Posts

Showing posts from 2010

New awareness module on physical security

We've released January's awareness module on physical security a few days early to beat the Christmas rush. While many information assets are intangible (e.g. digital data and knowledge), some have a physical medium, existence or expression that is vulnerable to a variety of physical risks. Furthermore, many of the controls over intangible information, particularly the IT systems that store, communicate and process most of it, have physical security aspects. The security awareness materials for January focus on the physical protection of physical information assets against various physical risks. Proprietary knowledge in the heads of key workers means they really are “our greatest assets”, so health and safety measures are relevant to information security. We also provide a briefing on hardware hacking to catch the imagination of your IT people. ...

Book review: No Tech Hacking

In his book No Tech Hacking, author Johnny Long ably describes some simple non-technical attack methods mostly involving social engineering and physical site intrusion, but it is a shame he doesn’t present a more compelling call-to-action.  Readers can and indeed should be more aware of, and ideally resistant to, the methods described.  The book presents the basic information but doesn’t really motivate readers to respond, leaving us rather flat.

Business continuity case study

Serious business disruption stemming from an IT incident at National Australia Bank on the night of November 24th led to serious questions being posed in the press about the bank's governance and even its HR practices. This was clearly a costly incident for the bank, creating a flurry of adverse customer and media commentary (such as "FURIOUS consumers are demanding compensation after a NAB computer bungle delayed millions of wages, pensions, family payments and business transactions across Australia. Tens of thousands of anxious people could still be without cash for the weekend because of backlogs from the shambles.") and hence brand damage, in addition to the direct costs of investigating and resolving the incident itself and compensating customers. Now that the dust is settling, let's review the business continuity aspects of the case, based on media reports, public statements by NAB and a little idle speculation. The actual IT incident, originally t...

Business continuity awareness module

Business continuity in the title of December's security awareness module refers to the central purpose of various forms of resilience, disaster recovery/business resumption and contingency planning: these are not purely academic approaches but serve to support the business in a very practical way, in times of crisis. Making processes and systems resilient is an ideal approach to business continuity management if the organization can shrug off incidents that might otherwise interfere with or stop vital business activities, keeping operations running without a noticeable break. Disaster recovery and business resumption planning, however, start with the assumption that the business has unfortunately been disrupted as a result of a disaster, for instance if the resilience measures turn out to be inadequate in practice. Contingency planning takes that line of thinking a step further, preparing the organizatio...

Get out of jail free card

Here's a type of policy I've not seen before, appended to the specification sheet for an electronic component made by National:

LIFE SUPPORT POLICY

NATIONAL’S PRODUCTS ARE NOT AUTHORIZED FOR USE AS CRITICAL COMPONENTS IN LIFE SUPPORT DEVICES OR SYSTEMS WITHOUT THE EXPRESS WRITTEN APPROVAL OF THE PRESIDENT AND GENERAL COUNSEL OF NATIONAL SEMICONDUCTOR CORPORATION. As used herein:

1. Life support devices or systems are devices or systems which, (a) are intended for surgical implant into the body, or (b) support or sustain life, and whose failure to perform when properly used in accordance with instructions for use provided in the labeling, can be reasonably expected to result in a significant injury to the user.

2. A critical component is any component of a life support device or system whose failure to perform can be reasonably expected to cause the failure of the life support device or system, or to affect its safety or effectiveness.

I'm looking forward to readin...

Information Security Management Metrics

If you are keen to learn about security metrics and perhaps even design or at least refine your own information security measurement system, I recommend Krag Brotby's thought-provoking book Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement. Managing information security properly demands the use of suitable metrics at all levels from defining security strategy and governance, through prioritizing resources and investing in security, down to decision support for a million day-to-day operational security management decisions. Krag's book won't give you a checklist of things to measure, but it will lay the groundwork and set you up to define your own metrics shortlist. If you are using the ISO27k standards and plan to adopt the metrics advice in ISO/IEC 27004, make the time to read Krag's book before you dive right in at the deep end.

Vishing attacks on New Zealand

A neighbour called me yesterday about a suspicious phone call she received from someone claiming that she had a problem with her PC. The caller, who apparently sounded Indian, asked her to switch on her PC so he could help her sort it out. Thankfully she had the awareness to notice something amiss. The caller mumbled who he was working for and wouldn't clarify. When she told him she needed to verify his identity, he terminated the call ... and presumably went on to try to scam some less-savvy sucker. The NZ government's ScamWatch site is warning of this exact scam: "Scamwatch continues to receive a steady stream of reports from consumers about out-of-the-blue phone calls from scammers wanting remote access to your computer to 'get rid of viruses' or to 'fix' your computer ... The calls, which appear to be originating overseas, ask consumers for remote access to their PC to 'see if their computer is infected'. The scammer claims to be ...

Come along Google, keep up

News that Google employees are to be treated to a security awareness program from next month is a positive move, but makes me wonder exactly what the sleepy giant has been doing up till now. Google has been rightly criticized for several privacy breaches already, with the WiFi data captured by Google's snooper vans a recent example that is still rumbling on. The news piece on TechShout implies that Google's awareness program will cover privacy, but makes no mention of the myriad other information security issues. Personally, given Google's lackluster response to the privacy complaints, I get the distinct feeling that Google's management just don't get security. I just hope Google's awareness program has messages for management as well as the workforce.

Security awareness versus social engineering

The thumbnail shows the first of a series of 6 posters in November's security awareness module on social engineering.  It's a particularly important topic for us because security awareness is by far the most important control against social engineering.  Alert employees who appreciate the threat and know what to do if they feel they are being targeted stand a much better chance of resisting attacks than those who remain blissfully unaware throughout. As always, the newsletter sets the scene for the topic and outlines the risks associated with exploiting people rather than technologies.  The social engineering capture-the-flag competition at this year's DefCon hacker conference was a real eye-opener for many: we couldn't help but notice a number of prominent organizations hastily sending out warning notices to their employees ahead of the CTF competition, even though the rules of the game were strictly limited to keep the event ethical and educational.  What's more,...

The decade ahead

I wrote the following piece in response to a request for input by David Lacey on his blog. David and other luminaries in ISSA-UK had a meeting to discuss what they feel are the biggest security challenges we'll face in the decade ahead. An ISSA White Paper is planned at the end of this year, so it would be good for the wider infosec community to collaborate on this. I composed the following as a reply to David's blog but for some reason the ComputerWeekly site refuses to accept it. Perhaps it's too long or goes against their editorial principles, who knows? Anyway, here's what I wrote ... FWIW my main concern for the decade ahead is the increasing power and resourcing of the black hat community - not so much the lone home hackers and hacker clubs (who are formidable but rather fragmented and from what I've seen relatively benign, well-meaning even in some cases) but the true criminal community that increasingly uses hacking and social engineering to harves...

Complex passwords - easy peasy

Thanks to someone on CISSPforum, here's a gift idea for busy, well-connected friends on your holiday list - a password directory: "There are user IDs and passwords to remember everywhere you turn. There are codes and passwords for a variety of Web sites, bank accounts, frequent traveler programs and voicemail systems. It's tough to keep track of them all! Our Password Directory can help. It's alphabetically organized to log the user name, password or a password hint for any number of applications. It's a thoughtful gift for the busy, well-connected friends on your holiday list." Unbelievable! Well, actually it's entirely credible. Worryingly, there probably is a market for products like this, at least among the clueless buying for the security unaware. I'm puzzled as to the evident lack of general interest in or uptake of secure 'password vault' programs which neatly solve the most awkward and annoying aspects of the passwor...

Should Compliance be part of Information Security?

The first recommendation in Verizon's latest report on PCI compliance reads: Don’t drive a wedge between compliance and security.  Whatever your stance on the “compliance vs. security” debate, hopefully we can all agree that intentionally keeping them apart doesn’t make sense from either a compliance or a security perspective.  Why force a false dichotomy between two concepts that should, in theory, be in alignment?  After all, they both have the goal of protecting data.  Sure, maybe you’ll need to do some things for compliance that you wouldn’t do for security (based on risk assessment or tolerance) or vice versa, but it’s hardly an either-or situation across the board.  The overall direction of managing compliance should be in line with the security strategy.  Is your compliance management team the same as your security management team?  If not, is there a concerted effort to collaborate when and where possible or do both sides govern their own priv...

Snooping on students costs school district $610k

Wired.com is reporting that the Lower Merion school district, found guilty of invading its students' privacy by spying on them through webcams installed in the school-issued MacBook laptops, has to pay $610,000 to settle lawsuits brought by two students. The school district claims not to have been deliberately spying on students in a non-specific way (a 'dragnet' operation). However, the fact that a secret photo was used by the school as evidence to discipline a student indicates that, at the very least, it was deliberately and consciously using the software to snoop on the student concerned. Snooping facilities of this nature are normally intended to obtain evidence and so help recover stolen computers. This raises questions about whether such evidence might open the door to privacy complaints by those accused of stealing or using stolen computers. Furthermore, this case potentially has implications for other situations in which an organization, or indeed an individual...

Security compliance - new awareness module released

Compliance with information security and privacy-related laws, regulations, standards and policies may be a rather dry subject, but it's an increasingly important one and as such is definitely worth covering in security awareness programs - unless, that is, you truly believe that your technical security controls alone are sufficient (in which case, you are either a unique technical genius or sadly deluded!). We have just delivered an awareness module all about security compliance, some 67Mb of stimulating awareness content that, to be perfectly honest, barely scratches the surface.  We freely admit we are not legal experts.  We don't know all the ins and outs of our customers' legal obligations, the rules imposed by their industry regulators, or their corporate policies towards security.  But we do know about security awareness, about motivation and creativity.  And in many ways our international perspective lets us see beyond the narrow confines of any individual or...

Heartland CEO on their breach

Bob Carr, CEO of Heartland Payment Systems, spoke openly about their massive 2007/2008 security breach at the SC World Conference in 2009. Whether you work in the financial industry or in information security, it's well worth setting aside 45 mins or so to watch him present and think carefully about the underlying risk, security and commercial issues. Essentially, Bob's point is that the payment card industry is clinging to a fundamentally flawed security model. Card numbers taken from magstripes, or presumably from chip-n-PIN cards, are passed through the point of sale systems, the merchant back-office systems, and card processors such as Heartland, all the way to the card issuers. For a good part of this journey, the card numbers are unencrypted and hence are vulnerable to being captured by the bad guys. PCI DSS attempts to lock down all these intermediate points, but so long as the underlying data are in the clear, there is always going to be a risk of unauthorized or inap...

Osmotic security

Remarks towards the end of a blog piece by Andy Ellis reminded me about a key difference between awareness and training.  He and I may be concerned with information security awareness specifically but the principle is not limited to a single topic.  Safety awareness is not the same as safety training.  Being commercially aware is different to undergoing commercial training courses.  You get the point. Andy said: "But much more importantly, we weave security awareness into a lot of activities. Listen to our quarterly investor calls, and you'll hear our executives mention the importance of security. Employees go to our all-hands meetings, and hear those same executives talk about security. The four adjectives we've often used to describe the company are "fast, reliable, scalable, and secure". Social engineering attempts get broadcast to a mailing list (very entertaining reading for everyone answering a published telephone number). And that doesn't ...

Carpe diem!

This morning’s strength 7.1 earthquake in central Christchurch, South Island, New Zealand, is a reminder that contingency and continuity plans are not just tedious red tape. With the IsecT office being hundreds of miles away in North Island NZ, we didn’t feel the earth move as such but we certainly felt the shock on seeing the news. It leaves us wondering about our own readiness to survive a similar disaster, not least because of our proximity to Napier, another NZ city devastated by a similar quake in the 1930s. Today it's a fabulous Art Deco city having been almost entirely rebuilt. In the 1930s, it was a scene of death and destruction. From a security perspective, the Christchurch quake is an awareness opportunity. Carpe diem (seize the day)! It's all over the news. Employees can see for themselves what a real incident looks like and, with a bit of judicious prompting, imagine themselves in just such a disastrous situation, struggling firs...

... 99, 100, coming ready or not!

"Phone companies know where their customers' cellphones are, often within a radius of less than 100 feet. That tracking technology has rescued lost drivers, helped authorities find kidnap victims and let parents keep tabs on their kids. But the technology isn't always used the way the phone company intends. One morning last summer, Glenn Helwig threw his then-wife to the floor of their bedroom in Corpus Christi, Texas, she alleged in police reports. She packed her 1995 Hyundai and drove to a friend's home, she recalled recently. She didn't expect him to find her. The day after she arrived, she says, her husband "all of a sudden showed up." According to police reports, he barged in and knocked her to the floor, then took off with her car. The police say in a report that Mr. Helwig found his wife using a service offered by his cellular carrier, which enabled him to follow her movements through the global-positioning-system chip contained in her cellphone .....

Beyond awareness

According to Domain-B, Deloitte's information security survey of 60+ Indian organizations raised an interesting point: "Optimistically, information security awareness and training is among the top three security initiatives indicated by the resspondents [sic]. However, most security awareness programmes start with an e-learning module, which raises awareness and knowledge, but does not necessarily alter behaviour." It amuses me that so many organizations think they can just splash out some money on an e-learning package about information security, and that's it. Compliance box ticked. Management off the hook. They've 'done something'. Let's all live happily ever after. I'm not saying that e-learning packages are worthless, quite the opposite in fact. They are a valuable part, supplement or addition to a comprehensive security awareness program, the point being that, taken in isolation, watching a somewhat stilted video session and maybe answeri...

Security unplugged

Aren’t wireless networks wonderful? So convenient to use, flexible and cheap to deploy, they’re great! No longer are we tied to our desks by the network, keyboard and mouse cables. Wireless technologies enable laptops and other mobile computers to be connected to the corporate networks and the Internet, while distant locations can be linked up using microwave radio over point-to-point or satellite links. Travelers use public WiFi hotspots or 3G USB sticks to keep up with email and social networks while on the move, and use GPS geolocation/mapping systems to find their way. Organizations use RFID tags to monitor valuable items, track their mobile inventories and manage logistics. Most of us these days rely heavily on our mobile phones and PDAs which are, in fact, sophisticated digital radios using the 3G and other wireless networks. Many of us have Bluet...

Physical security in the office

Rebecca Herold has written an excellent list of typical physical security issues in the average office, or indeed other information-rich workplaces. She suggests conducting physical security reviews out-of-hours. I have done this kind of review hundreds of times myself, as part of "installation audits" using ISO/IEC 27002 as a benchmark for the kinds of controls expected. Doing them in the daytime or out-of-hours makes little difference - if anything, during the daytime the number of issues is magnified by the things employees typically do while at work, such as:

Leaving work-in-progress all over their desks and screens, not just while they are actively working on it but while they go to coffee or lunch;

Leaving desks, filing cabinets, and even safes open;

Chatting merrily away to each other on the phone about sensitive personal or commercial matters, with no regard to who else might be listening;

Leaving personal stuff (mobile phones, PDAs, USB sticks, wallets/purses, h...

More history of industrial espionage

An article in Psychology Today, of all places, recounts several more old industrial espionage stories, making the point that this cloak-n-dagger stuff has been going on for thousands of years. Major incidents have changed the course of history.

All the Tea in China

All the Tea in China recounts a nineteenth-century industrial espionage story, concerning the British plant collector Robert Fortune. Fortune collected (stole?) tea plants from China to launch the British tea plantations in India, so ending the Chinese stranglehold on the world's supply of tea.

Richard A. Clarke warns US about industrial espionage

Richard A. Clarke evidently has a knack for writing contentious books on information and national security topics. His latest co-authored book, Cyber War: The Next Threat to National Security and What to Do About It, prompts the federal government and corporate America to wake up to the threat. Writing about the book for Bloomberg BusinessWeek, Rochelle Garner says one of Clarke's key messages is: "Get serious about industrial espionage. Clarke says many companies aren't aware of how common trade-secret theft has become, partly because the federal government doesn't keep track of the financial consequences. He says the U.S. needs to be more like the U.K. More than a year ago, the security agency MI5 told the biggest 300 companies in Britain to assume their computers had been hacked by the Chinese and then met with executives to discuss the breaches it knew about and how to prevent future ones." As with many other US authors, the implication seems to ...

Skulduggery in the auto industry

A short piece about competitors using industrial espionage to steal information about cars under development suggests that the practices are widespread. The article specifically mentions:

Information obtained and disclosed through networks of moles, friends and acquaintances

Use of helicopters to spy on a rival's road tests

Intelligence functions within the organization

Social engineering

Hidden microphones & cameras

'Clandestine visits to sensitive places'

Reverse engineering i.e. dismantling a new vehicle to find out how it is made

[That's a far from exhaustive list. I wrote about others in our latest newsletter and awareness materials.]

I find it intriguing that stories of this nature have been circulating for years. There's one on the go now about Chery and GM. On the rather weak basis that there's no smoke without fire, there does seem to be a particular fascination with industrial espionage in the auto industry. Why is that, I wonder? Perhaps for...

Raising awareness of industrial espionage

We often read about security incidents involving personal information in the newspapers or online. Multi-million dollar credit card and social security number exposures grab the headlines and consume many column inches. There are even websites dedicated to totting up the sordid numbers. There are laws and regulations to protect personal data, and most of us accept that our privacy is inherently worth protecting, no question. When it comes to protecting confidential proprietary information belonging to corporations, however, the situation is less clear. Someone taking, say, their former employer’s customer list to a new job may be ‘frowned upon’ but evidently this practice is often tolerated and is probably fairly common in practice. Indeed professional résumés boast of prior work experiences and major projects, with the implication that proprietary knowledge and ex...

Book review: Managing the Human Factor in Information Security

David Lacey’s book concerns the influence of people in protecting information assets and is excellent value.   It covers a surprisingly wide range of topics relating to the human aspects of information security, mostly from management and operational perspectives.  The book has depth too, while remaining generally pragmatic in style. I highly recommend the book for all information security professionals, particularly CISOs and Information Security Managers who are not entirely comfortable with the social elements of information security, and for information security MSc students who want to boost their understanding in this area.  The book is particularly valuable also for information security awareness and training professionals who necessarily deal with human factors on a daily basis, and need to understand how best to work with and influence their organizational cultures...

Business continuity during the holiday period

An email from Garrison Continuity pointed me to a neat 2-page Adobe PDF file with tips to ensure that business continuity arrangements won't falter as many employees will soon be on holiday. Truth is, the holiday period thing is just a timely prompt to ensure the arrangements are sound: the plans should be checked and exercised periodically throughout the year.  It's one of the regular activities for the Business Continuity Manager, providing additional assurance that the plans will function properly whenever a major incident strikes.

Human factors conspicuously absent

A new 'how to' piece on eHow.com titled Information Security Awareness & Training is curiously deficient. I'm puzzled that someone who presumably feels they have expertise in the subject would write such a piece that refers almost exclusively to technical IT security controls. There is no significant mention of human factors, nor any pragmatic help on how to plan, organize, develop, deliver, measure and maintain an infosec awareness & training program. It's so bad, I hardly know where to start criticising it.

Rejuvenating a security awareness program

Regardless of whether your security awareness program is barely off the ground or has been running for a while, we all come up against barriers from time to time. It can be very dispiriting for those of us tasked with “doing awareness”, leading to a drop in our morale and energy, but fear not, brave awareness person! With a bit of creative or lateral thinking, there are all sorts of things you can do to bring your program back on track. Here are six ways to tackle those barriers.

1. Hit the barrier head-on

This is exactly what we normally do. We ‘try harder’ and ‘have another go’. Sometimes it works but occasionally, when we’ve hit our heads against the barrier and bruised our ego once too often, we realize it is no longer working and something has to change. This is the trigger to take stock of the situation and plan something different – whether subtly or radically different is up to you.

2. Overwhelm the barrier

This involves more than s...

Disastrous lack of policy?

A DarkReading article caught my attention today: "Demolition firm Ferma nearly failed because its employees lacked a proper security policy. In mid-2009, an employee at the California firm clicked on a link in an e-mail message and ended up at a malicious website. The site, run by online thieves, used a vulnerability in Internet Explorer to load a Trojan horse on the employee's system. With control of the machine, which was used for much of the firm's accounting, the thieves gathered data on the firm and its finances. A few days later, the thieves used 27 transactions to transfer $447,000 from Ferma's accounts, distributing the money to accounts worldwide. "They were able to ascertain how much they could draw, so they drew the limit," said Ferma president Roy Ferrari in an interview at the time."

It was that opening line that stood out for me. Was this incident truly due to the lack of a "proper security policy", in fact? If so, what would that "pro...

Applying the Cooper Color Code to information security

A throwaway comment in a convoluted machine-translated blog led me to a fascinating Wikipedia piece about Jeff Cooper, father of the "modern technique" of handgun shooting, in particular the concept of "condition white". Condition white describes the state of mind of someone who is totally oblivious to a serious threat to their personal safety. Cooper used it in relation to situations involving violent assault where the potential victims don't even appreciate that they are in danger and hence are not in the least bit alert to the signs of impending attack. The attacker therefore has the element of surprise. The Wikipedia piece describes four levels recognized by Cooper:

"White - Unaware and unprepared. If attacked in Condition White, the only thing that may save you is the inadequacy or ineptitude of your attacker. When confronted by something nasty, your reaction will probably be "Oh my God! This can't be happening to me."

Yellow - Rela...

Social engineering contest sparks a reaction

News that DEFCON, a hacker conference, will include a Capture The Flag contest using social engineering techniques has sparked a fearful reaction from a US financial services industry regulator, warning their clients to be on their guard during the contest. In fact, all organizations must be constantly on their guard against social engineering attacks, contest or no contest. If the contest serves to raise awareness of the widespread, easily exploited vulnerabilities created by naive and inattentive people, then I am all in favor of it. Good on yer! There should be one every month! A big one, with headline coverage in all the news media! With special prizes for the organizations that successfully resisted the social engineering attacks for a specified period! Social engineering is of course one of the central issues in this month's security awareness materials on human factors in information security. With people attacking people, it's self evident...

Human factors awareness module released

The rôle of human beings is arguably the most important topic in information security.  July's security awareness materials explain what it means to develop a “culture of security”, for example changing employees’ attitudes towards security, encouraging them not to tolerate insecurity but to comply with security policies and make things secure by design, and in general encouraging employees to behave more securely in whatever they are doing. This was an enjoyable module to write, being our home territory, and I hope the topic resonates with our customers. Reducing the number and/or severity of security incidents (compared to a culture of insecurity) is the aim, of course, which is about creating genuine business value.  Cost-effectiveness makes a huge difference between improving security by changing employee behaviors compared to changing IT systems and implementing additional technical controls.  Security awareness and training activities are significantly cheaper...