Thanks to a link posted to an email reflector, I've just stumbled across a 2006 PhD thesis that examined a number of approaches to information security awareness in order to develop design guidelines for awareness programs and activities. The research was mentored by Professor Mikko Siponen, leader of Oulu University's Information Systems Security Research Center in Finland. The thesis, "A design theory for information security awareness" by Petri Puhakainen is well written. As usual for a scientific PhD thesis, it starts by briefly reviewing existing literature in the field of information security awareness, then goes on to present the author's research experiments, findings and conclusions.
The thesis uses cognitive theories on how learning and behavioural changes are understood to occur to evaluate common awareness practices. For example, "Communication is presented as a continuous process where the parties should take turns and create information to be shared, interpreted, and reinterpreted until a sufficient degree of mutual understanding and agreement is achieved to enable collective action. The outcomes of the communication process are social (mutual understanding, agreement, and collective action) and individual (perceiving, interpreting, understanding, and believing)." (page 78).
As I read it, Petri (in common with many others in this field) often confuses 'awareness' with 'training', for example discussing a research case involving quite narrow training on the use of encryption for confidential email as a security awareness exercise. To my mind, awareness is intended to achieve a generalized appreciation or understanding of information security throughout the enterprise as a whole, while training is intended to focus on a specific problem area or development need for specific individuals or teams. Awareness aims to change employees' behaviour in quite subtle but broad ways (cultural development), while training aims to change employees' behaviour more overtly under quite specific circumstances (personal development). These are quite distinct aims that are usually satisfied by different teaching/training and moticational/awareness methods.
By stating "At least in large organizations, it is not possible to aim at mutual understanding by engaging all employees in the conversation process. Such approach would be expensive and slow, making [it] unfeasible." (also on page 78), Petri arguably misunderstands the value of broad-based enterprise-wide security awareness programs that inform and engage employees throughout the corporation but without the expense normally associated with classroom training sessions.
All arguments aside, the previous two paragraphs hint at the value of reading petri's thesis in depth, exploring the many embedded references and thinking critically about what the author presents. As an information security professional with more than two decades experience and a penchant for both academic and pragmatic writings on the subject, I'm delighted to have learnt new things and found useful new references in the thesis. Good job Petri!
Thursday 10 December 2009
Saturday 7 November 2009
Cheapskate copycat 419 scammers
The following extraordinary sentence launched yet another tedious social enginering 419 scam in my spam box:
"Take notice that based on the UNITED NATIONS government inauguration of this committee which extended to all countries which combined with the United Nation Anti-crime commission to alleviate and redeem the image and past wounds of our dear citizens and foreign firms who were duped, defrauded, scammed and abandoned by some impostors who indiscriminately use the name of God, Office of governors, Presidency, Banks etc to slight down our dignities to international communities."
Most 419ers are clearly one sandwich short of a picnic as all they seem to do is replay the same old scams over and over. The 'clever' ones add daft little elaborations and the rest duly plagiarise them without actually understanding how dumb they end up sounding.
This cretin continued: "Many banks have been in bankruptcy today, Universal firms, Companies due to the activity of these hoodlums. However, investigation have shown that these people have dropped over 500,000 clients after collecting their money, many committed suicide and others living by the grace of God," [that comma ended the paragraph].
By the third paragraph, the bizarre language had actually become quite entertaining: "Meanwhile, we have a committee whose duties are to re-commend [sic] genuine contractors, loan bidders, next of kin (inheritance payment), foreign firms who have completed all the U.S government normal payment requirements but abandoned due to take over of some sacked officials who take Government papers to collect money and leave the beneficiary half way." He's obviously read far too many emails by his friends in the back-street Internet cafe, and mashed them all together in his tiny pin-head, as if that somehow enhances the magic.
After a boring fourth paragraph, we discover that his CAPS-LOCK key is evidently sticking: "We also have endorsed your payment to FALCON BANK TO PAY YOU THROUGH A DIPLOMATIC COURIER SERVICE without prejudice and will need a confirmation of all your communication until you finally receive your money so as to investigate more so to find out more facts on this issues, it will be well appreciated if you can provide us some vital information on how you have been scammed. The U.N government is using this opportunity to compensate the entire victim who some have duped."
The 'U.N Government'?! Gosh, I must have missed that election. Silly me.
"So you are advice to contact Mr. Felix De Lapaz to mail to you a certified check which can be cashed anywhere in the world and the amount is $250,000.00 U.S.D(TWO HUNDRED AND FIFTY THOUSAND UNITED STATES DOLLARS)." Now, just in case the rest of this tripe somehow escaped my beady and rather jaundiced eye, I clearly smell a very large malodorous rat as most of this cheapskate scammer's peers are offering me many MILLIONS (all in CAPS of course, spelt out for me word-by-word as if this somehow adds credibility to those crazy digits).
After asking me to cough up a little personal information ("Please fill the following form for documentations:"), the numbskull ends with this: "As soon as you give him the following he will mail your compensation cheque to you. THIS IS PROUDLY SPONSORED BY "THE U.N CAMPAIGN TEAM AGAINST ONLINE SCAMS"." So, this is a sponsored scam, eh? I'm sorely tempted to write back to see if I can discover how he managed to secure such high-powered sponsorship ... but then I come to my senses and realise that bozos like this are simply not worth the electrons.
Still, at least I got yet another entertaining case study out of it. And a wry smile.
"Take notice that based on the UNITED NATIONS government inauguration of this committee which extended to all countries which combined with the United Nation Anti-crime commission to alleviate and redeem the image and past wounds of our dear citizens and foreign firms who were duped, defrauded, scammed and abandoned by some impostors who indiscriminately use the name of God, Office of governors, Presidency, Banks etc to slight down our dignities to international communities."
Most 419ers are clearly one sandwich short of a picnic as all they seem to do is replay the same old scams over and over. The 'clever' ones add daft little elaborations and the rest duly plagiarise them without actually understanding how dumb they end up sounding.
This cretin continued: "Many banks have been in bankruptcy today, Universal firms, Companies due to the activity of these hoodlums. However, investigation have shown that these people have dropped over 500,000 clients after collecting their money, many committed suicide and others living by the grace of God," [that comma ended the paragraph].
By the third paragraph, the bizarre language had actually become quite entertaining: "Meanwhile, we have a committee whose duties are to re-commend [sic] genuine contractors, loan bidders, next of kin (inheritance payment), foreign firms who have completed all the U.S government normal payment requirements but abandoned due to take over of some sacked officials who take Government papers to collect money and leave the beneficiary half way." He's obviously read far too many emails by his friends in the back-street Internet cafe, and mashed them all together in his tiny pin-head, as if that somehow enhances the magic.
After a boring fourth paragraph, we discover that his CAPS-LOCK key is evidently sticking: "We also have endorsed your payment to FALCON BANK TO PAY YOU THROUGH A DIPLOMATIC COURIER SERVICE without prejudice and will need a confirmation of all your communication until you finally receive your money so as to investigate more so to find out more facts on this issues, it will be well appreciated if you can provide us some vital information on how you have been scammed. The U.N government is using this opportunity to compensate the entire victim who some have duped."
The 'U.N Government'?! Gosh, I must have missed that election. Silly me.
"So you are advice to contact Mr. Felix De Lapaz to mail to you a certified check which can be cashed anywhere in the world and the amount is $250,000.00 U.S.D(TWO HUNDRED AND FIFTY THOUSAND UNITED STATES DOLLARS)." Now, just in case the rest of this tripe somehow escaped my beady and rather jaundiced eye, I clearly smell a very large malodorous rat as most of this cheapskate scammer's peers are offering me many MILLIONS (all in CAPS of course, spelt out for me word-by-word as if this somehow adds credibility to those crazy digits).
After asking me to cough up a little personal information ("Please fill the following form for documentations:"), the numbskull ends with this: "As soon as you give him the following he will mail your compensation cheque to you. THIS IS PROUDLY SPONSORED BY "THE U.N CAMPAIGN TEAM AGAINST ONLINE SCAMS"." So, this is a sponsored scam, eh? I'm sorely tempted to write back to see if I can discover how he managed to secure such high-powered sponsorship ... but then I come to my senses and realise that bozos like this are simply not worth the electrons.
Still, at least I got yet another entertaining case study out of it. And a wry smile.
Wednesday 4 November 2009
Word-based email blacklisting
Using banned-word lists to block spam may be a simple and hence cheap control but it may be too crude or simplistic to work properly. Blocking emails with "teen" in them, for example, is perhaps not the smartest move made by New Zealand's Social Development Ministry.
Monday 2 November 2009
Blogging policies
A set of policies, presented as checklists or guidelines for employees, explains typical rules for employees who use blogs or other social media:
Note: this may be just as much an issue for employees (or indeed contractors, consultants and others) blogging 'in their own time' as for those blogging at work.
"The Disclosure Best Practices Toolkit is a draft series of checklists to help companies, their employees, and their agencies learn the appropriate and transparent ways to interact with blogs, bloggers, and the people who interact with them.The authors evidently have a bee in their bonnet about people disclosing any pecuniary interest in the matters on which they are writing. If adapted to become corporate policies, management may wish to be crystal clear about the limits on employees discussing the organization, its products, customers or related matters in any public forum (including all social media), particularly if all such pronouncements should normally be explicitly sanctioned by Public Relations, Law, Marketing or other interested parties.We believe in the principles of transparency and openness, and this document is a way of making this real on the inside. Our goal is not to create or propose new industry standards or rules. These checklists are open source training tools designed to help educate the hundreds or thousands of employees in any large corporation the appropriate ways to interact with the social media community."
Note: this may be just as much an issue for employees (or indeed contractors, consultants and others) blogging 'in their own time' as for those blogging at work.
Friday 30 October 2009
Blogging policy
The CBC Blogging Manifesto is not unlike a skeleton corporate policy about blogging by employees. Even in this succinct original form, it would be an interesting advisory or discussion piece for your intranet Security Zone.
Wednesday 28 October 2009
New security awareness module on social networking
Social networking has become extremely popular of late and is getting lots of coverage on new and traditional news media. Given the fact that a great deal of network/Internet use and applications have traditionally been social in nature, this is hardly surprising: what is more surprising is that the media and technology pundits seem to feel that we need to have a special term for it. Like most Internet and IT developments, it’s more evolution than revolution, and in fact more hype than substance in many cases.
Businesses are making use of interactive social media for corporate (primarily marketing) purposes. While these applications are, at the moment, more projected than proven, it is undeniable that many enterprises are either openly examining social networking and so-called Web 2.0 technologies, or are facing covert use of these systems and technologies by rogue employees. Either way, employees need to find out about the concerns and security dangers related to such use before landing themselves, their family, friends and colleagues, and maybe even their employers, in trouble.
Humans are social animals. Social networking websites such as MySpace, Facebook and Twitter, plus associated network applications, provide a conduit for social interaction by individuals, for example keeping in touch with family and friends, making new acquaintances and friends, and often publishing details of their normally private and personal activities on the Interwebnet.
The primary information security risks relating to social networking and social media can be classed as social engineering - the deliberate manipulation of vulnerable people in order to gain control over the information assets they own or have access to, and the use of information so obtained to deceive or manipulate others. With systems and networks getting ever more complex, ordinary users are getting more and more remote from the underlying technologies, which opens them to new threats from hackers who know how to turn the technologies and processes to their advantage.
Thursday 15 October 2009
Yet another inept 419er
Some Nigerian thinks I was born yesterday:
Give it a break you idiots. We're tired of all this spam.
Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-Id: <20091014171244.7474f21fec20@kunde.business-light.com>The "non-exiting individuals" interest me but I'm not pleased my email address has "scaled their huddle", even if it does "superside" others.
Date: Wed, 14 Oct 2009 19:12:44 +0200 (CEST)
From :The Honourable Officeof the Finance Minister.(FMF)In collabration with (CBN)Office.ATT : Honourable Contr(FMF/CBN) Payment Notification Update. In order to eradicate the fraudulent rampant extortion of money from contractors as transfer charges and taxes by non-exiting individuals and corrupt Government officials.I am obliged to reach you concerning the immediate payment of your fund by ATM Visa Card. Be- informed that this communication superside any other you must have had with any office in connection with your payment. Investgations reveal that you have paid some good money in the past as transfer charges and taxes which did not reflect in the bank treasury, that means officials concern have help themselves to the money at your own detriment. Now that your file has scaled their huddle and your file is on my table.I want to ensure the immediate payment of your fund by ATM Visa Card. You are thereby advise to re-confirm to me the following:Your full Name 2) Your Telephone and Fax number (3)Your receiving Address &Banking particulars. (4)Copy of your international passport. This is imperative to enable me confirm your informations and make my recommendations to Foreign Operation ATM Department of FMF for immediate payment of your fund by ATM Visa Card.Note:If your file returns to the cabinet without my recommendation you will end up not benefiting from the present batch of beneficiaries.PETER EZE,Minister Ministry of Finance FMFFederal Republic of Nigeria.Contact me via my private e-mail address;( petereze.eze@gmail.com)
Give it a break you idiots. We're tired of all this spam.
Thursday 3 September 2009
Directions in Security Metrics Research
NISTIR 7564 "Directions in Security Metrics Research" says:
Hear hear!
If you would like to metricate your ISMS, do take a look at NIST's new paper. The main body is quite short at just 15 pages but covers a wide brief, drawing on metrication practices from other fields. If you are eager to learn more, there are six pages of references to deepen your knowlege still further.
"Advancing the state of scientifically sound, security measures and metrics (i.e., a metrology for information system security) would greatly aid the design, implementation, and operation of secure information systems."
Hear hear!
"... Enterprise-Level Security Metrics, was included in the most recent Hard Problem List prepared by the INFOSEC Research Council ..."That I didn't know, but I totally agree: security metrics is indeed a Hard Problem.
If you would like to metricate your ISMS, do take a look at NIST's new paper. The main body is quite short at just 15 pages but covers a wide brief, drawing on metrication practices from other fields. If you are eager to learn more, there are six pages of references to deepen your knowlege still further.
Wednesday 2 September 2009
Locational privacy
The Electronic Freedom Foundation's paper on locational privacy explores the privacy issues relating to automatic road toll devices and similar systems that check the locations of users. Such systems can be designed to incorporate locational privacy controls but this increases their complexity and cost - the question is whether that's justified by the privacy benefits.
It's also a moot point given that most of us already carry cellphones which can be tracked to a few city blocks or a few miles in open country.
It's also a moot point given that most of us already carry cellphones which can be tracked to a few city blocks or a few miles in open country.
Tuesday 1 September 2009
HSBC fined for not protecting customer confidentiality
Info4security published news about HSBC's privacy lapses:
"The Financial Services Authority (FSA) has fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers' confidential details from being lost or stolen ... During its investigation into the firms' data security systems and controls, the Financial Services Authority (FSA) found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets, and could easily have been lost or stolen. In addition, it was noted that members of staff had not been given sufficient training on how to identify and manage risks such as identity theft."
New security awareness module on privacy
Privacy is both a narrow, intensely personal issue relating to the individual, and a broad democratic principle relating to society at large. It’s one of those things in life that perhaps we don’t truly appreciate until it’s gone – ask anyone who has suffered intrusive media coverage for instance, lost their identity to an identity thief, or had their medical, personnel or credit card data records “lost presumed stolen”.
A lay person might define personal information as “Details about someone that they would consider private.” That definition may make perfect sense to you and me but is probably too subjective for the courts. Personal information is defined more narrowly in the legislation, but annoyingly the definitions vary between countries.
Friday 21 August 2009
Cradle-to-grave security awareness
Today's release of Information Security 101 adds another valuable tool to the security awareness toolkit from IsecT Ltd.
Information Security 101 was formally known as the Induction Module and that remains its primary purpose: facilitating security induction courses for new employee orientation. It provides a coherent and comprehensive set of foundation level awareness materials covering the basics of information security, the kinds of things that all new employees (and indeed contractors, consultants and even temps) should soon become familiar with when they turn up for work.
All the awareness materials from the original Induction Module have been thoroughly revised, updated and refreshed, with several brand new items being added. Information Security 101 still provides three parallel 'streams' of materials addressing three audience groups with subtly different awareness information needs and perspectives:
Information Security 101 was formally known as the Induction Module and that remains its primary purpose: facilitating security induction courses for new employee orientation. It provides a coherent and comprehensive set of foundation level awareness materials covering the basics of information security, the kinds of things that all new employees (and indeed contractors, consultants and even temps) should soon become familiar with when they turn up for work.
All the awareness materials from the original Induction Module have been thoroughly revised, updated and refreshed, with several brand new items being added. Information Security 101 still provides three parallel 'streams' of materials addressing three audience groups with subtly different awareness information needs and perspectives:
- General employees or staff have broad responsibilities for information security and need to know the simple things such as choosing good passwords, running antivirus and backing up their data. For them, security is an incidental aspect of their work and home life that most don't really consider without some conscious effort being made to make them aware;
- Managers and Directors have specific governance and compliance obligations in respect of information security although they may not at first appreciate this. They are invariably busy people, yet take an interest in high level security strategies, policies and so forth. Getting managers on board with information security significantly improves the chances of the awareness program resonating with staff and ultimately being successful;
- IT professionals have an obvious interest in the more technical IT security controls. They are broadly expected to design, implement and operate most of the IT security controls on behalf of general IT users throughout the organization, yet it is not uncommon to find that IT pros have had limited exposure to even fundamental information security principles during their formal education, let alone leading security practices such as federated identity management and multifactor authentication.
As well as its use for induction/orientation purposes, Information Security 101 gives extra value by helping organizations launch (or relaunch!) best-practice security awareness programs. Bringing the whole employee base quickly up to speed on information security ensures that everyone has a firm grasp of the basics, preempting the regular security awareness activities that follow.
Information Security 101 embodies our passion for the subject. Few if any information security managers would dispute the importance of security awareness, training and education, yet they seldom have the time or indeed the skills to really do it justice. By providing "camera ready" security awareness materials on topical subjects, we release our customers from the tedious burden of researching, writing and polishing the awareness content, leaving them free to concentrate on the fun part - interacting with employees, promoting good security practices and enthusiastically spreading a little of that passion we mentioned. In some ways, it's a shame we can't walk the last mile with you ... good luck.
Friday 7 August 2009
Twitter admin email password reset incident
Last month a story broke about employees of the company behind Twitter being hacked. TechCrunch has published details of the incident, and the comments on their story identify some of the possible controls. In short:
- A Twitter employee uses Gmail
- Gmail has a password reset function that sends the user's password to a pre-registered email account
- The Twitter employee had originally configured Gmail to use a Hotmail email account for this
- The Hotmail account was unused for months and lapsed
- The hacker requested and obtained the same Hotmail email address [it looks like the hacker was able to guess the address, preumably it was a similar address to the Gmail account]
- The hacker told Gmail to reset and send him the Gmail account password via the Hotmail address that he now owns, which it did
- The hacker then logged on to the Twitter employee's Gmail account
- One of the emails he could now access was the original "Welcome to Gmail" type notice with the original password, so the hacker was able to reset the Gmail password back to the one the real user knew, before the real user noticed it had been changed
- Through information disclosed between Twitter employees by email, and by guessing his passwords to other Web systems, the hacker obtained a further bunch of confidential information including access to the email accounts of senior Twitter execs
- The hacker eventually disclosed the hack to the news media for some reason, causing public embarrassment to Twitter and fears about their evident insecurity
- A Twitter employee uses Gmail
- Gmail has a password reset function that sends the user's password to a pre-registered email account
- The Twitter employee had originally configured Gmail to use a Hotmail email account for this
- The Hotmail account was unused for months and lapsed
- The hacker requested and obtained the same Hotmail email address [it looks like the hacker was able to guess the address, preumably it was a similar address to the Gmail account]
- The hacker told Gmail to reset and send him the Gmail account password via the Hotmail address that he now owns, which it did
- The hacker then logged on to the Twitter employee's Gmail account
- One of the emails he could now access was the original "Welcome to Gmail" type notice with the original password, so the hacker was able to reset the Gmail password back to the one the real user knew, before the real user noticed it had been changed
- Through information disclosed between Twitter employees by email, and by guessing his passwords to other Web systems, the hacker obtained a further bunch of confidential information including access to the email accounts of senior Twitter execs
- The hacker eventually disclosed the hack to the news media for some reason, causing public embarrassment to Twitter and fears about their evident insecurity
Digital Forensics Mag
A new magazine for fans of digital forensics will debut later this year, covering:
• Cyber terrorism
• Law
• Management issues
• Investigation technologies and procedures
• Tools and techniques
• Hardware, software and network forensics
• Mobile devices
• Training
• eDiscovery
• Book/product reviews
Office comms risks and controls
An article about responsible Twittering hints at a broader concern for all social media, and in fact all forms of communication between the office and the outside world. Examples in the article include people falsely claiming to represent their employers and disclosing sensitive information via Twitter, plus Twitter being used to direct potential victims to infectious sites hosting malware. People have done the same kinds of things for years using email, telephone, blogs, bulletin boards, IM, VoIP and so on - even letters in the post: the incidents are pretty similar though the communications media vary.
This obviously raises questions about how to reduce the risks without unduly interfering with legitimate business communications. Technical controls offer limited assistance e.g. blocking IM will block legitimate IM activities, and determined users can sometimes find ways around such blocks anyway. Automatically appended email disclaimers have dubious legal validity, particularly those that are written or modified by amateurs. Policies and procedures can help but only if employees are made aware of, accept and comply with them, which requires awareness activities (such as this month's NoticeBored module) and compliance activities (such as management oversight - basically taking an interest in what staff are doing at their desks).
Risk avoidance is arguably the most effective control, in other words discouraging or preventing unnecessary office communications outside the organization. However this is likely to have an adverse impact on legitimate business activities, and hence costs.
Since the controls are evidently not perfect, wise organizations make contingency arrangements in preparation for situations when the controls fail and incidents occur. Examples:
[Scary postscript: the Pentagon thinks there is value in 'instant comms', if only soldiers can be persuaded not to disclose little things such as battle plans ...] [Or is this just a crude attempt by the US to encourage foreign militia to permit their soldier to use Twitter ?]
This obviously raises questions about how to reduce the risks without unduly interfering with legitimate business communications. Technical controls offer limited assistance e.g. blocking IM will block legitimate IM activities, and determined users can sometimes find ways around such blocks anyway. Automatically appended email disclaimers have dubious legal validity, particularly those that are written or modified by amateurs. Policies and procedures can help but only if employees are made aware of, accept and comply with them, which requires awareness activities (such as this month's NoticeBored module) and compliance activities (such as management oversight - basically taking an interest in what staff are doing at their desks).
Risk avoidance is arguably the most effective control, in other words discouraging or preventing unnecessary office communications outside the organization. However this is likely to have an adverse impact on legitimate business activities, and hence costs.
Since the controls are evidently not perfect, wise organizations make contingency arrangements in preparation for situations when the controls fail and incidents occur. Examples:
- Incident notification and specific response procedures covering these kinds of incident;
- Response procedures include 'damage limitation' using legal actions (e.g. those disclaimers and Non Disclosure Agreeand Public Relations (e.g. stock press releases ready to issue);
- "Learning the lessons" which means using incidents (particularly those suffered by the organization but also its peers and others in the public domain) as case studies and training materials;
- Disciplinary procedures taking account of incidents of this nature, typically using examples.
[Scary postscript: the Pentagon thinks there is value in 'instant comms', if only soldiers can be persuaded not to disclose little things such as battle plans ...] [Or is this just a crude attempt by the US to encourage foreign militia to permit their soldier to use Twitter ?]
Thursday 6 August 2009
Tax passwords are valuable!
The BBC reports that fraudsters are exploiting taxpayers' passwords to access an online Inland Revenue system in attempts to make fraudulent claims for tax refunds. They presumably obtain the passwords by stealing the notification letters from the post or carelessly discarded in rubbish bins, by tricking people out of them (perhaps by social engineering or phishing), or perhaps most worryingly for the tax authorities, hacking their lovely online and/or back-end IT systems.
It's hard to imagine that taxpayers would deliberately discard letters with login credential that might let them reclaim overpaid tax, but its possible some do not even realise that they are able to do so. I doubt the tax man says this in big bold print! We know from studies by the Police and other dumpster divers that many people routinely discard all sorts of juicy documents without a care.
Stealing mail from the postal system is certainly a possibility, although of course there are controls in place to prevent this kind of thing. Rogue postal workers sometimes get the blame. Fraudulent redirection of post and theft from mailboxes also occur from time to time.
It's interesting that the possibility that someone might have been hacking the tax systems is not even mentioned by the BBC or the Revenue's spokesperson. Perhaps it's just too horrific to countenance?
It's hard to imagine that taxpayers would deliberately discard letters with login credential that might let them reclaim overpaid tax, but its possible some do not even realise that they are able to do so. I doubt the tax man says this in big bold print! We know from studies by the Police and other dumpster divers that many people routinely discard all sorts of juicy documents without a care.
Stealing mail from the postal system is certainly a possibility, although of course there are controls in place to prevent this kind of thing. Rogue postal workers sometimes get the blame. Fraudulent redirection of post and theft from mailboxes also occur from time to time.
It's interesting that the possibility that someone might have been hacking the tax systems is not even mentioned by the BBC or the Revenue's spokesperson. Perhaps it's just too horrific to countenance?
Office and email security awareness
Friday 3 July 2009
Forensic examination of secondhand disks
Used hard disks bought on an online auction site were found to contain personal and proprietary data. Some of the drives that had supposedly been erased yielded their secrets to forensic examination techniques. Others still had the original undeleted data and could have been read easily by any purchaser. The Irish newspaper article notes that homeworkers were probably the source of at least some of the security lapses, having used their own PCs for work projects, "forgotten" about the sensitive work data they contained, and sold the disks or whole systems privately. This kind of breach would fall outside the remit of most organizations I have worked for, except those few who insist that staff only use company systems for work activities, typically providing laptops for the purpose. That said, whether the laptop hard disks were properly erased at the end of their life, or the extent to which employees complied with the company policies on not working on personal IT equipment, is anyone's guess.
Tuesday 30 June 2009
New awareness module on digital forensics
Dear friends of NoticeBored,
Digital forensics - the capture and analysis of digital evidence for
use in court - is an increasingly important topic not just for law
enforcement but for ordinary organizations and even individuals. The
forensic investigation of computers, cellphones, PDAs, USB memory
sticks etc. is a tedious, painstaking process involving the systematic
collection, storage, examination, analysis and interpretation of the
data they contain.
Digital forensics is a completely new topic for NoticeBored, our 35th
information security focus area so far. While we do not know of any
competing security awareness products that cover forensics, it’s a
fascinating topic for those who enjoy whodunnit thrillers or watch CSI
Miami. Awareness of the procedures and issues involved in digital or
computer forensics might just interest technical employees enough to
take up the challenge and complete the training, and should give
management the basic knowledge to be able to select and/or work with
digital forensic services from third party specialists or indeed the
police and forensic science units.
While almost all of the awareness materials are only available to our customers, the newsletter is available as a read-only PDF file
All the best,
Gary
Wednesday 17 June 2009
Writing workable infosec policies
Writing in Computerworld, author Jennifer Bayuk offers some innovative suggestions on how best to write information security policies that are effective and workable in practice. I particularly like the way she emphasizes taking time to canvas management on their perspectives on the value and hence need to protect their information assets, drawing out management's control objectives as a prelude to drafting the actual policy statements. She's talking about an implicit risk assessment approach, I guess: I have successfully used risk workshops and so forth to achieve essentially the same ends, namely explicit management understanding and support for information security. It works.
Jennifer mentions the use of standards such as ISO27k, COBIT and the ISF Standard of Good Practice, all of which I would agree form a sound basis for developing reasonably comprehensive policy sets - in fact, it could be argued that organizations should perhaps use a synthesis of all three, plus relevant NIST SP800 standards and all applicable legal or regulatory or contractual compliance/security obligations and relevant strategic goals in relation to protecting information assets ... except that such an approach would soon get completely out of hand in practice. The true art of policy writing is to say all that needs to be said, no more, no less, clearly and in a manner that motivates the audiences to comply. Yes, audiences, for there are several.
I would however take exception to Jennifer's comment that "these documents [meaning the security standards] are inherently generic and do not state specific management objectives for security". ISO/IEC 27002 is generic, granted, but it comes remarkably close to laying out a suite of management-level security objectives (called "control objectives" in the standard) that would apply to virtually any organization. Several other standards take a similar line, and most in fact start from the position "First, managers, examine your risks and determine your information security priorities ...". The guidance they go on to offer is not meant to be prescriptive, rather it is like an a la carte menu of popular controls that, by implication, represent generally accepted good practice.
Our very own information security policy manual is based around the structure and guidance from ISO/IEC 27002. Although the whole manual is over 100 pages long, it incorporates a set of 39 management-level "security axioms" derived from 27002's 39 control objectives and threaded throughout the manual, plus a selection of 7 even higher level security principles. The axioms and principles are repeated in an appendix of just under three pages that should not be too much of a burden for management, even ADHD senior management, to consider and hopefully approve or mandate. The remaining 100-odd pages then lay out the mid-level details which are primarily aimed at information security practitioners and direcly correspond to those control objectives approved by management. There is a coherence to this design that I commend to others and I must say our policy manual is selling very well, thank you, so I submit that's the real proof of the pudding.
Finally, Ms Bayuk says next to nothing about the hardest part of security policies, which is not in fact writing them or getting them approved: it's implementing them and gaining compliance in real organizations, facing real day-to-day crises and strategic challenges, with employees and third parties who generally "have better things to do than worry about security" and would love to point the finger at Someone Else. Management simply laying down the rules is not in itself sufficient, even if (in our policy manual anyway), the CEO has a paragraph right at the start saying, basically, "This is important, do it or else". Security awareness activities provide the oil to slip the policies quietly into place. Awareness combines information provision ("This is what the policies say") with pragmatic guidance (procedures, guidelines etc.) but most of all it motivates people to do something different. Believe me, there are far more subtle forms of motivation than "Do this or else", for example finding creative angles on security topics pointing out that it is generally in employees' own best interests to behave securely. The rather negative comply-or-die-punk approach may work for some people some of the time, but on the whole, do-this-to-help-yourself-and-the-organization is a far more positive approach and an easier sell. Both types of message delivery are needed as they complement, between them pretty much covering the lot.
We have just updated our policy manual to reflect the release of ISO/IEC 27000 and continue to incorporate our understanding of good security practices at every opportunity. Even our generic policy template is very much a living document, not least because in security, someone keeps on moving the bloody goalposts!
PS Sorry for lack of blogging lately, I've just not been in a creative mood following the death of my father. They say bereavement affects people in different ways and now I think I understand what they mean.
Jennifer mentions the use of standards such as ISO27k, COBIT and the ISF Standard of Good Practice, all of which I would agree form a sound basis for developing reasonably comprehensive policy sets - in fact, it could be argued that organizations should perhaps use a synthesis of all three, plus relevant NIST SP800 standards and all applicable legal or regulatory or contractual compliance/security obligations and relevant strategic goals in relation to protecting information assets ... except that such an approach would soon get completely out of hand in practice. The true art of policy writing is to say all that needs to be said, no more, no less, clearly and in a manner that motivates the audiences to comply. Yes, audiences, for there are several.
I would however take exception to Jennifer's comment that "these documents [meaning the security standards] are inherently generic and do not state specific management objectives for security". ISO/IEC 27002 is generic, granted, but it comes remarkably close to laying out a suite of management-level security objectives (called "control objectives" in the standard) that would apply to virtually any organization. Several other standards take a similar line, and most in fact start from the position "First, managers, examine your risks and determine your information security priorities ...". The guidance they go on to offer is not meant to be prescriptive, rather it is like an a la carte menu of popular controls that, by implication, represent generally accepted good practice.
Our very own information security policy manual is based around the structure and guidance from ISO/IEC 27002. Although the whole manual is over 100 pages long, it incorporates a set of 39 management-level "security axioms" derived from 27002's 39 control objectives and threaded throughout the manual, plus a selection of 7 even higher level security principles. The axioms and principles are repeated in an appendix of just under three pages that should not be too much of a burden for management, even ADHD senior management, to consider and hopefully approve or mandate. The remaining 100-odd pages then lay out the mid-level details which are primarily aimed at information security practitioners and direcly correspond to those control objectives approved by management. There is a coherence to this design that I commend to others and I must say our policy manual is selling very well, thank you, so I submit that's the real proof of the pudding.
Finally, Ms Bayuk says next to nothing about the hardest part of security policies, which is not in fact writing them or getting them approved: it's implementing them and gaining compliance in real organizations, facing real day-to-day crises and strategic challenges, with employees and third parties who generally "have better things to do than worry about security" and would love to point the finger at Someone Else. Management simply laying down the rules is not in itself sufficient, even if (in our policy manual anyway), the CEO has a paragraph right at the start saying, basically, "This is important, do it or else". Security awareness activities provide the oil to slip the policies quietly into place. Awareness combines information provision ("This is what the policies say") with pragmatic guidance (procedures, guidelines etc.) but most of all it motivates people to do something different. Believe me, there are far more subtle forms of motivation than "Do this or else", for example finding creative angles on security topics pointing out that it is generally in employees' own best interests to behave securely. The rather negative comply-or-die-punk approach may work for some people some of the time, but on the whole, do-this-to-help-yourself-and-the-organization is a far more positive approach and an easier sell. Both types of message delivery are needed as they complement, between them pretty much covering the lot.
We have just updated our policy manual to reflect the release of ISO/IEC 27000 and continue to incorporate our understanding of good security practices at every opportunity. Even our generic policy template is very much a living document, not least because in security, someone keeps on moving the bloody goalposts!
PS Sorry for lack of blogging lately, I've just not been in a creative mood following the death of my father. They say bereavement affects people in different ways and now I think I understand what they mean.
Thursday 21 May 2009
Appeals Court Protects White House Office E-mails
From today's GigaLaw news:
"A federal appeals court ruled that the office that has records about millions of possibly missing e-mails from the Bush White House does not have to make them public. The appeals court in Washington ruled that the White House Office of Administration is not subject to the Freedom of Information Act.
Read more: http://gigalaw.blogspot.com/2009/05/appeals-court-protects-white-house.html (Source: WPVI-TV)"
What is it with US public admininstration and cover-ups? Is the White House above the law? Does anybody (besides me, and I'm 10,000km away) care?
I shall remember this story the next time I hear an American lecturing about fraud and corruption in foreign parts ...
"A federal appeals court ruled that the office that has records about millions of possibly missing e-mails from the Bush White House does not have to make them public. The appeals court in Washington ruled that the White House Office of Administration is not subject to the Freedom of Information Act.
Read more: http://gigalaw.blogspot.com/2009/05/appeals-court-protects-white-house.html (Source: WPVI-TV)"
What is it with US public admininstration and cover-ups? Is the White House above the law? Does anybody (besides me, and I'm 10,000km away) care?
I shall remember this story the next time I hear an American lecturing about fraud and corruption in foreign parts ...
Thursday 26 March 2009
Pop Mechanics does infrastructure security
Popular Mechanics gives the US national infrastructure a once-over from the perspective of its resilience to cyberwarfare, asking "How Vulnerable is U.S. Infrastructure to a Major Cyber Attack? Could hackers take down key parts of our infrastructure? Experts say yes. They could use the very computer systems that keep America's infrastructure running to bring down key utilities and industries, from railroads to natural gas pipelines. How worried should we be about hacking, the new weapon of mass disruption?"
It starts with a pop culture doomsday scenario to grab the readers' attention: "The next world war might not start with a bang, but with a blackout. An enemy could send a few lines of code to control computers at key power plants, causing equipment to overheat and melt down, plunging sectors of the U.S. and Canadian grid into darkness. Trains could roll to a stop on their tracks, while airport landing lights wink out and the few traffic lights that remain active blink at random."
Referring to the "hodgepodge" of Industrial Control Systems controlling elements of the critical infrastructure such as power and water supplies, the author at one point claims that "a good rule of thumb is that any device that is computer-controlled and networked is vulnerable to hacking". That's true I guess, for undefined values of 'vulnerable'. But SCADA/ICS devices that are connected to wireless/microwave control links or use phone lines and modems are also vulnerable to hacking: are these 'networked' I wonder?
I would disagree with the author on one point. He says "Infrastructure is meant to last a long time, so upgrades to existing systems tend to occur at a glacial pace." The glacial pace is not because infrastructure is meant to last a long time, but because changing such complex, safety-critical systems in any way (even to implement security patches) creates additional risks that may outweigh the need to make the change. It's a risk management decision, of course, and a delicate one given that leaving the systems open to cyberwarfare attackers does not necessarily lead to cyberwarfare, whereas creating a power cut or safety incident is bound to hit the headlines.
The article covers the usual range of headline incidents and scare stories with a little expert commentary, and as such is fine as a general security awareness piece. There's nothing of much use here, though, for security or general management at critical infrastructure organizations.
It starts with a pop culture doomsday scenario to grab the readers' attention: "The next world war might not start with a bang, but with a blackout. An enemy could send a few lines of code to control computers at key power plants, causing equipment to overheat and melt down, plunging sectors of the U.S. and Canadian grid into darkness. Trains could roll to a stop on their tracks, while airport landing lights wink out and the few traffic lights that remain active blink at random."
Referring to the "hodgepodge" of Industrial Control Systems controlling elements of the critical infrastructure such as power and water supplies, the author at one point claims that "a good rule of thumb is that any device that is computer-controlled and networked is vulnerable to hacking". That's true I guess, for undefined values of 'vulnerable'. But SCADA/ICS devices that are connected to wireless/microwave control links or use phone lines and modems are also vulnerable to hacking: are these 'networked' I wonder?
I would disagree with the author on one point. He says "Infrastructure is meant to last a long time, so upgrades to existing systems tend to occur at a glacial pace." The glacial pace is not because infrastructure is meant to last a long time, but because changing such complex, safety-critical systems in any way (even to implement security patches) creates additional risks that may outweigh the need to make the change. It's a risk management decision, of course, and a delicate one given that leaving the systems open to cyberwarfare attackers does not necessarily lead to cyberwarfare, whereas creating a power cut or safety incident is bound to hit the headlines.
The article covers the usual range of headline incidents and scare stories with a little expert commentary, and as such is fine as a general security awareness piece. There's nothing of much use here, though, for security or general management at critical infrastructure organizations.
Tuesday 24 March 2009
Revised NIST security awareness/training standard
I've been reading and thinking today about a revised NIST Special Publicatio SP800-16, currently released for public comment. If you are genuinely interested in making security awareness more effective, I recommend setting aside an hour or three to read and consider the draft document.
To whet your appetite, here are just a few short paragraphs from one section of the draft, with my own thoughts and comments cited below.
Under section 2.2.1 of SP800-16, NIST says:
My comments:
(1) The terms "awareness", "training" and "education" are often used interchangeably and sometimes combined, as in "awareness training". However, they are different activities with different mechanisms and purposes. SP800-50 “Building an Information Technology Security Awareness and Training Program” covers this point rather eloquently, better in fact than SP800-16 and FISMA which tie themselves in knots over the terminology.
(2) If you can read past the much abused second word of "blended solution of activities", the real point is that awareness requires a range of separate but complementary activities - and by "activities" I mean things that involve physical actions by both the information givers and the information receivers. I am talking about proactive learning, not passive entertainment or "edutainment". The most important part of a training course is not the presentation slides or other materials, the presenter, the facility or the audience: it's the engagement, interest and interaction that happens when members of the audience become inspired to change what they do thereafter.
(3) Informing people, in other words providing relevant facts about information security risks and controls, is an important element of awareness, training and education but is not in itself sufficient, in most cases. Erudite but boring and dry factsheets have limited impact and can be counterproductive. News stories are just one way to bring information security to life, reminding people that we are not talking purely hypothetically about security incidents. They are really happening around us, and not just Out There in the news headlines but much closer to home, affecting us, our colleagues, friends and families, and of course our organization and society. Getting personal on information security matters is a good way to engage with people.
(4) Focus is important. Generic, bland "be more secure" messages are a total waste of brain cycles. People need to know what, specifically, they should be worried about and what they should do ... but first they need to open up in order to even receive the message. Making people "wake up and smell the coffee" is one option but is not the only way (I'll speak about other techniques another time). Focus, to me, includes getting straight to the point - being direct and avoiding unnecessary fluff or irrelevancies. It also includes picking on specific information security topics, providing more depth than is typical of those rushed security induction training classes.
(5) Building knowledge and skills to enhance job performance is all very well but has little value unless people actually use the knowledge and skills when they get back to work. Achieving this is the crux of effective awareness, training and educational activities. Unless people are taken beyond the point of being mere receptacles for facts and are motivated to behave more securely, the program is not going to earn its keep.
(6) Notice that "forcing employees to sit down en masse in a stuffy meeting room or lecture theatre while some boring IT geek or clueless manager spouts off about information security" does not feature in NIST's list of worthwhile activities, but is not far from the truth in some organizations! Awareness, training and education take creativity and passion. It's not that hard really. [For lots more ideas, thing such as case studies with role plays, crosswords, competitions etc. see NoticeBored!]
(7) Taking focus to the extent of a single awareness activity covering just a single information security control might perhaps be necessary if that one control is conspicuously failing but seems unlikely to cover the full breadth of security controls that employees should understand and respect, in any reasonable timeframe. Coupling this point with comments about keeping the content interesting implies to me the need to run quite rapidly through a sequence of topics, moving ahead at or just before the point that eyelids start to droop. This idea of a rolling awareness program, in my experience, makes all the difference but there's one more little point to bear in mind. "Sequences" can be random or directed. A random assortment of information security topics may achieve the coverage desired but misses the opportunity to link together successive topics into a more coherent security story. Being smart about the sequence and scope of the topics leads to a more subtle form of the old teacher's saw "Tell them what you are going to tell them, tell them, then tell them what you told them". We can introduce future topics and refer back to previous topics, all while delivering the present topic. The interrelatedness of information security topics makes this quite easy to achieve with just a bit of thought and planning. The advantage is a level of coherence and reinforcement that random assortments don't achieve.
(8) Now there's a thought: we are seeking "cultural change" are we? Great idea, one I thoroughly endorse ... but unfortunately for many managers, security awareness is less about achieving cultural change than about "being seen to be Doing Something" or, even worse, "doing it for compliance reasons". Health and safety training finds itself in the same pickle. Effective H&S training has a lasting impact on what employees do as they go about their normal business activities, long after the ink has dried on the training evaluation forms. It's about putting on the ear muffs and safety goggles even when there's nobody else looking. It means taking a moment to deal with a trip hazard in a public thoroughfare even when you yourself have clearly spotted and avoided the hazard. Achieving cultural change to create a "culture of security" is a fabulous objective, one that's much easier to say than to do. For me, it goes somewhat beyond the rather simplistic if important ideas noted in section 2.2.1, picking up concepts such as:
Right, that's section 2.2.1 duly considered. I'll stop there for now, leaving consideration of the remaining 156 pages as an exercise for you dear reader - homework if you will. NIST welcomes comments on the draft SP800-16 until June 26th 2009 by email to 800-16comments@nist.gov.
To whet your appetite, here are just a few short paragraphs from one section of the draft, with my own thoughts and comments cited below.
Under section 2.2.1 of SP800-16, NIST says:
"Awareness is not training (1). Security awareness is a blended solution of activities (2) that promote security, establish accountability, and inform the workforce of security news (3). Awareness seeks to focus an individual’s attention on an issue or a set of issues (4). The purpose of awareness presentations is simply to focus attention on security (4). Awareness presentations are intended to allow individuals to recognize information security concerns and respond accordingly. (2)
In awareness activities the learner is a recipient of information, whereas the learner in a training environment has a more active role. (2) Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance. (5)
A few examples of information security awareness materials/activities include:
• Events, such as an information security day,
• Briefings (program- or system-specific or issue-specific)
• Promotional/specialty trinkets with motivational slogans,
• A security reminder banner on computer screens, which comes up when a user logs on,
• Security awareness video tapes, and
• Posters or flyers. (6)
Effective information security awareness efforts must be designed with the recognition that people tend to practice a tuning-out process called acclimation. If a stimulus, originally an attention-getter, is used repeatedly, the learner will selectively ignore the stimulus. (6) Thus, awareness delivery must be on-going, creative, and motivational, with the objective of focusing the learner's attention so that the learning will be incorporated into conscious decision-making. This is called assimilation, a process whereby an individual incorporates new experiences into an existing behavior pattern. (3 & 5)
Learning achieved through a single awareness activity tends to be short-term, immediate, and specific. For example, if a learning objective is “to facilitate the increased use of effective password protection among employees,” an awareness activity might be the use of reminder stickers for computer keyboards. (7)
The fundamental value of information security awareness programs is that they set the stage for awareness training and role-based training by bringing about a change in attitudes which should begin to change the organizational culture. The cultural change sought (8) is the realization that information security is critical because a security failure has potentially adverse consequences for everyone. Therefore, information security is everyone’s job. (9)"
My comments:
(1) The terms "awareness", "training" and "education" are often used interchangeably and sometimes combined, as in "awareness training". However, they are different activities with different mechanisms and purposes. SP800-50 “Building an Information Technology Security Awareness and Training Program” covers this point rather eloquently, better in fact than SP800-16 and FISMA which tie themselves in knots over the terminology.
(2) If you can read past the much abused second word of "blended solution of activities", the real point is that awareness requires a range of separate but complementary activities - and by "activities" I mean things that involve physical actions by both the information givers and the information receivers. I am talking about proactive learning, not passive entertainment or "edutainment". The most important part of a training course is not the presentation slides or other materials, the presenter, the facility or the audience: it's the engagement, interest and interaction that happens when members of the audience become inspired to change what they do thereafter.
(3) Informing people, in other words providing relevant facts about information security risks and controls, is an important element of awareness, training and education but is not in itself sufficient, in most cases. Erudite but boring and dry factsheets have limited impact and can be counterproductive. News stories are just one way to bring information security to life, reminding people that we are not talking purely hypothetically about security incidents. They are really happening around us, and not just Out There in the news headlines but much closer to home, affecting us, our colleagues, friends and families, and of course our organization and society. Getting personal on information security matters is a good way to engage with people.
(4) Focus is important. Generic, bland "be more secure" messages are a total waste of brain cycles. People need to know what, specifically, they should be worried about and what they should do ... but first they need to open up in order to even receive the message. Making people "wake up and smell the coffee" is one option but is not the only way (I'll speak about other techniques another time). Focus, to me, includes getting straight to the point - being direct and avoiding unnecessary fluff or irrelevancies. It also includes picking on specific information security topics, providing more depth than is typical of those rushed security induction training classes.
(5) Building knowledge and skills to enhance job performance is all very well but has little value unless people actually use the knowledge and skills when they get back to work. Achieving this is the crux of effective awareness, training and educational activities. Unless people are taken beyond the point of being mere receptacles for facts and are motivated to behave more securely, the program is not going to earn its keep.
(6) Notice that "forcing employees to sit down en masse in a stuffy meeting room or lecture theatre while some boring IT geek or clueless manager spouts off about information security" does not feature in NIST's list of worthwhile activities, but is not far from the truth in some organizations! Awareness, training and education take creativity and passion. It's not that hard really. [For lots more ideas, thing such as case studies with role plays, crosswords, competitions etc. see NoticeBored!]
(7) Taking focus to the extent of a single awareness activity covering just a single information security control might perhaps be necessary if that one control is conspicuously failing but seems unlikely to cover the full breadth of security controls that employees should understand and respect, in any reasonable timeframe. Coupling this point with comments about keeping the content interesting implies to me the need to run quite rapidly through a sequence of topics, moving ahead at or just before the point that eyelids start to droop. This idea of a rolling awareness program, in my experience, makes all the difference but there's one more little point to bear in mind. "Sequences" can be random or directed. A random assortment of information security topics may achieve the coverage desired but misses the opportunity to link together successive topics into a more coherent security story. Being smart about the sequence and scope of the topics leads to a more subtle form of the old teacher's saw "Tell them what you are going to tell them, tell them, then tell them what you told them". We can introduce future topics and refer back to previous topics, all while delivering the present topic. The interrelatedness of information security topics makes this quite easy to achieve with just a bit of thought and planning. The advantage is a level of coherence and reinforcement that random assortments don't achieve.
(8) Now there's a thought: we are seeking "cultural change" are we? Great idea, one I thoroughly endorse ... but unfortunately for many managers, security awareness is less about achieving cultural change than about "being seen to be Doing Something" or, even worse, "doing it for compliance reasons". Health and safety training finds itself in the same pickle. Effective H&S training has a lasting impact on what employees do as they go about their normal business activities, long after the ink has dried on the training evaluation forms. It's about putting on the ear muffs and safety goggles even when there's nobody else looking. It means taking a moment to deal with a trip hazard in a public thoroughfare even when you yourself have clearly spotted and avoided the hazard. Achieving cultural change to create a "culture of security" is a fabulous objective, one that's much easier to say than to do. For me, it goes somewhat beyond the rather simplistic if important ideas noted in section 2.2.1, picking up concepts such as:
- Providing continuity - planning awareness activities over the long term (and I don't mean 'scheduling next year's security awareness session'!);
- Addressing the entire organization (staff and managers), in fact the scope can usefully cover the extended organization including friends and relatives of employees, contractors/consultants, outsource suppliers, customers, suppliers, business partners, other stakeholders and, to some extent, society at large
- Using creativity to create interest and engage people with the program, and retaining that interest indefinitely;
- Being sensitive to cultural norms, communications preferences and so forth for the audiences - notice the plural: it makes little sense to focus all the security awareness activities on one homogeneous audience when we know full well that business units, departments, teams and individuals vary markedly in many key respects. "Selling" copyright compliance to, say, an Indian or Chinese business unit is a rather different prospect to getting the same point across to a Scandinavian organization. For some people, the 3 minute high level overview is more than enough: for others, 3 minutes would not be nearly enough for the briefest of introductions;
- Taking audience engagement to the extent of active audience participation, for example encouraging managers, IT professionals and employees to converse on the same information security topic, putting their respective points of view in the context of a shared understanding of the terms and concepts involved.
Right, that's section 2.2.1 duly considered. I'll stop there for now, leaving consideration of the remaining 156 pages as an exercise for you dear reader - homework if you will. NIST welcomes comments on the draft SP800-16 until June 26th 2009 by email to 800-16comments@nist.gov.
How to fix SCADA security [not]
In "A cautionary tale about nuclear change management" ComputerWorld blogger Scott McPerson discusses a few security incidents that have been linked to SCADA systems, picking out two causes: poor change management and problems with the IT architectures. If only things were so simple in Real Life.
According to Scott, the change management problem can be solved by adequate pre-release testing of patches. Mmm. OK, well let's assume a SCADA-using organization has the resources to invest in an IT test jig comprehensive enough to model the live SCADA/ICS systems, complete with real-time data feed simulators and control panels, or at least a sufficient part of the complete live system to allow representative and realistic testing. Presumably they could test the patches and software upgrades thoroughly enough to reduce the possibility of unintended consequences, but how far can or indeed should they go? Anyone who has actually tried to do exhaustive software testing, even in a very simple laboratory setting, knows that it is literally impossible to test everything in practice. With the best will in the world, the fanciest test jig that money can buy and the most competent, skilled and diligent professional testers on the job, there is always a residual risk at the declared end of testing. In real life, the end of testing is almost always declared by management well before the testers are truly happy, not least because the issues and risks that the planned software changes are supposed to fix inevitably persist at least until the fix is applied, so there are clearly competing pressures. Damned if we do, damned if we don't.
OK, I'm certainly not arguing that pre-release software testing is a waste of time on SCADA or any other IT systems, far from it. But the reality is that no matter how much testing and fixing is done, the eventual decision to implement implicitly if not explicitly accepts the residual risk. In my experience, the operational, safety and commercial risks associated with system failures on SCADA systems are so significant that the opposite situation is more of a problem, namely that SCADA systems are not patched at all, or at least not promptly, due to the extreme risk aversion. Legacy systems are the norm not the exception in SCADA/ICS-land. In the case of safety-relevant and certified systems, plus the highly specialized bespoke systems typical of controllers for complex machinery (such as, oh er, a nuclear power station), the inertia problem is even worse.
Scott's second point about IT architectural issues also seems rather glib to me. "The fact that some utilities -- including nuclear utilities -- are stupid enough to attach the servers that control and manage SCADA systems to the same Internet that runs porn and Nigerian scams and MySpace is ludicrous. It is also dangerous." That statement seriously denegrates the highly competent IT and business managers in the utilities, manufacturing and engineering companies where I have worked. Such people are far from stupid. As I said already, they are highly risk averse and do not take such decisions lightly. But again there are competing priorities. The Internet is a convenient, cheap way to access SCADA/ICS systems, networks, devices etc. for remote diagnostics and support purposes, for example, and often glues together critical business processes throughout the supply chain. Connecting the SCADA/ICS network to any other network (even the internal corporate LAN) is clearly fraught with danger so security is always a concern.
The main beef I have with you, Scott, is that you have over-simplified the problems and provided trivial solutions, as if simply saying these things will make a difference. Calling the people who are actually dealing with the risks "stupid" is hardly going to make friends and influence people.
According to Scott, the change management problem can be solved by adequate pre-release testing of patches. Mmm. OK, well let's assume a SCADA-using organization has the resources to invest in an IT test jig comprehensive enough to model the live SCADA/ICS systems, complete with real-time data feed simulators and control panels, or at least a sufficient part of the complete live system to allow representative and realistic testing. Presumably they could test the patches and software upgrades thoroughly enough to reduce the possibility of unintended consequences, but how far can or indeed should they go? Anyone who has actually tried to do exhaustive software testing, even in a very simple laboratory setting, knows that it is literally impossible to test everything in practice. With the best will in the world, the fanciest test jig that money can buy and the most competent, skilled and diligent professional testers on the job, there is always a residual risk at the declared end of testing. In real life, the end of testing is almost always declared by management well before the testers are truly happy, not least because the issues and risks that the planned software changes are supposed to fix inevitably persist at least until the fix is applied, so there are clearly competing pressures. Damned if we do, damned if we don't.
OK, I'm certainly not arguing that pre-release software testing is a waste of time on SCADA or any other IT systems, far from it. But the reality is that no matter how much testing and fixing is done, the eventual decision to implement implicitly if not explicitly accepts the residual risk. In my experience, the operational, safety and commercial risks associated with system failures on SCADA systems are so significant that the opposite situation is more of a problem, namely that SCADA systems are not patched at all, or at least not promptly, due to the extreme risk aversion. Legacy systems are the norm not the exception in SCADA/ICS-land. In the case of safety-relevant and certified systems, plus the highly specialized bespoke systems typical of controllers for complex machinery (such as, oh er, a nuclear power station), the inertia problem is even worse.
Scott's second point about IT architectural issues also seems rather glib to me. "The fact that some utilities -- including nuclear utilities -- are stupid enough to attach the servers that control and manage SCADA systems to the same Internet that runs porn and Nigerian scams and MySpace is ludicrous. It is also dangerous." That statement seriously denegrates the highly competent IT and business managers in the utilities, manufacturing and engineering companies where I have worked. Such people are far from stupid. As I said already, they are highly risk averse and do not take such decisions lightly. But again there are competing priorities. The Internet is a convenient, cheap way to access SCADA/ICS systems, networks, devices etc. for remote diagnostics and support purposes, for example, and often glues together critical business processes throughout the supply chain. Connecting the SCADA/ICS network to any other network (even the internal corporate LAN) is clearly fraught with danger so security is always a concern.
The main beef I have with you, Scott, is that you have over-simplified the problems and provided trivial solutions, as if simply saying these things will make a difference. Calling the people who are actually dealing with the risks "stupid" is hardly going to make friends and influence people.
Thursday 19 March 2009
SCADA stories of 2008
SCADA security specialists Digital Bond run an annual summary of the top SCADA security stories of the year before. Here are their lists for 2008, 2007 and 2006.
In 2007, the story about successfully hacking and taking control of an electricity generating plant was hot news, along with NERC's moves to improve information security for the US electricity industry. In 2008, the US water industry seems to have followed NERC's lead with their own security roadmap.
In 2007, the story about successfully hacking and taking control of an electricity generating plant was hot news, along with NERC's moves to improve information security for the US electricity industry. In 2008, the US water industry seems to have followed NERC's lead with their own security roadmap.
Worming the Internet
Unprecedented collaboration between ICANN, antivirus vendors, other malware security professionals and domain name registrars in US, China and elsewhere is seeking to neutralize the Conficker/Downadup worm. The worm's authors evidently intended the worm to download payloads from any of a long list of domains, so the security community has been busily registering or regaining control of those domains to prevent them being abused.
Microsoft has offered $250k for information leading to the arrest and prosecution of those behind Conficker/Downadup, a sign that Internet security issues are bad for all Internet users, not least the big businesses that depend on it.
Meanwhile, a third variant of the worm has been detected with a trigger date of April 1st. This could be big.
Microsoft has offered $250k for information leading to the arrest and prosecution of those behind Conficker/Downadup, a sign that Internet security issues are bad for all Internet users, not least the big businesses that depend on it.
Meanwhile, a third variant of the worm has been detected with a trigger date of April 1st. This could be big.
Wednesday 4 March 2009
Scared of SCADA?
Our latest product is a brand new security awareness module on SCADA, ICS, DCS and related acronyms - essentially industrial process control systems. I suspect few employees outside of IT will have heard of SCADA and hardly any will have considered the security requirements associated with keeping the lights on, both literally (SCADA systems are heavily used by the electricity generators and grid) and figuratively (modern factories are packed with all manner of computerized industrial machinery). For those who work not in manufacturing industry but in ordinary offices, we point out that elevators and other facilities are typically managed by a Building Management System, itself a form of SCADA. For those who don't even work in an office, the Engine Management System in their car is another example.
In addition to the potential for unplanned production outages and disruption to critical infrastructures, the health and safety plus environmental protection aspects make SCADA security impacts potentially horrific. Simply being obscure is no defence against some hackers and, potentially, their terrorist masters. Governments and managers at major utilities are worried about SCADA security risks, so all in all this is an important awareness topic.
Friday 20 February 2009
Military systems not immune to civil (or for that matter military) malware
News of the Conficker/Downadup worm rumble on. Britain's Daily Telegraph is relaying news from a French newspaper that a French naval network was infected, disrupting communications and hence military opertions as the network was isolated for disinfection. The same piece reports that a "report in the military review Defense Tech revealed that in the first days of January 2009 the British Defence Ministry had been attacked by a hybrid of the virus that had substantially and seriously infected the computer systems of more than 24 RAF bases and 75 per cent of the Royal Navy fleet including the aircraft carrier Ark Royal."
While the journalists and military PR people are typically at pains to point out that such events affect only unclassified or lowly-classified networks, the impacts sometimes appear to indicate otherwise - unless that is the French navy is in the habit of passing military orders over unclassified networks, which I doubt.
The reality of modern life is that most organizations are connected to the global Internet, and therefore they rely on network security controls to prevent "unauthorized traffic", including malware and hackers. Even those with no Internet connections remain vulnerable to malware infections by other routes, such as USB memory sticks in the French navy case. If even the highly controlled and well funded military are vulnerable to such nasties, what hope is there for other organizations, particularly large or diverse organizations with limited control over their IT systems and networks? I'm very conscious that our own small business remains vulnerable, despite the firewalls, antivirus software, network monitoring and so on, but at least we have security awareness on our side!
While the journalists and military PR people are typically at pains to point out that such events affect only unclassified or lowly-classified networks, the impacts sometimes appear to indicate otherwise - unless that is the French navy is in the habit of passing military orders over unclassified networks, which I doubt.
The reality of modern life is that most organizations are connected to the global Internet, and therefore they rely on network security controls to prevent "unauthorized traffic", including malware and hackers. Even those with no Internet connections remain vulnerable to malware infections by other routes, such as USB memory sticks in the French navy case. If even the highly controlled and well funded military are vulnerable to such nasties, what hope is there for other organizations, particularly large or diverse organizations with limited control over their IT systems and networks? I'm very conscious that our own small business remains vulnerable, despite the firewalls, antivirus software, network monitoring and so on, but at least we have security awareness on our side!
Tuesday 3 February 2009
Alleged Fannie Mae logic bomber denies charges
Reuters says:
While we read about logic bombs in security textbooks, real world examples are relatively few and far between, in other words the probability of attack is quite low. The impacts could be significant, although in practice most attacks we read about have been thwarted while a proportion of successful attacks are likely either to be misdiagnosed as bugs, viruses, outsider attacks etc. or covered up by embarrassed managers. As so often when assessing information security risks, the true scale of the insider threat can only be surmised from imperfect data and hence contingency planning is sensible in case we miscalculate.
Disgruntled technically-competent insiders, usually IT professionals, get the blame for logic bombings. Logic bombs are but one example of the damage privileged insiders can cause, ranging from fraud and theft of intellectual property (personal or proprietary) to passive resistance such as faked incompetence and "accidental" damage to the IT systems and networks under their control. Last year's story of network administrator Terry Childs holding the city of San Francisco to ransom for the access password is another real-world example.
What controls would be useful to guard against this sort of situation? There's a wide choice including:
"A 35-year-old computer programer pleaded not guilty on Friday to charges that he planted a computer virus designed to destroy all the data on 4,000 Fannie Mae computer servers the day he was fired from the company ..."
While we read about logic bombs in security textbooks, real world examples are relatively few and far between, in other words the probability of attack is quite low. The impacts could be significant, although in practice most attacks we read about have been thwarted while a proportion of successful attacks are likely either to be misdiagnosed as bugs, viruses, outsider attacks etc. or covered up by embarrassed managers. As so often when assessing information security risks, the true scale of the insider threat can only be surmised from imperfect data and hence contingency planning is sensible in case we miscalculate.
Disgruntled technically-competent insiders, usually IT professionals, get the blame for logic bombings. Logic bombs are but one example of the damage privileged insiders can cause, ranging from fraud and theft of intellectual property (personal or proprietary) to passive resistance such as faked incompetence and "accidental" damage to the IT systems and networks under their control. Last year's story of network administrator Terry Childs holding the city of San Francisco to ransom for the access password is another real-world example.
What controls would be useful to guard against this sort of situation? There's a wide choice including:
- Management oversight - bosses keeping an eye on what their staff are doing (not so easy to arrange if the boss is the trouble maker and other bosses are incompetent to oversee or are simply unaware!);
- Divisions of responsibility such that a lone cowboy cannot easily take advantage of his access (tricky again if he has system privileges and access to information, systems and processes that permit him to bypass or undermine standard access controls);
- Laws, regulations, policies, standards, procedures and guidelines, not just to influence potential logic bombers (who, by their very nature, are unlikely to respect the rules) but also to establish and mandate the supporting/compensating procedural, technical and physical security controls;
- Audits, whether periodic/planned/pre-notified or ad hoc/unannounced/surprise visits, plus management reviews and similar checkpoints, particularly when scoped and panned specifically to address this issue and performed by experts with prior experience in this area;
- Technology-related controls such as air-tight change and configuration management processes; scans for unauthorized or inappropriate source code, malware and hacker tools on production systems; logical access controls as a whole; trustworthy backups; network intrusion detection and content management systems etc.;
- Slick incident management processes to identify and respond rapidly and efficiently to potential incidents and thus limit the damage;
- Liabilities on those responsible, whether employees or third parties, that are legally defined and practically enforceable in employment or service contracts (an after-the-fact contingency or corrective control);
- Whistleblowers' hotline - a facility to encourage peers and co-workers (including managers and HR people dealing with clearly disgruntled staff) to report their concerns or suspicions in confidence for independent review;
- Security awareness, training and educational activities, for instance promoting the whistleblower's hotline and policies, and training those who oversee IT operations in the symptoms of insider attack to watch out for (e.g. when logic bombers develop and test their evil schemes prior to the Big One);
- Pre- and para-employment screening of employees in an attempt to locate and drop the bad apples, assuming that they can be identified as such (some believe that bad apples can be psychologically profiled but this practice is probably more art than science - merely being a social misfit or square-peg-in-a-round-hole is not in itself sufficient cause to track or sack somone, and such people can be extremely beneficial and creative if somewhat difficult to manage employees);
- Sensible termination procedures, designed to remove possible hitches from a leaver's last few days or weeks on site (e.g. arranging for an "understudy" to shadow a leaver, both to pick up important new skills and to watch out for inappropriate activities);
- Keeping employees gruntled, not disgruntled (!). Seriously, maintaining good employer-employee relations is a general baseline control against many forms of insider threat, and a particular challenge for management in an economic downturn. Procedural controls are particularly likely to suffer when people have other things on their mind than the organinization's best interests.
Botnets to watch in 2009
A news item about botnets from Secureworks includes some useful information about how botnets are used and protected. They are used to distribute spam (including money mule come-ons, fake pharmaceuticals, enlargement products, loans and more) and malware.
The estimated sizes of the botnets range up to about 175,000 compromised machines, with most being a few tens of thousands, well short of the millions that lurid mainstream news headlines sometimes claim. Still tens of thousands of broadband connected computers can do a lot of damage.
The estimated sizes of the botnets range up to about 175,000 compromised machines, with most being a few tens of thousands, well short of the millions that lurid mainstream news headlines sometimes claim. Still tens of thousands of broadband connected computers can do a lot of damage.
Website content integrity failure
While researching for our next awareness module on SCADA security, I came across the Omron PLC website and couldn't help laughing when I read their news items. They haven't been well translated from the original - at least I doubt anyone would seriously have meant to write "The reverend converts the broadcasting waves echolike backwards from the RFID attach into digital aggregation that crapper then be passed on to computers that crapper attain ingest of it.". Let's hope we make more sense of SCADA security in our awareness briefings!
Thursday 29 January 2009
Malwareness
Hi there!
We've just released an updated, refreshed and extended awareness module on malware, one of those enduring "core topics" that we have covered several times in the six years or so since we launched our awareness service, and yet the threat is subtly different every year. As with the previous awareness topic, hacking, the most noticeable change lately has been the increasing use of malware for criminal purposes such as identity theft, spamming and industrial espionage. The days of viruses displaying funny graphics and playing silly tunes are long gone. It’s become much more serious, both for individuals and for organizations on the receiving end.
Malware authors are constantly exploring different modes of infection, creating new payloads and inventing novel criminal activities. Some malware modifies its own code in order to try to escape detection by pattern-matching antivirus software, or picks up new component parts through the Internet as the infection progresses (Malware as a Service!).
Thursday 15 January 2009
"I like to learn something new, to travel, walk on a nature"
I can't resist re-posting this hilarious 419 scam fresh from my inbox, allegedly from innocent Natalya pictured above from the JPG attached to "her" email - I say "her" because the sender was listed as Frederick somebody, hardly a common ladies' name where I come from!
Hi! I ask you to read this letter, it will not borrow a lot of your time. This letter notGood day to you. Go forth and multiply, Natalya.
advertising, but this letter from usual Russian woman which wishes to meet the man of she dream...
My name is Natalya. I'm 28 years old. My friends speak, that I - very cheerful and sociable woman
and I have good sense of humour. I like to learn something new, to travel, walk on a nature. But
unfortunately, I did not manage to meet the man to which I could trust, be very close with him and love
him.
At my age it is time to me to reflect on family, children. But all men whom I met, did not concern
to this seriously. Therefore I have decided to try to find the man in other country. I have addressed in
agency of acquaintances and to me have offered to dispatch my letter, I have agreed... If there is even
one chance from thousand, I am ready... I believe... I so would like to give my heart, the love my
favourite person.
If you have read my letter and wish to continue dialogue, write on mine e-mail: natalyakorobkova@googlemail.com
If you will write to me only for game or to receive my photos, I ask you to stop it.
If you have decided to answer my letter, I ask you tell about yourself. It will be interesting to
me to know about you more.
What is your name?
How old are you? Your city.
Would you like to meet the woman for love?
So, I finish the letter, thanks, that you have read it. I hope, that I shall receive the answer
from you. And this hope allows me to look at the world in another way...
Please be in earnest to my letter very much. Also be fair.
I wish you good day.
Natalya.
POSTSCRIPT 15th January 2009: a British man has lost £130,000 to Nigerian 419 scammers.
Tuesday 13 January 2009
Hacker desperate to avoid extradition to the US
Hacker Gary McKinnon has to date successfully avoided extradition to the US to face up to his hacking of US military systems in 2001/2002. He continues to make full use of the British and European legal systems, his latest exploit involving allegedly admitting to an offense under the UK Computer Misuse Act in an apparent attempt to be incarcerated at Her Majesty's pleasure rather than, perhaps, end up languishing in an orange jump suit in Cuba.
Admitting to the CMA offense is surely a desperate measure since it is hardly likely to improve his defense if he ever stands before the US courts.
This is all an object lesson in the perils of hacking Uncle Sam's. It could literally be a life-changing experience.
Admitting to the CMA offense is surely a desperate measure since it is hardly likely to improve his defense if he ever stands before the US courts.
This is all an object lesson in the perils of hacking Uncle Sam's. It could literally be a life-changing experience.
Sunday 4 January 2009
Is hacking a governance failure?
The president of a company that develops software for oil and gas exploration was sentenced to 12 months' supervised probation and fined $2,500 for hacking a competitor using an airport's wireless network connection, according to eWeek. The company is also facing charges that it sold restricted software products to Cuba, potentially implying a wider governance failure if proven rather than simply a rogue employee, albeit a very senior one.
Governance concerns are also raised by the alleged hacking of the World Bank's systems by an IT outsourcing supplier although the supplier denies the accusations. The supplier's website proudly announces that it won "the coveted Golden Peacock Global Award for Excellence in Corporate Governance for 2008" [an award that I personally hadn't heard of, but what do I know?], so it is possible that, if true, the hacker was a lone Black Hat that the company's award-winning governance processes failed to identify and/or stop.
Governance concerns are also raised by the alleged hacking of the World Bank's systems by an IT outsourcing supplier although the supplier denies the accusations. The supplier's website proudly announces that it won "the coveted Golden Peacock Global Award for Excellence in Corporate Governance for 2008" [an award that I personally hadn't heard of, but what do I know?], so it is possible that, if true, the hacker was a lone Black Hat that the company's award-winning governance processes failed to identify and/or stop.
Subscribe to:
Posts (Atom)