Posts

Showing posts from September, 2015

Permissions - another novel security awareness topic

When a customer suggested that we ought to cover privileges, we thought "Great idea!" ... but when we got stuck into the research for the new module, we soon realized that we couldn't really discuss privileges without also dipping into access rights ... which takes us into rights ... and compliance ... and a whole stack of other stuff. From being a narrow and specific topic, it mushroomed into an enormous beast, a far more complicated, wide-ranging awareness subject than we originally anticipated, taking in more than thirty aspects: access controls; access rights; accountability; authorization; awareness, education and training (!); compliance; controls; disclaimers; enforcement; entitlement; escalation; ethics; exceptions; exemptions; forensics; governance; granting, denying and revoking permissions; groups and rôles; identification and authentication; incident response and management; obligations and responsibilities; passes and ID cards; penetration and security testin...

Metrics case study on Boeing

The Security Executive Council has published an interesting case study concerning the review and selection of metrics relating to physical and information risks at Boeing. [Access to the article is free but requires us to register our interest.] The case study mentions using SMART criteria and a few other factors to select metrics but doesn't go into details, unfortunately. Nevertheless, the analytical approach is worth reading and contemplating. If we were to conduct such an assignment for a client today, we would utilize a combination of tools and techniques across six distinct phases: Background information gathering concerning Boeing's business situation, information risks, and existing metrics, using standard analytical or audit methods, clarifying the as-is situation and building a picture of what needs to change, and why. This phase would typically culminate in a report and a presentation/discussion with management. GQM (Goal-Question-Metric) assessment eloquently de...

BYOT - Bring Your Own Things - and BYOS

Employees are increasingly using their personally-owned ICT devices at work, whether for personal or work purposes. Organizations with BYOD (Bring Your Own Device) schemes and policies typically insist that employees' smartphones, laptops, tablets etc. are secured and managed by IT, requiring the use of MDM (Mobile Device Management) software, AV (antivirus) etc. So what happens as employees start bringing in their personal IoT toys (BYOT - Bring Your Own Things) in the same way - their fitness trackers, Google Glasses and other wearables, perhaps control pods for their home IoT systems, and so forth? Good luck to anyone trying to insist that IT installs MDM, AV and all that jazz on a gazillion things! One approach to BYOT security I guess is to prohibit all unapproved and unauthorized devices/things from connecting to corporate networks, at the same time preventing corporate devices/things from connecting to non-corporate networks (including ad hoc or...

Banks: watch out for fishing (and phishing)

A low-tech kiwi bank robber stole deposits from a bank's safety deposit box using a fishing line. He even managed to cash a few of the stolen cheques before being lured to the counter and caught in the bank's security net. Not a malicious URL in sight. An anonymous source tells me she has found deposit envelopes containing valuable negotiables (the folding kind) in a local bank's deposit drawer, left by a previous customer who neglected to check that the deposit envelope had been swallowed up by the machinery. The bank teller was aghast ... but evidently creating a physically secure bank deposit chute is beyond the capabilities of NZ banks' engineering wizards. Surely some number 8 wire and a bent waratah ought to do it? Anyway, most kiwis are far too honest to exploit vulnerabilities like this.

Drone-zapping

I spotted something interesting, if a little scary, today on the BBC. Boeing has successfully shot down 'a drone' by zapping it with a transportable high-power laser system on a test range. The article doesn't actually say, but I guess this is a straightforward military weapon intended to defend, say, a battlefield camp against the enemy's military drones that approach or overfly it. It would, of course, need to distinguish friendly drones (and aircraft and shells ... and soldiers and land vehicles ...) from foe in order to avoid costly and embarrassing incidents, all in real time as things (perhaps several) fly towards or past the zapper, the more sophisticated ones running radar jammers etc. If you think about the complexities of the situation and the necessary speed of target acquisition, identification, decision making and response, it is an impressive weapon. I guess in due course, simpler civil versions of the weapon might prove valuable to defend public building...

IoT security awareness

The Internet of Things is a novel and rapidly evolving field, making IoT security highly topical and yet, as with cybersecurity last month, it was something of a challenge to prepare a coherent, concise and valuable set of security awareness materials. In researching the topic, we discovered surprisingly few companies marketing various smart and mostly geeky things, a few news articles and lightweight gee-whizz journalistic pieces, and some almost impenetrable academic and technical papers about the technologies. Enterprising hackers are already exploring IoT, discovering and exploiting security vulnerabilities ostensibly for education and demonstration purposes, at least for now. Shiny new things are appearing on the market every week to be snapped up by an eager if naïve public. IoT presents a heady mix of risks and opportunities, with substantial commercial, safety, privacy, compliance and information security challenges ahead, and sociological implications for ...