Posts

Showing posts from 2016

Internet security awareness

We've just delivered our first awareness module for 2017 with a few brief hours left until the new year. Updating the awareness module on Internet security turned out to be a mammoth task: we've basically rewritten it from scratch, such is the pace of change in this area. We could probably have continued writing for another month, in which time I'm quite sure further issues would have emerged ... so we had to call a halt to the writing in order to hit our self-imposed delivery deadline. We can always come back later for another bite at the cherry and, to be fair, most security awareness topics touch on the Internet in some fashion. "Fake news" is a recurring theme in the materials, picking up on media reports following the US presidential election. Today, we completed the final piece for the module, the awareness newsletter, drawing on a US CERT - DHS - FBI alert about GRIZZLY STEPPE published yesterday. Two Russian hacking groups used Remote Access Trojans to ...

What worries CEOs?

According to KPMG, the answer is ... I've picked out just one of a plethora of gaudily-colored horizontal bar charts from KPMG's 2016 Global CEO Outlook, which I encourage you to download and read. The Now or Never report blends insightful analysis with survey data and anecdotal comments. It's well-written, glossy and eminently readable. The reason I chose to illustrate this blog piece with that particular chart is that it confirms what I already thought about risks of concern - in other words, I openly admit my 'confirmation bias'. The same could be said for most of the rest of the charts, and indeed the report as a whole, which at least partially explains why I'm blabbering on about it here. It was on-topic for me, interesting enough to read, consider ... and then pick holes in. Even if you disagree with the report's findings, or have little to no interest whatsoever in the subject matter, it's still worth reading in respect of the manner in which ...

Tenable Global Cybersecurity Assurance Report Card critique

The "2017 Global Cybersecurity Assurance Report Card" reports on a web-based survey of 700 IT security people from mid to large organizations. The survey was sponsored by Tenable and conducted by CyberEdge. It makes a reasonable job of measuring concerns and opinions within the narrow constraints of the specific questions posed. For example, here's one of the survey questions: The 5 categories of response (1-5) and the 7 listed items (a-g) constitute a Likert scale, a commonplace opinion survey approach with both strengths (primarily low cost) and weaknesses. In respect of just that question, methodological concerns include: The question stem is a little ambiguous, referring to 5 being "highest" when it presumably means "of greatest concern" or whatever. The 1-5 values are ordinals and do not indicate absolute value or relative proportions. A value of 4 does not literally mean "twice as concerned" as a value of 2. A value of 1 is not ...

You know you're a geek if ...

... your favourite hot drink is URL grey tea ... Chewbacca, Ytterbium and Hal are the names of just three of your many servers ... your Myers Briggs Personality Type starts with INT - as in integer ... you know what a Myers Briggs Personality Type is, even without Googling it ... assorted acquaintances and relatives genuinely expect you to be fully expert in whatever quaint technologies are currently giving them problems ... you've had the same PC for well over a decade, with 3 different cases, 4 different PSUs, 5 different motherboards, 6 different CPUs and at least a dozen new hard drives, now all solid state (naturally) ... you welcome the moniker 'geek', whereas other lesser beings may think it pejorative ... you play IT Top Trumps comparing processor architectures and memory bandwidth ... you spot technical errors in TV portrayals of geeks ... you care about stuff that others don't even notice ... friends and family ask you to explain your Christmas wish-list in wo...

ISO/IEC 27004 revised and much improved

A substantially improved version of the security metrics standard ISO/IEC 27004 has just been published. The standard covers "Information security management ― Monitoring, measurement, analysis and evaluation", a direct reference to clause 9.1 of ISO/IEC 27001 ... in other words, it is primarily about the metrics needed to make management decisions about, and systematically improve, an ISO27k-style Information Security Management System. These are the main sections: Rationale - explains the value of measuring stuff, e.g. to increase accountability and performance; Characteristics - what to measure, monitor, analyze and evaluate, when to do it, and who should do it; Types of measures - performance (efficiency) and effectiveness measures; Processes - how to develop, implement and use metrics. Annex B catalogs 35 metrics examples using a typical metrics definition form. These are not exactly shining demonstrations of the art; in fact some of the examples are of poor quality. I...

Online infosec dictionary

ComplianceDictionary.com is an online dictionary of terms defined in various standards, laws, regulations etc., maintained by UCF, the Unified Compliance Framework. I have a lot of respect for the UCF and have blogged about them before. They systematically collate and analyze a wide variety of laws, regulations and standards, helping clients identify the areas of commonality that equate to both savings and good practice. If a given security control satisfies numerous compliance obligations or expectations, it makes business sense to implement it properly, once. It may even qualify as a critical control. Just in case you are wondering, I have no financial interest in UCF and don't earn any commission from them. I do however admit to being envious of the idea underpinning UCF! The Compliance Dictionary is essentially a search engine that spews out both informal and formally-defined explanations for information security-related terms. The first term I entered to check it out gave ...

IT security spend as a % of IT budget

According to an article in The Register, Gartner has pointed out that 'proportion of IT budget spent on IT security' is not a good metric. One can determine any metric's strengths and weaknesses systematically and objectively using the PRAGMATIC method, so here goes: Predictiveness: at a superficial level of analysis, the budget obviously affects the amount that can be spent on, or invested in, anything, hence there is bound to be some relationship between the money spent and the amount achieved ... but that is not a direct, linear relationship (in practice a somewhat vague correlation, I suspect). Organizations with tight budget constraints have to spend more carefully, and naturally focus their efforts on optimizing the value they obtain. Furthermore, many would acknowledge the preponderance of snake oil salesmen in the IT security field, hence spending more might even, in some cases, be counterproductive. Score: 50% Relevance: the metric may be relevant to IT securi...

Reflected anger

Friends, Given my profession, I am of course utterly opposed to spam and dedicated to fighting the scourge, which makes it especially annoying when some noxious spammer uses one of my email addresses as the From: address for their nasty spam. I usually discover this when assorted email servers send me error messages along the lines of "Sorry we could not deliver your spam". Those reflected messages are just the tip of the iceberg, though, since I presume many other poor sods received the spam with my email address at the top. Some of them probably cursed me. Just in case any of them are reading this, I'd like to confirm that I am most certainly not a spammer. I share your annoyance but it wasn't my fault!

Lifting the cover on privacy

Privacy, our security awareness topic for December, is a nebulous concept, more complex and involved than perhaps you might have thought if you accept that it includes concerns such as: Compliance, obviously enough. Compliance with privacy or data protection laws and regulations was once described by Gartner as 'exceedingly complex', making it a significant challenge, especially for multinational organizations plus web-based companies and others with customers, suppliers and business contacts around the world. Workers' noncompliance with corporate privacy policies and procedures is another potential nightmare for management (with an obvious need for awareness - at least it is glaringly obvious to us!), while contractual clauses concerning privacy and/or information security are hopefully not just put there to keep the lawyers occupied. Privacy is a substantial concern with professional services (such as outsourced HR or payroll) and cloud-computing services...

Infosec awareness lessons from NZ quakes

A big earthquake at midnight last night on the Northern end of South Island New Zealand was a major incident with various implications for incident/disaster management. I'd like to pick up on a few security awareness aspects while the incident is fresh in my mind and still playing out on the NZ media as I write this. There is a lot of effort put into preparedness for such events, across the whole country. For instance, the central safety message "Drop, cover, hold" is simple, widely repeated and used consistently in a variety of media and situations. Even the iconic images and colours (lots of black-and-yellow, warning colours with a strong biological basis) are consistent. Schools run classroom teaching on it. Websites and public safety demonstrations repeat it, frequently. There are flyers and leaflets, plus local, regional and national exercises to practice the actions, with extensive media coverage. "Get ready, get thru" is a strong theme. Full marks! [I ...

Exploiting the privacy-infosec overlaps

We're working hard on the next awareness module concerning privacy; in particular we're exploring the changes coming with GDPR (the EU General Data Protection Regulation). Two concepts from article 23 of GDPR caught my beady eye this afternoon: Privacy by design is the idea that privacy should be an integral or inherent part of the design of a new system, service or process, from the outset (as opposed to being tacked-on later, with all the compromises and drawbacks that normally entails); and Privacy by default - where there are options or alternative paths, the ones offering the greatest privacy should be selected automatically unless the user or data subject explicitly chooses otherwise. It occurs to me that conceptually those are not a million miles from 'secure by design' and 'secure by default', two strategic approaches with substantial benefits for information security as a whole, including most of privacy ... which hints at the intriguing possibi...

Which comes first, the awareness budget ... or awareness?

If your annual cycle matches the calendar year, you're probably working hard on a 2017 budget proposal to secure the funding for all you need to do on information security, cybersecurity, information risk management, compliance, business continuity and so on - doing it yourself or maybe helping the boss. Is security awareness and training part of the plan, hopefully not just a single line item but an integral part of virtually everything you are proposing to do? If not, don't be surprised if, once again, you struggle to make much headway in information security in 2017. Security awareness is not just an optional extra but an essential prerequisite for success ... and the magic starts with senior management having sufficient knowledge, understanding and appreciation of what information security is all about to approve an adequate budget. With that in mind, do you see the conundrum? Awareness is needed to gain funding for ... awareness and the rest of information security. How is t...

A little something for the weekend, sir?

The following bullet-points were inspired by another stimulating thread on the ISO27k Forum, this one stemming from a discussion about whether or not people qualify as "information assets", hence ought to be included in the information asset inventory and information risk management activities of an ISO27k ISMS. It's a crude list of people-related information risks: Phishing, spear-phishing and whaling, and other social engineering attacks targeting trusted and privileged insiders; 'Insider threats' of all sorts - bad apples on the payroll or at least on the premises, people who exploit information gained at work, and other opportunities, for personal or other reasons to the detriment of the organization; 'Victims' - workers who are weak, withdrawn and easily (mis)led or coerced and exploited by other workers or outsiders; Reliance on and loss of key people (especially "knowledge workers", creatives and lynch-pins such as founders and execs) through various causes (resi...