Posts

Showing posts from October, 2015

Social insecurity - security awareness gets personal

The awareness topic for November is ‘social in security’, meaning information security and privacy risks, controls and incidents involving and affecting people:
- Social engineering scams and frauds, especially phishing and spear-phishing by email and phone;
- Harvesting of information and exploitation of people via social media, social networks, social apps and social proofing, e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.;
- The use of pretexts, spoofs, masquerading and coercion - social engineering tradecraft;
- Serious corporate risks involving blended/multimode attacks and insider threats, e.g. the exploitation of colleagues through social engineering attacks by power-hungry assertive workers with personal agendas (aka “company politics”).
While technical measures (such as anti-spam utilities and email software that disables links and attachments in suspicious messages) help to some extent, security awareness and training are, of ...

Unsafe Harbor

After 15 years of tenuous operation and months of speculation, the EU/US Safe Harbor arrangement is sunk. According to SC Magazine: "In a decision with widespread implications for the international transfer and processing of data - and the companies that provide these services - the European Court of Justice has ruled the EU-US Safe Harbour pact invalid. Experts are warning of massive disruption to international business." Safe Harbor was formally implemented by the US Department of Commerce in July 2000: "Decisions by organizations to qualify for the safe harbor are entirely voluntary, and organizations may qualify for the safe harbor in different ways. Organizations that decide to adhere to the Principles must comply with the Principles in order to obtain and retain the benefits of the safe harbor and publicly declare that they do so. For example, if an organization joins a self-regulatory privacy program that adheres to the Principles, it qualifies for the safe har...

Security dashboard tips

The Tripwire blog's "The Top 10 Tips for Building an Effective Security Dashboard" is an interesting collection of advice from several people. It's thought provoking, although I don't entirely agree with it. Tip 2, 'Sell success, not fear', mentions: "For example, in the event that they cannot find personnel who come equipped with the skills needed to improve progress, security personnel can use dashboards to demonstrate the impact that well trained individuals could have on finding and resolving issues and threats, as well as to subsequently leverage that insight for training and cultivating available skills." Although somewhat manipulative, metrics can indeed provide data supporting or justifying proposed security improvements, assuming that, somehow, someone has already decided what needs to be done ... and suitable metrics can be useful for that purpose too. The thrust of tip 4, 'Use compelling visualizations', is that the dashboard needs to be glos...