Monday 22 November 2010

Get out of jail free card

Here's a type of policy I've not seen before, appended to the specification sheet for an electronic component made by National:
LIFE SUPPORT POLICY

NATIONAL’S PRODUCTS ARE NOT AUTHORIZED FOR USE AS CRITICAL COMPONENTS IN LIFE SUPPORT DEVICES OR SYSTEMS WITHOUT THE EXPRESS WRITTEN APPROVAL OF THE PRESIDENT AND GENERAL COUNSEL OF NATIONAL SEMICONDUCTOR CORPORATION. As used herein:
1. Life support devices or systems are devices or systems which, (a) are intended for surgical implant into the body, or (b) support or sustain life, and whose failure to perform when properly used in accordance with instructions for use provided in the labeling, can be reasonably expected to result in a significant injury to the user.
2. A critical component is any component of a life support device or system whose failure to perform can be reasonably expected to cause the failure of the life support device or system, or to affect its safety or effectiveness.
I'm looking forward to reading my first "Critical business support policy" on the specification for a bit of IT ...

Tuesday 16 November 2010

Information Security Management Metrics

If you are keen to learn about security metrics and perhaps even design or at least refine your own information security measurement system, I recommend Krag Brotby's thought-provoking book Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement.  Managing information security properly demands the use of suitable metrics at all levels from defining security strategy and governance, through prioritizing resources and investing in security, down to decision support for a million day-to-day operational security management decisions.  Krag's book won't give you a checklist of things to measure, but it will lay the groundwork and set you up to define your own metrics shortlist. 

If you are using the ISO27k standards and plan to adopt the metrics advice in ISO/IEC 27004, make the time to read Krag's book before you dive right in at the deep end.

Thursday 11 November 2010

Vishing attacks on New Zealand

A neighbour called me yesterday about a suspicious phone call she received from someone claiming that she had a problem with her PC.  The caller, who apparently sounded Indian, asked her to switch on her PC so he could help her sort it out.  Thankfully she had the awareness to notice something amiss.  The caller mumbled who he was working for and wouldn't clarify.  When she told him she needed to verify his identity, he terminated the call ... and presumably went on to try to scam some less-savvy sucker.

The NZ government's ScamWatch site is warning of this exact scam:
"Scamwatch continues to receive a steady stream of reports from consumers about out-of-the-blue phone calls from scammers wanting remote access to your computer to 'get rid of viruses' or to 'fix' your computer ... The calls, which appear to be originating overseas, ask consumers for remote access to their PC to 'see if their computer is infected'.  The scammer claims to be from an IT support helpdesk, or some have even claimed to be from Microsoft.  If you give remote access, the scammer may go on to plant malware on the computer; or go on to offer to fix the computer for a fee – paid by credit card over the phone."
The scammers are presumably using Skype or some other free VoIP service both to conceal their origins and to cut their costs, hence it's known as "vishing" - phishing by voice calls.

The scammer knew my neighbour's name and phone number - not exactly hard to find as she is listed in the phone book, but that little piece of information was nearly enough to catch her out ("How come he knew my name?" she asked me!).

Make sure your friends and family know how prevalent these social engineering attacks are.  Forewarned is definitely forearmed.

Saturday 6 November 2010

Come along Google, keep up

News that Google employees are to be treated to a security awareness program from next month is a positive move, but it makes me wonder exactly what the sleepy giant has been doing up till now.

Google has been rightly criticized for several privacy breaches already, with the WiFi data captured by Google's snooper vans being a recent example that is still rumbling on.

The news piece on TechShout implies that Google's awareness program will cover privacy, but it makes no mention of the myriad other information security issues.

Personally, given Google's lacklustre response to the privacy complaints, I get the distinct feeling that Google's management just don't get security. I just hope Google's awareness program has messages for management as well as for the workforce.