Posts

Showing posts from 2017

The start is nigh

With near-perfect timing, we're into the final stages of polishing off January's awareness module on IoT and BYOD security. I say near-perfect because this is the last weekend of 2017 with just over a day remaining until 2018. After a week of chilly and miserable weather, an unseasonal polar blast, I'd rather be out enjoying the fine weather and getting ready for the traditional new year's eve celebrations! The last section of writing took a bit longer than planned, but I'm confident we'll hit the delivery deadline. Updates to the website are in hand and we'll be packaging and sending the materials to subscribers tomorrow, electronically that is. Looking forward, we've selected awareness topics for the first few months of 2018 and written them up on our distinctly low-tech office whiteboard. We deliberately don't plan too far ahead (who knows what will crop up?) but it takes time to research and draft the materials. Having working titles and outline...

Slowly slowly catchee monkey

As the end of month deadline looms, we're close to finishing January's awareness module on IoT and BYOD security. Today I'm working on the awareness seminar slide deck and accompanying briefing paper for the audience group we call 'professionals', blue-collar workers essentially, specialists in IT, risk, security, audit, facilities, control, compliance etc. We dig a bit deeper into the topic for that audience, but not too deep. The overriding awareness objective is to inform, intrigue, motivate and set them talking to their colleagues (other professionals plus the general and management audiences) about and around the topic. Awareness is not training, although there is a grey area and the terms are often confused. Ultimately, we hope the pros will pass on some of their knowledge and enthusiasm for the topic to others, preferably with more than just a casual nod towards the information risk and security aspects. IoT and BYOD are obviously IT-related, so the pro materi...

Inspirational security awareness

Normally in security circles, the word 'exploitation' has the distinctly negative and foreboding connotation of some evil miscreant wantonly attacking and taking advantage of us ... but we'll be using the word in a much more positive sense in the IoT and BYOD security awareness materials for January. The topic presents a golden opportunity to point out that information security mitigates the substantial information risks associated with IoT and BYOD, risks that would otherwise reduce, negate or even reverse the business advantages. It's not entirely plain sailing, though, since the risks are context-dependent. Someone needs to identify and evaluate the risks and the corresponding security controls, in order to determine firstly whether the risks are truly of concern to the organization (they can't be avoided or accepted), and secondly whether the security controls are necessary and justified since there are costs as well as benefits. We've pump-primed the proces...

Government security manual

An updated version of the New Zealand Information Security Manual (NZISM) - in effect the government's information security policy manual, or at least the public non-secret element - was released this month. NZISM is painstakingly maintained and published by the Government Communications Security Bureau (GCSB) - our spooks in other words. It is a substantial tome, well over six hundred A4 pages split across two volumes. Part 1 (365 pages) covers: A brief introduction to the topic and the manual, in the NZ government context; Governance arrangements including overall controls such as accountability and responsibility, and compliance through system certification and accreditation, audits and reviews; Policies, plans, Standard Operating Procedures plus emergency and incident response procedures; Change management; Business continuity and Disaster Recovery management; Physical security; Personnel security (including security awareness); Infrastructure securit...

Auditor independence [LONG]

Over on the ISO27k Forum, we've been discussing one of my favourite topics: auditing, or more precisely the question of auditor independence. How independent should an auditor be? What does that even mean, in this context? SPOILER ALERT: there's rather more to it than reporting lines. My experienced IT auditor friend Anton posted some relevant definitions from ISACA, including this little gem: "Independence of mind: the state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional scepticism." While I agree this is an extremely important factor, I have a slightly different interpretation. 'Independence of mind', to me, is the auditor's mental capacity to examine a situation free of the prejudice or bias that naturally afflicts people who have been in or dealing with or managing or indee...

Sticky ends

Surveys typically show that: Most organizations have some form of BYOD scheme encouraging or permitting workers to use their own laptops, smartphones and tablets for work; and IoT is spreading fast but still has a long way to go before it peaks. We infosec geeks may throw up our hands in horror ... but the facts remain: BYOD and IoT are popular, now. They are here to stay and almost certain to expand. It's too late now for us to bleat on about the information risks and security concerns*. The train has long since left the station. So how should we handle this situation? An obvious approach is to retrospectively identify, assess and treat the information risks as best we can, emphasizing threats such as hackers, malware, theft or loss of information, and inappropriate disclosure, and promoting security controls such as - well, that's where it gets tricky because we have limited options for technical controls, and (despite our best efforts!) security awareness is never going ...

The complexities of simplification

From a worker's perspective, BYOD is 'simply' about being allowed to work on his/her own ICT devices, rather than having to use those owned and provided by the organization. What difference would that make? It's straightforward, isn't it? Good questions! There are numerous differences in fact, some of which have substantial implications for information risk, security and privacy. For example, ownership and control of the device is distinct from ownership and control of the data: so what happens when a worker leaves the organization (resigns or is 'let go'), taking their devices with them? Aside from any corporate data on the devices, they had been permitted access to the corporate network, systems, apps and data. The corporate IT support professionals had been managing the devices, and probably had access to any personal data on them. Lines are blurred. In a similar vein, IoT is more than just allowing assorted things to be accessed through the Internet a...

Distracted

I've been a bit distracted the past day or two by the arrival of a calf called Nellie. Amelia, her mum, had been waddling dejectedly around the paddock for ages, almost as wide as she is tall, complaining about her sore back, craving chocolate olives and practising her breathing exercises. After the heat of recent weeks, the weather has now turned a bit cooler, wet and stormy, which is probably a nice change for Amelia but a bit of a challenge for little Nellie, so we're keeping a close eye on them both. The joys of rural NZ!

IoT & BYOD security policies

Today we've been working on model policies concerning IoT and BYOD security. We offer two distinct types of policy: Formal information security policies explicitly defining the rules, obligations and requirements that must be satisfied, with a strong compliance imperative relating to management's authority. These are the internal corporate equivalent of laws ... although we go to great lengths to make them reasonably succinct (about 3 sides), readable and understandable by everyone, not just lawyers familiar with the archaic and arcane legal lexicon (such as has heretofore in the present clause been ably demonstrated, m'lud). Informal - or at least semi-formal - Acceptable Use Policies that are more advisory and motivational in nature. These compare pragmatic examples of acceptable (in green) against unacceptable (red) uses to illustrate the kinds of situation that workers are likely to understand. They are even more succinct - just a single side of paper. So, we now have...

Things in Santa's sack

What's hot in toyland this Christmas? Way back when I was a kid, shortly after the big bang, it was Meccano and Lego for me. I still value the mechanical skills I learnt way back then. Give me a box of thin metal strips full of holes, a plentiful supply of tiny nuts and bolts, and some knobbly plastic bricks, and I'll build you an extraordinary space station complete with spinning artificial gravity module. Or I might just chew them. Today's toys supplement the child's imagination with the software developers'. There are apps for everything, running on diminutive devices more powerful than those fridge-sized beige boxes I tended for a hundred odd scientists (some very odd) in my first real job. Writing about tech toys in the shops this Christmas, Stuart Miles says: "For many, the days of just building a spaceship out of Lego or playing a game of Monopoly are long gone. Today, kids want interactive tech toys that are powered by an app or that connect to the inte...

Cybersecurity awareness story-telling

Conceptual diagrams ('mind maps') are extremely useful for awareness purposes. This one, for instance, only has about 50 words but expresses a lot more than could be said with ~50 words of conventional prose: Despite it being more than 7 years since I drew that diagram, it immediately makes sense. It still tells a story. Working clockwise from 1 o'clock, it steps through the main wireless networking technologies that were common in 2010, picking out some of the key information security concerns for each of them. It's not hard to guess what I was thinking about. The arrows draw the reader's eye in the specified direction along each path linking together related items. Larger font, bold text and the red highlight the main elements, leading towards and emphasizing "New risks" especially. Sure enough, today we have to contend with a raft of personal, local, mesh, community and wide area networks, in addition to those shown. When the diagram was ...

Santa's elves bearing gifts

Today we went on a tiki-tour of the forest in search of a few pine saplings of just the right size, shape and density to serve as Christmas trees. Naturally, the best ones were in the brambles or on the side of a near vertical slope but, hey, that's all part of the fun. I guess 'Web-enabled remotely-controllable LED Christmas tree lights' are The Thing this year. Ooh, the sheer luxury of being able to program an amazing light show from your mobile phone! So what are the information risks in that scenario? Let's run through a conventional risk analysis. THREATS: Elves meddling with the light show, causing frustration and puzzlement. Pixies making the lights flash at a specific frequency known to trigger epileptic attacks. Naughty pixies intent on infecting mobile phones with malware, taking control of them and stealing information, via the light show app. Hackers using yet-another-insecure-Thing as an entry point into assorted home ... and corporate networks (because, ...

Lurid headlines

Social-Engineer.com's newsletter is a useful source of information about social engineering methods. The latest issue outlines some of the tricks used by phishers to lure their victims initially. "It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is safe to ask why that is the case though, given how much of this email gets caught up in our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering emotional responses from targets using simple and seemingly innocuous messaging to generate any response at all. Some messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker’s choosing can then be sent or the message itself can entice the target to act." That same technique is used by advertisers over the web in the form of...

Word clouds

Today I've been hunting for word-art programs or services. We've been happily using Wordle for a good while now. It has worked well, despite a few minor niggles: It runs in Internet Explorer, but not Chrome; It creates cloud shapes, blobs not distinct shapes; It feeds on word lists, not URLs. There are several alternatives. The hands image above was generated quite simply in WordArt. WordClouds is another option. There are more: Google knows where to find them. I'll be trying them out during December. The combination of words and graphics amuses me, and hopefully catches a few eyes out there too. Catching eyes and imaginations is what we do.

Next topic

Next up on our production conveyor belt is an awareness module on the security aspects of BYOD and IoT. Aside from being topical IT acronyms, both (largely) involve portable ICT devices - wireless-networked self-contained portable electronic gizmos. We've covered BYOD and IoT security before, separately, but it makes sense to put them together for a change of focus. As things steadily proliferate, workers are increasingly likely to want to wear or bring them to work, and carry on using them. The security implications are what we'll be exploring in the next module.

Social engineering module released

We close off the year with a fresh look at social engineering, always a topical issue during the holiday/new-year party season when we let our hair down. Generally speaking, we are less guarded and more vulnerable than usual to some forms of social engineering. The sheer variety of social engineering is one of the key messages in this month’s awareness materials. This module concerns: Social engineering attacks including phishing and spear-phishing, and myriad scams, con-tricks and frauds; The use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineers’ tradecraft; Significant information risks involving blended or multimode attacks and insider threats. The awareness module is designed to appeal to virtually everyone in the organization, regardless of their individual preferences and perspectives. A given individual may not value everything in the module, but hopefully there will be something...

Social engineering module

We've been busier than ever the past week or so, particularly with the awareness materials on social engineering. It is a core topic for security awareness since workers' vigilance is the primary control, hence a lot of effort goes into preparing materials that are interesting, informing, engaging and motivational. It's benign social engineering! The materials are prepared and are in the final stage now, being proofread before being delivered to subscribers later today. This is a bumper module with a wealth of content, most of which is brand new. I blogged previously about the A-to-Z guides on social engineering scams, con-tricks and frauds, methods and techniques, and controls and countermeasures. I'll describe the remainder of the materials soon, once everything is finished and out the door. Meanwhile, I must get on: lots to do!

ISO27k internal audits for small organizations

Figuring out how to organize, resource and conduct internal audits of an ISO/IEC 27001 Information Security Management System can be awkward for small organizations. Independence is the overriding factor in auditing of all forms. For internal auditing, it’s not just a question of who the auditors report to and their freedom to ‘say what needs to be said’ (important though that is), but more fundamentally their mindset, experience and attitude. They need to see things with fresh eyes, pointing out and where necessary challenging management to deal with deep-seated long-term ‘cultural’ issues that are part of the fabric in any established organization. That’s hard if they are part of the day-to-day running of the organization, fully immersed in the culture and (for managers in small organizations especially) partly responsible for the culture being the way it is. We all have our biases and blind spots, our habits and routines: a truly independent view hopefully does not - at le...

A to Z of social engineering controls

I didn't quite finish the A-to-Z on social engineering methods yesterday as planned but that's OK, it's coming along nicely and we're still on track. I found myself dipping back into the A-to-Z on scams, con-tricks and frauds for inspiration or to make little changes, and moving forward to sketch rough notes on the third and final part of our hot new security awareness trilogy: an A-to-Z on the controls and countermeasures against social engineering. Writing that is my main task for today, and all three pieces are now progressing in parallel as a coherent suite. It's no blockbuster but I have a good feeling about this, and encouraging feedback from readers who took me up on my offer of a free copy of the first part. Along the way, a distinctive new style and format has evolved for the A-to-Zs, using big red drop caps to emphasize the first item under each letter of the alphabet. I've created and saved a Word template to make it easier and quicker to write A...

A to Z of social engineering techniques

On a roll from yesterday's A-to-Z catalog of scams, con-tricks and frauds, I'm writing another A-Z today, this time focusing on social engineering techniques and methods. Yesterday's piece was about what they do. Today's is about how they do it. Given my background and the research we've done, it's surprisingly easy to find appropriate entries for most letters of the alphabet, albeit with a bit of creativity and lateral thinking needed for some (e.g. "Xtreme social engineering"!). That's part of the challenge of writing any A to Z listing ... and part of the allure for the reader. What will the Z entry be? As of this moment, I don't actually know but I will come up with zomething! Both awareness pieces impress upon the reader the sheer variety of social engineering, while at the same time the alphabetical sequence provides a logical order to what would otherwise be a confusing jumble of stuff. Making people aware of the breadth and dive...