Posts

Showing posts from July, 2010

Raising awareness of industrial espionage

We often read about security incidents involving personal information in the newspapers or online. Multi-million dollar credit card and social security number exposures grab the headlines and consume many column inches. There are even websites dedicated to totting-up the sordid numbers. There are laws and regulations to protect personal data, and most of us accept that our privacy is inherently worth protecting, no question. When it comes to protecting confidential proprietary information belonging to corporations, however, the situation is less clear. Someone taking, say, their former employer's customer list to a new job may be 'frowned upon', but evidently this practice is often tolerated and is probably fairly common in practice. Indeed, professional résumés boast of prior work experiences and major projects, with the implication that proprietary knowledge and ex...

Book review: Managing the Human Factor in Information Security

David Lacey's book concerns the influence of people in protecting information assets and is excellent value. It covers a surprisingly wide range of topics relating to the human aspects of information security, mostly from management and operational perspectives. The book has depth too, while remaining generally pragmatic in style. I highly recommend the book for all information security professionals, particularly CISOs and Information Security Managers who are not entirely comfortable with the social elements of information security, and for information security MSc students who want to boost their understanding in this area. The book is also particularly valuable for information security awareness and training professionals, who necessarily deal with human factors on a daily basis and need to understand how best to work with and influence their organizational cultures...

Business continuity during the holiday period

An email from Garrison Continuity pointed me to a neat 2-page Adobe PDF file with tips to ensure that business continuity arrangements won't falter while many employees are on holiday. Truth is, the holiday period is just a timely prompt to check that the arrangements are sound: the plans should be checked and exercised periodically throughout the year. It's one of the regular activities for the Business Continuity Manager, providing additional assurance that the plans will function properly whenever a major incident strikes.

Human factors conspicuously absent

A new 'how to' piece on eHow.com titled Information Security Awareness & Training is curiously deficient. I'm puzzled that someone who presumably feels they have expertise in the subject would write a piece that refers almost exclusively to technical IT security controls. There is no significant mention of human factors, nor any pragmatic help on how to plan, organize, develop, deliver, measure and maintain an infosec awareness & training program. It's so bad, I hardly know where to start criticising it.

Rejuvenating a security awareness program

Regardless of whether your security awareness program is barely off the ground or has been running for a while, we all come up against barriers from time to time. It can be very dispiriting for those of us tasked with "doing awareness", leading to a drop in our morale and energy, but fear not, brave awareness person! With a bit of creative or lateral thinking, there are all sorts of things you can do to bring your program back on track. Here are six ways to tackle those barriers.

1. Hit the barrier head-on

This is exactly what we normally do. We 'try harder' and 'have another go'. Sometimes it works but occasionally, when we've hit our heads against the barrier and bruised our ego once too often, we realize it is no longer working and something has to change. This is the trigger to take stock of the situation and plan something different, whether subtly or radically different is up to you.

2. Overwhelm the barrier

This involves more than s...

Disastrous lack of policy?

A DarkReading article caught my attention today: Demolition firm Ferma nearly failed because its employees lacked a proper security policy. In mid-2009, an employee at the California firm clicked on a link in an e-mail message and ended up at a malicious website. The site, run by online thieves, used a vulnerability in Internet Explorer to load a Trojan horse on the employee's system. With control of the machine, which was used for much of the firm's accounting, the thieves gathered data on the firm and its finances. A few days later, the thieves used 27 transactions to transfer $447,000 from Ferma's accounts, distributing the money to accounts worldwide. "They were able to ascertain how much they could draw, so they drew the limit," said Ferma president Roy Ferrari in an interview at the time. It was that opening line that stood out for me. Was this incident truly due to the lack of a "proper security policy", in fact? If so, what would that "pro...

Applying the Cooper Color Code to information security

A throwaway comment in a convoluted machine-translated blog led me to a fascinating Wikipedia piece about Jeff Cooper, father of the "modern technique" of handgun shooting, and in particular to the concept of "condition white". Condition white describes the state of mind of someone who is totally oblivious to a serious threat to their personal safety. Cooper used it in relation to situations involving violent assault where the potential victims don't even appreciate that they are in danger and hence are not in the least bit alert to the signs of impending attack. The attacker therefore has the element of surprise. The Wikipedia piece describes four levels recognized by Cooper: "White - Unaware and unprepared. If attacked in Condition White, the only thing that may save you is the inadequacy or ineptitude of your attacker. When confronted by something nasty, your reaction will probably be "Oh my God! This can't be happening to me." Yellow - Rela...

Social engineering contest sparks a reaction

News that DEFCON, a hacker conference, will include a Capture The Flag contest using social engineering techniques has sparked a fearful reaction from a US financial services industry regulator, warning their clients to be on their guard during the contest. In fact, all organizations must be constantly on their guard against social engineering attacks, contest or no contest. If the contest serves to raise awareness of the widespread, easily exploited vulnerabilities created by naive and inattentive people, then I am all in favor of it. Good on yer! There should be one every month! A big one, with headline coverage in all the news media! With special prizes for the organizations that successfully resisted the social engineering attacks for a specified period! Social engineering is of course one of the central issues in this month's security awareness materials on human factors in information security. With people attacking people, it's self evident...