Sunday 30 April 2017

Email and messaging security awareness materials published


May's awareness materials have been delivered to customers: a ~50 MB zip file of awareness content on email and messaging security.

If you have been following this blog over the past month, you'll have a good idea about what's in the new module.

I make no bones about it: this is an extremely important topic for all security awareness programs. Given the prevalence and impact of issues such as phishing, malware and privacy breaches, any organization that foolishly ignores the risks and leaves its employees to flounder in the dark deserves what it gets!

Home straight

As today is the last day of April, we've been running flat out in top gear all week to complete May's awareness materials on email and messaging security before our self-imposed delivery deadline. There is just one more paper to prepare today while the proofreading is in progress, then we'll package and deliver the materials before taking a breather.

The final paper to cross the line this month will be a management-level awareness piece about security metrics for email and messaging. 

It should take two or three hours to prepare, on the basis that I write at about one A4 page per hour on average. If that sounds slow, my excuse is that a lot of thinking and creative effort goes into each piece: I'm not just typing frantically - far from it. The shortest, most succinct and high level awareness items often seem to take the longest to prepare, especially the ones with diagrams and figures.

The starting point for all our materials is a template, an MS Word template in this case with a little boilerplate text, page header and footer, the section headings and two tables in which to develop and describe the metrics. 
A quick search-and-replace is all it takes to drop 'email and messaging security' in place of the template's 5 'title' placeholders, and we're off and running.

There's a handy set of Word styles in the template too which I find invaluable in practice: using styles, it's easy to make the document look professional and polished. The fonts, font size, margins, page headers and footers etc. are consistent, both within each document and across the entire module. If for some reason I feel the need to adjust the spacing (e.g. to squeeze an extra line onto a page), I update the style's settings to have it instantly applied to all the text using that particular style.

The really nice thing about styles is that customers can just as easily adopt their own corporate look-and-feel. Changing the main text from 12 point Calibri to, say, 11 point Arial or 12 point Times New Roman, and making the headings 20 point italics instead of 16 point bold simply involves modifying or replacing the styles accordingly. It's a small but important part of making the awareness materials 'theirs'. 

We actively encourage customers to replace our logo with their own, whether a corporate logo or one specifically for information security. The idea is both to brand and bind all the awareness materials as a coherent set, and to link them to the organization, specifically, rather than being some generic product. Simple customization (such as mentioning relevant corporate functions, policies etc.) is straightforward too, so the awareness content that eventually goes out to their employees appears to have been prepared in-house by their information security people. It should resonate with the audiences better than some anonymous newsletter or sterile infographic.

Our templates and styles have evolved over the years that we've been doing this stuff. We've invested time into getting them right, with a payoff every time we use them. I noticed yesterday that cutting-and-pasting slides between, say, the staff and management PowerPoint presentations doesn't always go smoothly: for some reason, the pasted-in slide titles and numbers don't consistently pick up the destination styles correctly. When I get the chance, I need to investigate the reasons and sort that out.

That's it for now though. The metrics template awaits. How would you measure email and messaging risks and security?

Saturday 29 April 2017

Awareness posters

Yesterday we almost completed the general employee materials aimed at workers in general. 

Six fantastic new awareness posters are in from the art department. Despite having come up with the brief so we had more than just an inkling of what to expect, I laughed out loud at the artists' creative interpretations of the concepts. Once again they have brought a spark of life, humor and visual impact to our dull words. Having developed a strong working relationship with our graphics people over several years, it's still getting better month-by-month. It's a pleasure to collaborate, each of us contributing our respective expertise and complementary skills to generate high quality products. Thanks to effective teamwork, the total is greater than the sum of the parts. 

That said, I've mentioned before that posters and the dreaded infographics are only part of the awareness collateral. About 20+ years ago, to a lot of organizations, awareness programs were posters and vice versa - not just on IT and information security, but also health and safety and other topics. 

In World War II, the British Ministry of Information and its US counterpart used posters effectively to spread the word, using simple, direct, vaguely amusing language ("Careless talk costs lives", "Loose lips sink ships") and striking poster art in the flat, bold style later associated with Andy Warhol. That was literally the state of the art, some seven decades ago. These days, we rarely use posters in isolation for awareness purposes: we have progressed to 'campaigns', communicating messages through multiple media and mechanisms in parallel.

Advertising and public safety can teach us a lot in security awareness. A neat example that springs to mind is the New Zealand government-backed "Get ready, get through" national safety awareness campaign concerning earthquakes, eruptions and tsunamis, real and present dangers for Kiwis. 

The campaign makes use of TV, newspapers, radio, posters, leaflets, social media, face-to-face instruction (e.g. training for Civil Defense staff and volunteers plus lessons for schoolkids) and broader experiential learning in the form of public exercises - an integrated approach involving coordination between public services, local councils, broadcasters, Civil Defense and more. 

Posters alone won't cut it, but they are integral parts. This is true multimedia - not just video+sound. Our resilience and readiness to cope with natural disasters is so important that we, the people of New Zealand, invest (heavily!) in a comprehensive and ongoing educational approach.

Is information security important enough for your organization to invest (lightly, very lightly!) in a comprehensive and ongoing multimedia educational approach, or do you still think the odd dog-eared and tacky poster or infographic will suffice?

Friday 28 April 2017

The security awareness cascade

Awareness and training in general are successful if they change people's attitudes and decisions sufficiently to change their behaviours. Getting them to do things differently (not just 'be aware' in some vague sense) is the aim, the bit that pays off. In the case of information security awareness, if successful it leads to people behaving more securely - stopping or avoiding insecure things, and starting or doing more secure things. Not falling for phishing attacks is a topical example, just one of many. 

Knowing how to spot, avoid and minimize incidents is only part of it. Actually doing so is what generates benefits, as phishing incidents fall in number and severity. Workers diligently reporting incidents and especially near misses is a strong indication of a mature level of awareness, with still more benefits for the organization.

We think of security awareness as a process - a cascade or logical sequence of several discrete stages rather than a single nebulous whole:
  1. First we inform workers about stuff, providing information in forms they can assimilate and relate to. Years ago, informative posters were generally thought to be the way to 'do' security awareness. Today's equivalent, for some at least, is 'infographics': both suffer the same constraints. The information alone achieves little without the remaining stages. It is necessary but not sufficient.

    [By the way, planning and preparing the awareness program, deciding what that 'stuff' is, who 'workers' are, how we are going to reach them etc., and managing the program is a parallel activity that starts before stage 1.]

  2. Next we pique their interest, catch their attention and get them to focus on various aspects of information risk and security, for a fleeting moment at least. Workers are busy with their day jobs - we know that and we have to be realistic in our expectations. They are also individuals with individual preferences and needs, in unique personal circumstances, facing situations, challenges and opportunities that are both different to other people's and often dynamic. The personal interaction that happens through facilitated presentations, seminars, workshops, webinars, training courses, quizzes, discussion groups etc. helps lift the information off those static posters, policies and briefings, and resonate with the audiences ... leading naturally in to the next stage ...

  3. So long as we have their attention, we have the opportunity to persuade and hopefully convince them that there is something they need to do. In Kurt Lewin's classic change model, this is the "unfreeze" step, freeing things up so that change can occur. Crucially, this involves motivating workers, providing the impetus for change. Whereas stage 1 was fact-based, stage 3 aims to elicit an emotional or visceral response. This is probably the hardest and longest challenge in the whole sequence, especially for the rational thinkers among us (as many of us are in IT, information security and security awareness). Workers (human beings!) can't be reprogrammed like robots. We have preconceptions, biases, prejudices, desires, habits and constraints. We have other things on our plates, at home and at work. Some of us resent being told to do anything, and may passively or actively resist (especially if we feel the pressure is inappropriate, excessive or not in our interest). Most of us need a little time and breathing space to consider and internalize things, perhaps chatting them through with others and 'learning by doing'. The surrounding context is important too, for example if our peers and other colleagues are generally supportive and encouraging, we are more willing to go with the flow than if the atmosphere is generally cynical or negative towards information security and the awareness program. In other words, culture has a strong influence, at all levels from national to corporate to team/group/office cultures.

  4. Provided the preceding stages went to plan and were effective, change for the better occurs here. We stop ourselves clicking dodgy links, sending sensitive messages or firing off angry, inappropriate emails. We start noticing and reacting appropriately to actual and potential threats. We report incidents and near misses. We assist, support and encourage our peers in the same vein, further improving the culture (we hope!). The primary business benefits of security awareness are generated in this stage. The organization becomes more secure, reducing costs and exploiting valuable business opportunities that would otherwise be too risky. We mature.

  5. Through compliance activities, we lock in ("re-freeze") beneficial behaviors and generally keep things moving along in the right direction. I've blogged before about the value of reinforcing desired behaviors by encouraging and rewarding workers who do the right thing, complementing the more usual compliance approach of enforcement by penalizing undesirable behaviors. Either way, it is necessary for someone to notice and react to the behaviors (good or bad), an area where good metrics excel. Tests, audits, post-incident reviews and so on are all very well, but the broader cultural aspect comes into play here too. When was the last time you thanked a security guard for doing their job, called the Help Desk back to show your appreciation for assistance in your time of need, congratulated a colleague on reacting to a stray visitor, or spread the good news about a crisis averted? It's not simply a matter of being friendly, polite and considerate: positive communication between people further enhances the culture, security gradually becoming the norm not the exception, "just the way we do things around here".

  6. The frozen state may not last long before it's time to focus on another issue (the next month's security awareness topic in our case) - lather, rinse, repeat.

Thursday 27 April 2017

The security awareness plate-spinning extravaganza

The awareness module on 'email and messaging security' is coming along nicely, with just 4 days until our usual end-of-month delivery deadline.

We could easily consume at least another month refining the materials, getting further into some of the technical issues and digging up more news, security controls and related issues to discuss ... but in the end we'd still only have a single awareness module on a particular topic, focusing on a small part of the information risk landscape. It's better to complete and deliver what we have, then turn the awareness spotlight to illuminate a different part of the landscape next month.

Yesterday I read "Be Compromise Ready: Go Back to the Basics - 2017 Data Security Incident Response Report", a glossy survey report by BakerHostetler that started out strongly by acknowledging the value of employees as part of an organization's cyberdefense:
"Employees are often cited as a company’s greatest asset. In the cybersecurity arena, they can also be a liability. While these numbers reinforce the ongoing need to focus on effective employee awareness and training, they also show that a defense-in-depth approach is necessary because even the best trained employees can make mistakes or be tricked." 
Unfortunately, the report went on to "recommend both new hires and current employees receive annual training regarding the dangers of phishing emails": how would you interpret that? I suspect many readers would take it at face value, coming away with the idea that training employees (staff, I guess) once a year on phishing is both necessary (I agree - it is a real and present danger) and sufficient (I strongly disagree).

On the 'defense in depth' point, for instance, do they honestly expect the IT, HR, risk, security and compliance people to appreciate and fulfil their roles in adding, strengthening and maintaining the layers of protection? How and why, when they have so many other things to do? And are management expected to 'just know' the value of information security in enabling the achievement of business objectives, having picked that up through some diffuse/obscure educational process? No wonder so many information security pros complain about lack of management support and funding. Evidently either it doesn't even occur to them to inform and persuade management, or they don't put nearly enough effort into management-level security awareness.

As to the idea that "annual training" is enough to teach people anything important, well that's plain crazy. Imagine if road speed limits were scrawled on bits of paper or cardboard, displayed along the roads once a year then left to rot. Imagine if everyone was required to attend a once-a-year stern lecture on the "Dangers of smoking", with no further warnings or education. 

And what about all the other cybersecurity incidents and controls identified in the report besides phishing, let alone those not even mentioned (important stuff such as risk management, ethics and accountability)? It would have been more helpful if the report acknowledged that phishing is AN awareness topic, not (as strongly implied) THE ONLY THING worth covering.

With over 60 information security topics in our awareness portfolio already, we're busily spinning plates on sticks, hoping none of them fall. As if the show isn't dramatic enough already, we're spinning up new plates from time to time ... such as a brand new module on 'cybersecurity' to come in 3 months' time. 

Although it isn't even vaguely mentioned as a possible security awareness topic, the BakerHostetler survey report does mention cyber insurance, dispensing a few bullets of basic advice (see page 17). Having just started to research the topic in preparation for designing and preparing another awareness module for delivery in August, it's already clear that there's much more to say. We've picked up the stick and plate, and soon we'll set it a-spinnin'. But first, the email and messaging security plate is not quite up to speed and several others are wobbling alarmingly!

Wednesday 26 April 2017

Catering for multiple audiences
We've used the professionals' seminar as a donor to kick-start the staff and management seminars. Copying seminar slides into new templates and fiddling around with the layout and formatting is the easy bit: adapting the presentations to suit the different audiences takes a bit more thought.

Most managers are unlikely to have an interest in the technical details of email encryption, for instance, but they ought to appreciate that there are options in that regard, each having pros and cons for the organization. We need to give them just enough context and background to be able to take this up with their IT, risk and information security professionals - some questions to pose, perhaps, as well as a basic grounding in the concepts and terminology to facilitate meaningful communications. The awareness module will also contain management briefings, a sample policy and a paper on email and messaging security metrics, encouraging managers to contemplate the strategic, governance, compliance and other business aspects. 

Managers also, of course, make good use of email and other business comms, which means they are users as well as managers of the associated technologies ... hence they need to be aware of the information risks and use the security controls themselves. Despite the title, awareness materials in the 'staff' stream are, in fact, aimed at all workers, not just staff, not even just employees: contractors, consultants, temps and others may well be using the organization's email, phone and other messaging systems routinely, and everyone has some level of access to corporate information, perhaps personal info too. We might have named it the 'users' stream, except that the term is strongly linked to IT (and drugs!) whereas information security is relevant to IT and non-IT users alike. Not everyone uses email or phones, but we all communicate.

Meanwhile, we have a little communications issue of our own. What are we going to call this awareness module? The working title "email and inter-personal messaging security" is unwieldy and a bit formal. "Helping people communicate securely" is more accessible but still not quite right.  Hmmmmmm.

Tuesday 25 April 2017

Getting back on track

After a busy week away at the ISO27k meeting, I'm catching up with the day-job, working flat out to complete the email security awareness module by the end of this month.

Yesterday, the professionals' seminar slide deck came together nicely:

It's not quite finished yet but the 'story' behind/linking the slides is taking shape.

We've incorporated a mixture of graphic images, diagrams and recent press clippings to illustrate and enhance the content. Notice the near absence of bullet points, avoiding 'death by PowerPoint'. There are a few paragraphs of text quoted in the press clippings (which, we believe, are relevant, topical, interesting and worth it) but most slides use striking visual imagery and strong colors. The idea is for a seminar leader, presenter or facilitator to explain and talk about each slide, conversing and interacting with the audience, where appropriate expanding on the literal content of the slides, interpreting things in the particular context of the organization, the audience and the individuals present, perhaps going off-script to pick up on specific matters of concern and interest. 

If we simply wrote out a bunch of bullet points or paragraphs, there would be a tendency for presenters to read them out word-by-word, a very tedious and boring approach for all concerned. Worse still, it would be harder for them to ad lib, for instance picking up on corporate strategies and policies, current incidents, applicable laws and regulations etc.

Someone (who shall remain nameless) actually did that at the ISO27k meeting last week. He read out the entire contents of several wordy slides, verbatim, distracting us from reading and contemplating the content ourselves and so, in a sense, detracting from the value of the slides. We would have been better off without the presenter! To give him his due, it was a formal meeting and I strongly suspect he was asked to present someone else's unfamiliar content. He did seem uncomfortable in that position, a shame given his presence, expertise and ability to project quite strongly. Personally, I got far more value from the nature of the presentation than from the content.

Anyway, the slides above illustrate a distinctly different approach. The scope diagram, risk graphics and mind map, for instance, are meant to intrigue as well as inform the audience. The 'speaker notes' accompanying each slide (not shown here) pick out the key points that we hope the presenter will emphasize, preferably NOT by literally reading out the speaker notes verbatim! We want everyone to contemplate the meaning for themselves: in so doing, they will internalize the key messages, reconsider/adjust their perspectives and ultimately behave more securely, which is of course the ultimate aim of security awareness. 

If the awareness approach has no impact - if the materials and activities don't improve workers' decisions and behaviors, we might as well not bother. To put that another way, lame (as in inept, inappropriate, ineffective, boring ...) security awareness and training approaches destroy value.  This is why some people say awareness doesn't work. They're doing it wrong!

To be fair, it takes a lot of effort to design and develop good seminar materials, to find, incorporate and reference those press clippings, prepare the risk graphics and mind maps etc., and most importantly clarify the 'story' and the messages we want to express. We've had lots of practice, producing at least 3 awareness slide decks per month for many years and presenting frequently at conferences and courses ... and also (as noted above) attending and critiquing presentations by others. Aside from the conferences and courses we have attended as punters, we have given and received numerous management and group presentations (e.g. audit reports, board presentations, phone meetings and video conferences), webinars and sales pitches over the years, and we've read the odd website, article and book concerning presentation and communications techniques. We observe TV and radio presenters doing their thing, thinking about their differing approaches and styles. We are still learning and improving, all the time discovering new techniques to explore and adopt as well as those to avoid like the plague. We're continually investing not just in the product but also the production methods, approaches and tools, not least our own competencies and skills. Genuine, honest, especially constructive feedback from others (yes, you!) is gold dust for us.

Hopefully you are getting useful hints and ideas from this blog. Thank you for taking the time to read this. I hope I've made you think. Anything you'd like to add? Comments are open ... over to you ...

Saturday 22 April 2017

ISO27k meeting report

A plenary concluded the main business of the ISO/IEC JTC 1/SC 27 WG1 meeting in Hamilton, NZ.  This was a formal session to vote on and record decisions and progress made during the week, including deadlines for the next tranche of work.

The next SC 27 meeting will be in Berlin at the end of October 2017, then Wuhan in China in April 2018.

The main resolutions from this meeting were:
  • A minor revision will update ISO/IEC 27000:2016 to reflect the recent publication of 27002, 27004 and 27011.
  • Governmental/regulatory use of 27001 will become Standing Document 7 and will be maintained for internal committee use.
  • 27002 revision project will generate two versions of the standard demonstrating alternative structures for commenting at the next stage.
  • 27005 will produce a revised design specification for the revision work, plus a corrigendum for the current standard.
  • 27007 will produce revised text for FDIS, requesting a project extension to complete this.
  • 27008 will produce revised text for a DTS.
  • 27009 will be revised early rather than issuing a corrigendum, and the accompanying 'use cases' will become a SD.
  • 27014 SP on information security governance will generate a NWIP to revise the standard, with an outline document.
  • 27019 will produce revised text for FDIS.
  • 27021 on ISMS professionals' competencies will also go to FDIS (despite four disapprovals, indicating concerns with this standard).
  • 27102 on cybersecurity insurance will produce a first working draft next.
  • Cybersecurity frameworks and cybersecurity resilience work will be combined initially into an SD which will then become a PDTR.
  • Risk Handling Library will produce a Standing Document.
  • Terminology Working Group will hold a Webex meeting to discuss definitions, and is developing conceptual maps.
  • Several liaison statements will be produced to inform and align WG1's work with various other committees and bodies.

ISO/IEC 27003 ISMS implementation guide published

ISO/IEC 27003:2017 has been published.  This is a fully revised version of the Information Security Management System (ISMS) implementation guide, originally published in 2010.

The new version is a significant improvement on the 2010 version.  It follows the structure of ISO/IEC 27001, providing pragmatic advice section-by-section on how to satisfy the requirements. I'm happy to recommend it.

The following core ISO27k standards are a sound basis on which to design and implement a management system to manage information risks (for historical reasons, termed "information security risks" or "cybersecurity risks" in the standards):
Unfortunately, ISO/IEC 27005 on information risk management is out-of-line with the set. A revised version of '27005 is not expected to surface for at least a couple of years. Meanwhile, '27003 gives useful advice in this area, while ISO 31000:2009 (a well respected de facto risk management standard) is readily applied to information risks. There are several other information risk management standards, methods and approaches as well, all of which have their advantages and disadvantages: if your organization is already familiar with and using some other approach to risk management, it can probably be applied directly or adapted to suit information risk management.

For more information on the ISO27k standards, ISMS implementation, information risk management and so forth, please browse the ISO27k FAQ. If you are active in this area, you are very welcome to join the 3,500-strong ISO27k Forum. Although it is not 'official' ISO information, it is FREE.

Friday 21 April 2017

ISO27k meeting progress report

ISO/IEC TR 27019 concerns Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry. 27019 identifies information security controls that are either specific to the energy utilities, or are critical in that domain and perhaps need to be bolstered.

The 2013 standard is currently being revised and will be published as a full International Standard, possibly later this year. There are some formatting issues to resolve with ITTF but the content is stable enough to move forward to FDIS.

The SC27 project on cybersecurity insurance is developing a standard explaining cyberinsurance concepts to information security professionals, and cybersecurity concepts to insurance professionals, forming a common basis for specifying, discussing and adopting cyberinsurance. The Study Period has developed a solid donor document with plenty of meaty content.

The SC27 Study Period on Risk Handling Library (RHL) resolved to develop and then maintain an SC27 Standing Document that references ISO27k and other standards that concern or mention information security risk. The next step is to call for contributions to help flesh out the initial SD.

A minor revision of ISO/IEC 27000 may be required as a result of publishing 27003, 27004 and 27011.

The SC27 Terminology Working Group resolved to develop a new approach to the management of terminology, using 'concept maps' (similar in style to mind maps) as a way to clarify and distinguish terms and their relationships. A half-day workshop is proposed, possibly for the next SC27 meeting in Berlin in October.

The SC27 Annex SL special working group is preparing to respond to possible changes pushed by JTCG concerning the common/boilerplate text for all the ISO management systems standards. JTCG will be circulating a questionnaire to national standards bodies concerning the possible changes.

A cybersecurity standard will initially become an SC27 Standing Document 27103 that may then go forward as PDTR 27103.

Tomorrow's plenary session will include formal voting on these projects and activities. This evening, though, we are visiting Hobbiton for a tour and gala dinner.

Thursday 20 April 2017

ISO/IEC 27005 and 27014 revisions

The study period researching the possibility of revising ISO/IEC 27005 on 'information security risk' has resolved to limit the scope of the revised standard primarily to supporting and expanding on sections 6 and 8 of ISO/IEC 27001:2013, with some consideration of other standards including ISO 31000.

An outline/skeleton document structure has been developed as part of the design specification, although it is hard even to assess it without the corresponding content. It is likely to change as the project proceeds. It was agreed to request a further 6 months to prepare a more complete draft standard before proposing a new work item.

The study period considering the revision of ISO/IEC 27014 is proposing various improvements to make the standard more generally applicable and useful. 

Wednesday 19 April 2017

SC27 interim sit-rep

27001 ISMS for government use - comments agreed, Standing Document to be produced.

27001 ISMS defect concerning 'risks and opportunities' should have covered risks to the ISMS, not to information security. Issue was slopey-shouldered to the 27005 revision project (then promptly rejected by them!). Decision to defer this to the next planned revision of this standard.  

27002 security controls revision SP - challenging meeting. Plan to develop 2 versions of a template standard: (1) with the controls laid out in the front part in 4 categories with various 'views' of the controls appended according to the attributes; (2) with the views up front and the controls laid out in a catalogue as an annex. SP to be extended another 6 months, giving time for expert comments. [Meeting ongoing]

27005 information security risks - challenging meeting and robust discussion. 27005 scope changed again to support 27001 clauses on 'Risks and opportunities' plus 'risk assessment and treatment' only (not the rest of information risk management). [Meeting ongoing]

27007 ISMS auditing - all comments resolved.  Standard to go to FDIS next, plus a justification to extend the deadline by 6 months to allow finalization.

27008 technical auditing - comments resolved, some issues to be held over to next revision. All agreed.

27009 use cases SP - comments agreed, except for a problem with clause numbering using letters (falls foul of the ISO Directives). Plan to issue an SD, not an IS.

27011 telecomms security - simple defect reported, one subsection title to be corrected from 'Classification guideline' to 'Classification of information' to align with 27002.

27015 ISMS for financial services - 91% approval to withdraw, so that's it really.

27021 infosec management competencies - comments resolved, moves towards completion. All bar 1 vote turned to yes, hopefully will move to FDIS next. 

Cyber security/resilience - a robust discussion. Agreed to merge SPs and continue another 6 months as cybersecurity SP. New Call For Contributions to be prepared soon.

IEC liaison - waiting for/working on liaison statements. Published standard 62443-2-4 covers certification for IACS solution providers. 62443-2-1 is being revised, but alignment with ISO/IEC 27001 is problematic. It can still provide a useful catalogue of controls for a 27001 ISMS.

STRATUS project: NZ government+industry funded research project on cloud security, in conjunction with CSF and others. Research aims include data provenance, data protection, situational awareness and business continuity. See stratus.org.nz for more info. STRATUS wants to engage with, use and support SC27 activities through a 'category A' liaison.

ISO/IEC 27002 revision

It should be obvious from my previous comments here on this blog, on www.ISO27001security.com and on the ISO27k Forum, that the last revision of ISO/IEC 27002 was less than satisfactory in my jaundiced opinion. When released in 2013, the standard was already out of date (e.g. it pretty much ignores cloud computing, BYOD and IoT - all topical issues that were emerging at the time the standard was being revised) and had some serious flaws (e.g. in the garbled continuity section). What may not be quite so clear is that the team responsible for the revision is a top-rate international group of experts in the field - experienced, intelligent, committed professionals.

It wasn't the team that let it down so much as the tortuous revision process we had to follow.

The next revision of 27002 could easily go down the same muddy path, but there's hope now for a different approach. A major stumbling block to date has been the structure of 27002, derived from the original donor security policy that became first BS 7799, then ISO/IEC 17799, then 27002. Things have moved on some way since the 1970s and 80s! It's high time to update the structure. The crucial question we are tackling right now is how to update it.

Yesterday we considered and discussed seven proposed structures, plus an eighth straw-man option (i.e. no structure is perfect so we could forget about the structure to concentrate solely on the content). The favoured option, currently, is two-fold: 
  1. The standard could be structured into the following 'themes' (categories or types of control): organizational security; behavioural security; technical security; physical security; and third party security. Most information security controls would fit quite naturally and easily into one or other of those categories (or 'themes'), leaving relatively few ambiguous or complex controls to be allocated arbitrarily between them (or simplified and perhaps split up). Few if any controls would be orphaned, being out of place in all those options. The explicit names for the categories are not cast in stone but the structure works better than the other options considered so far ... 

  2. ... while those other structural options could be taken into account anyway in the form of 'attributes' or 'tags' for the same controls e.g. aside from where they are placed in the main structure, we could also tag the controls as preventive/detective/corrective, confidentiality/integrity/availability etc., reflecting the other classifications or structures considered.
If this proposal is agreed, the work to define, classify and tag the security controls can start as soon as the revision project is approved. Admittedly, there may still be disagreements about the classification and tagging, but hopefully most of the discussion will be more productive in connection with the controls themselves - what they are and how they are described - rather than where they should sit in the standard.

Offsetting the advantages, there would be additional work in this approach including:
  • Carefully defining the criteria or rules for classification and tagging
  • Classifying and tagging the existing controls 
  • Reviewing and revising the existing controls
  • Retiring controls that are no longer applicable
  • Adding new controls in areas that are weak
  • Addressing any anomalies, gaps and duplicates
  • Dealing with controls that are already documented adequately in other ISO27k and non-ISO27k standards (e.g. ISO/IEC 27001, 27003, 27004, 27005, ISO 22301 etc.)
  • Generating one or more appendices (possibly just a table) with the controls grouped by or referencing their respective tags 
  • Mapping the controls from ISO/IEC 27002:2015 to the new structure, so current users can migrate more easily
  • Coordinating and leading the overall effort to ensure that the end product is user-friendly, comprehensive, accurate, valuable, up-to-date, maintainable, fit for purpose and on time.  That's a tough job, whatever approach is taken!
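To make the 'themes plus attributes' idea concrete, here is an added example (my own illustration, not code from the blog post or from any SC 27 draft). It models a small control catalogue in which each control sits in exactly one theme and carries attribute tags, generates the alternative 'views' (appendix tables) from the tags, and runs the kind of checks the work list above implies: classification rules enforced, orphaned controls and duplicates flagged, and legacy control identifiers checked for a mapping into the new structure. The theme names come from the proposal; the controls, tag vocabularies and 'old-N' legacy identifiers are constructed placeholders, not ISO/IEC 27002 content.

```python
"""Tagged control catalogue: one theme per control, attribute views generated.

Added example, not part of the blog post or of ISO/IEC 27002. Themes are
those named in the proposal; the controls, tag vocabularies and legacy
identifiers ('old-N') are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Themes from the proposal (the post notes the names are not cast in stone).
THEMES = {"organizational", "behavioural", "technical", "physical", "third party"}

# Allowed tag vocabularies: the explicit 'rules for classification and tagging'.
TAG_VOCAB = {
    "type": {"preventive", "detective", "corrective"},
    "property": {"confidentiality", "integrity", "availability"},
}


@dataclass
class Control:
    ident: str
    name: str
    theme: str
    tags: dict = field(default_factory=dict)        # attribute -> set of values
    legacy_refs: set = field(default_factory=set)   # old control ids mapped here


def validate(catalogue):
    """Return anomalies: orphaned themes, unknown tags/values, duplicate names."""
    problems = []
    seen_names = defaultdict(list)
    for c in catalogue:
        if c.theme not in THEMES:
            problems.append(f"{c.ident}: orphaned, theme {c.theme!r} not defined")
        for attr, values in c.tags.items():
            if attr not in TAG_VOCAB:
                problems.append(f"{c.ident}: unknown attribute {attr!r}")
                continue
            for v in sorted(values - TAG_VOCAB[attr]):
                problems.append(f"{c.ident}: value {v!r} not allowed for {attr}")
        seen_names[c.name.lower()].append(c.ident)
    for name, ids in seen_names.items():
        if len(ids) > 1:
            problems.append(f"duplicate control {name!r}: {', '.join(ids)}")
    return problems


def view_by(catalogue, attr):
    """Group control ids by one tag attribute: an appendix 'view' of the catalogue."""
    view = defaultdict(list)
    for c in catalogue:
        for v in sorted(c.tags.get(attr, ())):
            view[v].append(c.ident)
    return dict(view)


def unmapped_legacy(catalogue, legacy_ids):
    """Old-structure control ids that no new control claims (migration gaps)."""
    mapped = set().union(*(c.legacy_refs for c in catalogue))
    return sorted(set(legacy_ids) - mapped)


# Constructed sample catalogue (placeholder ids and names).
CATALOGUE = [
    Control("ORG-1", "Security policy", "organizational",
            {"type": {"preventive"},
             "property": {"confidentiality", "integrity", "availability"}},
            {"old-1", "old-2"}),
    Control("BEH-1", "Security awareness", "behavioural",
            {"type": {"preventive"},
             "property": {"confidentiality", "integrity", "availability"}},
            {"old-3"}),
    Control("TEC-1", "Event logging", "technical",
            {"type": {"detective"}, "property": {"integrity", "availability"}},
            {"old-4"}),
    Control("TEC-2", "Backup", "technical",
            {"type": {"corrective"}, "property": {"availability"}},
            {"old-5"}),
    Control("3RD-1", "Supplier agreements", "third party",
            {"type": {"preventive"}, "property": {"confidentiality"}},
            {"old-6"}),
    # Deliberate anomalies for the validator to catch:
    Control("PHY-1", "Secure areas", "physical",
            {"type": {"preventative"}}),            # value outside the vocabulary
    Control("TEC-3", "Backup", "tehnical",          # duplicate name, misspelt theme
            {"type": {"corrective"}}),
]

LEGACY_IDS = ["old-1", "old-2", "old-3", "old-4", "old-5", "old-6", "old-7"]

if __name__ == "__main__":
    for p in validate(CATALOGUE):
        print("ANOMALY:", p)
    print("by type:", view_by(CATALOGUE, "type"))
    print("by property:", view_by(CATALOGUE, "property"))
    print("unmapped legacy ids:", unmapped_legacy(CATALOGUE, LEGACY_IDS))
```

Run as a script it lists three anomalies (the misspelt tag value, the misspelt theme and the duplicate 'Backup'), prints the preventive/detective/corrective and C/I/A views, and reports 'old-7' as a legacy control with no home in the new structure.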

ISO/IEC 27008 is close to being finalized. The standard concerns auditing or reviewing/assessing "technical" controls, a subset of all information security controls - fair enough. There is a remaining issue to align and reformat an annex on auditing cloud services with the rest of the document, possibly in the form of a worked example illustrating the audit/review approach described in the main body of the standard.

Tuesday 18 April 2017

ISO27k meeting

The ISO/IEC JTC 1/SC 27 meeting is under way in Hamilton. After a stormy couple of weeks in NZ, the weather is fine and sunny so hopefully delegates will have some time to see the country after the meeting.

Work on the ISO/IEC 27000-series information security management standards ("ISO27k") this week includes:

27000 (glossary & intro) - terminology working group to review process for maintaining terms

27001 - its use in governments and regulators is going well, may become a SD as it demonstrates the value of 27001

27002 - structure & future to be discussed in depth this week, particularly the ~5-10 themes (chapters or sections of the standard, the logical sequence, classes of control) and control attributes (tags, categories) that may form the basis of a revised, smaller, more usable 27002

27005 - reported defect to be discussed and resolved; revision project to be discussed too

27007 - comments to be discussed and resolved this week: should go to DIS stage after the meeting. 

27008 - comments to be discussed and resolved this week: should go to DIS stage after the meeting.

27009 - reported defect to be discussed and resolved; use cases to be discussed

27011 - technical defect to be discussed

27015 - withdrawal to be discussed

27019  - comments to be discussed and resolved this week: should go to DIS stage after the meeting

27021 - comments to be discussed and resolved this week: should go to DIS stage after the meeting

27102? - cyber insurance SP, likely to go ahead to IS

Other cybersecurity stuff - may be combined

I'll be providing updates during the week as I attend various meetings and talk to other delegates.

Monday 17 April 2017

ISO/IEC JTC 1/SC 27 meeting

Today I'm off to the University of Waikato in Hamilton for the SC 27 meeting. 

I'm planning to catch up with developments on most if not all of the ISO27k standards, in particular:
  • ISO/IEC 27000 - is this going to be dropped in favour of an online glossary? What happened to the definitions for 'information asset', 'information risk' and 'cyber'? 
  • ISO/IEC 27001 - how did the boilerplate section on 'risk & opportunity' get hijacked as information risk?
  • ISO/IEC 27002 - how is the idea of tagging the controls going to work out? Is that just another recipe for interminable 
  • ISO/IEC 27003 - new version due soon, all done?
  • ISO/IEC 27005 - any chance of this being updated and published soon/ever? And if it is fast-tracked, where next - 'information risk management' maybe?
  • ISO/IEC 27007 - new version due soon, all done?
  • ISO/IEC TR 27008 - new version nearing completion, ready to finalise?
  • ISO/IEC 27017, 27018, 27036 and others - where are we with cloud security standards?
  • ISO/IEC 27021 - is the competency framework well thought out? How will this drive the ISO27k training & qualifications?
  • ISO/IEC 27031 - where does this stand in relation to ISO 22301?
  • ISO/IEC 27034 - is application security getting there?
  • IoT and IIoT security - what's happening?
There are some general issues I'm hoping to chat about too, such as:
  • High level, generic information risk and security principles or axioms as a unifying theme and structural framework
  • SC 27 project governance e.g. requiring all NWIPs to be accompanied by reasonably complete WD1 drafts of proposed standards or be canned; perhaps splitting 27002 into static and dynamic parts, or reducing it to a controls overview standard supported by as many detailed controls standards (i.e. the remainder of the ISO27k suite plus others) as necessary
  • Non-technical, non-IT, non-cyber information, information risks and information security controls, the meaning of 'cyber', and revisiting the scope and purpose of SC 27
  • Explicitly describing the information risks addressed by each of the ISO27k standards
  • Collaborative working practices, filling-in the gaps between SC 27 meetings with discussion and joint development, making the committee more responsive to surging market demands
  • ISO27k marketing e.g. reducing the price of the core standards for a trial promotional period; bulk pricing for sets of standards; advertising; branding; sales and certification figures
  • NZ and Australia shadow committees & collaboration
Most importantly, I'm really looking forward to socialising with committee members from around the world, welcoming them to NZ, renewing old friendships and establishing new ones. About 400 delegates are expected to attend, a massive challenge for someone as shy and retiring as me!

I'll be blogging from Hamilton this week as time permits.

Sunday 16 April 2017

CERT insider threat guide

The fifth edition of the Common Sense Guide to Mitigating Insider Threats was published at the end of 2016 by the CERT Insider Threat Center. As we've come to expect from CMU/SEI & CERT, it's an impressive, well-written piece of work.

In short, these are the 20 best practices they recommend:
  1. Know and protect your critical assets. 
  2. Develop a formalized insider threat program. 
  3. Clearly document and consistently enforce policies and controls. 
  4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. 
  5. Anticipate and manage negative issues in the work environment. 
  6. Consider threats from insiders and business partners in enterprise-wide risk assessments.
  7. Be especially vigilant regarding social media.
  8. Structure management and tasks to minimize unintentional insider stress and mistakes. 
  9. Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. 
  10. Implement strict password and account management policies and practices. 
  11. Institute stringent access controls and monitoring policies on privileged users. 
  12. Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
  13. Monitor and control remote access from all end points, including mobile devices.
  14. Establish a baseline of normal behavior for both networks and employees.
  15. Enforce separation of duties and least privilege.
  16. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  17. Institutionalize system change controls.
  18. Implement secure backup and recovery processes.
  19. Close the doors to unauthorized data exfiltration. 
  20. Develop a comprehensive employee termination procedure.
The guide expands substantially on each of those, explaining the challenges, describing case studies and offering quick wins for many of them. Pre-hiring background checks, for instance, aren't mentioned in the list above but feature several times in the guide.

I've picked out practice 9 for special attention, given my interest in security awareness. In the main body, the guide states:
"Without broad understanding and buy-in from the organization, technical or managerial controls will be short lived. Periodic security training that includes malicious and unintentional insider threat awareness supports a stable culture of security in the organization."
Well said! It goes on to note several warning signs:
"Security awareness training should encourage employees to identify malicious insiders not by stereotypical characteristics but by their behavior, including
  • threatening the organization or bragging about the damage the insider could do to the organization or coworkers 
  • downloading sensitive or proprietary data within 30 days of resignation 
  • using the organization’s resources for a side business or discussing starting a competing business with co-workers 
  • attempting to gain employees’ passwords or to obtain access through trickery or exploitation of a trusted relationship (often called “social engineering”) 
Awareness training for the unintentional insider threat should encourage employees to identify potential actions or ways of thinking that could lead to an unintentional event, including
  • level of risk tolerance—someone willing to take more risks than the norm
  • attempts at multi-tasking—individuals who multi-task may be more likely to make mistakes
  • large amounts of personal or proprietary information shared on social media
  • lack of attention to detail"
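One of the malicious-insider warning signs quoted above, sensitive data downloaded within 30 days of resignation, is the sort of rule that the guide's practice 12 (correlating information from multiple data sources) expects an organization to implement. Here is an added example of that correlation, my own illustration rather than anything from the CERT guide or the blog post: it joins a constructed HR feed of resignation dates against constructed file-access log lines and flags sensitive downloads inside the window. The record formats, field names, the data labels and the symmetric 30-day window around the resignation date are assumptions.

```python
"""Correlating HR resignation dates with file-access logs.

Added example, not from the CERT guide or the blog post. It implements the
'sensitive data downloaded within 30 days of resignation' warning sign as a
detection rule over two constructed sources. Formats and the +/- 30 day
window are assumptions.
"""
from datetime import date, datetime, timedelta

WINDOW = timedelta(days=30)          # assumed window either side of resignation

# Constructed HR feed: user -> date on which notice of resignation was given.
HR_RESIGNATIONS = {
    "alice": date(2017, 4, 10),
    "bob": date(2017, 2, 1),
}

# Constructed access log, one event per line: timestamp user action path label.
ACCESS_LOG = """\
2017-04-03T09:12:44 alice DOWNLOAD /share/finance/forecast.xlsx sensitive
2017-04-08T17:55:01 alice DOWNLOAD /share/hr/photos.zip public
2017-04-12T08:01:10 alice DOWNLOAD /share/rnd/designs.pdf proprietary
2017-04-12T08:02:30 carol DOWNLOAD /share/rnd/designs.pdf proprietary
2017-04-15T11:20:00 bob DOWNLOAD /share/finance/budget.xlsx sensitive
2017-04-16T12:00:00 alice READ /share/finance/forecast.xlsx sensitive
this line is malformed and is skipped
"""

SENSITIVE_LABELS = {"sensitive", "proprietary"}   # assumed classification labels


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, path, label = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"ts": when, "user": user, "action": action,
                       "path": path, "label": label})
    return events


def departing_insider_alerts(events, resignations, window=WINDOW):
    """Return (user, timestamp, path) for sensitive downloads within `window`
    of that user's resignation date. Users with no HR record are ignored."""
    alerts = []
    for e in events:
        resigned = resignations.get(e["user"])
        if resigned is None or e["action"] != "DOWNLOAD":
            continue
        if e["label"] not in SENSITIVE_LABELS:
            continue
        if abs(e["ts"].date() - resigned) <= window:
            alerts.append((e["user"], e["ts"].isoformat(), e["path"]))
    return alerts


def alerts_by_user(alerts):
    """Count alerts per user, the figure an analyst would triage first."""
    counts = {}
    for user, _, _ in alerts:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    found = departing_insider_alerts(parse_log(ACCESS_LOG), HR_RESIGNATIONS)
    for user, when, path in found:
        print(f"ALERT {user} downloaded {path} at {when}")
    print(alerts_by_user(found))
```

On the constructed data only alice's two downloads of labelled material are raised: bob's download falls well outside his window, carol has no HR record, the public file is not sensitive, and a plain read is not a download. In practice the HR feed is the part that is hard to get reliably, which is why the guide pairs this warning sign with an enterprise-wide programme rather than a purely technical control.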
I'm intrigued by the concept of 'unintentional' insider threats.
"We define unintentional insider threats as a current or former employee, contractor, or other business partner who:
  • has or had authorized access to an organization’s network, system, or data and 
  • had no malicious intent associated with his or her action (or inaction) that caused harm or substantially increased the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems."
Seems to me that covers almost everyone since we humans all experience the odd errors and accidents, but I guess it's a matter of degree: most of us catch our typoos etc. in time, without precipitating global meltdowns.

The advice includes "Training programs should create a security culture appropriate for the organization and include all personnel" - OK so far on both points. "The training program should be offered at least once a year" is not so good if it is taken to mean a single annual event or session is sufficient, but I'm relieved that it goes on to mention 'refresher training'.

The recommendations are sound:
"All organizations:
  • Develop and implement an enterprise-wide training program that discusses various topics related to insider threat. The training program must have the support of senior management to be effective. Management must be seen participating in the course and must not be exempt from it, which other employees could see as a lack of support and an unequal enforcement of policies. 
  • Train all new employees and contractors in security awareness, including insider threat, before giving them access to any computer system. Make sure to include training for employees who may not need to access computer systems daily, such as janitorial and maintenance staff. These users may require a special training program that covers security scenarios they may encounter, such as social engineering, active shooter, and sensitive documents left out in the open. 
  • Train employees continuously. However, training does not always need to be classroom instruction. Posters, newsletters, alert emails, and brown-bag lunch programs are all effective training methods. Your organization should consider implementing one or more of these programs to increase security awareness. 
  • Establish an anonymous or confidential mechanism for reporting security incidents. Encourage employees to report security issues and consider incentives to reporting by rewarding those who do.
 Large organizations:
  • The information security team can conduct periodic inspections by walking through areas of your organization, including workspaces, and identifying security concerns. Your organization should bring security issues to the employee’s attention in a calm, nonthreatening manner and in private. Employees spotted doing something good for security, like stopping a person without a badge, should be rewarded. Even a certificate or other item of minimal value goes a long way to improving employee morale and increasing security awareness. Where possible, these rewards should be presented before a group of the employee’s peers. This type of program does not have to be administered by the security team but could be delegated to the employee’s peer team members or first-level management."  
The quotes above are just part of the 6 pages on that one practice area, a small fraction of the guide's 175 pages - well worth the trouble to read if your organization has humans on the payroll, or depends on third party personnel for that matter - those nice people who do their level best to keep the lights on whatever the weather, for instance. 

PS If anyone from CERT reads this blog, please stop referring to awareness and training as if they are the same thing. They aren't. See NIST SP800-50 and SP800-16 ... or ask me!