Posts

Showing posts from June, 2014

Physical security awareness module

Within the past decade or so, the practices of physical and information security have been quietly converging. Adequate physical security is a prerequisite for information security, and vice versa given that modern security and building management systems handle confidential safety- and business-critical data. Furthermore, the true value of information often far exceeds that of other corporate assets, marking a shift in the nature of the things being protected. Historically, however, the physical and information security domains have been largely independent of each other, separately driven by their respective experts. The time is ripe to dissolve what remains of a boundary, align the functions, and make the most of the combined expertise – and perhaps start working towards further integration with related functions such as risk management and compliance. What makes ‘adequate physical security a prerequisite for information security’? Well, consider the implications of, say, an adversa...

7 awareness lessons care of Ponemon & NIST

I listened in on a webinar this morning, sponsored by an application security company with a brief contribution from a PCI rep ... but mostly it was Larry Ponemon discussing the findings of a recent Ponemon survey "The State of Information Security Awareness: Trends and Developments". Let me clear something up for starters: despite the title, the Ponemon survey specifically concerned PCI-DSS security training. This was a sponsored survey. If you read the Ponemon survey report right to the end, you'll find an appendix stating the actual questions asked, revealing the strong bias towards PCI and hence awareness/training as a compliance issue. I have discussed vendor-sponsored surveys before on the SecurityMetametrics blog. Larry constantly muddled up 'training' with 'awareness', and it appears the survey did too, perhaps betraying a fundamental lack of appreciation of the differences. These are in fact different activities with distinct if relate...

Another day, another survey, another ten failures

An article in an eZine concerning a security survey by PwC, sponsored by Iron Mountain, caught my eye today because they offer to benchmark respondents against others. So, purely in the interest of metrics research, I had a go at the benchmark tool. First of all, the tool asked me for an email address without explaining why. Fail #1 (see also #6 below). Thankfully, the email address validation routine is easily fooled. Fail #2 (or possibly Success #1 depending on one's perspective!). Next the survey asked about 20 questions, mostly lame and some badly worded. There is no explanation about why those 20 questions have been selected. They address only a small part of information security. Fail #3. All 20 questions have the same set of 4 possible multiple-choice answers, even though the stock answers don't cover all possibilities and don't even make sense for all the questions. The survey design is poor. Fail #4. At the end of the survey, I was presented with a compa...

IT saboteur lands 4 years in the clink

A network engineer who sabotaged his employer's systems has been sentenced to 4 years and ordered to pay about half a million dollars in fines and restitution. "In June 2012, Mitchell found out he was going to be fired from EnerVest and in response he decided to reset the company's servers to their original factory settings. He also disabled cooling equipment for EnerVest's systems and disabled a data-replication process." Sabotage is an emotive word for an information security risk that - in my experience - isn't sufficiently considered, but then insider threats as a whole have historically been discounted or ignored. During the past year or three, the relentless onslaught of massive banner headlines and shocking TV news reports on the insider incidents involving Snowden, Manning and others finally appears to have registered with the decision makers, so at long last we are starting to see insider risks and controls being explored in risk workshops and policy meetin...

Say that again - in English this time

"Effective security is every bit as much about leadership and organizational culture as it is about encryption and authentication. Nowhere is this more true than in dealing with the insider threat. And the C-suite is where organizational culture is generated and the overall tone set … much more so than the CISO’s office. Think about it: where are the company secrets discussed the most? On whose laptops and mobile phones are they stored? Where are spearphishing attacks commonly directed? However, because of the factors noted above, the C-suite is the place where, more often than not, internal security gets swept under the carpet." Tom Wills' blog piece focuses on internal threats, fair enough, but I maintain that the benefits of security awareness among senior management extend well beyond that domain. A security-aware management team: Demonstrates true leadership in this area, motivating and guiding the rest of the organization to manage risks to the organization's i...

Security metrics books

Dell security analyst Ben Knowles has reviewed and compared four information security metrics books: Andrew Jaquith's Security Metrics (aka "the Treefrog book"!), Caroline Wong's Security Metrics, Lance Hayden's IT Security Metrics, and ours, PRAGMATIC Security Metrics. Ben's comments are sound: while these books present differing perspectives and messages, all four have merit. We discussed the first three books (and more) in the literature review in PRAGMATIC Security Metrics, and on SecurityMetametrics.com

Family resettlement to Australia (419)

I've seen many 'apply for your green card' US immigration advance fee fraud/419 spams before but this is the first one I've noticed using an Australian visa as a lure: "Attn: You have been selected for family resettlement to Australia, you are among the list of nominated for 2014 resettlement visa to Australia from our head of mission and we have granted your resettlement on the condition that you meet some basic requirements. Please confirm if you receive this notice, then send us email so that we can give your requirements. Start Now: Family Application - Immigration Assessment to Australia We look forward to providing you with professional and personalized immigration support to Australia. Should you required more information, please do not hesitate to contact us and we guarantee a prompt reply. Our Regard, Hon. Thomas Smith AUSFIS - Certified Immigration Experts" As usual, there are several clues as to its lack of integrity, the unsolicited invitation and poor gramma...

Database security awareness

Generally speaking, our most important IT systems are databases. Aside from the obvious - and business critical - corporate databases such as the General Ledger and Customer Database, other examples are myriad lists, inventories and semi-structured information collections, some of which are not even computerized. Phone books and contact lists on cellphones and tablets are databases, while many of us maintain databases of documents, spreadsheets and other files in the cloud. Speaking personally, my to-do list scribbled on a handy scrap of paper is an important reminder for me: if I lose it, it’s hard for me to recall what was on it, so to some degree information security is important even for that!