We've just delivered our first awareness module for 2017 with a few brief hours left until the new year.   Updating the awareness module on Internet security turned out to be a mammoth task: we've basically rewritten it from scratch, such is the pace of change in this area. We could probably have continued writing for another month, in which time I'm quite sure further issues would have emerged ... so we had to call a halt to the writing in order to hit our self-imposed delivery deadline. We can always come back later for another bite at the cherry and, to be fair, most security awareness topics touch on the Internet in some fashion. "Fake news" is a recurring theme in the materials, picking up on media reports following the US presidential election. Today, we completed the final piece for the module, the awareness newsletter, drawing on a US CERT - DHS - FBI alert about GRIZZLY STEPPE  published yesterday. Two Russian hacking groups used Remote Access Trojans to ...

According to KPMG, the answer is ... I've picked out just one of a plethora of gaudily-colored horizontal bar charts from KPMG's 2016 Global CEO Outlook , which I encourage you to download and read. The  Now or Never   report blends insightful analysis with survey data and anecdotal comments. It's well-written, glossy and eminently readable. The reason I chose to illustrate this blog piece with that particular chart is that it confirms what I already thought about risks of concern - in other words, I openly admit my 'confirmation bias'. The same could be said for most of the rest of the charts, and indeed the report as a whole, which at least partially explains why I'm blabbering on about it here. It was on-topic for me, interesting enough to read, consider ... and then pick holes in. Even if you disagree with the report's findings, or have little to no interest whatsoever in the subject matter, it's still worth reading in respect of the manner in which ...

The " 2017 Global Cybersecurity Assurance Report Card " reports on a web-based survey of 700 IT security people from mid to large organizations. The survey was sponsored by Tenable and conducted by CyberEdge.  It makes a reasonable job of measuring concerns and opinions within the narrow constraints of the specific questions posed. For example here's one of the survey questions: The 5 categories of response (1-5) and the 7 listed items (a-g) constitutes a Likert scale , a commonplace opinion survey approach with both strengths (primarily low cost) and weaknesses. In respect of just that question, methodological concerns include: The question stem is a little ambiguous, referring to 5 being "highest" when it presumably means "of greatest concern" or whatever. The 1-5 values are ordinals and do not indicate absolute value or relative proportions. A value of 4 does not literally mean "twice as concerned" as a value of 2.  A value of 1 is not ...

... your favourite hot drink is URL grey tea ... Chewbacca, Ytterbium and Hal are the names of just three of your many servers ... your Myers Briggs Personality Type starts with INT - as in integer ... you know what a Myers Briggs Personality Type is, even without Googling it ... assorted acquaintances and relatives genuinely expect you to be fully expert in whatever quaint technologies are currently giving them problems ... you've had the same PC for well over a decade, with 3 different cases, 4 different PSUs, 5 different motherboards, 6 different CPUs and at least a dozen new hard drives, now all solid state (naturally) ... you welcome the moniker 'geek', whereas other lesser beings may think it perjorative ... you play IT Top Trumps comparing processor architectures and memory bandwidth ... you spot technical errors in TV portrayals of geeks .. you care about stuff that others don't even notice ... friends and family ask you to explain your Christmas wish-list in wo...

A substantially improved version of the security metrics standard ISO/IEC 27004 has just been published. The standard covers "Information security management ― Monitoring, measurement, analysis and evaluation", a direct reference to clause 9.1. of ISO/IEC 27001 ... in other words, it is primarily about the metrics needed to make management decisions about, and systematically improve, an ISO27k-style Information Security Management System. These are the main sections: Rationale - explains the value of measuring stuff  e.g.  to increase accountability and performance; Characteristics - what to measure, monitor, analyze and evaluate, when to do it, and who to do it; Types of measures - performance (efficiency) and effectiveness measures; Processes - how to develop, implement and use metrics. Annex B catalogs 35 metrics examples using a typical metrics definition form. These are not exactly shining demonstrations of the art, in fact some of the examples are of poor quality. I...

ComplianceDictionary.com is an online dictionary of terms defined in various standards, laws, regulations etc ., maintained by UCF, the Unified Compliance Framework . I have a lot of respect for the UCF and have blogged about them before. They systematically collate and analyze a wide variety of laws, regulations and standards, helping clients identify the areas of commonality that equate to both savings and good practice . If a given security control satisfies numerous compliance obligations or expectations, it make business sense to implement it properly, once. It may even qualify as a critical control. Just in case you are wondering, I have no financial interest in UCF and don't earn any commission from them. I do however admit to being envious of the idea underpinning UCF! The Compliance Dictionary is essentially a search engine that spews out both informal and formally-defined explanations for information security-related terms. The first term I entered to check it out gave ...

According to an article in The Register , Gartner has pointed out that 'proportion of IT budget spent on IT security' is not a good metric. One can determine any metric's strengths and weaknesses systematically and objectively using the PRAGMATIC method , so here goes: P redictiveness: at a superficial level of analysis, the budget obviously affects the amount that can be spent on, or invested in, anything, hence there is bound to be some relationship between the money spent and the amount achieved ... but that is not a direct, linear relationship (in practice a somewhat vague correlation I suspect). Organizations with tight budget constraints have to spend more carefully, and naturally focus their efforts on optimizing the value they obtain. Furthermore, many would acknowledge the preponderance of snake oil salesmen in the IT security field, hence spending more might even, in some cases, be counterproductive. Score: 50% R elevance: the metric may be relevant to IT securi...

Friends, Given my profession, I am of course utterly opposed to spam and dedicated to fighting the scourge, which makes it especially annoying when some noxious spammer uses one of my email addresses as the From: address for their nasty spam. I usually discover this when assorted email servers send me error messages along the lines of "Sorry we could not deliver your spam".  Those reflected messages are just the tip of the iceberg, though, since I presume many other poor sods received the spam with my email address at the top.  Some of them probably cursed me. Just in case any of them are reading this, I'd like to confirm that I am most certainly not a spammer.  I share your annoyance but it wasn't my fault!

Privacy, our security awareness topic for December, is a nebulous concept, more complex and involved than perhaps you might have thought if you accept that it includes concerns such as: Compliance , obviously enough. Compliance with privacy or data protection laws and regulations was once described by Gartner as 'exceedingly complex', making it a significant challenge, especially for multinational organizations plus web-based companies and other with customers, suppliers and business contacts around the world. Workers' noncompliance with corporate privacy policies and procedures is another potential nightmare for management (with an obvious  need for awareness - at least it is glaringly obvious to us!), while privacy-related contractual clauses concerning privacy and/or information security are hopefully not just put there to keep the lawyers occupied. Privacy is a substantial concern with professional services (such as outsourced HR or payroll) and cloud-computing services...