Showing posts from September, 2008

New awareness module on ethics

Whereas most months we revise and reissue NoticeBored security awareness modules on topics we've covered before, this month we've written a completely new one on ethics and morality in information security. To be fair, it's something we have touched on several times, but it seemed appropriate to go into a bit more depth for once. Ethical people, and indeed organizations, act in accordance with principles of conduct that are generally considered correct, appropriate or proper. In respect of information security, ethical behavior reinforces procedural controls. Unethical people who disregard the principles and ignore procedures weaken security, just as a rusty door bolt can jeopardize physical security. However, there is more to ethics than mere compliance. We all face ethical decisions and dilemmas from time to time, situations in which our internal values and beliefs guide our actions as much as external pressures do. The NoticeBored newsletter explores the risks around ethics and s...

Institute of Information Security Professionals

A blog entry by Gerry O'Neill, CEO of the Institute of Information Security Professionals, gives us an update on the IISP's progress towards defining and implementing a certification process for its members. Gerry acknowledges a handful of existing certifications (such as CISSP, CISM, CISA and MSc) from which the IISP appears to have borrowed a few ideas (e.g. referring to a "common body of knowledge", presumably similar to the CISSP CBK?). He identifies certain characteristics of a profession, including "a 'licence to practice', based around a core of specialist knowledge, skills and disciplines, regulated by a professional body and, crucially, with business recognition of its value." The 'licence to practice' idea works well for professions such as medicine, accountancy and law, but these professions are clearly much older than information security. Whether the IISP can first establish itself as a recognised professional body, secondly impose regulations an...

AsiaDomainNameRegistrar scam

An email allegedly from an Asian domain name registrar based in China caught my eye in the spam box today. The email basically says an investment company intends to register NoticeBored.ASIA and NoticeBored.CN, and that we'd better act fast to stop it.

Dear Manager, We received a formal application on intending to register "noticebored" as their domain name and Internet brand in China and also in Asia from an investment company on Sept.7th,2008. During our audit period, we find that this Investment company has no trade mark, brand or patent. As a professional institution of domain name registration, we have reasons to suspect this investment company to be a domain name grabber. Therefore, we need your confirmation on two points as follows. First of all, whether this investment company is your business partner or distributor in China? Secondly, whether you are interested in registering these domain names? (According to the rules of domain name registration, the investmen...

More on SF rogue network admin

The drip-feed of news about the Terry Childs case continues. [Quick recap: Childs held the City Government of San Francisco to ransom by refusing to divulge the city's network admin passwords that were under his sole control.] The Washington Post tells us: "Childs compromised more than 1,100 devices and created unauthorized network doorways, allowing him unfettered and undetectable access. He collected pages of user names and passwords, including his supervisor's, to use their network log-ons. And he downloaded thousands of gigabytes of city data -- possibly privileged information, such as police reports and e-mails -- to a personal encrypted storage device. Experts still aren't sure what data the device contains." 'Thousands of gigabytes'? That's an impressive capacity for a personal storage device. The Post also says Childs had a criminal record: "Childs, as it turns out, carried a list of convictions, including aggravated burglary, aggrava...

Free access to MIT courseware

Dan Swanson just put me on to the fact that MIT, the world-renowned Massachusetts Institute of Technology, publishes course notes from many of its classes, for free, on the Web.  This includes the Sloan School of Management with its broad range of fascinating courses about managerial psychology and other topics of interest to security awareness professionals and management students alike - take a look at Advanced Corporate Risk Management for example to understand a bit about futures and options trading where amazingly enough, risk has an upside! Thanks Dan!

AOL phisher gets seven-year sentence

Infoworld reports on the sentencing of a phisher: "A West Haven, Conn., man has been sentenced to seven years in prison for masterminding a phishing scheme that targeted AOL users over a four-year period. Michael Dolan, 24, was sentenced Wednesday in Connecticut federal court. The seven-year sentence was the maximum he could have received, said Assistant U.S. District Attorney Edward Chang, via e-mail. Dolan was also sentenced to three years' supervised release, and a $200 special assessment, he added. Last year Dolan pleaded guilty to fraud and aggravated identity theft charges. ..." Dolan conned AOL users into disclosing their credit card numbers, using fake greetings cards. He also "attempted to bribe a codefendant, threatened to kill someone he thought was a government informant, and suborned perjury from his girlfriend" according to the article, indicating the sort of person he is.

Ice hockey coach emails himself to prison

The BBC reports that a father, concerned about his under-age daughter's relationship with an adult ice hockey coach, installed spy software on the family PC to monitor her online liaisons. It soon became apparent from the emails and Messenger chat the pair were exchanging that they were having unlawful sexual intercourse. The coach was arrested, charged and convicted of five counts of sexual activity with a child and jailed for 4½ years. In a corporate setting, it is not entirely obvious to many IT, HR and information security professionals whether an employer has the legal right to monitor its employees' use of email and other IT facilities in the same way, even if those facilities clearly belong to the organization and are provided to employees for work purposes. In some countries, privacy laws constrain what employee monitoring employers can reasonably do, but there are often exceptions to permit more intrusive monitoring in order to investigate suspected illegal a...

New NB awareness module on email security

Email security is our topic for September's NoticeBored module. This is a core topic covering perennial issues worth reminding employees about every year. By the way, we've had some problems with the blog feeds lately but hope things are working OK now. I'm also posting occasionally to the (ISC)2 blog in the company of other CISSPs and luminaries. Do take a look if you're not already subscribed.