Showing posts from January, 2008

Plan B

Despite our best intentions and investment in a range of preventive security controls, serious incidents and disasters may still interrupt IT systems and impact the business processes which they support. As some say, **it happens. Just when everything is running sweetly, something unanticipated occurs, revealing that Plan A is not quite so perfect after all. Contingency planning (Plan B) puts us in a better position to survive any disaster by:
1) Managing the immediate crisis professionally and confidently;
2) Keeping the organization's essential processes and systems running despite the event, through resilience and continuity planning; and
3) Recovering non-essential processes and systems as soon as possible thereafter (disaster recovery planning).
The time to plan for a disaster is now, when things are going well: planning during a disaster will be too late. As always, this month's NoticeBored module provides a range of high quality security awareness materials aimed at staff, manager...

The social engineering threat

Having recently submitted an article for EDPACS on social engineering myself, I was interested to read a similar piece by Dan Timko in the latest ISSA Journal. Dan explores the psychological/human factors that make social engineering such a significant threat. His description of the controls is a bit light but covers the basics - policies and awareness, coupled with suitable technical controls where possible. Well worth a read. The ISSA Journal is just one of the benefits enjoyed by ISSA members. The Information Systems Security Association is primarily an international social network that has brought information security professionals together at meetings for over 2 decades. Along with CISSPforum , ISSA neatly complements CISSP and similar qualifications, taking professional education well beyond the study guides, exam cramming and boot camps.

And yet another bad office day

A woman mistakenly thinking she was about to be fired allegedly took revenge on her employer by going into the office late one evening and deleting data files worth $2.5m. Although the deleted data were later retrieved (whether from backups or by 'undeleting' them is not stated), the potential remains for trusted insiders with access to corporate IT assets to cause enormously costly damage by sabotage. Deliberate or accidental sabotage by backup operators is a tough threat to control against. They have both physical and logical access to servers and their data, often work unsupervised out-of-hours, and are mostly relatively junior staff. Trust is the primary control, though many would argue that it is no control at all, merely blind faith in many cases. The risks can be reduced by various security control measures, such as:
- Alternating backup operators
- Combining on- and off-site backups
- Tightly controlling physical access to backup storage and especially archives
- C...

New security standard for teleworkers

NIST security standard SP800-114 is a new User's Guide to Securing External Devices for Telework and Remote Access. "Many people telework (also known as telecommuting), which is the ability for an organization's employees and contractors to conduct work from locations other than the organization's facilities. Teleworkers use various devices, such as desktop and laptop computers, cell phones, and personal digital assistants (PDA), to read and send email, access Web sites, review and edit documents, and perform many other tasks. Most teleworkers use remote access, which is the ability of an organization's users to access its nonpublic computing resources from locations other than the organization's facilities. Organizations have many options for providing remote access, including virtual private networks, remote system control, and individual application access (e.g., Web-based email)." The 14,000 customers of an ISP who lost their email accounts (see our previous blog entry)...

Another bad day at the office

A software error during routine maintenance caused an ISP, Charter Communications, to delete the contents of 14,000 customer email accounts. "Charter gives each new Internet user a free e-mail account, but some customers opt to use other accounts instead. So every three months the company deletes inactive accounts, Lamont said. "During this maintenance we erroneously deleted active accounts along with the others," Lamont said. "It's never happened before. They are taking steps to make sure it never happens again." The news article doesn't mention whether the "software error" was an unfortunate and evidently untested change to the maintenance scripts (indicating a hole in their change management processes), a genuine bug in the code (possible I guess), or a simple human error by an operator/systems manager (seems entirely possible). Since the lost email accounts disappeared forever in a puff of logic, it seems the ISP had no backups of custo...

New IT security standards for US electricity industry

FERC, the Federal Energy Regulatory Commission, has approved eight new mandatory critical infrastructure protection (CIP) reliability standards developed by NERC, the North American Electric Reliability Corporation, covering:
- Critical cyber asset identification (NERC standard CIP-002) - essentially inventory and risk assessment of critical information assets;
- Security management controls (CIP-003) - security policy and management structure, exceptions process etc.;
- Personnel and training (CIP-004) - personnel risk assessment, training and, of course, security awareness;
- Electronic security perimeters (CIP-005) - a 'crunchy outer shell' for networks;
- Physical security of critical cyber assets (CIP-006) - physical perimeter controls, card locks, processes, visitor logs etc.;
- Systems security management (CIP-007) - security testing and patching, controlled network services, antivirus, security monitoring and various other IT security controls including, I ...

Social engineering for $$$$$$

Following an entry on the excellent Realtime Community Compliance Blog (hi Rebecca! Nice one!), I've been reading about social engineering attacks on US Credit Unions. The Credit Union Times reported that social engineers have successfully bypassed inadequate user authentication methods to authorize fraudulent transfers of large credit balances to other banks and, presumably, quickly moved on through unwitting money mules to lovely untraceable folding munny. The Credit Unions appear to be using telephone call-backs as part of the authentication but those naughty scammers have allegedly discovered how to get the phone companies to redirect phones and thus spoof the phone numbers. They are also able to answer the pretty lame authentication questions typical of single-factor authentication schemes (you know - "What is your secret password? What is your mother's maiden name? What is your inside leg measurement?" - that kind of thing) evidently, perhaps through ins...

Do I look that stupid?

Look what just plopped into my inbox ... Subject: Capital Investment and Management Request Dear Friend, I am a freelance, independent investment broker based here in Britain. My client wishes to invest a part of his financial estate into productive ventures in your country under your direct supervision. He looks to make this investment discreetly under discretionary asset Management arrangement, in the areas of agriculture, real estate, transport, oil and gas and other viable venture(s) which you might recommend. I have contacted you on the consideration that I could discuss with you on the possibility of my client placing this fund with you for management either in your existing establishment or other venture to be undertaken at your discretion under terms to be agreed upon. He Prefers that this investment be made in your country. I would be expecting your response in order that we may discuss further in detail. Please write through my email address so that we may work out modali...

Computer data more valuable than coins and equipment

An office break-in story (highlighted by InfoSec News) appears to indicate a targeted theft of computers for the valuable data they contained, rather than the hardware itself. "PICKY thieves have led one private education centre to believe that industrial espionage might be the motive for a recent break-in. Early this week, three of the CES group's computers - containing the personal details and contacts of its 30,000 students - were stolen from its Eu Tong Sen Street office. Surprisingly, 10 other computers in the same location, some of them newer than the stolen items, and other expensive equipment like scanners were left untouched. The thieves' specific choices have led CES group chairman Desmond Lim, 35, to suspect that they could have been looking for the information stored in these computers for business reasons. ... And while the computer stolen from the administration room might have been the oldest, it was also the only one with all the students' data, said C...

Barclays chairman ID stolen

An identity thief has stolen £10,000 from Barclays Bank by requesting a credit card in the name of the bank's chairman and withdrawing cash from a branch. According to the bank, 'procedures have been tightened' as a result. Barclaycard has repaid the £10,000 to Mr Agius after admitting 'human error' was to blame for the blunder. As a company director, the chairman's personal details are freely available from the public records at Companies House - details such as his full name, date of birth and home address. It's not clear from the newspaper article what, if any, further information was required of the identity thief, nor what credentials, if any, he/she presented at the branch other than the fraudulently-obtained credit card. I would guess that anyone asking to take out ten grand in readies would be given the third degree at the desk and would most likely be seen on the branch CCTV system ...

Blogs trump piracy

An intriguing article in the Washington Post recounts a handful of copyright abuse cases in which corporations have used photographs taken by amateurs and published online , for example in their blogs or on social networking websites. There's a curiously ambiguous thread to the piece: on the one hand it says perhaps people shouldn't publish material online if they don't want it to be copied and used elsewhere, while on the other it notes that people are increasingly calling their lawyers to defend their rights. It is strongly implied that corporations should know better, in other words there's a David and Goliath element to it, especially if the self-same corporations are quick to defend their own copyright material against abuse by others. Blogs and other online social interactions are credited with informing people that their images are being abused, and helping them defend their rights. Online communication between people is definitely changing the nature of huma...

Having a bad day at the office?

An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution. This story touches on quite a number of security topics:
- He was a trusted insider who went bad
- Logic bombs are a form of malware
- His office/day-job gave him privileged access to the company's IT assets
- Weak change management process controls did not prevent the bomb being installed
- The logic bomb had one or more bugs in the program/script
- Nevertheless it sparked a security incident
- He was called to account for the damage
- There was legal and presumably corporate policy noncompliance
- The risk of recurrence presumably remains
All in all, a nice multi-purpose security awaren...

Clarkson eats humble pie

Arrogant British motoring journo Jeremy Clarkson, star of Top Gear, pooh-poohed the potential for identity theft after millions of benefit claimants' personal details were lost recently. He claimed personal information is freely available when people write cheques etc. and even published his own bank details in a newspaper to push the point home. Well, someone evidently took up the challenge and committed Clarkson to a Direct Debit payment of £500 to a charity. Clarkson has now done a swift U-turn, admitting he was wrong and deserved to be punished. The BBC reports him saying: "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy." Whether that is the end of his troubles remains to be seen. He's probably got that nagging identity theft victim's feeling that someone is still spending his money, living his life, opening lines of credit in his name ...

When losing the office key codes makes headline news

When a vehicle maintenance contractor's car was stolen, thieves removed a clipboard with a sheet of paper listing access codes for pushbutton locks on 73 Police station yards in West London. The contractor disclosed the loss and all the numbers were changed within 11 hours, but this was yet another embarrassing security blunder for HM Government. Questions have been posed about why a civilian had access to such sensitive information and why he failed adequately to secure it. The relatively poor security afforded by mechanical pushbutton locks would be another concern although thankfully Police stations have multiple overlapping layers of physical security.