Know your enemy

Paraphrasing the key conclusions of Organised Crime in the Digital Age, a study into digital crimes by BAE Systems Detica and the John Grieve Centre for Policing and Community Safety:

• Digital crimes are superceding drug crimes.
  
  
• 80% of digital crime is conducted by organised groups rather than lone criminals.
  
  
• Group structures vary (clustered, hierarchical etc).
  
  
• Two thirds of organized digital criminals are over 25.
  
  
• The median size of groups is 6 members, while one quarter are 11+.  However, even small groups can inflict significant damage.
  
  
• A quarter of active groups are new (in operation less than 6 months).
  
  
• Traditional criminals are increasingly using digital tools/techniques 

There are implications for governments and the police, naturally, but also perhaps for the potential targets/victims of organised e-crimes and those whose services are being used by them - particularly social media and financial services.  However, it's far from obvious (from the summary report anyway) how to respond.

Office security awareness

Offices are where most knowledge workers do our thing – it’s where we hang out, creating our stuff, pushing papers, processing information.  We mostly take our space for granted but have a quick look around at your own workspace.  Is your cubicle a paragon of security?  Everything neat and tidy, all sensitive information safely locked away while not actually in use?  Or is it more like mine - a mess, a dumping ground for all manner of paperwork, computer equipment and media?  Do you eat lunch “al desko”, dropping crumbs in the keyboard?  How many times have you spilt coffee and gummed-up your mouse?  Or is it just me?

Rather than inhabiting the rat-run that is the average corporate office block, maybe you are one of the growing band of road-warriors and home workers.  Your office may be a spare room, an Internet café or airport departure lounge, or a laptop and cell phone in a car, hotel room or rent-by-the-hour serviced office space.  

Perhaps you are a nurse or a factory worker, using a shared workstation tucked away in a corner somewhere.  The location and type of office does of course affect the nature and significance of the security risks, but through the office security awareness materials this month we emphasize the common factors and generic security controls that apply to most.

Business continuity example

Here's a neat illustration of the different elements or phases of business continuity management in action.

When the standby generators failed during a power cut, surgeons in a Canadian hospital completed an operation by flashlight, M*A*S*H-style.

The power grid is designed for, and in fact generally achieves extremely high levels of, resilience. As a whole, it is a well-engineered high availability system and a massive investment for Canada.

The first standby generator is a recovery mechanism for the hospital.  It takes over when the grid fails.

The second standby generator is a further recovery mechanism.  It's not entirely clear from the article whether the second generator is run in parallel wth the first, sharing the load, or a full-capacity system available as a backup if the first fails. 

The flashlights located around the hospital, along with the willingness of employees to remain focused on getting the job done and do whatever it took, despite the adverse circumstances, are contingency arrangements. They demonstrated resourcefulness in the absense of resources.

Sure, they need to look at the generator failures (reportedly they overheated, which implies either inadequate cooling or more likely overloading - a common problem in this IT-enabled age) but the contingency arrangments saved the day. The article doesn't specifically mention UPSs which are another resilience option to maintain critical electrical supplies such as life support systems, along with battery-powered emergency lighting, but I suspect that's just the journalist's oversight. The UPSs would need to be generator-backed in any case to cope with extended grid failures, so the genny failures would have been a problem anyway.

Physically securing your smartphone

A short item on the Symantec blog introduces a 'honey stick'-type experiment with smartphones.  The project, part of the honeystick initiative, abandoned 50 phones in public places in US and Canadian cities and tracked their use (using 'phone home' type dummy apps and GPS) to see what happened when they were found.  Although half of the finders made some attempt to return them (good on yer!), nearly all finders snooped around on the phones.  Some finders might have been simply trying to establish ownership, others seem to have been exploring for sensitive information.  A few might have gone beyond simple curiosity.

Blogger Kevin Haley recommends three controls:

1. Use the screen lock feature ... 
   
   
2. Use security software ...
   
   
3. Make sure that the mobile devices remain nearby and are never left unattended ...

Fair enough though somewhat banale, but Kevin hints at another useful control in saying "It is also a good idea to make sure that they can differentiate their device from others that might be sitting in the immediate vicinity by adding distinguishing features, such as a sticker or a case."  So why not state your contact information (e.g. an email address or landline number, NOT your address or cellphone number!) on the outside of the phone case, and perhaps offer a reward for the finder to return the phone? That way, an ethical finder doesn't need to rifle through the contents to find the owner's details. Alternatively, polite instructions to "hand the phone in to the nearest police station" would work for some, leaving the police with the job of tracing the owner (not too hard if the loser knows roughly where the phone was lost, and calls the local police to log the fact).

The Symantec report, focusing more on corporate aspects, recommends policies and awareness - again, rather banale.

Best of all, don't lose your phone! Keep it physically attached to your belt or clipped in your purse, and avoid storing sensitive information unnecessarily on your portable devices. For example, the iPhone 4's heavily promoted ability to link and synchronize with your iPad and desktop has the nasty side-effect of significantly increasing the risk of your private and/or work information being compromised.  It may be cool but is it smart?

PS  Speaking as a scientist, I'm deliberately turning a blind eye to the methodology used in the study.  That it was sponsored by an antivirus company speaks volumes.

Book review: Asset Protection through Security Awareness

Provided you are not expecting detailed guidance on how to raise security awareness, this book gives reasonable introductory-level coverage of network/ICT security including a few aspects that are barely mentioned in some similar texts.

While the cover blurb refers to providing "a high-level overview of how to protect your company's physical and intangible assets ... [that] explains the best ways to enlist the assistance of your employees as the first line of defense in safeguarding company assets and mitigating security risks", the book is primarily concerned with network/ICT security: human factors and security awareness are covered but not in much depth.

The level of detail varies between and within chapters. "Diplomacy", "Interdepartmental security", "Physical security" and "Computer and network forensics" are not universally covered by network/ICT security books, making these chapters welcome additions. Emphasizing the human aspects of information security balances out the more IT/technical security content, although arguably leaving the technical side a bit light in places (e.g. there is not much about firewalls, and almost nothing about application security). This is not a detailed, highly technical book. The information security guidance is a little naive at times, and occasionally off-base. The style is not unlike a summary-level revision manual for CISSP or a similar information security qualification, laying out what ought to happen without much regard to the practicalities.

As an introductory or intermediate level text, the book is readable and a worthwhile introduction to the topic, if a bit patchy in its coverage and variable in depth. I would definitely recommend additional reading for information security professionals. For advice on doing security awareness, I unreservedly recommend Rebecca Herold's Managing an Information Security and Privacy Awareness and Training Program.  David Lacey's Managing the Human Factor in Information Security is strong on the human and cultural aspects of security, while for network/ICT/technical security I would suggest Ross Anderson's Security Engineering and books by CISCO and Microsoft authors. CISSP/CISM study guides such as the Official (ISC)2 Guide to the CISSP CBK and ISACA's CISM Review Manual are good all-rounders for students.

The book presently costs US$61 from Amazon.

Malware awareness materials released

Malware has been around since the Creeper virus of the early 1970’s and the Morris Worm of 1988.  Journalists refer to all types of malware (malicious software) as “viruses” but we prefer to distinguish actual viruses from worms, Trojans, spyware and other privacy-compromising software, logic bombs, ransomware, backdoors and trapdoors, rootkits and exploit kits. 

For those not already familiar with malware, that’s a bewildering list of nasties: through this month’s information security awareness materials (including a 5-page hyperlinked glossary), we patiently explain the nature of the malware threat and encourage employees to help the organization by reducing malware vulnerabilities.