Posts

Showing posts from May, 2012

Insidious insiders

We are in the process of delivering next month's security awareness materials on Insidious Insiders. This topic has turned a shade darker since we last covered it, thanks to a number of research studies and warnings from the likes of CERT and the FBI indicating to us that insider threats are escalating. If you've caught the news this week, you probably saw the unfolding drama at the Vatican concerning leaks of confidential internal matters to the Italian press and allegations that the Pope's butler was involved. So much for trust and ethics as security controls! If your organization relies heavily on the trustworthiness and ethics of insiders, perhaps it's time to dust off your insider threat analysis and review where you really stand. For a few years now, the news media, researchers and various official sources have been consistently playing up the use of industrial espionage by China, in particular, although I'm quite certain that China is not the only bad bo...

SMotW #8: Corporate security culture

Security Metric of the Week #8: measuring the organization's security culture. Culture is such a simple word for such a huge amount of complexity and ambiguity. Fostering a 'culture of security' within the organization sounds like an excellent idea, but it's a lot easier to say than to do. Perhaps metrics can help drive things in the right direction? Culture can be measured in various ways ranging from informally observing and describing things, through to scientific research methods used in sociology and psychology. Common surveys fall in the middle somewhere: their Accuracy depends on how well they are designed and conducted. The Independence of the surveyors is another factor: using a specialist team of competent, scientifically trained, professional assessors is an option but will dramatically impact the Timeliness and Costs, compared to using internal auditors and students. Self-administered intranet surveys may be the way ...

SMotW #7: Logical vs physical access discrepancies

Security Metric of the Week #7: Discrepancies between physical location and logical access location Correlating records (log entries) between physical and logical access control systems will often reveal curious discrepancies, such as someone logging in remotely (e.g. from home, a remote office or via the Interweb) whereas their staff pass has recently been used to access the office locally.  Did they shoot home from the office, without swiping their pass on exit?  Have they loaned their staff pass or login credentials to someone?  Has someone duplicated their staff pass or hacked their network credentials?  Or are they for some reason logging in at the office through a 3G or other mobile network, instead of using the conventional LAN cable dangling out of the wall?  Correlating the logs to find such discrepancies may or may not provide more specific answers to questions of this nature, depending on how much information is available and how reliable it i...

SMotW #6: Policy coverage

Security Metric of the Week #6: Information security policy coverage. Corporate information security policies don't normally exist in splendid isolation but to some extent build upon internal and external sources such as: identified information security risks (threats, vulnerabilities and potential impacts) or issues of concern to the organization; other policy statements and/or other requirements mandated by management; security-relevant compliance obligations imposed by applicable laws, regulations, contracts, agreements, moral codes etc.; good practice security advice from public information security standards, models and frameworks such as ISO27k and the NIST SP800-series, plus the vendors of IT systems and software, consultants, textbooks, industry advisories etc., plus of course the advice of competent and experienced employees (e.g. IT audit, risk management and information security professionals). This week's example metric therefore seeks to measure coverage of...

Another email scam

An email appeared out of nowhere in my inbox today with no message content, just a very long subject line and a dodgy attachment. The subject reads: "This mail was intended to you only because your surname seems similar to my late client. A client in our Bank died Five Years ago leaving behind Capital amount {US$17.5M}Read the attached copy and get back to me.Thanks Spencer Clayton". It's hard to believe anyone would still fall for such a lame attempt at social engineering, but I guess there's a sucker born every minute.  

PRAGMATIC metrics from security surveys

Like most of its kind, the latest information security breaches survey is stuffed with security-related statistics (metrics), mostly used to identify issues, compare trends relative to previous surveys and to contrast responses between certain categories of organizations.  Some of them could potentially be adapted for use as security metrics within one organization, but which (if any) would make worthwhile corporate security metrics?  The PRAGMATIC method gives us a rational way to address the issue. Suppose, for example, that management is concerned about the organization's security policy - or rather its policies since there are several in fact.  Maybe there is a general feeling that, although the policies are formally written and mandated, employees are paying scant attention to their security obligations.  Are there any metrics in the breaches survey that we might use or adapt for internal corporate use? The breaches survey tells us on page 6: "Possession of a s...

SMotW #5: Accounts per employee

Security Metric of the Week #5: ratio of number of IT system accounts (user IDs) to number of employees  The mean number of IT system accounts or user IDs per employee is one measure of how well an organization controls the issue, maintenance and withdrawal of IDs, which in turn is an indicator of its maturity towards IT security.   If user IDs are essentially unmanaged, they are created on a whim (implying a lack of control over the privileged IDs needed to create IDs) and seldom reviewed or removed, even when employees change jobs or leave the organization.  Over time, the number of redundant (no longer required) IDs builds up, creating further issues such as the possibility of IDs being re-used inappropriately, and difficulties reviewing and reconciling IDs to people due to the amount of junk. If they are well managed, all user IDs have to be justified and linked to individual people performing specific roles.   Effective user ID administration processes e...

The value of awareness

This year's UK information security breaches survey is, as always, a useful source of statistics concerning how real-world organizations are dealing with information security. It is also, as always, a depressing read for those of us promoting good security practices, particularly (in my case) ISO27k and human factors. So, 44% of organizations gave additional staff training after their worst breach - presumably they realized that their existing training (and awareness?) activities were lacking. But what of the other 56%: they either thought their training (and awareness?) was OK (wishful thinking?), or it didn't even occur to them that they might need reinforcement. 26% of organizations "believe" their staff have a very good understanding of their security policy. Bravo! However, I can't help but wonder how many of those actually have data to support their belief. How many of them have the metrics to know? And what of the remaining 74% of organi...

Trusting Bruce Schneier

Yesterday I was in Wellington to see Bruce Schneier speak about his latest book, Liars and Outliers. For about an hour, he discussed the concepts covered in the book: security exists to enable us to trust each other (both individually and institutionally), where 'trust' is a complex issue; in addition to morals, reputation and legal controls, security gives society some control over those who behave selfishly, furthering their own personal interests rather than those of society as a whole, helping to stabilise societies; and real life is far more complex than this implies - for instance, individuals belong and have allegiance to multiple overlapping "societies", e.g. family, groups of friends and colleagues, organizations, nations, cultures and professions. It will be interesting to read whether the book discusses the fragility of many human societies, for instance the looting that commonly occurs when civil disobedience leads to rioting. Many of us are evidently pre...