Posts

Showing posts from July, 2013

Hacking awareness

We have just published a security awareness module on hacking and cracking. It was an interesting challenge to write on such a technical topic without either losing most of the audience in the technobabble, or perhaps giving them the keys to the kingdom by teaching them how to hack. We've carefully trodden a fine line this month. I'm particularly pleased with the quiz. We typically offer deliberately open-ended quiz questions to encourage people to discuss the topic in some depth for the most beneficial learning experience, preferably in a social setting. Having struggled for a while, a sudden burst of inspiration led me to base the hacking quiz on hacking the quiz. The question is essentially "If you were so inclined, how would you cheat at this quiz?" I can just picture a bunch of slightly inebriated teams having a lot of fun with that deceptively simple idea. By the way, what do you think of our word-art padlock graphic? It's one of the poster images in ...

SMotW #67: No. of unlicensed software installations

Security Metric of the Week #67: number of unapproved or unlicensed software installations identified on corporate IT equipment

This is a simple compliance metric, a count of inappropriate or pirated software installations discovered on the network. Using software to audit the network, the base data are easy enough to gather once the data collection clients are in place, although reconciling the automated findings against license records is a different matter unless the organization has a strong license management system. That in turn requires a strong culture of compliance with corporate policies and procedures concerning the correct procurement and licensing of software and updating the license database accordingly ... which is probably one of the key goals for this metric, supporting the more obvious and direct objective to crack down on unlicensed software. When considering the merits of this metric, ACME Enterprises Inc. was not in a particularly strong position with re...

Cyber risks up, according to Lloyd's survey

Lloyd's Risk Index 2013 is getting a fair bit of coverage in the information/IT security press since it ranks cyber risk the third most significant business risk this year, up from twelfth and nineteenth places in 2011. It is lower than the risks of high taxation (which I guess refers to the political risk of higher tax rates being introduced, since current tax rates are known and have a probability of close to 1) and loss of customers (which is of course bad news for any business in terms of the impact, and is more likely when times are hard). The following chunk caught my eye within page 11 on cyber risks: "According to a report published in April 2013 by the Insurance Information Institute, employee negligence is responsible for 39% of data breaches, system glitches for 24% and malicious or criminal attacks for only 37%. That leaves nearly two-thirds of incidents caused by issues which should reasonably be within a business' control." It's not entirely clear what they mean...

SMotW #66: organization's financial health

Information Security Metric of the Week #66: the organization's economic situation

An organization that is in dire straits, financially, is essentially forced to dig in, concentrating its remaining resources on sheer survival. As such, it is likely to minimize its expenditure in all discretionary areas, including some (but hopefully not all!) aspects of information security. Cutbacks may be severe, creating a depressing atmosphere that leads to the best people leaving, hastening the vicious downward spiral. Conversely, an organization that is riding high, financially, is likely to have its infrastructure well in hand with enough cash left over to invest in whatever people and projects management sees fit to support. Proposals to refine its information security arrangements towards best practice are far more likely to gain support in this situation, while it is more likely that the organization can afford the quality of people to make things happen. So, at this s...

PRAGMATIC Security Metric of the Quarter #5

Example Information Security Metric of the Fifth Quarter

The PRAGMATIC scores for another 3-months' worth of information security metrics examples are as follows (the Score column is the mean of the nine P-R-A-G-M-A-T-I-C ratings):

Example metric                                                              P   R   A   G   M   A   T   I   C   Score
Information access control maturity                                         90  95  70  80  90  80  90  85  90  86%
Security policy management maturity                                         90  95  70  80  88  85  90  82  88  85%
Number of important operations with documented & tested security procedures 95  96  91  85  95  84  62  90  60  84%
Information security budget variance                                        70  90  85  77  80  77  80  90  95  83%
% of information assets not [correctly] classified                          75  75  97  85  90  80  80  80  80  82%
Policy coverage of frameworks such as ISO/IEC 27002                         70  75  90  69  85  76  72  65  85  76%
% of policy statements unambiguously linked to control objectives           92  91  64  60  85  65  45  75  75  72%
Rate of change of emerge...

SMotW #65: information access control maturity

Security Metric of the Week #65: information access control maturity

Controlling access to information - permitting authorized and appropriate access while denying or preventing unauthorized and inappropriate access - is undeniably a core concern in information security. It's pretty much all that old-skool IT security tried to achieve in terms of controlling access to data. Back then, the overriding concern was confidentiality. These days the scope of our activities is much wider. Restricting access to information remains important, but we also appreciate the need to disclose and use information where appropriate. A data file locked away in a high security vault is certainly confidential, but in most cases there's not a lot of point denying it to third parties unless we can use it (i.e. it is available to us as and when we need it) and unless it is sufficiently accurate, trustworthy, complete and up-to-date (the integrity property). If management e...

SMotW #64: patching policy compliance

Security Metric of the Week #64: patching policy compliance

The idea behind this metric is to compare and reconcile the actual software patching status of corporate IT systems against the corporate policies and procedures on patching and vulnerability management. Clearly the details of the comparison and reconciliation depend largely on precisely what the policies and procedures demand, while the assessor (metricator) may be somewhat selective in assessing compliance. So-called vulnerability assessment tools, for instance, typically search systems for installed software, determine the versions installed, then look up a database of known latest versions to see whether the software is up to date. The process is almost entirely automated, making it quite cheap and easy to run ... but Acme's corporate policies and procedures require rather more than just "Always install the latest versions of software", such as: Acme must maintain a database of installed software on all co...