Posts

Showing posts from June, 2011

Background checking the background checkers

If your organization conducts background checks on candidates prior to employing them into roles involving access to highly classified information, or when promoting employees to more responsible and trusted positions (good on yer!), your security probably depends heavily on those checks and hence on the checkers. Given the risks inherent in the process, you should definitely ensure that the process controls are adequate. For example, if you outsource your background checks, is the outsourcer competent and diligent? Do you need to check up on them? If so, how, and how often, should you check? Who, within your organization, is accountable for the quality of the checks and for any security incidents that result if the checks prove inadequate? I'm asking these questions because it has been known for background checkers to falsify evidence of the checks they are supposed to have conducted. Incidents of this nature are hard to uncover, expensive to investigate ...

Information protection awareness module

Our security awareness topic for July is "information protection", a deliberately nonspecific title covering a wide range of subjects such as: ownership and accountability for information assets; classification and baseline security.

Queensland Government security audit

Writing in the Courier Mail, journalist Mike O'Connor takes a particularly cynical view of the Auditor-General's latest official report into information systems governance and security at the Queensland Government: "IF YOU ran a business that spent $1.5 billion a year on information technology systems that contained highly sensitive, confidential data, then you would very likely take care that you were getting your money's worth. You might also ensure the best-practice security systems were in place and that your staff knew what to do and how to do it. The Queensland Government, however, takes a more relaxed approach to the value it gets for its $1.5 billion, one best characterised by those two delightful Australian synonyms for incompetence and ineptitude, "She'll be right'' and "No worries''." The audit report identified issues such as: Weaknesses in the overall governance of IT; No clear business owners for whole-of-gove...

Epsilon and ISO27k

A report by Jeanette Fitzgerald, Epsilon Data Management's General Counsel, to the U.S. House of Representatives' Committee on Commerce, Manufacturing, and Trade outlines the sequence of events involved in the Epsilon data breach on March 30th that compromised names and email addresses on the mailing lists of about 50 Epsilon clients. Epsilon's business is to provide the infrastructure enabling massive email marketing campaigns for its clients. While that may sound to some rather like legitimized spamming, Epsilon refers to it as "permission-based marketing" since recipients supposedly opt-in to the campaigns (albeit perhaps by failing to deselect the relevant option hidden deep in some marketing materials or during an inquiry or sales transaction) and have the ability to opt-out later. The hackers and scammers now in possession of the stolen personal information are unlikely to respect opt-ins or opt-outs however. There have been gloomy predictions of spea...

Messaging under repressive regimes

The New York Times has reported on a state-funded US program to help 'dissidents' establish covert wireless networks and Internet connections without relying on the government-controlled facilities. There are significant risks with such a venture, including the political issue of being seen to support subversion and destabilization of foreign governments: "Mrs. Clinton has made Internet freedom into a signature cause. But the State Department has carefully framed its support as promoting free speech and human rights for their own sake, not as a policy aimed at destabilizing autocratic governments. That distinction is difficult to maintain, said Clay Shirky, an assistant professor at New York University who studies the Internet and social media. “You can’t say, ‘All we want is for people to speak their minds, not bring down autocratic regimes’ — they’re the same thing,” Mr. Shirky said." Another risk concerns the creation of 'dual use technology' that c...

£40k emails

Emailing confidential personal data to the wrong addressees cost Surrey County Council a fine from the Information Commissioner's Office of £40k ... for each of the three times it happened in less than a year. Somewhat belatedly, the council said: "Measures have already been taken to reduce the risk of sensitive personal data being wrongly addressed and extra training on handling data securely has been given." If only they had done that before the first incident!

Tackling social engineering attacks with technology

Spear-phishing email attacks are a serious concern, a risk that is probably increasing. The attacks work by fooling victims into doing something inappropriate/unwise, such as visiting a dodgy website or opening a dodgy attachment. 'Fooling victims' is the crux of it, and email is just one of many possible ways of perpetrating the fraud. The 'spear' part of the name refers to messages that narrowly target specific individuals, using information about them or their interests to hook them. The most obvious way to tackle the spear phishing threat is to explain it, help potential victims limit the amount of potential lure material they release, recognize when they are being speared, and show them how to respond. Security awareness in other words. It's what we do. Anti-malware is another part of the defense, along with various other security controls to limit the damage after a victim is fooled. And now, if you have $130-150k to spare, you can even buy an "applianc...

Creative ways to tackle spam

A research project at UCal has determined that just three credit card processors are responsible for processing most credit card purchases responding to a sizable sample of spam advertisements, suggesting the possibility of persuading them to block purchases associated with spam campaigns. While I like their creative approach to this intractable problem, I can see some issues with the proposal. First, someone would need to identify the transactions corresponding to spams, differentiating them from transactions for the same or similar goods that are not the result of spamming. Secondly, they would need to persuade the processors to block the transactions, presumably cutting their fee income in the process. Thirdly, the spammers seem likely to respond to such an attack, for example by diversifying their card processing, so it would turn into a cat-n-mouse chase. That aside, the article includes some interesting spam stats: "Spam has proved notoriously difficult to defeat...

Spear phishing awareness

"Targeted emails that tempt a user to click a hyperlink are among the most prevalent methods of infecting computers with malware or of stealing information," Top Layer's Paquette told TechNewsWorld. Spear phishing is all over the infosec news at the moment, with Google disclosing spear phishing attacks against Gmail users, and then various infosec/antivirus companies following up with stories about phishing attacks on other webmail users. The truth is that spear phishing has been around for several years, and it is known to be effective using all forms of email and in fact other messaging systems, not just webmail: the common factor is that the recipient is a human being. How they get the message is irrelevant. Even a note on the windshield would work. The really worrying part is that some of the attacks are almost certainly so stealthy that victims don't even know they have been hit. Colour me paranoid ("You're a paranoid infosec freak, Gary!!...

ISO27k gap analysis

Thanks to contributions by generous members of the ISO27k Forum, today we published an Excel file containing two spreadsheets: one concerns the gap between the organization's security management practices and those formally specified in ISO/IEC 27001. The other concerns which of the information security controls recommended by ISO/IEC 27002 management deems relevant to the organization's risks. For anyone designing and implementing an ISO27k-compliant Information Security Management System, both aspects are of interest. Both spreadsheets incorporate simple unweighted counts of the number of items in each category (i.e. management system requirements fully, partially or not implemented, and information security controls fully, partially or not applicable). Despite being so simplistic, these are surprisingly useful metrics for ISO27k implementation projects. The Excel file is part of the free ISO27k Toolkit. Enjoy!

Giving employees an uphill battle

A blog piece by David Lineman emphasizes the importance of having explicit corporate policies regarding private/personal use of corporate IT facilities. David outlines three cases in which employees claimed that their emails were private, even though they were using the company systems and network. His conclusion is straightforward enough: "All of these cases have happened within the last year, and they are likely to continue. The message for employers is clear: You must have acceptable use policies that cover internet and email, including the use of personal email accounts. In every case, employees had an uphill battle when there were policies in place." I would add two things. Firstly, email is not the only issue here - as well as using the corporate email systems for personal reasons, employees often use the ICT facilities to access their webmail, and for SMS/TXT, IM, ICQ and other forms of person-to-person messaging. Our model policy on person-to-person...