Tuesday 28 September 2010

Security compliance - new awareness module released

Compliance with information security and privacy-related laws, regulations, standards and policies may be a rather dry subject, but it's an increasingly important one and as such is definitely worth covering in security awareness programs - unless, that is, you truly believe that your technical security controls alone are sufficient (in which case, you are either a unique technical genius or sadly deluded!).

We have just delivered an awareness module all about security compliance, some 67Mb of stimulating awareness content that, to be perfectly honest, barely scratches the surface.  We freely admit we are not legal experts.  We don't know all the ins and outs of our customers' legal obligations, the rules imposed by their industry regulators, or their corporate policies towards security.  But we do know about security awareness, about motivation and creativity.  And in many ways our international perspective lets us see beyond the narrow confines of any individual organization.

The new security compliance module is designed to inform and motivate staff, managers and IT professionals, three distinct audiences with differing perspectives and needs:
  • Managers and directors have both strategic and tactical leadership roles and governance obligations in respect of information management, IT, information security, privacy, and of course compliance.

  • IT pros are faced with a confusing mess of technical and non-technical requirements imposed by barely comprehensible laws such as SOX, standards such as ISO27k, corporate security standards written by the egg-heads in information security/risk, and security policies written, in the main, by non-technical managers.

  • Staff just want to go about their jobs.  Security compliance is something that crops up occasionally but barely registers with them, unless sufficient effort is made to raise their awareness of, and ideally fulfill, their security obligations.

Friday 24 September 2010

Heartland CEO on their breach

Bob Carr, CEO of Heartland Payment Systems, spoke openly about their massive 2007/2008 security breach at the SC World Conference in 2009.  Whether you work in the financial industry or in information security, it's well worth setting aside 45 mins or so to watch him present and think carefully about the underlying risk, security and commercial issues.

Essentially, Bob's point is that the payment card industry is clinging to a fundamentally flawed security model. Card numbers taken from magstripes, or presumably from chip-n-PIN cards, are passed through the point of sale systems, the merchant back-office systems, and card processors such as Heartland, all the way to the card issuers. For a good part of this journey, the card numbers are unencrypted and hence are vulnerable to being captured by the bad guys. PCI DSS attempts to lock down all these intermediate points, but so long as the underlying data are in the clear, there is always going to be a risk of unauthorized or inappropriate disclosure.

He contrasts this with ATM PIN codes, which are encrypted as they are entered, decrypted and re-encrypted with the issuer's PIN in a physically secure security module, and so pass through the downstream systems and networks encrypted. Leaving aside various security concerns such as card skimmers, compromised PIN pads and compromised security modules, this approach does at least take the burden off the ATM companies and retail banks: they don't have clear access to the PINs. The encrypted PIN data stream is just another chunk of data to be moved around.  No worries.
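As an added illustration of the PIN-translation model Bob describes (constructed example code, not Heartland's or any bank's system): the PIN is encrypted at the keypad, the only place it exists in clear is inside the security module's translate call, and every node in between holds nothing but ciphertext. The block layout is ISO 9564 format 0; the 24-byte TDES zone keys and the function names are assumptions for the example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
)

// maskPAN XORs the PIN field with format-0 field 2: "0000" + rightmost 12 PAN digits, check digit excluded.
func maskPAN(blk []byte, pan string) []byte {
	m, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	for i := range blk {
		blk[i] ^= m[i]
	}
	return blk
}

// tdes runs one 8-byte block through Triple DES under a 24-byte zone key.
func tdes(key, in []byte, encrypt bool) []byte {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	out, op := make([]byte, 8), c.Decrypt
	if encrypt {
		op = c.Encrypt
	}
	op(out, in)
	return out
}

// PinPad builds the format-0 PIN field ("0"+length+PIN, 'F'-padded), masks it and encrypts it on entry.
func PinPad(pin, pan string, acquirerKey []byte) []byte {
	f := hex.EncodeToString([]byte{byte(len(pin))}) + pin // e.g. "04" + "1234"
	blk, _ := hex.DecodeString(f + "FFFFFFFFFFFFFF"[:16-len(f)])
	return tdes(acquirerKey, maskPAN(blk, pan), true)
}

// HsmTranslate: the only place the block is in clear; swap the incoming zone key for the outgoing one.
func HsmTranslate(epb, fromKey, toKey []byte) []byte {
	return tdes(toKey, tdes(fromKey, epb, false), true)
}

// IssuerPin recovers the PIN at the issuer; a bad format/length nibble (e.g. wrong key) yields "".
func IssuerPin(epb, issuerKey []byte, pan string) string {
	blk := maskPAN(tdes(issuerKey, epb, false), pan)
	if n := int(blk[0]); n < 4 || n > 12 {
		return ""
	}
	return hex.EncodeToString(blk)[2 : 2+int(blk[0])]
}
```

The contrast with the card-data path in the previous paragraph is that the PAN itself travels alongside as a clear string; only the PIN block gets this treatment.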

Towards the end, Bob also makes some deeply worrying comments about the PCI DSS QSA (Qualified Security Assessor) audit process. The QSAs are basically checking PCI DSS compliance, a checklist of 280 items according to Bob, for a fixed price. If they suspect security issues beyond the narrow scope of PCI DSS, it's not in their interests to explore further as a typical internal or external IT audit might do: not only do the QSAs want to retain their customers (which means, of course, giving them a clean bill of health, i.e. "You are fully compliant"), they also need to move on to the next fixed-price job ASAP.

There are a lot more security issues swimming around just under the surface layer of this presentation, but I won't spoil it for you.  Put your feet up, click the link and think on.

Monday 6 September 2010

Osmotic security

Remarks towards the end of a blog piece by Andy Ellis reminded me about a key difference between awareness and training.  He and I may be concerned with information security awareness specifically but the principle is not limited to a single topic.  Safety awareness is not the same as safety training.  Being commercially aware is different to undergoing commercial training courses.  You get the point.

Andy said:
"But much more importantly, we weave security awareness into a lot of activities. Listen to our quarterly investor calls, and you'll hear our executives mention the importance of security. Employees go to our all-hands meetings, and hear those same executives talk about security. The four adjectives we've often used to describe the company are "fast, reliable, scalable, and secure". Social engineering attempts get broadcast to a mailing list (very entertaining reading for everyone answering a published telephone number). And that doesn't count all of the organizations that interact with security as part of their routine.  And that's really what security awareness is about: are your employees thinking about security when it's actually relevant? If they are, you've succeeded. If they aren't, no amount of self-enclosed "awareness training" is going to fix it. Except, of course, to let you check the box for your auditors."
Though not using the actual term, he's talking about achieving a widespread culture of security throughout the organization, and in fact in a still wider sphere taking in its customers, business contacts and even, dare I say, its auditors.  You can't put all those people through security training as such, but you can create a level of awareness.  As he puts it, 'weaving security into routine activities' is one way to make it an inherent part of the organization's fabric.  Here are a few more suggestions:
  • Informing and motivating managers, and indeed other influential/powerful people (like auditors) to pay attention to information security matters, and pass on their concern to staff ('walking the talk' and 'leading by example' actually work!);
  • Encouraging IT professionals to support the cause of information security when interacting with IT systems and, yes, even with real living, breathing people;
  • Using marketing, advertising and promotional techniques to create a security brand, ideally forming an integral part of the organization's overall branding, positioning and corporate image;
  • Using creative awareness materials on interesting information security topics for a vibrant and memorable campaign;
  • Making the campaign an ongoing, continuous, year-round program of awareness activities, helping to embed and reinforce the cultural change as a permanent fixture, not a one-off event just to satisfy compliance obligations.
Summing that all up is the concept of osmosis, essentially steeping the entire organization gently in a warm bath of information security so that everyone gradually absorbs the messages.  Slowly, behaviors change to follow changing attitudes, and before you know it, you have a security culture.

Saturday 4 September 2010

Carpe diem!

This morning’s strength 7.1 earthquake in central Christchurch, South Island, New Zealand, is a reminder that contingency and continuity plans are not just tedious red tape.  With the IsecT office being hundreds of miles away in North Island NZ, we didn’t feel the earth move as such, but we certainly felt the shock on seeing the news.  It leaves us wondering about our own readiness to survive a similar disaster, not least because of our proximity to Napier, another NZ city devastated by a similar quake in the 1930s.  Today it's a fabulous Art Deco city, having been almost entirely rebuilt.  In the 1930s, it was a scene of death and destruction.

From a security perspective, the Christchurch quake is an awareness opportunity.  Carpe diem (seize the day)!  It's all over the news.  Employees can see for themselves what a real incident looks like and, with a bit of judicious prompting, imagine themselves in just such a disastrous situation, struggling first to survive and then to recover.  This is not merely 'ambulance chasing' but a genuine chance to help colleagues consider and probably improve the contingency and disaster recovery plans, including their own personal plans e.g. who would you contact first, and how?  Given that you could be anywhere when it happened, where would you go?  What things would most help your survival and recovery, and do you actually have them to hand right now?

We encourage NoticeBored customers to dust off the contingency planning awareness module released in February 2008.  There are briefings, presentations and posters in there you can use immediately.  We will be updating and re-issuing the module shortly.

Those of you elsewhere on the Pacific rim are probably already thinking about your own earthquake, tsunami and volcano survival plans, but in fact the principle is universal.  We encourage you all to get your colleagues talking about the incident and imagining something equally dramatic happening to them - a major fire, flood, bomb, storm, IT meltdown or some other serious crisis.  What would be your first priority - communicating with friends and family, probably, but how will you actually do that if the landlines and cellphones are out?  If infrastructure services are badly disrupted, what would you actually do?  How would you cope?

Remember, now is the time to prepare for disaster: when the walls are falling, the tide is rising and the flames flickering, it’s too late to pop down the road for bandages, food and water ...

We are re-checking the office "earthquake kit" and disaster plans today and thinking more seriously about additional backup data communications facilities such as 3G USB modems.  We already have emergency two-way radio capabilities, backup mains power, emergency water and food supplies, even spare IT facilities, but perhaps a tent would be worthwhile too if the buildings are damaged or unsafe.  Living rough under a tarpaulin for more than just a night or two would be hard going, especially in a miserable wet cold winter like this one.  I don't want to look back and think "If only I had arranged a decent shelter"!

What, if anything, are you doing about contingency and disaster planning in the wake of the Christchurch quake?  We'd love to hear back from you.