Posts

Showing posts from 2015

Information risk and security tools

We've just completed and delivered a brand new awareness module for January 2016 concerning the tools supporting information risk and security: Scope of the awareness module There are literally thousands of tools in the information risk and security space. One of the more technical awareness papers in the module discusses some 68 types of tool - that's not merely 68 actual products but 68 categories with numerous tools in each. We could have kept going but 12 pages was more than enough for a 'briefing'! In scoping, researching and preparing to write the module, we faced up to the possibility that the awareness materials might inadvertently spark an interest in the dark side among our customers' workforces. Many of the sexiest tools in the toolbox could be classed as dual-use weapons technology, valuable for good and evil purposes. In fact, many of them owe their very existence to the crucible of creativity and passion that is hacking. Our response was to be open abou...

Air Canada phone scam takes off

If someone from Air Canada calls you about a flight booking, there's a good chance it's a social engineer trying to steal your credit card number and/or other valuable info. I guess the scammers in this case might be calling people totally at random on the off-chance that some of them have recently booked flights on Air Canada, but given the specificity of the scam, it's more likely they are working their way through a list of Canadians who routinely travel by air, or at the very least people with Canadian phone numbers. Possibly they have discovered a way to identify specifically those people who have booked with Air Canada. Maybe the info is deliberately published on a public website or service for some reason (e.g. for passenger safety or visa checking?). Maybe Air Canada's booking systems have been compromised/hacked, or those of an intermediate such as a travel agent, booking agency, flight scheduling company, airport, loyalty card scheme, or ISP or .... well that...

Information risk awareness

In line with common practice, we've covered "information security risk" previously in the security awareness materials. Virtually all the awareness modules cover information security, so this time around we've refocused the module on information risk, information risk management (IRM) especially. The diagram below sums up the guts of the classic IRM process: identify then assess information risks, choose how to treat them, implement the treatments, then loop back to pick up and respond to changes. There's more to it than that, for instance information must flow to and from management (e.g. information risk levels, business priorities and risk appetite) while suitable metrics are necessary to manage and improve the process systematically. Talking of which, I'm currently reading a fascinating account of how High-Reliability Organizations (HROs) use Highly Reliable Security Programs (HRSPs) to drive improvements in their information risk and security management...

Oz terrorism alerting scheme

A new public alerting scheme for terrorism was introduced in Australia this week, with the 5 color-coded levels shown here. The previous scheme, introduced in 2003, had 4 levels (low, medium, high and extreme), primarily reflecting the scale or severity of the threat. The new scheme's levels primarily reflect the probability of an attack. I'm puzzled because, as generally understood, risk reflects both aspects - the likelihood, probability or chance of an incident coupled with its scale, severity, consequences or impact. With the new system, even if a threat is deemed "certain" and coded red, the scale gives us no idea of the likely scale of the incident/s. Are we talking about a lone gunman on the rampage in one location, a coordinated series of attacks across a number of locations, or what? Should I suggest the Analog Risk Assessment method to the Australian government?

Self-phishing own goal

With hindsight, perhaps it wasn't such a bright idea for an information security company to send out an email promoting phishing awareness, encouraging its readers to click an embedded blog link ... pointing to a different domain than the address of the sender of said email:

CISO/ISM ethics

If you had the requisite access, skills and opportunity to defraud or otherwise exploit your employer (which, I suspect, many of us in this profession do), would you be tempted to take advantage? Not even a tiny bit? What if the 'social contract' with your employer was seriously strained for some reason - something had soured the relationship, putting your nose out of joint, once too often? If you were so inclined, how much effort would you be willing to expend to 'get your own back'? Would you feel justified in causing material harm? Would you be willing to break the law? Would it matter if you worked for a bank, the government, a charity or family business? And how cautious/subtle/sneaky would you be about it? What if the potential prize on offer was, say, more than $10 million: how tempting would that be? How much caution and risk mitigation would $10m buy you? Stories like that make me wonder idly about my personal integrity and ethics. If everyone has their pric...

Decision-led metrics

Metrics in general are valuable because, in various ways, they support decisions. If they don't, they are at best just nice to know - 'coffee table metrics' I call them. If coffee table metrics didn't exist, we probably wouldn't miss them, and we'd have cut costs. So, what decisions are being, or should be, or will need to be made, concerning information risk and security? If we figure that out, we'll have a pretty good clue about which metrics we do or don't want. Here are a few ways to categorize decisions: Decisions concerning strategic, tactical and operational matters, with the corresponding long, medium and short-term focus and relatively broad, middling or narrow scope; Decisions about risk, governance, security, compliance ...; Decisions about what to do, how to do it, who does it, when it is done ...; Business decisions, technology decisions, people decisions, financial decisions ...; Decisions about departments, functions, teams, systems, proje...

Security awareness without resources - five Hinson tips

While listening to a couple of ISSA webinars on security awareness and idly scribbling notes to myself, I've been mulling over the common refrain that 'We just don't have the resources for security awareness'. One of the speakers said something along the lines of "I've never had the luxury of anyone on the payroll to do security awareness, except me and I'm always busy. I don't think we'll ever have anyone to do it full time, maybe a quarter FTE next year if we're lucky". This is for a healthcare organization with over 20,000 employees. That struck me as a depressing, almost defeatist attitude. I honestly struggle to believe that their management doesn't support security awareness, given how absolutely crucial it undoubtedly is to meet their security and privacy obligations and business challenges. How can they possibly afford NOT to do security awareness? I suspect the real problem lies not so much with management's resistance ...

Metrics database

I wonder if any far-sighted organizations are using a database/systems approach to their metrics? Seems to me a logical approach given that there are lots of measurement data swilling around the average corporation (including but not only those relating to information risk, security, control, governance, compliance and privacy). Why not systematically import the data into a metrics database system for automated analysis and presentation purposes? Capture the data once, manage it responsibly, use it repeatedly, and milk the maximum value from it, right? If you think that's a naive, impracticable or otherwise krazy approach, please put me straight. What am I missing? Why is it that I never seem to hear about metrics databases, other than generic metrics catalogs (which are of limited value IMNSHO) and Management Information Systems (which were all the rage in the 80s but strangely disappeared from sight in the 90s)? Conversely, if your organization has a metrics database system, how ...

Domain status update spear-phish

Look what just fell into my inbox. Legit, crude spear-phish or just plain nuts? I already own ISO27001security.com which is presumably why they think I might be interested in iso27k.com (I'm not!), but this is such an obvious con, I'd have to be a complete mindless idiot to fall for it. [I've crudely redacted their URL: please don't try to reconstruct and visit it unless you actually want your system to be compromised - and don't blame me!]

Social insecurity - security awareness gets personal

The awareness topic for November is 'social in security', meaning information security and privacy risks, controls and incidents involving and affecting people: Social engineering scams and frauds, especially phishing and spear-phishing by email and phone; Harvesting of information and exploitation of people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.; The use of pretexts, spoofs, masquerading and coercion - social engineering tradecraft; Serious corporate risks involving blended/multimode attacks and insider threats e.g. the exploitation of colleagues through social engineering attacks by power-hungry assertive workers with personal agendas (aka "company politics"). While technical measures (such as anti-spam utilities and email software that disables links and attachments in suspicious messages) help to some extent, security awareness and training are, of ...

Unsafe Harbor

After 15 years of tenuous operation and months of speculation, the EU/US Safe Harbor arrangement is sunk. According to SC Magazine: "In a decision with widespread implications for the international transfer and processing of data - and the companies that provide these services - the European Court of Justice has ruled the EU-US Safe Harbour pact invalid. Experts are warning of massive disruption to international business." Safe Harbor was formally implemented by the US Department of Commerce in July 2000: "Decisions by organizations to qualify for the safe harbor are entirely voluntary, and organizations may qualify for the safe harbor in different ways. Organizations that decide to adhere to the Principles must comply with the Principles in order to obtain and retain the benefits of the safe harbor and publicly declare that they do so. For example, if an organization joins a self-regulatory privacy program that adheres to the Principles, it qualifies for the safe har...

Security dashboard tips

Tripwire blog's The Top 10 Tips for Building an Effective Security Dashboard is an interesting collection of advice from several people. It's thought provoking, although I don't entirely agree with it. Tip 2 'Sell success, not fear', mentions: "For example, in the event that they cannot find personnel who come equipped with the skills needed to improve progress, security personnel can use dashboards to demonstrate the impact that well trained individuals could have on finding and resolving issues and threats, as well as to subsequently leverage that insight for training and cultivating available skills." Although somewhat manipulative, metrics can indeed provide data supporting or justifying proposed security improvements, assuming that, somehow, someone has already decided what needs to be done ... and suitable metrics can be useful for that purpose too. The thrust of tip 4 'Use compelling visualizations' is that the dashboard needs to be glos...

Permissions - another novel security awareness topic

When a customer suggested that we ought to cover privileges, we thought "Great idea!" ... but when we got stuck into the research for the new module, we soon realized that we couldn't really discuss privileges without also dipping into access rights ... which takes us into rights ... and compliance ... and a whole stack of other stuff. From being a narrow and specific topic, it mushroomed into an enormous beast, a far more complicated, wide-ranging awareness subject than we originally anticipated, taking in more than thirty aspects: access controls; access rights; accountability; authorization; awareness, education and training (!); compliance; controls; disclaimers; enforcement; entitlement; escalation; ethics; exceptions; exemptions; forensics; governance; granting, denying and revoking permissions; groups and rôles; identification and authentication; incident response and management; obligations and responsibilities; passes and ID cards; penetration and security testin...

Metrics case study on Boeing

The Security Executive Council has published an interesting case study concerning the review and selection of metrics relating to physical and information risks at Boeing. [Access to the article is free but requires us to register our interest.] The case study mentions using SMART criteria and a few other factors to select metrics but doesn't go into details, unfortunately. Nevertheless, the analytical approach is worth reading and contemplating. If we were to conduct such an assignment for a client today, we would utilize a combination of tools and techniques across six distinct phases: Background information gathering concerning Boeing's business situation, information risks, and existing metrics, using standard analytical or audit methods, clarifying the as-is situation and building a picture of what needs to change, and why. This phase would typically culminate in a report and a presentation/discussion with management. GQM (Goal-Question-Metric) assessment eloquently de...

BYOT - Bring Your Own Things - and BYOS

Employees are increasingly using their personally-owned ICT devices at work, whether for personal or work purposes. Organizations with BYOD (Bring Your Own Device) schemes and policies typically insist that employees' smartphones, laptops, tablets etc. are secured and managed by IT, requiring the use of MDM (Mobile Device Management) software, AV (antivirus) etc. So what happens as employees start bringing in their personal IoT toys (BYOT - Bring Your Own Things) in the same way - their fitness trackers, Google Glasses and other wearables, perhaps control pods for their home IoT systems, and so forth? Good luck to anyone trying to insist that IT installs MDM, AV and all that jazz on a gazillion things! One approach to BYOT security I guess is to prohibit all unapproved and unauthorized devices/things from connecting to corporate networks, at the same time preventing corporate devices/things from connecting to non-corporate networks (including ad hoc or...

Banks: watch out for fishing (and phishing)

A low-tech kiwi bank robber stole deposits from a bank's safety deposit box using a fishing line. He even managed to cash a few of the stolen cheques before being lured to the counter and caught in the bank's security net. Not a malicious URL in sight. An anonymous source tells me she has found deposit envelopes containing valuable negotiables (the folding kind) in a local bank's deposit drawer, left by a previous customer who neglected to check that the deposit envelope had been swallowed up by the machinery. The bank teller was aghast ... but evidently creating a physically secure bank deposit chute is beyond the capabilities of NZ banks' engineering wizards. Surely some number 8 wire and a bent waratah ought to do it? Anyway, most kiwis are far too honest to exploit vulnerabilities like this.

Drone-zapping

I spotted something interesting, if a little scary, today on the BBC. Boeing has successfully shot down 'a drone' by zapping it with a transportable high-power laser system on a test range. The article doesn't actually say but I guess this is a straightforward military weapon intended to defend, say, a battlefield camp against the enemy's military drones that approach or overfly it. It would, of course, need to distinguish friendly drones (and aircraft and shells ... and soldiers and land vehicles ...) from foe in order to avoid costly and embarrassing incidents, all in real time as things (perhaps several) fly towards or past the zapper, the more sophisticated ones running radar jammers etc. If you think about the complexities of the situation and the necessary speed of target acquisition, identification, decision making and response, it is an impressive weapon. I guess in due course, simpler civil versions of the weapon might prove valuable to defend public building...

IoT security awareness

The Internet of Things is a novel and rapidly evolving field making IoT security highly topical and yet, as with cybersecurity last month, it was something of a challenge to prepare a coherent, concise and valuable set of security awareness materials. In researching the topic, we discovered surprisingly few companies marketing various smart and mostly geeky things, a few news articles and lightweight gee-whizz journalistic pieces, and some almost impenetrable academic and technical papers about the technologies. Enterprising hackers are already exploring IoT, discovering and exploiting security vulnerabilities ostensibly for education and demonstration purposes, at least for now. Shiny new things are appearing on the market every week to be snapped up by an eager if naïve public. IoT presents a heady mix of risks and opportunities, with substantial commercial, safety, privacy, compliance and information security challenges ahead, and sociological implications for ...

Lean security

Lean manufacturing or kaizen is a philosophy or framework comprising a variety of approaches designed to make manufacturing and production systems as efficient and effective as possible, approaches such as: Design-for-life - taking account of the practical realities of production, usage and maintenance when products are designed, rather than locking-in later nightmares through the thoughtless inclusion of elements or features that prove unmanageable; Just-in-time delivery of parts to the production line at the quantity, quality, time and place they are needed (kanban), instead of being stockpiled in a warehouse or parts store, collecting dust, depreciating, adding inertia and costs if product changes are needed; Elimination of waste (muda) - processes are changed to avoid the production of waste, or at the very least waste materials become useful/valuable products, while wasted time and effort is eliminated by making production processes slick with smo...

Persistently painful piss-poor password params & processes

Let me start by acknowledging that passwords are a weak means of authenticating people, for all sorts of reasons. I know passwords suck ... and yet passwords are by far the most common user authentication method in use because of two factors (pun intended): 1) Passwords are conventional, well-understood, commonplace, and the natural default 'no-brain' option. People are used to them and [think they] understand them. Passwords or PIN codes are almost universally built into operating systems and many apps, websites etc. 2) Compared to other methods, passwords are fairly cheap to implement, manage and use. There is no need to invest in biometric sensors, PKI, crypto-tokens or whatever unless you need multifactor authentication ... in which case you probably still need passwords. That said, there are many different ways of employing passwords for user authentication, many design parameters, most of which affect the level of security achieved in practice. Designing and i...