Posts

Showing posts from May, 2016

Fascinating insight from a graph

Long-time/long-suffering readers of this blog will know that I am distinctly cynical if not scathing about published surveys and studies in the information security realm, most exhibiting substantial biases, severe methodological flaws and statistical 'issues'. Most of them are, to be blunt, unscientific worthless junk, while - worse still - many I am convinced are conscious and deliberate attempts to mislead us, essentially marketing collateral, fluff and nonsense designed and intended to coerce us into believing conjecture rather than genuine attempts to gather and impart actual, genuine facts that we can interpret for ourselves. Integrity is as rare as rocking-horse poo in this domain. Well imagine my surprise today to come across a well-written report on an excellent scientifically-designed and performed study - viz "The accountability gap: cybersecurity & building a culture of responsibility", a study sponsored by Tanium Inc. and Nasdaq Inc. and conducted...

Opportunistic security awareness

I just came across a little mobile-phone-shaped phone security awareness reminder card thing with a fairly direct in-yer-face message along the lines of "You left your phone unattended. I could have stolen it. Instead I simply accessed all the sensitive information on it because it was unlocked and unencrypted ..." The idea, I presume, is for someone (an information security/awareness professional, security guard etc.) to wander around looking for mobile phones left unattended/unguarded in public places, such as cafes or on public transport, leaving the card with the phone. Personally, while it is tempting to go down that line, I'd be very wary of adopting such sinister overtones in an awareness message. The shock value might work for some recipients but it's basically a threat, a form of coercion with distinctly negative connotations about phone thieves AND careless phone owners, not to mention the security people who printed and left the card. Such negativism and n...

Friday poser

Is this a spoof PayPal email (most likely a phisher) or a genuine but misguided and inept attempt by PayPal to contact me? The message includes a login link, pointing not to PayPal.com but to PayPal-Communication.com, which could easily be a lookalike domain registered for the express purpose of fleecing naive recipients of their PayPal credentials, not to mention defrauding them of their funds. Further down, the message suggests that addressing me by my "given surname and given name" means I should trust the message - codswallop! For a start, the correct term is "given and family names", but of course that is readily available information: phishers can easily obtain lists of email addresses complete with given and family names, and lots more personal information. Google knows billions of them. As a means of authentication, it is worthless. So, what do you think: genuine (but inept) or fake?

Treating computer room fire risks

Following the Montreal Protocol agreement in the 1980s, manufacture of the chlorofluorocarbon (CFC) extinguishant gases commonly known under the trade names "Halon" and "Freon" ceased before 1994. Although CFCs are highly effective extinguishants that work at relatively low concentrations (8%) with low toxicity and no nasty residues, they are potent greenhouse gases. In the upper atmosphere, CFCs are broken down slowly by sunlight (over decades), releasing reactive free chlorine which destroys ozone, subjecting the earth's surface to increasing amounts of harmful UV radiation. See https://en.wikipedia.org/wiki/Bromochlorodifluoromethane and http://www.bcairquality.ca/101/ozone-depletion-causes.html and http://www.enviropedia.org.uk/Ozone_Depletion/ODCs.php (among others). For a while, Halon made before 1994 was recycled from old stocks for specific applications by organizations that could afford it. Everything possible should be done to avoid releasing the gas ...

Auditing IT facilities

I learnt how to audit IT facilities by doing it, initially under the wing of an experienced consultant, then with various professional colleagues but mostly under my own steam. I've done hundreds over the years, on many sizes of facility (ranging from SOHO and small office setups up to co-location and single-company data centres the size of football pitches) and many types of organization across a variety of industries. The information risks and hence information security control requirements can vary markedly between facilities. A bank is in a rather different situation to, say, a power station, engineering company or hospital. Separate data centres within a given organization also vary, e.g. HQ versus a branch or call centre. Data centres in different countries, cities/towns, even suburbs can vary, e.g. compare Kinshasa to Kansas, Mogadishu to Manchester, Auckland North Shore to South Auckland. And they all vary over time, for example Brussels and Paris are different pl...