Posts

Showing posts from June, 2016

Cryptography - our security awareness topic for July

Cryptography gives us powerful and yet fragile information security controls. Strong confidentiality and authentication mechanisms are wonderful provided they are well designed, implemented, used, managed and maintained … but cryptographic controls have a nasty tendency of failing open, sometimes becoming spectacularly insecure - which is just one of the information risks associated with cryptography. Since this is ‘only’ a security awareness module, we’ve avoided delving into the advanced mathematics that underpins cryptography, while at the same time giving enough information for the module to be both interesting and actionable. Cryptography is a complex, technical topic, for sure, but that's no reason for the awareness program to ignore it and hope for the best! Even if you have the expertise and interest to research and prepare your own awareness materials, wouldn't you rather spend your valuable time interacting with your colleagues, spreading the word about information...

ISO27k conference in San Francisco, end of Sept

27k: Security Summit for the Americas will cover security metrics in the context of the ISO/IEC 27000 Information Security Management Systems standards. It's a 2-day conference plus optional workshops the day before and training courses afterwards, in the final week of September at a smart purpose-built conference facility on the outskirts of San Francisco airport, not far beyond the boundary fence I think. Standing speakers may need to duck, and shout. There will be sessions on:
- ISO27k basics
- ISO27k implementation
- ISO27k for cloud security
- Integrating ISO 22301 (business continuity) with ISO27k
- ISO27k metrics
… and more. Walt Williams of Lattice, Richard Wilshire (ISO/IEC JTC1/SC27 project leader for the total revamp of ISO/IEC 27004 on “Monitoring, measurement, analysis and evaluation”), and Jorge Lozano from PwC are all presenting on metrics at the conference, and FWIW me too. I’m hoping to persuade Krag Brotby to attend as well. Aside from th...

Information risk - the Next Big Thing

It strikes me as deeply ironic when a peer acknowledges that the most important thing in cyber security is not the technology but the people. The irony is deeper still, given that the comments stem from a Gartner conference. Anyway, I see a faint glimmer of hope that, finally, the cybersecurity bandwagon might be trundling out of town. And good riddance! Frankly, I'll be glad to see the back of it. Cybersecurity may be a gigantic feeding trough but it is so 20th Century. Way back in the 80s when I started my professional career, "computer security" was just becoming the thing. The reasoning was simplistic: computing was a costly and new/risky investment that had to be protected. However, as mainframes gave way to minis and then micros, mainstream IT gradually became a humdrum commodity. Admittedly, there is still competitive advantage to be gained by strategic investments in IT, including old-school systems and software development (as opposed to merely assembling and ...

Another one bites the dust ...

My PC has been going steadily downhill for the past week or two, until finally at the weekend it plummeted off the cliff's edge into the deep blue. The symptoms were confusing: it would freeze up randomly, sometimes thawing and sometimes slowing to a crawl but occasionally becoming totally unresponsive, requiring a reboot. There were no error messages, at least none that I noticed. The Windows error log was no help, and there was no obvious pattern to it. I couldn't pin it on any specific app or situation - even reverting a recent software update on an app that I run 24x7 made no difference. There are no reported viruses. The PC isn't overheating and the mains supply is reliable. Well, with 20/20 hindsight, there were some little clues about the underlying cause. Saving fairly large files sometimes took a bit longer than normal due to the PC pausing for breath in mid-save. MP3 music would sometimes stutter, endlessly repeating a few seconds like a scratched vinyl record or ...

Do not lift this cover

Having accidentally sent a journalist an ineptly redacted document, the Public Health Agency of Canada is - quite rightly - roasting uncomfortably in the glare of the media spotlight today: "Raphael Satter, an Associated Press correspondent in Paris, was dumbfounded when he received files from the Public Health Agency of Canada that were censored using only Scotch tape and paper ... He was able to see the redacted confidential information simply by peeling back the paper." There are at least 11 information risks or types of incident associated with redaction:
- Making bad decisions about the data to be redacted, the technical methods or process to be used and/or the suitability (primarily competency and diligence) of those tasked to do it;
- Failing to identify correctly all the sensitive data that must be redacted (both the individual data items and the files);
- Failing to render the redacted data totally unrecoverable, for example: Using inapprop...

Security awareness module on trust and ethics

June’s awareness module covers trust and ethics - no ordinary, run-of-the-mill awareness topic ... but then ours is no ordinary, run-of-the-mill awareness service! The module draws out important awareness messages that are directly relevant to information risk and security. 'Ethics' is a pervasive self-control underpinning many others. Ethical people think and behave honorably in ways generally considered correct and appropriate. They are open and honest, respectful of others and concerned about ‘doing the right thing’ and ‘doing things right’. In respect of information security, ethical behavior reinforces procedural controls – for instance, unethical people who disregard the principles, ignore policies and flout the procedures materially weaken the organization’s information security. Trust and trustworthiness form the basis for collaborating with and depending on others, without the costs, disruption and aggravation implied by distrust and untrustworthiness. As well as...

Security innards

When someone foolishly lets Marketing loose on cybersecurity products, you end up with this kind of mishmash in your inbox: "[Our product] can help you pinpoint the exact vulnerabilities that are currently active in your IT environment. Since not all vulnerabilities are threats to your organisation’s security, it’s important to focus on fixing the high-risk ones first—and fast. [Our product] gives you the intelligence to prioritise your remediation efforts to address the vulnerabilities that pose the highest risk of compromise." It has been stuffed with a bunch of keywords to such an extent that it no longer makes sense, obscuring the value of the product. I believe there might actually be a decent new product lurking beneath all that tripe but, speaking personally, I'm not prepared to rummage through the entrails to find it. Ho hum.