Showing posts from 2009

Security awareness research

Thanks to a link posted to an email reflector, I've just stumbled across a 2006 PhD thesis that examined a number of approaches to information security awareness in order to develop design guidelines for awareness programs and activities. The research was mentored by Professor Mikko Siponen, leader of Oulu University's Information Systems Security Research Center in Finland. The thesis, "A design theory for information security awareness" by Petri Puhakainen, is well written. As usual for a scientific PhD thesis, it starts by briefly reviewing existing literature in the field of information security awareness, then goes on to present the author's research experiments, findings and conclusions. The thesis uses cognitive theories on how learning and behavioural changes are understood to occur to evaluate common awareness practices. For example, "Communication is presented as a continuous process where the parties should take turns and create information ...

Cheapskate copycat 419 scammers

The following extraordinary sentence launched yet another tedious social engineering 419 scam in my spam box: "Take notice that based on the UNITED NATIONS government inauguration of this committee which extended to all countries which combined with the United Nation Anti-crime commission to alleviate and redeem the image and past wounds of our dear citizens and foreign firms who were duped, defrauded, scammed and abandoned by some impostors who indiscriminately use the name of God, Office of governors, Presidency, Banks etc to slight down our dignities to international communities." Most 419ers are clearly one sandwich short of a picnic as all they seem to do is replay the same old scams over and over. The 'clever' ones add daft little elaborations and the rest duly plagiarise them without actually understanding how dumb they end up sounding. This cretin continued: "Many banks have been in bankruptcy today, Universal firms, Companies due to the activity of these...

Word-based email blacklisting

Using banned-word lists to block spam may be a simple and hence cheap control, but it may be too crude or simplistic to work properly. Blocking emails with "teen" in them, for example, is perhaps not the smartest move made by New Zealand's Social Development Ministry.

Blogging policies

A set of policies, presented as checklists or guidelines for employees, explains typical rules for employees who use blogs or other social media: "The Disclosure Best Practices Toolkit is a draft series of checklists to help companies, their employees, and their agencies learn the appropriate and transparent ways to interact with blogs, bloggers, and the people who interact with them. We believe in the principles of transparency and openness, and this document is a way of making this real on the inside. Our goal is not to create or propose new industry standards or rules. These checklists are open source training tools designed to help educate the hundreds or thousands of employees in any large corporation the appropriate ways to interact with the social media community." The authors evidently have a bee in their bonnet about people disclosing any pecuniary interest in the matters on which they are writing. If adapted to become corporate policies, management may wish to be...

Blogging policy

The CBC Blogging Manifesto is not unlike a skeleton corporate policy about blogging by employees. Even in this succinct original form, it would be an interesting advisory or discussion piece for your intranet Security Zone.

New security awareness module on social networking

Social networking has become extremely popular of late and is getting lots of coverage on new and traditional news media. Given the fact that a great deal of network/Internet use and applications have traditionally been social in nature, this is hardly surprising: what is more surprising is that the media and technology pundits seem to feel that we need to have a special term for it. Like most Internet and IT developments, it’s more evolution than revolution, and in fact more hype than substance in many cases. Businesses are making use of interactive social media for corporate (primarily marketing) purposes. While these applications are, at the moment, more projected than proven, it is undeniable that many enterprises are either openly examining social networking and so-called Web 2.0 technologies, or are facing covert use of these systems and technologies by rogue employees. Either way, employees need to find out about the concerns and security dangers related to such use before lan...

Yet another inept 419er

Some Nigerian thinks I was born yesterday: Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-Id: Date: Wed, 14 Oct 2009 19:12:44 +0200 (CEST) From :The Honourable Officeof the Finance Minister.(FMF)In collabration with (CBN)Office.ATT : Honourable Contr(FMF/CBN) Payment Notification Update. In order to eradicate the fraudulent rampant extortion of money from contractors as transfer charges and taxes by non-exiting individuals and corrupt Government officials.I am obliged to reach you concerning the immediate payment of your fund by ATM Visa Card. Be- informed that this communication superside any other you must have had with any office in connection with your payment. Investgations reveal that you have paid some good money in the past as transfer charges and taxes which did not reflect in the bank treasury, that means officials concern have help themselves to the money at your own detriment. Now that your file has scaled their huddle and your file is on my table.I want ...

Directions in Security Metrics Research

NISTIR 7564 "Directions in Security Metrics Research" says: "Advancing the state of scientifically sound, security measures and metrics (i.e., a metrology for information system security) would greatly aid the design, implementation, and operation of secure information systems." Hear hear! "... Enterprise-Level Security Metrics, was included in the most recent Hard Problem List prepared by the INFOSEC Research Council ..." That I didn't know, but I totally agree: security metrics is indeed a Hard Problem. If you would like to metricate your ISMS, do take a look at NIST's new paper. The main body is quite short at just 15 pages but covers a wide brief, drawing on metrication practices from other fields. If you are eager to learn more, there are six pages of references to deepen your knowledge still further.

Locational privacy

The Electronic Frontier Foundation's paper on locational privacy explores the privacy issues relating to automatic road toll devices and similar systems that record the locations of users. Such systems can be designed to incorporate locational privacy controls, but this increases their complexity and cost - the question is whether that's justified by the privacy benefits. It's also a moot point given that most of us already carry cellphones which can be tracked to within a few city blocks, or a few miles in open country.

HSBC fined for not protecting customer confidentiality

Info4security published news about HSBC's privacy lapses: "The Financial Services Authority (FSA) has fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers' confidential details from being lost or stolen ... During its investigation into the firms' data security systems and controls, the Financial Services Authority (FSA) found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets, and could easily have been lost or stolen. In addition, it was noted that members of staff had not been given sufficient training on how to identify and manage risks such as identity theft." Read the whole item here.

New security awareness module on privacy

Privacy is both a narrow, intensely personal issue relating to the individual, and a broad democratic principle relating to society at large. It’s one of those things in life that perhaps we don’t truly appreciate until it’s gone – ask anyone who has suffered intrusive media coverage for instance, lost their identity to an identity thief, or had their medical, personnel or credit card data records “lost presumed stolen”. A lay person might define personal information as “Details about someone that they would consider private.” That definition may make perfect sense to you and me but is probably too subjective for the courts. Personal information is defined more narrowly in the legislation, but annoyingly the definitions vary between countries.

Cradle-to-grave security awareness

Today's release of Information Security 101 adds another valuable tool to the security awareness toolkit from IsecT Ltd. Information Security 101 was formerly known as the Induction Module and that remains its primary purpose: facilitating security induction courses for new employee orientation. It provides a coherent and comprehensive set of foundation level awareness materials covering the basics of information security, the kinds of things that all new employees (and indeed contractors, consultants and even temps) should soon become familiar with when they turn up for work. All the awareness materials from the original Induction Module have been thoroughly revised, updated and refreshed, with several brand new items being added. Information Security 101 still provides three parallel 'streams' of materials addressing three audience groups with subtly different awareness information needs and perspectives: General employees or staff have broad responsibilities fo...

Twitter admin email password reset incident

Last month a story broke about employees of the company behind Twitter being hacked. TechCrunch has published details of the incident, and the comments on their story identify some of the possible controls. In short:
- A Twitter employee uses Gmail
- Gmail has a password reset function that sends the user's password to a pre-registered email account
- The Twitter employee had originally configured Gmail to use a Hotmail email account for this
- The Hotmail account was unused for months and lapsed
- The hacker requested and obtained the same Hotmail email address [it looks like the hacker was able to guess the address, presumably it was a similar address to the Gmail account]
- The hacker told Gmail to reset and send him the Gmail account password via the Hotmail address that he now owns, which it did
- The hacker then logged on to the Twitter employee's Gmail account
- One of the emails he could now access was the original "Welcome to Gmail" type notice with the or...

Digital Forensics Mag

A new magazine for fans of digital forensics will debut later this year, covering:
• Cyber terrorism
• Law
• Management issues
• Investigation technologies and procedures
• Tools and techniques
• Hardware, software and network forensics
• Mobile devices
• Training
• eDiscovery
• Book/product reviews
Meanwhile they are seeking input - perhaps we should recycle one of our recent security awareness deliverables ...

Office comms risks and controls

An article about responsible Twittering hints at a broader concern for all social media, and in fact all forms of communication between the office and the outside world. Examples in the article include people falsely claiming to represent their employers and disclosing sensitive information via Twitter, plus Twitter being used to direct potential victims to infectious sites hosting malware. People have done the same kinds of things for years using email, telephone, blogs, bulletin boards, IM, VoIP and so on - even letters in the post: the incidents are pretty similar though the communications media vary. This obviously raises questions about how to reduce the risks without unduly interfering with legitimate business communications. Technical controls offer limited assistance e.g. blocking IM will block legitimate IM activities, and determined users can sometimes find ways around such blocks anyway. Automatically appended email disclaimers have dubious legal validity, particularly ...

Tax passwords are valuable!

The BBC reports that fraudsters are exploiting taxpayers' passwords to access an online Inland Revenue system in attempts to make fraudulent claims for tax refunds. They presumably obtain the passwords by stealing the notification letters from the post or from where they were carelessly discarded in rubbish bins, by tricking people out of them (perhaps by social engineering or phishing), or, perhaps most worryingly for the tax authorities, by hacking their lovely online and/or back-end IT systems. It's hard to imagine that taxpayers would deliberately discard letters with login credentials that might let them reclaim overpaid tax, but it's possible some do not even realise that they are able to do so. I doubt the tax man says this in big bold print! We know from studies by the Police and other dumpster divers that many people routinely discard all sorts of juicy documents without a care. Stealing mail from the postal system is certainly a possibility, although of course there are controls in place to...

Office and email security awareness

We've released a thoroughly refreshed and updated awareness module on office security, covering physical and IT security in the workplace. It includes email security and security for other forms of office messaging and inter-personal communications such as IM and VoIP.

Forensic examination of secondhand disks

Used hard disks bought on an online auction site were found to contain personal and proprietary data. Some of the drives that had supposedly been erased yielded their secrets to forensic examination techniques. Others still had the original undeleted data and could have been read easily by any purchaser. The Irish newspaper article notes that homeworkers were probably the source of at least some of the security lapses, having used their own PCs for work projects, "forgotten" about the sensitive work data they contained, and sold the disks or whole systems privately. This kind of breach would fall outside the remit of most organizations I have worked for, except those few who insist that staff only use company systems for work activities, typically providing laptops for the purpose. That said, whether the laptop hard disks were properly erased at the end of their life, or the extent to which employees complied with the company policies on not working on personal IT equip...

New awareness module on digital forensics

Dear friends of NoticeBored, Digital forensics - the capture and analysis of digital evidence for use in court - is an increasingly important topic not just for law enforcement but for ordinary organizations and even individuals. The forensic investigation of computers, cellphones, PDAs, USB memory sticks etc. is a tedious, painstaking process involving the systematic collection, storage, examination, analysis and interpretation of the data they contain. Digital forensics is a completely new topic for NoticeBored, our 35th information security focus area so far. While we do not know of any competing security awareness products that cover forensics, it’s a fascinating topic for those who enjoy whodunnit thrillers or watch CSI Miami. Awareness of the procedures and issues involved in digital or computer forensics might just interest technical employees enough to take up the challenge and complete the training, and should give management the basic knowledge to be able to select and/or ...

Writing workable infosec policies

Writing in Computerworld, author Jennifer Bayuk offered some innovative suggestions on how best to write information security policies that are effective and workable in practice. I particularly like the way she emphasized taking time to canvass management on their perspectives on the value of, and hence the need to protect, their information assets, drawing out management's control objectives as a prelude to drafting the actual policy statements. She talked about an implicit risk assessment approach, I guess: I have successfully used risk workshops and so forth to achieve essentially the same ends, namely explicit management understanding and support for information security. It works. Jennifer mentioned the use of standards such as ISO27k, COBIT and the ISF Standard of Good Practice, all of which I would agree form a sound basis for developing reasonably comprehensive policy sets - in fact, it could be argued that organizations should perhaps use a synthesis of all three, plus relevan...

Appeals Court Protects White House Office E-mails

From today's GigaLaw news: "A federal appeals court ruled that the office that has records about millions of possibly missing e-mails from the Bush White House does not have to make them public. The appeals court in Washington ruled that the White House Office of Administration is not subject to the Freedom of Information Act. Read more: http://gigalaw.blogspot.com/2009/05/appeals-court-protects-white-house.html (Source: WPVI-TV)" What is it with US public administration and cover-ups? Is the White House above the law? Does anybody (besides me, and I'm 10,000km away) care? I shall remember this story the next time I hear an American lecturing about fraud and corruption in foreign parts ...

Pop Mechanics does infrastructure security

Popular Mechanics gives the US national infrastructure a once-over from the perspective of its resilience to cyberwarfare, asking "How Vulnerable is U.S. Infrastructure to a Major Cyber Attack? Could hackers take down key parts of our infrastructure? Experts say yes. They could use the very computer systems that keep America's infrastructure running to bring down key utilities and industries, from railroads to natural gas pipelines. How worried should we be about hacking, the new weapon of mass disruption?" It starts with a pop culture doomsday scenario to grab the readers' attention: "The next world war might not start with a bang, but with a blackout. An enemy could send a few lines of code to control computers at key power plants, causing equipment to overheat and melt down, plunging sectors of the U.S. and Canadian grid into darkness. Trains could roll to a stop on their tracks, while airport landing lights wink out and the few traffic lights that remain act...

Revised NIST security awareness/training standard

I've been reading and thinking today about a revised NIST Special Publication SP800-16, currently released for public comment. If you are genuinely interested in making security awareness more effective, I recommend setting aside an hour or three to read and consider the draft document. To whet your appetite, here are just a few short paragraphs from one section of the draft, with my own thoughts and comments cited below. Under section 2.2.1 of SP800-16, NIST says: "Awareness is not training (1). Security awareness is a blended solution of activities (2) that promote security, establish accountability, and inform the workforce of security news (3). Awareness seeks to focus an individual’s attention on an issue or a set of issues (4). The purpose of awareness presentations is simply to focus attention on security (4). Awareness presentations are intended to allow individuals to recognize information security concerns and respond accordingly. (2) In awareness activities the lea...

How to fix SCADA security [not]

In "A cautionary tale about nuclear change management" ComputerWorld blogger Scott McPerson discusses a few security incidents that have been linked to SCADA systems, picking out two causes: poor change management and problems with the IT architectures. If only things were so simple in Real Life. According to Scott, the change management problem can be solved by adequate pre-release testing of patches. Mmm. OK, well let's assume a SCADA-using organization has the resources to invest in an IT test jig comprehensive enough to model the live SCADA/ICS systems, complete with real-time data feed simulators and control panels, or at least a sufficient part of the complete live system to allow representative and realistic testing. Presumably they could test the patches and software upgrades thoroughly enough to reduce the possibility of unintended consequences, but how far can or indeed should they go? Anyone who has actually tried to do exhaustive software testing, even...

SCADA stories of 2008

SCADA security specialists Digital Bond run an annual summary of the top SCADA security stories of the year before. Here are their lists for 2008, 2007 and 2006. In 2007, the story about successfully hacking and taking control of an electricity generating plant was hot news, along with NERC's moves to improve information security for the US electricity industry. In 2008, the US water industry seems to have followed NERC's lead with their own security roadmap.

Worming the Internet

Unprecedented collaboration between ICANN, antivirus vendors, other malware security professionals and domain name registrars in the US, China and elsewhere is seeking to neutralize the Conficker/Downadup worm. The worm's authors evidently intended the worm to download payloads from any of a long list of domains, so the security community has been busily registering or regaining control of those domains to prevent them being abused. Microsoft has offered $250k for information leading to the arrest and prosecution of those behind Conficker/Downadup, a sign that Internet security issues are bad for all Internet users, not least the big businesses that depend on it. Meanwhile, a third variant of the worm has been detected with a trigger date of April 1st. This could be big.

Scared of SCADA?

Our latest product is a brand new security awareness module on SCADA, ICS, DCS and related acronyms - essentially industrial process control systems. I suspect few employees outside of IT will have heard of SCADA and hardly any will have considered the security requirements associated with keeping the lights on, both literally (SCADA systems are heavily used by the electricity generators and grid) and figuratively (modern factories are packed with all manner of computerized industrial machinery). For those who work not in manufacturing industry but in ordinary offices, we point out that elevators and other facilities are typically managed by a Building Management System, itself a form of SCADA. For those who don't even work in an office, the Engine Management System in their car is another example. In addition to the potential for unplanned production outages and disruption to critical infrastructures, the health and safety plus environmental protection aspects make SCADA secur...

Military systems not immune to malware

News of the Conficker/Downadup worm rumbles on. Britain's Daily Telegraph is relaying news from a French newspaper that a French naval network was infected, disrupting communications and hence military operations as the network was isolated for disinfection. The same piece reports that a "report in the military review Defense Tech revealed that in the first days of January 2009 the British Defence Ministry had been attacked by a hybrid of the virus that had substantially and seriously infected the computer systems of more than 24 RAF bases and 75 per cent of the Royal Navy fleet including the aircraft carrier Ark Royal." While the journalists and military PR people are typically at pains to point out that such events affect only unclassified or lowly-classified networks, the impacts sometimes appear to indicate otherwise - unless, that is, the French navy is in the habit of passing military orders over unclassified networks, which I doubt. The reality of modern...

Alleged Fannie Mae logic bomber denies charges

Reuters says: "A 35-year-old computer programmer pleaded not guilty on Friday to charges that he planted a computer virus designed to destroy all the data on 4,000 Fannie Mae computer servers the day he was fired from the company ..." While we read about logic bombs in security textbooks, real world examples are relatively few and far between; in other words, the probability of attack is quite low. The impacts could be significant, although in practice most attacks we read about have been thwarted, while a proportion of successful attacks are likely either to be misdiagnosed as bugs, viruses, outsider attacks etc. or covered up by embarrassed managers. As so often when assessing information security risks, the true scale of the insider threat can only be surmised from imperfect data and hence contingency planning is sensible in case we miscalculate. Disgruntled technically-competent insiders, usually IT professionals, get the blame for logic bombings. Logic bombs are but on...

Botnets to watch in 2009

A news item about botnets from Secureworks includes some useful information about how botnets are used and protected. They are used to distribute spam (including money mule come-ons, fake pharmaceuticals, enlargement products, loans and more) and malware. The estimated sizes of the botnets range up to about 175,000 compromised machines, with most being a few tens of thousands, well short of the millions that lurid mainstream news headlines sometimes claim. Still, tens of thousands of broadband-connected computers can do a lot of damage.

Website content integrity failure

While researching for our next awareness module on SCADA security, I came across the Omron PLC website and couldn't help laughing when I read their news items. They haven't been well translated from the original - at least I doubt anyone would seriously have meant to write "The reverend converts the broadcasting waves echolike backwards from the RFID attach into digital aggregation that crapper then be passed on to computers that crapper attain ingest of it.". Let's hope we make more sense of SCADA security in our awareness briefings!

Malwareness

Hi there! We've just released an updated, refreshed and extended awareness module on malware, one of those enduring "core topics" that we have covered several times in the six years or so since we launched our awareness service, and yet the threat is subtly different every year. As with the previous awareness topic, hacking, the most noticeable change lately has been the increasing use of malware for criminal purposes such as identity theft, spamming and industrial espionage. The days of viruses displaying funny graphics and playing silly tunes are long gone. It’s become much more serious, both for individuals and for organizations on the receiving end. Malware authors are constantly exploring different modes of infection, creating new payloads and inventing novel criminal activities. Some malware modifies its own code in order to try to escape detection by pattern-matching antivirus software, or picks up new component parts through the Internet as the in...

"I like to learn something new, to travel, walk on a nature"

I can't resist re-posting this hilarious 419 scam fresh from my inbox, allegedly from innocent Natalya pictured above from the JPG attached to "her" email - I say "her" because the sender was listed as Frederick somebody, hardly a common ladies' name where I come from! Hi! I ask you to read this letter, it will not borrow a lot of your time. This letter not advertising, but this letter from usual Russian woman which wishes to meet the man of she dream... My name is Natalya. I'm 28 years old. My friends speak, that I - very cheerful and sociable woman and I have good sense of humour. I like to learn something new, to travel, walk on a nature. But unfortunately, I did not manage to meet the man to which I could trust, be very close with him and love him. At my age it is time to me to reflect on family, children. But all men whom I met, did not concern to this seriously. Therefore I have decided to try to find the man in other country. I have addressed in...

Hacker desperate to avoid extradition to the US

Hacker Gary McKinnon has to date successfully avoided extradition to the US to face up to his hacking of US military systems in 2001/2002. He continues to make full use of the British and European legal systems, his latest exploit involving allegedly admitting to an offense under the UK Computer Misuse Act in an apparent attempt to be incarcerated at Her Majesty's pleasure rather than, perhaps, end up languishing in an orange jump suit in Cuba. Admitting to the CMA offense is surely a desperate measure since it is hardly likely to improve his defense if he ever stands before the US courts. This is all an object lesson in the perils of hacking Uncle Sam's systems. It could literally be a life-changing experience.

Is hacking a governance failure?

The president of a company that develops software for oil and gas exploration was sentenced to 12 months' supervised probation and fined $2,500 for hacking a competitor using an airport's wireless network connection, according to eWeek. The company is also facing charges that it sold restricted software products to Cuba, potentially implying a wider governance failure if proven rather than simply a rogue employee, albeit a very senior one. Governance concerns are also raised by the alleged hacking of the World Bank's systems by an IT outsourcing supplier, although the supplier denies the accusations. The supplier's website proudly announces that it won "the coveted Golden Peacock Global Award for Excellence in Corporate Governance for 2008" [an award that I personally hadn't heard of, but what do I know?], so it is possible that, if true, the hacker was a lone Black Hat that the company's award-winning governance processes failed to identify and/...