Posts

Showing posts from July, 2011

Disclosing our sources

These are some of the key resources we use routinely to find out about and learn from information security incidents: Google, of course.  We search often using the Google toolbar in our browser.  We have learnt to craft more effective queries by exploiting Google’s search syntax including the advanced search functions.  Google Alerts are a helpful way to trawl the Web daily for specific news and tidbits relevant to the monthly topics, especially since we discovered how to integrate alerts into our RSS/blog reader … Google Reader is, currently, our RSS/blog reading weapon of choice.  Have you spotted the not-too-subtle pattern here?  Google rocks!  Hyperlinks embedded within other sources. Blogs, particularl...

Learning from information security incidents

Information security incident management processes are meant to help the organization contain and recover more efficiently from incidents.  Well-designed processes also enable the organization to understand the risks that materialized, analyze and identify the root causes, and make improvements to the security controls in order to reduce the risk of further incidents. The School of Hard Knocks is an effective but rather brutal institution.  We can certainly learn from the information security incidents we suffer directly, but they can be costly - devastating even.  The worst can literally threaten the organization’s survival.  Hard knocks indeed!  The awareness materials this month extend the idea of learning from our own information security incidents to take in lessons from incidents affecting third parties.  The idea is to gain the knowledge without actually suffering the adverse impacts of information security failures.  It’s obvious when yo...

On being 'secure enough'

Security Week invites readers to complete a checklist/questionnaire to figure out whether their security awareness programs are "good enough".  I was pleased to rate myself in the top-scoring category: "If you scored 55 or more “yes” answers, you already know this stuff and have yourself under control. You could probably be teaching other organizations how to design and implement security awareness programs. You have a well-defined and executed program that pretty consistently exceeds standards of due care. Maintain your program and stay vigilant on quality updates." Well yes, in a sense I am 'teaching other organizations how to design and implement security awareness programs' through our awareness service so the high score is to be expected. In fact, we deliver rather more than the checklist requires*, but it got me thinking about whether it is realistic to expect our customers, or indeed less fortunate organizations :-) to adopt all the awareness practic...

Unclassified but still worth protecting

An unusual news item in the Federal Times says that the US DoD is proposing to impose information security requirements on defense contractors regarding unclassified information, supplementing those for classified information.  The article goes on about blurring the distinctions between classified and unclassified information, and claims the compliance costs across the industry will be enormous, but if so I'm puzzled at the implication that such information is not already being adequately protected by contractors.  Surely any organization that handles classified military information is well aware of information security risks and controls, so I would be very surprised if unclassified information is as insecure as the journalist suggests.

Cross site scripting made simple

A well-presented video tutorial from the OWASP team explains in simple terms how one form of XSS - cross site scripting - works. XSS is a bit tricky to explain.  The video makes good use of graphics to put the message across, without getting too technical. If you are a web developer, you should be well aware of XSS, in sufficient depth to know how to prevent this form of attack on visitors to your websites.  The tutorial barely hints at the technical controls needed but future editions will go into more depth.  Meanwhile, the excellent OWASP site includes lots more information and even some code snippets to give you a head start on securing your site.
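To make the point concrete, here is an added example (my own code, not taken from the OWASP video or from the OWASP site) of the most common XSS shape, reflected XSS: a page that echoes a user-supplied value back into its HTML. The function names `renderGreetingUnsafe`, `renderGreetingSafe`, `escapeHtml` and `containsScriptTag` are illustrative, and the `PROBE` string is a constructed, textbook test input rather than a payload from any real incident.

```javascript
// Added example, not code from the post or from OWASP. The "name" argument
// stands in for a URL query parameter that the page echoes back to the
// visitor, which is the classic reflected-XSS situation.

// Vulnerable: user input is concatenated straight into the HTML response,
// so any markup in "name" is interpreted by the visitor's browser.
function renderGreetingUnsafe(name) {
  return `<html><body><h1>Hello, ${name}!</h1></body></html>`;
}

// Hardened: every character with a meaning in HTML text or quoted-attribute
// context is replaced by its entity before the value is placed in the markup.
// The ampersand must be handled first, or the entities produced by the later
// replacements would themselves be re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

function renderGreetingSafe(name) {
  return `<html><body><h1>Hello, ${escapeHtml(name)}!</h1></body></html>`;
}

// Crude check used only to show the difference between the two renderers:
// does the output still contain a raw <script> tag? A real test would load
// the page in a browser and watch for script execution.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: a generic reflected-XSS probe, labelled as such.
const PROBE = '<script>alert(document.cookie)</script>';
```

Calling `renderGreetingUnsafe(PROBE)` returns a page in which the probe's script tag survives intact, whereas `renderGreetingSafe(PROBE)` returns it as inert text (`&lt;script&gt;...`). Two caveats a developer should keep in mind: the entity encoding above is only correct for values placed in HTML text or inside quoted attributes, and a value inserted into a JavaScript block, a URL or a CSS rule needs the encoding appropriate to that context instead; and output encoding is the primary control, with input validation and a Content Security Policy acting as defence in depth rather than substitutes.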

You have the right to remain silent ...

... while we force you to enter your passphrase into your computer to decrypt the data potentially comprising or incriminating evidence. According to the CNET article: "Prosecutors stressed that they don't actually require the passphrase itself, meaning Fricosu would be permitted to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding 'the password to the drive, either orally or in written form.'" The ramifications of governments 'allowing' 'ordinary' 'citizens' access to strong encryption are many and varied. What if citizens have the nerve to protect information which they consider highly confidential but which the government desires to access? Of course the government has the resources to try to defeat the cryptosystem, whether by brute-force attack or cryptanalysis. It also has the resources and means to attempt to steal passphrases using Trojans or o...

Changing the culture of an entire industry

Engendering a culture of security is something we normally talk about in relation to organizations and parts thereof (for example, changing the culture within management or within the IT department).  I'm sure that most people who have actually tried to do this would agree that it's a tough challenge.  It's not even entirely obvious how to define, let alone influence or change, corporate cultures. It's one of those things that is easier to say than to do. OK, now imagine your task is to engender a culture of security across a massive public body - like, for example, the UK's National Health Service.  According to a piece in SC Magazine, the Information Commissioner is calling for changes in the NHS: “The sector needs to bring about a culture change so that staff can give more consideration to how they store and disclose data. Complying with the law needn't be a day-to-day burden if effective measures are built in and then become second nature." Actually, t...