engineering and black-box testing play in assessing the security of web-based and, now, smartphone-based applications such as WhatsApp.

Reverse engineering the WhatsApp app and studying the packets it exchanges with the server (black-box testing) are two ways to understand how the app works and what its security features are.

On a Python-enabled Ubuntu box, we download the Yowsup library, which includes the command line interface yowsup-cli. As mentioned in reference [1], you need to build a configuration file, preferably with a phone number and an IMEI belonging to a mobile phone that, first, you own and, second, you have not used with WhatsApp before.

The commands that reference [1] proposes are:
- Requesting a code
    ./yowsup-cli -c [yourconfigfile] --requestcode sms

- Registering with the received code

    ./yowsup-cli -c [yourconfigfile] --register thecodeyourreceivedinyourphone

- Modify the config file with the received password, as shown in reference [1]

- And you are ready to send WhatsApp messages
    ./yowsup-cli -c [yourconfigfile] -s [destination phone number] "message"

Now some security related questions:

- The config file uses an IMEI code and a phone number. As long as someone has access to those two pieces of information, what prevents them from following these steps and sending messages?

- Why does instant messaging attract a myriad of users while secured or hardened systems are not so attractive?

- Would it be worth researching the crossroads between user friendliness and information security? Certainly!
 
The sites I used as reference to build this post are:
[1]- Whatsapp in Linux with Python by Alejandro Pernin.
[2]- The python code by Tarek Galal hosted in github.
[3]- The command line interface page by Tarek Galal hosted in github.

Happy (in)secure messaging!

Photos also communicate

Book review: The Phoenix Project by Gene Kim, Kevin Behr and George Spafford

Every now and then I share with readers my views on a specific IT or IT security related book. This time I start with the final statement: this is a must-read novel. Every IT and IT security professional will sleep much better after reading The Phoenix Project. Why? Here are some telegraphic arguments or tips extracted from its pages:

- Consider IT development and IT operations as elements in a production plant.
- Go and revisit how you can use Kanban boards to protect your bottlenecks, i.e. your most over-demanded resources.
- There are four types of work: business project work, IT project work, changes and unplanned work. The last two, if not properly managed, will destroy you.

This book is a tool to reflect on how you need to interact with core business areas and executives. Above all, it is a novel, a human story that you will find very close to your everyday life.

The special bonus in this book for those in security? Read how the IT security officer goes from being hated to being part of the solution to the problems the company is having. That passage alone makes the book worth reading.

An additional ingredient in the book is the role of a somewhat distant but experienced mentor. One of the lessons of the book: do not despair, and think simple!

And remember:
- IT is pervasive, like electricity, it is not just a support area.
- If IT wins, the business wins.
- IT and business in unsuccessful companies is a dysfunctional marriage.
- Interesting idea: A hedge fund betting on organisations with a great IT department. 
- A new(?) concept: DevOps (from development and operations).
- And an even newer proposal: organisations with no IT department, but with IT inside the business areas instead. How does that sound?

Kudos to the authors Gene Kim, Kevin Behr and George Spafford!

Infosec people, build the tower but enjoy the tree!


The Charisma Myth by Olivia Fox Cabane: Applicable to Infosec?

Charisma
These are the main points extracted from a talk that Olivia Fox Cabane gave in Stanford's Entrepreneurial Thought Leaders lecture series. The question is whether we can use these learning points to build infosec charisma.

- Charisma is an asset.
- Charisma lets people trust you, like you and want to be led by you.
- Charisma is the result of specific behaviours.
- Behaviours that define charisma: behaviours of presence, power and warmth.
- Presence is the core of charisma.

Presence
- Charismatic people make you think that they are present, with you, fully with you.
- People can read facial expressions in 17 milliseconds. So, when you are not fully into what they are telling you, they will instantly notice. Your presence will diminish, appearing inauthentic.
- How to avoid it? One technique: focus on the physical sensation in your toes (yes, your toes!).

- Second technique: focus on the myriad of colours in your interlocutor's eyes (but don't overdo it!).
- Charisma is how you make people feel about themselves.
- Let them impress you and they will love you for it.

Power
- We look for power signs in body language.
- Voice fluctuation and pitch skills are key.
- Powerful people claim as much physical space as possible.
- When people adopt these poses, energy boosting hormones rise.
- Learn how to play chemistry with your own brain.

Mental side of power
- The single biggest obstacle is lack of confidence.
- How to deconstruct the "impostor complex": recognise those destructive thoughts (e.g. "I am not able to make it!"), treat them as graffiti on a wall and do not pay much attention to them.
- Learn how to read reality.
- We have a limited capacity of attention.

Warmth
- It is so closely tied to body language that you cannot fake it.
- Warmth comes mainly from your eyes and your voice.
- Don't act as if ... be that person, that character. Our brain cannot tell the difference between imagination and reality.
- Think of something really nice, open your eyes and link it with what you are doing right now.
- The area around the eyes is the most mobile area in the entire human face. Eyes will tell everyone the degree of warmth you are displaying.
- Never assume that your immediate assumption is the valid one.
- Choose a charisma-enhancing assumption. Re-write reality: Invent a story to alleviate your anger. Choose the reality that puts you in the most useful mental state. Don't control your body language, control your mind.
- What to do with difficult interlocutors: think of three positive features you find in them (they can also be part of an invented story).

Practice tips
- Get your energy levels up.
- Improvise.
- Learn something that teaches you to own the space around you.
- Dance.
- But don't get charismatic with "the charismatic person".

Imagine applying even 10% of all this in your next meeting with customers.

Happy charismatic reading!

Infosec Charisma







Security site to bookmark: measurablesecurity.mitre.org


Making Security Measurable is an initiative of the U.S. non-profit organisation MITRE. The site is easy to navigate and links to standards-related initiatives dealing with 15 closely interrelated security elements. I recommend visiting makingsecuritymeasurable to learn about current proposals to describe and exchange security information.

This site is based on three basic ideas:

- "We can't manage what we don't measure."
- "We need to share more information to succeed in our current challenges."
- "In order to share information, we need to use a common language, a protocol, a mechanism of exchange."

It introduces five major themes in information security:

- Quality assurance in software development and applications.
- Threat analysis.
- Vulnerability management.
- Protection against malicious code and system & network analysis.
- Incident management and reporting.

Each of these five broad specialities presents three specific areas with useful links, either to their basic principles or to current implementation initiatives. Browsing through all these pages, it is evident that, more than one common language, we need several, such as those dedicated to vulnerabilities and the weaknesses behind them:

- The vulnerability identifier dictionary (CVE).
- The weakness scoring system (CWSS).
- The weakness-based risk analysis framework (CWRAF).
- The classification of typical attack patterns (CAPEC).

Similar skeletons are starting to be built for threats (e.g. STIX), malware (MAEC), attack indicators (OpenIOC) and incidents (MILE, IODEF).

In summary, the information linked from the makingsecuritymeasurable site can help formalise, measure and justify proposals to improve security for our customers, and share data between different industry players. The final question is how many of these initiatives will mature and really become an industry standard. Time will tell.

A version in Spanish of this post will be located here in this publication. Stay tuned!

Happy browsing!

Making security visible

A security rucksack for Android

To start the year, I share a non-comprehensive list of security-related (or just handy) Android apps that could make up a sensible set of preventive security measures for our daily smartphone use and enjoyment:

To check what is going on...
- Task Manager
- Network Monitor
- Antivirus (one of the handful of them)
- DroidWall 
- Virus Total
- Advanced Task Killer
- OS Monitor
- Startup Auditor

- X Ray
 
To prevent leaks...

- LBE Privacy Guard

To prevent losses...
- Titanium Backup

To save space...
- App2SD

To save energy...
- Juice Defender

To find files... 
- ES File Explorer

To avoid ads...
- AdAway

To find the device...
- Androidlost

A useful security suite (AV, antimalware, device locator - requiring GPS - and backup)
- Lookout

And to make space (sooner or later you'll need it)
- DiskUsage 

Thanks to all those who contributed to build this list.
Would you add other security apps to this list? Let me know.

Happy phoning!

Keeping information where it should remain

Android SDK and Ubuntu

Ever tried to communicate via command line from an Ubuntu machine to an Android phone connected via the USB port?
Here I write some tips that could facilitate this experience:

- First of all, we need to install the Android SDK on our Ubuntu box. I recommend following the Android Developer site, from which we can download the Android SDK. The steps to get the SDK up and running are basically:

Two necessary elements are the ia32-libs (on a 64-bit machine) and a Java JDK (sun-java6-jdk or default-jdk).

# apt-get install ia32-libs (only if your box has a 64-bit processor)
# apt-get install default-jdk (the Java development kit)

Unzip the Android SDK.
Go to the tools folder and run $ ./android (a graphical configuration page appears; just press Install). It adds a minimum set of packages: tools, platform-tools and at least one (the latest) platform.


Configure the udev file as mentioned in this android page.

And that's about it! To test it, connect your Android device via USB and you should be able to see it by typing:
# platform-tools/adb devices
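Two things decide whether that last command shows your phone: the udev rule (who may open the USB device node) and the state adb reports for the device. The script below is an added example, not code from the Android documentation or the original post: android_udev_rule writes the rule line for a given USB vendor id with a group-restricted mode rather than the world-writable MODE="0666" that is often copied around, and adb_diagnose reads 'adb devices' output and says what each non-"device" state means. The vendor id 18d1 (Google) is only a sample value, the group plugdev and the serial numbers in sample_adb_devices are assumptions, and that output is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the Android documentation or the original post):
# produce the udev rule that lets a non-root user reach an Android device
# over USB, and read 'adb devices' output to say why a phone is not usable.
# 18d1 (Google) is only a sample vendor id; the group plugdev and the serial
# numbers in sample_adb_devices are assumptions, and that output is constructed.

# android_udev_rule VENDOR_ID [GROUP]
# One line for /etc/udev/rules.d/51-android.rules. MODE 0660 plus a group
# limits the device node to that group; the widely copied MODE="0666" lets
# every local user and process talk to the phone's debug interface.
android_udev_rule() {
    vid=$(printf '%s' "$1" | tr 'A-F' 'a-f'); group=${2:-plugdev}
    case "$vid" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) echo "vendor id must be 4 hex digits, got '$1'" >&2; return 1 ;;
    esac
    printf 'SUBSYSTEM=="usb", ATTR{idVendor}=="%s", MODE="0660", GROUP="%s"\n' "$vid" "$group"
}

# adb_state_advice STATE: what to do about one state column of 'adb devices'.
adb_state_advice() {
    case "$1" in
        device)            echo "ok" ;;
        "no permissions"*) echo "udev rule missing or not reloaded: add the rule, replug, then adb kill-server; adb start-server" ;;
        unauthorized)      echo "accept the RSA key prompt on the phone (adb host authentication)" ;;
        offline)           echo "replug the cable or toggle USB debugging" ;;
        *)                 echo "unknown state '$1'" ;;
    esac
}

# adb_diagnose: reads 'adb devices' output on stdin; prints serial, state, advice.
adb_diagnose() {
    tail -n +2 | tr -d '\r' | while IFS="$(printf '\t')" read -r serial state; do
        [ -n "$serial" ] || continue
        printf '%s\t%s\t%s\n' "$serial" "$state" "$(adb_state_advice "$state")"
    done
}

# sample_adb_devices: constructed 'adb devices' output, not a real capture.
sample_adb_devices() {
    printf 'List of devices attached\n0123456789ABCDEF\tno permissions\nHT1234567890\tdevice\n\n'
}

# Demo: sh adbcheck.sh --demo      (real use: adb devices | adb_diagnose)
if [ "${1:-}" = "--demo" ]; then
    echo "== rule for Google devices:"; android_udev_rule 18d1
    echo "== diagnosis of the sample 'adb devices' output:"
    sample_adb_devices | adb_diagnose
fi
```

After saving the rule to /etc/udev/rules.d/51-android.rules, reload the rules (udevadm control --reload-rules), replug the phone and restart the adb server. Note that an "unauthorized" state is not a permissions problem: it is the phone waiting for you to accept the host key on its screen.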

- Before focusing on the Android Debug Bridge (adb) tool, a few words on two important elements:
A mechanism to flash (i.e. write to the flash memory) the filesystem of Android devices, e.g. fastboot (a tool shipped with the Android SDK) or flash_image (this last one for a very specific purpose).

This flashing tool is what will be used to install ClockworkMod (the recovery behind ROM Manager), a powerful mechanism to, among many other things, install a new OS, make backups and mount filesystems on Android smartphones.

- adb shell provides a command line shell on the connected device and its mounted filesystems (e.g. we can cd to a folder and mv to rename files).
- adb push copies files from our Ubuntu box to folders on the smartphone.

In essence, a Java-based development platform with lots of potential.

By the way, some additional Android tips:

- Remember a previous Android-related post!
- Android 1.x has a very simple filesystem structure compared to Android 2.x. Sometimes we first have to update to an Android 2.x image with enough space in each of its partitions before even being able to install ClockworkMod.
- If you receive the message "adb: error: insufficient permissions for device", try these commands, as mentioned here (the permanent fix is the udev rule from the installation steps):
./adb kill-server
./adb start-server
Now you should be able to run commands like:
./adb devices
./adb shell

- Sometimes you need to install an official image before daring to do anything with a pre-cooked ROM. Installing official Android images works slightly differently, as pointed out in this forum: extract the zip file on your computer, then copy the entire "dload" folder (resulting from the decompression) to the root folder of the smartphone's SD card.


- Surprise, surprise... changing the Android firmware can change the MAC address of the device ;-)!

For those who run out of internal memory, have a read of the next four recommendations:

- If you re-partition the external SD card, e.g. to make use of apps like Link2SD, after booting with the newly partitioned card, unmount and re-mount the card (via the Android OS) to regain access to the apps that were previously installed on it.

- Regarding re-partitioning an SD card, my two humble cents: 50% FAT32 and 50% ext2. This leaves the phone ready to use Link2SD.

- Using App2SD before Link2SD is not advisable. You would need to move the SD'ed apps back to the phone memory to be able to use Link2SD, as its FAQ says. Link2SD moves not only the .apk file but also the data, cache and libs (a better deal).

- As for using Link2SD to move (in Link2SD terms, "link") system apps (Keyboard, Google Play Store, etc.): just avoid it.

And finally, remember to use ClockworkMod to create a backup of your phone (and copy the content of your SD cards) right before and after changes.

With all this soup of tools and commands, two security-related reflections:
- Android's market share could suffer from such a large dispersion of OS versions.
- The Android SDK is a great tool for developers... and for hackers ;-)

Happy flashing!

Android or iOS, who will ring the bell?

Secure IT Up! Cyber-Insurance Due Diligence

My first infosec book, "itsecuriteers", published in 2010, revealed how to create an information security team that enables business objectives. "Secure IT Up!", my second book, provides qualitative and quantitative insights that justify why adopting information security measures brings benefits to organisations and facilitates cyber-insurance due diligence processes.

In the world we live in, risk management and information risk management are complex fields under continuous development. If you need to justify why applying security to your organisation will provide value to your customers, or you are involved in cyber-insurance due diligence engagements, "Secure IT Up!" helps you with a statistically sound quantitative study and a set of reputable literature references.

As I write at the beginning of the book, "now it is when information security can change the business". In a nutshell, here is why:

Three ingredients:
  • The presence of a committed layer of management setting risk objectives and appetite.
  • The development of a strong Information Security practice as part of a holistic Enterprise and Operational Risk Management function.
  • The alignment of Enterprise Risk Management with the business strategy.
will provide three benefits in your business:
  • Increased stakeholder value.
  • New business opportunities.
  • Better governance.

Here are two introductory comments, one from academia and one from the business world:

"The recommendations in this book are simple but effective: managers will find them of practical relevance and easy to communicate.  They are based on sound empirical research which makes them go beyond consultancy speak." 

Jean-Noel Ezingeard,  Dean and Professor of Processes and Systems Management
at Kingston University, London.

"Secure it up combines a comprehensive analysis of existing literature and the results of surveys of subject matter experts to make the argument for combining Enterprise Risk Management (ERM) with information security practices."

Richard Stiennon,  Chief Research Analyst at IT-Harvest, Author of "Surviving Cyberwar","Cyber Defense: Countering Targeted Attacks", Blogger at forbes.com, Michigan.

Happy reading!
Happy 2013!