The eponymous man in the street may think information security primarily involves technical security controls but in fact other types of control are equally important in protecting information assets. For example, physical controls (locks, gates, fire/intruder/water alarms etc.), legal and regulatory controls (data protection/privacy laws, PCI DSS, HIPAA etc.) and procedural controls (policies, procedures, guidelines, management reviews, audits etc.). Most security risks are countered by a combination of controls from these different categories. Social engineering is fairly unusual in that technical controls are more or less irrelevant: social engineers aim to bypass the technology completely either by physically penetrating the organization or by fooling employees into giving them unauthorized access to information assets. We have covered awareness of physical security controls and compliance obligations in other NoticeBored modules but November’s module concentrates on pretext...

Here's a crude attempt to get me to install malware, fresh from my inbox: Dear Microsoft Customer, Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista. Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update. Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users. As your computer is set to receive notifications when new updates are available, you have received this notice. In order to start the upda...

Police are using technology to capture criminals, for example by fitting out vehicles with CCTV and leaving them in vulnerable locations to lure car thieves. The CCTV images are so good that it's easy to make out the criminal's facial features and sometimes even his name and birth date tattoo'd on his neck (doh!). But consider the question about whether such activity is ethical. From most perspectives (other than the criminals'!), it seems acceptable since the recording devices are within someone's property space which is clearly being violated by the criminals. One might argue that leaving such an attractive lure in a vulnerable place is entrapment, encouraging an otherwise law-abiding person to step over the line and break in, but what do you think? This is a good topic for a tea-time discussion in the average office. UPDATE Oct 17th: Here's another situation with similar ethical issues. The FBI has allegedly been running DarkMarket , a carders' web ...

My colleague Rob Slade, renowned for his book reviews, has just circulated a glowing review of the book Computer Ethics by Deborah Johnson. I say "glowing" deliberately: Rob has published many harsh reviews and, in my experience, they are generally well deserved. The relatively few books that Rob likes stand out as somewhat exceptional and, again, in my experience are well worth reading. Rob knows his stuff. I find him hard but fair. In short, I trust Rob's judgement on computer security books. Ethically I should point out that I have not actually read Johnson's book myself - I am merely passing on a recommendation. If you have read it and would like to put me straight, please comment below!

A fellow inmate of CISSPforum sent us a link today to an interesting piece in the Boston Globe regarding the victim of a laptop theft using remote access software to log on to his machine and, in due course, identify the suspected thief's name and address as he typed it into a website. At last, an ethical use for a Remote Access Trojan (RAT)! The Web is awash with organizations offering to license their RATs and keylogging Trojans but, so far as I can see, they are mostly aiming at the "Spy on your spouse" market. Some of them claim to be aiming at "Spy on your employees" or "Spy on your children", as if that legimitises their activities but speaking personally, I find these uses unethical too. Spouses, employees and children ALL have legitimate expectations of privacy, whether online or off. To me, spying on them as they use the computers is essentially the same as spying on them in the Real World. It's underhand and unfair. Putting yoursel...

Why is it that so many organizations expect their software developers and other IT people to “do” information security, yet they don’t bother to train them in the art? A new security awareness briefing pack contains a set of notelets (short briefings) to help those involved in managing and delivering IT system developments fulfill their information security obligations. The notelets fall into two groups: Technical notelets introduce common information security controls, explain generic control requirements and outline the options available to satisfy those requirements. Development process notelets outline information security issues that ought to be taken into account during most software developments (including ‘end user computing’ projects such as spreadsheet programs). Although all the notelets are succinct double-sided items, the briefing pack contains 33 of them and hence with introduction and copyright notice is some 70 pages in total. Download the complete pack here (1Mb PDF ...