Wednesday 30 September 2015

Permissions - another novel security awareness topic

When a customer suggested that we ought to cover privileges, we thought "Great idea!" ... but when we got stuck into the research for the new module, we soon realized that we couldn't really discuss privileges without also dipping into access rights ... which takes us into rights ... and compliance ... and a whole stack of other stuff. From being a narrow and specific topic, it mushroomed into an enormous beast, a far more complicated, wide-ranging awareness subject than we originally anticipated, taking in more than thirty aspects: access controls; access rights; accountability; authorization; awareness, education and training (!); compliance; controls; disclaimers; enforcement; entitlement; escalation; ethics; exceptions; exemptions; forensics; governance; granting, denying and revoking permissions; groups and rĂ´les; identification and authentication; incident response and management; obligations and responsibilities; passes and ID cards; penetration and security testing; permits and licenses; policies, procedures and guidelines; privileges; prohibition; reinforcement; rights; risks; and trust.

We settled in the end for the innocuous, all-encompassing title "permissions". It would have been counterproductive to attempt to cover all those thirty-plus facets in great detail in one module so instead we picked out the few most relevant to each of the three awareness audience groups (staff, managers and professionals) and skimmed the rest ... for now, but then we've covered most if not all of them before and will do so again at some future point, thanks to picking a different infosec topic every month.

"Permissions" is the 57th topic in our security awareness portfolio, and we're not finished yet! As far as we know*, no other commercial offering in this space is anything like as broad, nor indeed as deep. Concentrating on one topic at a time gives us the opportunity to explore things in some depth, gradually month-by-month completing the bigger picture. The monthly cycle also lets us reflect current issues and thinking, perhaps even advancing the field in our own little way. This month, for instance, we wrote a generic job description for a Permissions Manager, someone to take the lead on permissions, rights and privileges, coordinating and aligning the management of permission throughout the corporation. On reflection, how do large organizations get by without someone performing such an important role? Is this gap partly to blame for the Sony, Target, OPM and other recent headline incidents?  Hmmmm, makes you think, doesn't it?

If "awareness training" to you means an annual lecture to end-users about policies and passwords, you really should take a look at SecAware.com drop me an email, or call the office. We'd love to help you take the next step.

* If you know different, do please let me know. I'm always interested in what our competitors are getting up to. We don't have a monopoly on innovation! 

Thursday 10 September 2015

Metrics case study on Boeing


The Security Executive Council has published an interesting case study concerning the review and selection of metrics relating to physical and information risks at Boeing.  [Access to the article is free but requires us to register our interest.]

The case study mentions using SMART criteria and a few other factors to select metrics but doesn't go into details, unfortunately.  Nevertheless, the analytical approach is worth reading and contemplating.

If we were to conduct such an assignment for a client today, we would utilize a combination of tools and techniques across six distinct phases:
  1. Background information gathering concerning Boeing's business situation, information risks, and existing metrics, using standard analytical or audit methods, clarifying the as-is situation and building a picture of what needs to change, and why. This phase would typically culminate in a report and a presentation/discussion with management.

  2. GQM (Goal-Question-Metric) assessment eloquently described by Lance Hayden in IT Security Metrics. This is a more structured and systematic version of the approach outlined in the case study. A workshop approach would be useful, probably several in fact to delve into various aspects with the relevant business people and experts. The output would be a matrix or tree-root diagram illustrating the goals, questions and metrics.

  3. PRAGMATIC assessment and ranking of the metrics generated in phase 2 using the approach documented in our book. The output would be a management report containing a prioritized list of metrics ranked according to their PRAGMATIC scores, leading to a further presentation/discussion with management and, hopefully, agreement on a shortlist of the most promising metrics, those actually worth pursuing. This and the previous phase would take a creative approach, thinking about what needs to be measured, why, how, when etc., using both GQM and PRAGMATIC to firm-up the metrics that best fit the requirements  and focus groups to finalize the metrics (both existing metrics that are worth retaining possibly with some changes, and novel metrics being introduced).

  4. Planning and preparing for the implementation phase, perhaps including pilot studies (possibly involving actual pilots). 

  5. Implementation: making the changes needed to collect, analyse, report and most of all use the metrics.  This might well involve retiring or recasting some of the client's existing metrics that haven't earned their keep, in a way that teases out the last dregs of value from the data gathered previously.

  6. Ongoing metrics management and maintenance: using information from the GQM and PRAGMATIC steps to monitor and if appropriate refine or replace the metrics, ensuring for instance that they are proving valuable to the business (i.e. they should be cost-effective - one of the PRAGMATIC criteria conspicuously absent from SMART).  
In parallel with that sequence would be conventional project management activities - planning, resourcing & team building, motivation, tracking, reporting and assignment risk management.

Get in touch if you'd like some assistance to review and update your metrics: we'd love to help!

Tuesday 8 September 2015

BYOT - Bring Your Own Things - and BYOS

Employees are increasingly using their personally-owned ICT devices at work, whether for personal or work purposes.  Organizations with BYOD (Bring Your Own Device) schemes and policies typically insist that employee's smartphones, laptops, tablets etc. are secured and managed by IT, requiring the use of MDM (Mobile Device Management) software, AV (antivirus) etc.

So what happens as employees start bringing in their personal IoT toys (BYOT - Bring Your Own Things) in the same way - their fitness trackers, Google Glasses and other wearables, perhaps control pods for their home IoT systems, and so forth?  

Good luck to anyone trying to insist that IT installs MDM, AV and all that jazz on a gazillion things!

One approach to BYOT security I guess is to prohibit all unapproved and unauthorized devices/things from connecting to corporate networks, at the same time preventing corporate devices/things from connecting to non-corporate networks (including ad hoc or mesh networks formed spontaneously between IoT devices, and public networks such as open WiFi, Bluetooth and cellular networks).  Keep them logically separated, with strict enforcement using compliance measures, change and configuration management, network and device/thing security management and monitoring etc. (oh oh, I see dollar signs ticking up at this point).

Another approach is to deperimiterize - stop relying on network perimeter access controls, depending on device/thing security instead.  Treat all networks as untrustworthy if not overtly hostile.  Easy to say, tricky to do properly.

A third way involves the corporation providing open-access/public unsecured networks on its premises and encouraging employees to use those if they want to network their BYOS*.   This has the advantage of logical separation at low cost, while employees (and contractors, consultants, visitors and assorted drifters) can connect up without the cost of 3G or other public networks.  There may be legal wrinkles to this approach


"Bring Your Own Stuff" is the polite version, "Bash Your Old Ship" is slightly closer to the real definition.

Saturday 5 September 2015

Banks: watch out for fishing (and phishing)


A low-tech kiwi bank robber stole deposits from a bank's safety deposit box using a fishing line.  He even managed to cash a few of the stolen cheques before being lured to the counter and caught in the bank's security net.

Not a malicious URL in sight.

An anonymous source tells me she has found deposit envelopes containing valuable negotiables (the folding kind) in a local bank's deposit drawer, left by a previous customer who neglected to check that the deposit envelope had been swallowed up by the machinery.  The bank teller was aghast ... but evidently creating a physically secure bank deposit chute is beyond the capabilities of NZ bank' engineering wizards.  Surely some number 8 wire and a bent waratah ought to do it?  

Anyway, most kiwis are far too honest to exploit vulnerabilities like this.

Wednesday 2 September 2015

Drone-zapping


I spotted something interesting, if a little scary, today on the BBC. Boeing has successfully shot down 'a drone' by zapping it with a transportable high-power laser system on a test range.

The article doesn't actually say but I guess this is a straightforward military weapon intended to defend, say, a battlefield camp against the enemy's military drones that approach or overfly it. It would, of course, need to distinguish friendly drones (and aircraft and shells ... and soldiers and land vehicles ...) from foe in order to avoid costly and embarrassing incidents, all in real time as things (perhaps several) fly towards or past the zapper, the more sophisticated ones running radar jammers etc. If you think about the complexities of the situation and the necessary speed of target acquisition, identification, decision making and response, it is an impressive weapon.

I guess in due course, simpler civil versions of the weapon might prove valuable to defend public buildings (such as airports, parliaments, embassies, prisons and homes of the rich-n-famous) against drone 'attacks'.

Perhaps this explains the popularity of the 'laser kiwi' flag option with the people of NZ, if not our highly-paid government-sponsored flag committee?

Tuesday 1 September 2015

IoT security awareness

The Internet of Things is a novel and rapidly evolving field making IoT security highly topical and yet, as with cybersecurity last month, it was something of a challenge to prepare a coherent, concise and valuable set of security awareness materials. 
In researching the topic, we discovered surprisingly few companies marketing various smart and mostly geeky things, a few news articles and lightweight gee-whizz journalistic pieces, and some almost impenetrable academic and technical papers about the technologies. Enterprising hackers are already exploring IoT, discovering and exploiting security vulnerabilities ostensibly for education and demonstration purposes, at least for now. Shiny new things are appearing on the market every week to be snapped up by an eager if our naĂ¯ve public.
IoT presents a heady mix of risks and opportunities, with substantial commercial, safety, privacy, compliance and information security challenges ahead, and sociological implications for good measure. In a few years’ time when both things and IoT incidents have become commonplace (despite our very best efforts!), we may look back in amazement at the things we are doing today … but we are where we are, things are spreading fast and the risks are multiplying like salmonella on a Petri dish.

An IoT security awareness module is timely.

To prepare the materials, we took a back-to-basics approach, identifying and describing a wide range of risks associated with or arising from IoT as a starting point. For the staff stream, we focused on consumer things including smart home and wearables. For management, we discussed the commercial, strategic and policy concerns with IoT and IIoT (Industrial IoT). While it would have been easy just to highlight the security and privacy angle, we also discussed the business opportunities that arise from innovative things. Finding the right balance between risk and opportunity, or security and creativity, is the key to exploiting the amazing possibilities of these exciting new technologies.

The latest awareness module addresses the following generic learning objectives: 
  • Introduce IoT, an emerging and rapidly evolving field, explaining things, ubiquitous computing, mesh networks, IIoT and so forth; 
  • Outline the personal and business benefits driving IoT and IIoT adoption, touching on commercial opportunities, industry pressures and technology constraints plus wider societal issues, privacy concerns and so on; 
  • Explain the information risks arising from or relating to IoT & things, illustrating the threats, vulnerabilities and impacts with news of real-world IoT incidents, attacks and malware; 
  • Emphasize the four possible means of treating the risks (more than just security controls!);
  • Encourage the workforce to consider and ideally address the information risks, security and privacy aspects of IoT and things, going beyond mere ‘awareness’. 
IoT security is the 56th topic in our steadily growing portfolio of information security awareness materials. We're already working on another new topic for next month: 'rights and privileges' are core to IT security, crucial to logical access management, and important concepts in a much broader sense.

Could your security awareness program could do with a kick up the wotsits? Wish you had the time and energy to research and write about emerging information security challenges? Get in touch!