Posts

Showing posts from January, 2011

Awareness on IPR

Organizations like us - practically all organizations in fact - create, own, share and exploit a vast wealth of valuable information known as Intellectual Property. IP generally deserves and often requires proactive protection against threats such as plagiarism and piracy, even if it is deliberately published or disclosed: IP Rights are more than simply a confidentiality or secrecy issue. IPR infringements cause both direct and indirect impacts on the rightful IP owners, including loss of income, brand devaluation and competitive disadvantage. These are serious commercial issues. If awareness of the risks associated with disclosing IP is an important first step on the way to securing it, finding out how to bring the risks under control and enforce your IPR is step two. IPR-related laws such as copyright, trademarks and patents are the most obvious type of IPR controls but others are covered by agreements and contracts....

The most challenging parts of ISO27k

What are the most challenging aspects of ISO/IEC 27002 implementation and ISO/IEC 27001 compliance?   The following typical issues are summarised from a paper published in the ISSA Journal by Bil Bragg, a senior consultant from Dionach Ltd., who drew up the list by examining the gap analyses conducted for 20 client organisations.  The first two concern mandatory requirements for ISO/IEC 27001 certification: 4.2  Establishing and managing the ISMS: few organizations had formally stated the scope of their ISMS or documented their risk assessment method and risk acceptance criteria in accordance with the standard. 6.0  Internal ISMS audits: only one organization had an internal ISMS audit program, and none had undertaken a management review of the ISMS. The information security controls succinctly listed in Annex A of ISO/IEC 27001 and explained in more detail in ISO/IEC 27002 are not strictly mandatory for certification but are widely implemented and genera...

Digital redaction

Receiving the first working draft of new international standard ISO/IEC 27038 on digital redaction this morning prompted me to think about the risk associated with redaction, more specifically the information security risks associated with the redaction of electronic documents and other digital data files (e.g. digital still photos and video images; spreadsheets and numeric/statistical data sets and databases). Two cups of tea and a bit of head scratching later, here's my 'top 10' list of information security risks associated with redaction: Failing to identify correctly all the sensitive data that must be redacted. Failing to delete all the sensitive data e.g. overlaying or modifying rather than actually deleting the sensitive data using methods that can be completely or partially reversed; accidentally leaving one or more copies of the sensitive data completely unredacted; partially deleting the sensitive data leaving data remnants or cached copies, or sufficient informa...

Golly, another stolen laptop and no backups

The victims of another all-too-common physical security incident involving the theft of a laptop are devastated by the loss - not so much the physical value of the Macbook taken from the back seat of a car (doh!) but the far more valuable scientific research data on prostate cancer that it held.  There were no backups.  <Pause for dramatic effect> The victims' offer of a $1,000 bounty for the return of the laptop is presumably based on the assumed value of the stolen hardware to the thief.  If what they claim about the data is true, it's a small fraction of the true value, but still a substantial sum to them (being poor research scientists) and to some crack-head opportunist. I urge all of you reading this to stop whatever you're doing for a moment and consider what will happen when your IT systems are stolen, go up in flames, get flooded out, are dropped on the concrete floor, get hit by static or struck by lightning, fail spectacularly in a strangely beautiful sh...

Casino heist

The robbery of a Vegas casino reminds us not to over-rely on high-tech security controls (such as automatic face recognition systems) if that means neglecting basic physical security. It's also a puzzle that the casinos still use chips. I wonder why they haven't migrated to electronic cash systems, using smartcards? A well-engineered and properly-implemented smartcard system would avoid the need to have cash or chips in the casino. Ah, hang on, I see the problem: 'well-engineered and properly-implemented' is a stretch even for the banks.

Fraud detection successful

Here's something we don't often see: a fraudster caught by strong anti-fraud controls. He was an IT worker for a British supermarket chain who misused his privileged systems access to set up false accounts to receive stolen loyalty card points worth over £8k. Interestingly, he didn't try collecting on the cards until a few years later, and then just a few trial purchases. Fraudsters commonly test out their scams tentatively at first, building their confidence before pressing ahead with The Big One once they know the tests have succeeded. Only in this case, he was caught early. For obvious reasons, we're not told much about the anti-fraud controls in the news story so what follows is pure conjecture. Due to the delay between setting up, filling and then using the cards, it looks to me as if the purchases might have triggered some additional fraud checks, perhaps because of an unusual type or value of purchases; otherwise, they may have detected the fraud initially but...

Make them concentrate harder!

A counterintuitive result emerged from experiments evaluating the best kinds of font for classroom presentations. Fonts described as 'difficult to read' presumably made students concentrate harder. They scored better on subsequent tests than their peers using elegant, easy-on-the-eye fonts such as Arial.  Of course it could also be that those 'difficult to read' fonts gave a welcome boost to the banality and blandness of most presentations. We do our level best to make our security awareness seminar slides more interesting and engaging to stand out from the norm. We mostly avoid bullet points, preferring images and mind maps to put across important information such as the relationships between parts of the topic at hand, not just the words themselves.  Where appropriate we enjoy using simple v i su a l tr ic k e r y to emphasize the most important bits, but most of all we research the content to make it relevant and hence inherently engaging to our customers' a...

Physical security incident resolved using Facebook

CSO Mag is reporting that an inept thief who stole a flat-screen TV from a US service station (after paying for his fuel with his own credit card - doh!) was befriended on Facebook by staff and asked to return the stolen set. After he refused and un-friended the staff, they passed his details, including photographs of him they had already downloaded from his Facebook page, to police who promptly arrested him. A line from the story bears repeating: "He hid the TV under his shirt and took off". That's a 27" flat screen TV!  I wonder if perhaps the cheeky chappie was somewhat circumferentially challenged? Not that I can talk after the obligatory Christmas feast. 

I must clear this debts!

Normally I ignore the banal 419 & phishing emails that usually plop unceremoniously into my junk mailbox, but this one caught my attention for a couple of reasons. Firstly, it's the most bizarre hook I've seen so far - a warning email from IATA that I might not be able to fly my planes across Europe. Mmm. Last time I checked the IsecT hangar, our enormous fleet of extremely well-appointed executive jets was mysteriously absent. Perhaps they are all right now circling EU airspace, negotiating with the air traffic controllers for permission? Secondly, I couldn't help but notice the name of the sender. That's either a terrible typo or a most unfortunate job title.

Terrorist threats to physical security

A rather vacuous story in The Mirror concerning the discovery of vulnerabilities at England's Sellafield nuclear plant is a timely reminder of the extreme risks towards the right-hand end of the risk-control spectrum diagram in January's security awareness module. The news piece, such as it is, reports that after a military "red team" discovered issues at the plant, security is being 'urgently reviewed' to address the risk of a terrorist attack. "The policing watchdog, in consultation with MI5, will now carry out a review to boost protection of the site, to prevent a “terrorist spectacular”." The journalist casually mentions: "An al-Qaeda cell caught plotting to blow up jets in 2006 also had nuclear sites on its hit-list." I would have thought that 'nuclear sites' (presumably meaning nuclear generators as in this case) were rather low on the terrorist hit list, given the preponderance of much softer yet equally high profile cr...

Physical security issue leads to 35,000 privacy violations

InAudit reports that: "Grupo Santander, a banking firm based in Spain, has reported to the Financial Services Authority (FSA) a system glitch with its printers that led to the distribution of 35,000 bank statements to wrong recipients, risking millions of pounds in fine for the data breach." Whether this would be classed as a physical or IT or privacy incident is a moot point: there were elements of all three.  Arguably it might even represent the failure of integrity checking on the mainframe or printing subsystems that should perhaps have identified and blocked the duplication of 35,000 records. Banks generally take care over physical security - after all, it has been core business for them for centuries.  However when it comes to sending confidential information to customers, they still rely heavily on the ordinary post.  New credit and debit cards, for example, are commonly sent out by post but the recipients are normally required to acknowledge receipt in order to a...