Monday 30 June 2014

Physical security awareness module

Within the past decade or so, the practices of physical and information security have been quietly converging. Adequate physical security is a prerequisite for information security, and vice versa given that modern security and building management systems handle confidential safety- and business-critical data. Furthermore, the true value of information often far exceeds that of other corporate assets, marking a shift in the nature of the things being protected.

Historically, however, the physical and information security domains have been largely independent of each other, separately driven by their respective experts. The time is ripe to dissolve what remains of a boundary, align the functions, and make the most of the combined expertise – and perhaps start working towards further integration with related functions such as risk management and compliance.

What makes ‘adequate physical security a prerequisite for information security’? Well, consider the implications of, say, an adversary obtaining unfettered physical access to one or more of your organization’s IT systems. They might have stolen them, had them stolen to order, found them, or even bought them on eBay (it happens!). In the comfort of their office, workshop or laboratory, given enough time and resources, they and/or the data recovery specialists openly advertising their services can probably overcome all but the strongest logical security controls – and we know that even mil-spec data encryption is not invulnerable. ‘Rubber hose cryptanalysis’ refers to the use of coercion or torture to force someone to reveal their passwords or keys. If you believe that is too extreme for your adversaries (which is itself a value judgment concerning the severity of the threat: you could be wrong!), all manner of social engineering tricks and sophisticated technical attacks are conceivable, for instance examining decapped chips under an electron microscope or using sensitive power monitoring in side-channel attacks to reveal the encryption processes and/or keys employed by supposedly secure crypto-chips, or chilling the RAM with freezer spray to slow the decay of keys still held in memory after the power is cut (the so-called ‘cold boot’ attack).

When it comes to compromising the confidentiality of paperwork and other unencrypted data storage media, brief physical access alone may be sufficient. How long does one need to snap a photo of a computer screen, a commercial contract or a customer list on, say, a cellphone’s multi-megapixel camera? How many pick-pockets have come away with credit cards, staff passes, smartphones and tablets replete with personal and commercial information? Bag snatchers and muggers are as successful as ever, and doubtless some have learnt the value of targeting high-ranking politicians, celebrities and executives. 

Meanwhile, the average site security office has been dragged into the 21st Century with networked CCTV cameras, card-access pods and miscellaneous alarms feeding high-tech integrated security management systems. Facial recognition, once the domain of sci-fi and the intelligence agencies, is becoming accessible to anyone with the will and a few thousand dollars of unspent security budget – oh and by the way, audio recognition is a much easier challenge.

So, that's the backdrop for July's physical security awareness module. We've delivered over 130MB of content to subscribers - 3 seminars, several briefings, posters, a crossword, checklists, a board agenda, an FAQ, a quiz, a survey and more. What does your security awareness program have to say about physical security?  Bet you wish you had the time to prepare 130 megs of motivational material!

Friday 20 June 2014

7 awareness lessons care of Ponemon & NIST

I listened in on a webinar this morning, sponsored by an application security company with a brief contribution from a PCI rep ... but mostly it was Larry Ponemon discussing the findings of a recent Ponemon survey "The State of Information Security Awareness: Trends and Developments".

Let me clear something up for starters: despite the title, the Ponemon survey specifically concerned PCI-DSS security training.

This was a sponsored survey. If you read the Ponemon survey report right to the end, you'll find an appendix stating the actual questions asked, revealing the strong bias towards PCI and hence awareness/training as a compliance issue. I have discussed vendor-sponsored surveys before on the SecurityMetametrics blog.

Larry constantly muddled up 'training' with 'awareness', and it appears the survey did too, perhaps betraying a fundamental lack of appreciation of the differences. These are in fact different activities with distinct if related goals. The report said:
"It is not uncommon for companies with more complex training requirements to implement a hybrid program consisting of multiple delivery options which can include instructor-led courses, virtual instructor-led courses, recorded live presentations, static slide decks, and many others. Additionally, companies leverage newsletters, email updates, posters and other reinforcement assets to keep security in the forefront of their staff’s minds."
By 'hybrid program', Larry evidently means different forms of training, while awareness is dismissed as 'reinforcement'. I refer my learned friend to NIST SP800-50 Building an Information Technology Security Awareness and Training Program:



... and SP800-16 which states categorically:
"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate the job performance."
Larry also equated 'cybersecurity' with 'information security', but (as is so often the way) barely mentioned anything other than IT, data or technical security matters in practice e.g.:
"Focused awareness training can be developed using a tiered approach: all employees receive general content; the IT department receives a more technical layer; and the Web or Networking teams get even more specific material related to secure coding and/or the technologies they use."
The survey's findings are at the same time predictable and disheartening. Just under half of the organizations surveyed run a "formal" security awareness/training program (whatever that means), but it appears many of them deliver just one session per year lasting less than an hour .... presumably a single training course or seminar, quite likely a Computer Based Training session, and most probably compliance-driven e.g. for PCI-DSS. In other words, it's a sheep-dip exercise to tick the compliance box.

Current approaches are not well received:
"64% of survey respondents reported being less than fully satisfied with existing PCI-DSS security training"
Given the above, I am dismayed to hear that companies are spending between $10 and $100 or more per employee per year on such poorly-designed and received security awareness/training programs. That's more than just an enormous waste of money: having ticked the compliance box, management presumably thinks they are doing all they need to do, blissfully unaware of the opportunities and risks they are missing. Management's lack of understanding and engagement with the awareness program is itself a substantial constraint, a risk.

This is a chicken-and-egg situation, a.k.a. the hamster wheel of pain:
  1. Unless management is sufficiently aware, they struggle to assess the awareness and training proposals thrust under their noses.

  2. Inadequate approaches to security awareness and training do not properly address management's needs. Most completely ignore them.

  3. Management is none the wiser.

  4. Goto 1.
In a similar vein, and despite spending so much, only about one in five companies update their security awareness/training content more than once per year. The remainder, some of whom don't update the content at all, presumably view information security as static implying another fundamental failure. Hacking, malware and social engineering attacks are most effective when victims are blissfully unaware that they are being scammed or defrauded, particularly when the attacks are novel. Likewise with vulnerabilities that tend to be most exposed in the early stages, and business impacts that are not usually appreciated until after the fact. Failing to keep up to date with the rapidly-evolving information security risk landscape is another serious yet avoidable risk. As NIST put it in SP800-50:
"An organization’s IT security awareness and training program can quickly become obsolete if sufficient attention is not paid to technology advancements, IT infrastructure and organizational changes, and shifts in organizational mission and priorities. CIOs and IT security program managers need to be cognizant of this potential problem and incorporate mechanisms into their strategy to ensure the program continues to be relevant and compliant with overall objectives. Continuous improvement should always be the theme for security awareness and training initiatives, as this is one area where “you can never do enough.”"
To end, here are seven conclusions that I draw from this episode:
  1. If you think awareness is the same as training, read the NIST standards or Rebecca Herold. They are complementary approaches with distinct goals.

  2. Information security awareness needs to reach everyone in the organization who handles or has access to valuable information. It's not just an IT or technology issue.

  3. Information security is a dynamic topic, hence the awareness program must be kept bang up to date to avoid obsolescence.

  4. In order to secure their support and engagement for the awareness program and the broader aspects of information security, someone must make management security-aware. So start here.

  5. Information security professionals should make the effort to identify and assess modern approaches to security awareness and training before designing their programs, committing to particular approaches and pestering management for money.

  6. Management should expect the infosec pros to compare and contrast a wide range of awareness and training options, digging deep to determine what the proposed 'solutions' will actually achieve. Ask about the learning objectives and business outcomes. Demand a well-researched, well-written, cost-benefit-justified business case and pick out of it the metrics that will both measure and drive the desired results.

  7. Make what you will of sponsored surveys and webinars (and blogs!*). Don't swallow them whole. Recognize and adjust for the biases. Get your brain in gear!
Taking the 7th conclusion to heart, what do YOU conclude? Comments are open. Go right ahead. The floor is yours.

* To be fair, this very blog is sponsored by IsecT but I make no bones about that. Be honest, Larry, you're just the piper. Someone else called the tune - someone whose marketing budget paid for the study, someone whose business evidently centers on PCI training. Your calling this a "seminal study" is, frankly, laughable and does your credibility as a scientific researcher no favours.

Wednesday 18 June 2014

Another day, another survey, another ten failures


An article in an eZine concerning a security survey by PwC, sponsored by Iron Mountain, caught my eye today because they offer to benchmark respondents against others. So, purely in the interest of metrics research, I had a go at the benchmark tool.

First of all, the tool asked me for an email address without explaining why. Fail #1 (see also #6 below).

Thankfully, the email address validation routine is easily fooled. Fail #2 (or possibly Success #1 depending on one's perspective!).

Next the survey asked about 20 questions, mostly lame and some badly worded. There is no explanation about why those 20 questions have been selected. They address only a small part of information security. Fail #3.

All 20 questions have the same set of 4 possible multiple-choice answers, even though the stock answers don't cover all possibilities and don't even make sense for all the questions. The survey design is poor. Fail #4.

At the end of the survey, I was presented with a comparative "index score", in my case 41 (presumably 41%), along with a nasty day-glo bar chart and the following commentary:
"Your risk level is serious. Your score is well below the PwC recommended threshold, and it is only a matter of time before serious problems occur. Your business needs to take action now to improve information security and working practices. Read this report for further insight into your business risk and gain practical advice on how you can increase your index score and reduce your risk."
Our risk level is 'serious', eh?  Spot the scare tactics! FUD! Thanks to those 20 lame questions, they know next to nothing about our true situation, yet they presume to tell me we are "well below the PwC recommended threshold". Bloody cheek! Yes, we are facing various information security threats and have various information security vulnerabilities, and no, we have not implemented all the information security controls that might be appropriate for other organizations, but that's not the same as saying we are at serious risk. As my pal Anton would say, "Context is everything". Fail #5.

Next I was asked for yet more personal information in order to access the 'personalized report'. In reality, of course, this is clearly a marketing initiative so I know what they are up to, though again they don't actually say. Failing to explain why the information is needed conflicts with at least one of the OECD privacy principles concerning personal data collection and I think would be illegal under the privacy laws in most of the world outside the US. Fail #6.  

And again the data entry validation routines are weak. Fail #7.

The 'personalized report', "Your information risk profile", compares my score against "averages" (mean scores?) from the PwC/Iron Mountain survey in a PDF report. Generating the PDF on the fly is cool ... but the actual content is poor. The scope and purpose of the PwC survey are not stated in the 'personalized report', nor is the sample size or other basic information about the survey methods. The entire basis of the benchmarking is dubious, particularly if the PwC survey that generated the comparative data also used the lame 20 question multi-choice method. It's essentially meaningless drivel. Fail #8.

For no obvious reason, the 'personalized report' includes a page stating 4 "worrying facts", the first of which being "88% consider paper to be the biggest threat to information security". Eh? In all my years of information security risk management, I have NEVER heard paper being described as an information security threat. Paper is an asset usually of negligible value, although the information content on paperwork can be extremely valuable and a few, very rare bits of paper are priceless ... oh, hang on, Iron Mountain sponsored this survey, right. Ah yes, I remember, that's the same Iron Mountain whose archive facilities have suffered several serious fires including one recently in Buenos Aires. So much for their security credentials. It could be argued that Iron Mountain is "the biggest threat to [its customers'] information security"! Fail #9.

The 'key findings - your next steps' to the 'personalized report' kind of make sense in so far as they go, but bear no obvious relation to the benchmark, survey or the data.  Although for example I'm personally in favor of step 1 'Take it to the top - Get board level support by taking a strategic approach to information management', I'm also in favor of 'Don't run with scissors' and 'Don't smoke' which make about as much sense in this context. Fail #10.

As to the actual PwC/Iron Mountain survey, I encourage you to take a critical look at the survey report, and make of it what you will. Read past the annoying repetitive references to "the mid market" (which I think must be marketing-speak for medium-sized organizations) and the wrongly-labeled graphs. Set aside the spurious references to additional information and news headlines muddled in with the survey data, and the buzzwords-du-jour. Consider the "comprehensive questionnaire" of just 34 statements and the dubious statistics arising, and see what you have left.

Then read the report's disclaimer very carefully:
"This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it."
[PwC, I'm very disappointed in you. Your work on the UK DTI/BERR security surveys has been pretty good. Your consultants and auditors are generally competent and well-respected. What on Earth possessed you to get involved in this nonsense? Are you really that hard up these days?]

Thursday 12 June 2014

IT saboteur lands 4 years in the clink


A network engineer who sabotaged his employer's systems has been sentenced to 4 years and ordered to pay about half a million dollars in fines and restitution.
"In June 2012, Mitchell found out he was going to be fired from EnerVest and in response he decided to reset the company's servers to their original factory settings. He also disabled cooling equipment for EnerVest's systems and disabled a data-replication process."
Sabotage is an emotive word for an information security risk that - in my experience - isn't sufficiently considered, but then insider threats as a whole have historically been discounted or ignored. During the past year or three, the relentless onslaught of massive banner headlines and shocking TV news reports on the insider incidents involving Snowden, Manning and others finally appear to have registered with the decision makers, so at long last we are starting to see insider risks and controls being explored in risk workshops and policy meetings around the globe. We can't yet say whether there has been a genuine, permanent change in the risk tolerance levels though. Only time will tell. I'm conscious, for example, that the Terry Childs incident - big news when it happened back in 2008 - is already forgotten by most (nearly including me, by the way: I had to Google the incident to find his name!). 

Meanwhile, from a business perspective, we are relieved to see increasing interest in information security management as a whole but particularly security awareness, pre-employment screening, induction training and so on. As a long-time proponent of management-level security awareness supplementing the staff/general employee stuff, I'm delighted to see that approach going mainstream: if the 2014 CISM manual is to be believed, even sleepy ISACA gets it, at long last! I'm still fighting an uphill battle to persuade organizations to extend security awareness to their IT and other professionals though, and most of all to make awareness a continuous year-round activity, two ideas that are screamingly obvious to me, but what do I know? 

Personally, I think it is important that we, the professional information security community, milk every last drop of publicity value from all kinds of information security incidents and near-misses. Initiatives such as the Privacy Rights Clearinghouse and DataLossDB are doing a pretty good job of raising awareness of privacy breaches, while RISKS-List consistently reports on safety and other information/IT security issues (including the EnerVest sabotage story above: that's how it came to my attention). There are all manner of aggregation sites and blogs for information security, and of course a plethora of security product vendor sites pushing antivirus, firewalls and other must-haves. I've blogged before about security surveys: few may be statistically valid and directly applicable to your situation but most can at least be used to raise awareness of (some of) the risks we are facing, as well as helping us appreciate the risks.  Staying abreast of the news, picking up on significant and relevant stories, circulating and discussing them with work colleagues and using them to calibrate corporate risk decisions is one of our core duties as information security experts, just as necessary as our ongoing professional education.

Tuesday 10 June 2014

Say that again - in English this time

"Effective security is every bit as much about leadership and organizational culture as it is about encryption and authentication. Nowhere is this more true than in dealing with the insider threat. And the C-suite is where organizational culture is generated and the overall tone set … much more so than the CISO’s office. Think about it: where are the company secrets discussed the most? On whose laptops and mobile phones are they stored? Where are spearphishing attacks commonly directed? However, because of the factors noted above, the C-suite is the place where, more often than not, internal security gets swept under the carpet."
Tom Wills' blog piece focuses on internal threats, fair enough, but I maintain that the benefits of security awareness among senior management extend well beyond that domain. A security-aware management team:
  • Demonstrates true leadership in this area, motivating and guiding the rest of the organization to manage risks to the organization's information assets plus those in its care;

  • Understands the business benefits as well as the costs of security and hence is more likely to understand the risks and hence support appropriate, ongoing investment in information security;

  • Appreciates the value and purpose of strong governance, for instance treating security policies, metrics and compliance activities as worthwhile management tools rather than mere red tape;

  • Makes all manner of security- and risk-related decisions more rationally, discussing and weighing-up the pros and cons in full knowledge of the facts;

  • Takes a strategic, holistic and proactive perspective on information security as an essential complement or enabler for the business (not just for compliance, risk management and governance); and

  • Is the motive force driving security awareness throughout the organization and in its relationships with third parties, in other words fostering a genuine security culture.
If my little list seems excessive to you, turn it on its head. A security-ignorant, incompetent or careless management team is a nightmare, taking massive unwarranted and largely unknown risks, randomly pushing and pulling the organization around with no sense of guidance or propriety and generally failing to invest sensibly in security. 'Do as I say, not what I do' is an untenable but surprisingly common management position on security, sending out precisely the wrong message. Setting the wrong tone at the top, or staying resolutely silent on important matters, is hardly a recipe for business success in any sphere of management. 

Personally, I'm convinced that mismanagement is largely to blame for most if not all of the major information security incidents that hit the headlines. Security unawareness, especially among management, is a significant risk in its own right.

As to how to treat the risk and make senior management security-aware, that's actually quite straightforward provided you have a clue about what makes senior managers tick, what motivates, interests and concerns them. It helps for instance if security awareness is a dialog, an active and engaging conversation or discussion with the audience on business issues rather than a broadcast or lecture on technical matters. Expressing security things clearly and sensibly to management and other business people in familiar terms - in plain English - is a tough challenge for some of my professional colleagues. It's one of the defining characteristics of an effective CISO. 

I'll give Tom Wills the last word:
"Awareness is good: it’s the first step in making any change, and it looks like that’s starting to spread when it comes to the insider threat. To follow through and make change actually happen … for organizations to get back ahead of the curve on security, every one will have to get outside of its own comfort zone, starting at the top."

Thursday 5 June 2014

Security metrics books

Dell security analyst Ben Knowles has reviewed and compared four information security metrics books:

  • Andrew Jaquith's Security Metrics (aka "the Treefrog book"!)
  • Caroline Wong's Security Metrics
  • Lance Hayden's IT Security Metrics
  • and ours, PRAGMATIC Security Metrics
Ben's comments are sound: while these books present differing perspectives and messages, all four have merit.  We discussed the first three books (and more) in the literature review in PRAGMATIC Security Metrics, and on SecurityMetametrics.com.

Wednesday 4 June 2014

Family resettlement to Australia (419)

I've seen many 'apply for your green card' US immigration advance fee fraud/419 spams before but this is the first one I've noticed using an Australian visa as a lure:
Attn:

You have been selected for family resettlement to Australia , you are among the list of nominated for 2014 resettlement visa to Australia from our head of mission and we have granted your resettlement on the condition that you meet some basic requirements.

Please confirm if you receive this notice, then send us email so that we can give your requirements.
Start Now: Family Application - Immigration Assessment to Australia

We look forward to providing you with professional and personalized immigration support to Australia.
Should you required more information, please do not hesitate to contact us and we guarantee a prompt reply.

Our Regard,
Hon. Thomas Smith
AUSFIS - Certified Immigration Experts


As usual, there are several clues as to its lack of integrity, the unsolicited invitation and poor grammar for starters.  They want me to confirm receipt and then send email, but I'm puzzled about how to confirm receipt without sending email.  It has been suggested that despicable fraudsters are specifically targeting intellectually-challenged and naive victims.  

Sunday 1 June 2014

Database security awareness

Generally speaking, our most important IT systems are databases. Aside from the obvious - and business critical - corporate databases such as the General Ledger and Customer Database, other examples are myriad lists, inventories and semi-structured information collections, some of which are not even computerized. Phone books and contact lists on cellphones and tablets are databases, while many of us maintain databases of documents, spreadsheets and other files in the cloud.

Speaking personally, my to-do list scribbled on a handy scrap of paper is an important reminder for me: if I lose it, it’s hard for me to recall what was on it, so to some degree information security is important even for that!