Posts

Showing posts from May, 2017

Insecurity of Things awareness module ready

The Insecurity of Things, our latest security awareness module, is winging its way to customers this afternoon. The zip file totals about 70Mb, containing all these goodies ... If you can only dream of running an effective security awareness program, get in touch. We'd be happy to do the labour-intensive prep-work, leaving you the fun of interacting with your colleagues, informing and persuading them. We can get your program up and running in no time. Will you set off with the basic Information Security 101 module, the Insecurity of Things or something else from our bulging security awareness portfolio? Don't delay! Insecure things are proliferating like cockroaches.

More awareness tips

June's IoT awareness module will soon be ready for packaging and delivery. While proofreading continues, six new posters are winging their way to us and the newsletter will be completed in the next few hours. The primary purpose of the newsletter is to bring readers bang up to date with the current state of the art - tricky in such a fast-moving field as IoT. Having been systematically researching IoT security for quite some time though, we have amassed plenty of relevant news clips and quotable comments to weave into a coherent story. We always try to present a reasonably comprehensive, accurate and balanced perspective on the monthly topic. Clued-up readers may spot errors or omissions and we're OK with that. If they talk things through with their less well informed colleagues (even if they poke holes in the content or disagree with us), they will be spreading awareness ... which is exactly what we want to achieve - awareness-by-proxy a...

Spiralling-in on IoT security awareness

The Insecurity of Things awareness module is nearly complete. I thought the management stream was done and dusted over the weekend, but today in the course of preparing the awareness seminar for professionals, I developed a simple 3-step process flow for the management of IoT risks, then expanded on each of the steps and realized that the approach is strategic ... which meant re-opening and revising the management seminar and briefing to expand on the strategy, realigning the management and professional streams. Such iterations are common for us. Developing awareness content is not a straightforward sequential or linear process - more like a spiral. Producing each item in the set forces us to consider things from the perspective of its intended audience, sometimes suggesting different angles to other awareness items. Round and round we go until the bell signals the end of month deadline and it's time to change mode: tidy things up, close off loose ends and stop forever elaborating ...

Awareness-by-proxy

One of the IoT security issues we explore in June's awareness module is the use of compromised things as platforms for further attacks - for example not just spying on people but spreading malware or launching exploits against corporate systems and networks, including other things. While the preceding brief paragraph hopefully makes perfect sense to those who already have a reasonable understanding or appreciation of IoT security, it won't resonate with everyone. Although 'compromise', 'platform', 'attack' and 'exploit' are ordinary everyday English words, we're using them here in a particular context with quite specific meanings. The distinction is important in awareness because we are addressing people with varying levels of knowledge and understanding, ranging from next-to-nothing up to expert. It's fine for them to take away different things from the awareness materials just so long as they all have a reasonable grasp of the same ...

Insecurity of Things sit-rep

We're turning the corner into the final straight for June's awareness module on IoT security: I'll take some time off at the weekend, recharging my built-in lithiums ready for a photo finish next week. This module looks like it will go to the line on Wednesday May 31st ... and we may even need to refer to UTC rather than NZ time to hit our deadline, one of the advantages of being just to the West of the international date line. Must go, things to do, awareness to raise.

Peeling tiddles

Ours is not the only subject area that benefits from awareness in a corporate context. Typical organizations run several awareness programs, initiatives or activities in parallel, hopefully covering information risk and security (or security, IT security, or cybersecurity, or whatever they call it) plus: IT/tech awareness; Privacy awareness, and other compliance awareness concerning both external legal/regulatory and/or internal policy/strategy obligations; Health and safety awareness; Project and change awareness (e.g. new business initiatives, new systems, new ways of working ...); Commercial/business/corporate awareness; Strategy/vision/values awareness; Brand/marketing/competitor/industry awareness; Risk awareness; Fraud awareness; Financial/accounting awareness; Management awareness; Human Resources awareness, including discrimination, employment practices, motivation, team working, violence in the workplace, disciplinary processes, capability development, stress managemen...

The risk of false attribution

News relating to the WannaCry incident is still circulating, although a lot of what I'm reading strikes me as perhaps idle speculation, naive and biased reporting, politically-motivated 'fake news' or simply advertising copy. Take for instance this chunk quoted from a piece in Cyberscoop under the title "Mounting evidence points to North Korean group for global ransomware attack": "In the aftermath of a global ransomware attack, which impacted more than 300,000 computers in over 150 countries, a small, select group of security researchers announced they had found evidence suggesting a group previously linked to the North Korean government was likely behind the international cyber incident. Their theory gained new found credibility Monday when U.S. cybersecurity firm Symantec said it too discovered "strong links" between WannaCry ransomware and the so-called Lazarus Group." Cybersecurity incidents such as WannaCry are often blamed on ("attributed t...

Updating trumps writing from scratch

Ticks are rapidly infesting the contents listing as the Insecurity of Things awareness module falls into place. I've just updated the ICQ (Internal Controls Questionnaire - an audit-style checklist supporting a review of the organization's IoT security arrangements) that we wrote way back in August 2015 - eons ago in Internet time. On top of the issues raised then, we've come up with a few more (e.g. ownership of things plus the associated information risks, and the health and safety implications in some cases). Updating the ICQ took about half an hour, whereas writing it from scratch in the first place must have taken several hours plus the research and prep time, neatly illustrating the value of our awareness content. Customers are welcome, indeed actively encouraged, to customize the materials to suit their circumstances and awareness needs, saving them many hours of time in the process - hopefully freeing them up to work on the awareness activit...

Lame email scam

This plopped unceremoniously into my inbox today: It's hard to imagine anyone falling for such a lame appeal ... but then perhaps the scammer's real aim was to be blogged about, and I've been phooled. I presume neither "Gilda Ancheta" nor uhn.ca (the University Health Network based in Toronto, Canada, apparently) have anything to do with this email, especially as the reply-to address (not shown above but embedded in the email header) is [somebody]@rcn.com. I've forwarded the message to abuse@rcn.com. Tag!

More biometric woes

In the course of a routine eye checkup yesterday, the optician took and showed me high-definition digital images of both my retinas. Fascinating! This morning while in the dual-purpose creative thinking + showering cubicle, I idly wondered about the information risks. Could I trust the optician to have properly secured their systems and networks, and to have encrypted my retinal images to prevent unauthorized disclosure? If not, what impact might such disclosure cause, and what are the threats? I don't personally use retina-scanning biometric authentication, and I seriously doubt anyone would be desperate enough to steal and use my retinal images to clone my identity (given other much easier ways to commit identity fraud) so I'm not that fussed about it - it's a risk I'm willing to accept, not being entirely paranoid. I'm curious about the risk on a wider level though: are opticians and other health professionals adequately securing their systems, networks, apps ...

SHOCK! HORROR! Biometrics not foolproof!

A BBC piece about the fallibility of a bank's voice recognition system annoyed me this evening, with its insinuation that the bank is not just insecure but incompetent. The twin journalists are either being economical with the truth in order to make a lame story more sensational, or are genuinely naive and unaware of the realities of ANY user authentication system. This is basic security stuff: authentication systems must strike a balance between false negatives and false positives. In any real-world implementation, there are bound to be errors in both directions, so the system needs to be fine-tuned to find the sweet spot between the two, which depends, in part, on whether the outcome of false negatives is better or worse than for false positives. It also depends on the technology, the costs, and the presence of various other, compensating controls which the journalists don't go into - little things such as anti-fraud systems coupled with the threat of fraudsters being prosecute...

Insecurity of [sex] Toys

The Insecurity of Things awareness module is gradually taking shape, the staff stream in particular: I have some ideas in mind for both the management and professional streams too, so the dearth of ticks there is not alarming. A couple of the IoT security incidents I've come across concern hackers compromising smart sex toys, which creates a conundrum for the awareness program. Do we mention them because they are relevant and eye-opening cases, or do we ignore them because they may be inappropriate for some customers? On balance, I think we will cover them, but delicately and in ways that let customers easily remove or skip them if they are deemed too contentious (politically incorrect) for corporate communications. As with the rest of the awareness content, cutting down or customizing the content is much easier and quicker than preparing it.

Racing to rectify an Intel backdoor

A passing security advisory caught my beady eye this morning. It warns about a privilege escalation flaw in Intel's Active Management Technology, Small Business Technology and Intel Standard Manageability hardware subsystem incorporated into some of their CPU chips, ostensibly to facilitate low-level system management. For convenience, I'll call it AMT. 18 days ago, Intel disclosed a design flaw in AMT that creates a severe vulnerability allowing hackers to gain privileged access to systems using the Intel "Q series" chipset, either locally or through the network depending on the particular technology. In plain English, hackers and viruses may be able to infect and take control of your Intel-based computer through the Internet. It's similar to the WannaCry ransomware situation, only worse in that they don't need to trick you into opening an infectious email attachment or link first: they can just attack your system directly. The wisdom of allowing low-level privile...

Peripheral vision

Part of security awareness is situational or contextual awareness - being alert to potential concerns in any given situation or context. At its core, it is a biological capability, an inherent and natural part of being an animal. Think of meerkats, for instance, constantly scanning the area for predators and other potential threats. We humans are adept at it too, particularly in relation to physical safety issues. The weird creepy feeling that makes the hairs stand up on the back of your neck as you wander down a dark alley is the result of your heightened awareness of danger triggering hormonal changes. A rush of adrenaline primes you for the possible fight or flight response. I'm talking here about reflexes acting at a level below conscious thought, where speed trumps analysis in decision-making. When 'something catches your eye', it's often something towards the edge of your visual field: peripheral light receptors coupled with the sophisticated pattern-recognition cap...

The art to policy

After the weekend's WannaCry excitement, we're pressing on with the IoT security materials. I've been thinking about developing a model IoT security policy for the module. What policy axioms/principles and policy statements would be appropriate in this area? Identifying, analyzing and treating the associated information risks is a sensible, generic approach aligned with ISO27k, but the technological/cybersecurity controls typically employed in other contexts are somewhat challenging or impossible on many current-day IoT devices. Situations where the tech controls simply aren't sufficient to mitigate the risks perhaps ought to be covered as a policy matter. Giving up on IoT security and accepting the residual risks just because other options are too hard is not smart. Another angle is assurance. If an IoT supplier claims their thing uses strong authentication and encryption, it may or may not be appropriate to take it on trust and accept the assertions at face value,...

WannaCry? We told you so

Yesterday I mentioned that I was preparing a quick update for customers in the aftermath of the WannaCry ransomware worm virus outbreak incident cyber hack nightmare (evidently I'm not sure what to call it, neither are the journalists). Having taken another look at the awareness materials we delivered on this topic already - particularly the ransomware awareness module - it turns out we've said all that needs to be said, really. For example, we used this PIG (probability impact graph) to discuss current malware risks, locating ransomware up there in the red zone: Trust me, I haven't altered the figure. That is exactly how it was delivered at the end of February 2017. I'm not claiming to have magical fortune-telling powers, however: the graphic is based on information that was in the public domain prior to March 1st. All we did was to research and analyze the information, present it in an eye-catching Visio graphic, and use it in the seminar slides and briefings to dr...

Carpe diem

As the dust settles after yesterday's excitement, we're putting together a quick awareness update on the ransomware incident for our subscribers. US CERT is already on the case with a well-written, straightforward guide and advice on how to mitigate the risk. Good stuff! To supplement the more technical advisories already circulating, I am preparing a simple one-pager awareness briefing for general employees, plus a management briefing focusing on the information risk management, assurance and governance aspects. Our recent 'ransomwareness' module has materials we can adapt/update to reference the latest incident - an advantage of having a comprehensive library of awareness materials.

Health service ransomware incident

Reading between the lines a bit, it seems to me that despite the scary headlines the security controls have worked on the whole: as initially reported, the ransomware has had limited effects on a relatively small number of UK National Health Service sites. Without adequate information security, it could have been much worse. The NHS is huge and complex, with lots of interconnections and interdependencies between lots of IT systems (patient records, diagnostic systems, booking/scheduling systems, life support systems, things ...), many of which are critical, across lots of sites, businesses and departments, used and managed by lots of people ... so a virulent worm carrying ransomware must be a huge threat. The vulnerabilities are obvious (well, some at least!), as are the impacts; in other words, this is a significant risk. It's another nice case study in the making, useful for anyone struggling to convince management of the need to pay attention to information ri...

Policies don't make us secure

Here are ten reasons why security policies fail:
1. The policies are impracticable or simply unworkable - they get in the way of doing business.
2. They are so badly written that they literally don't make sense and aren't entirely understood.
3. They are out of date, irrelevant, inapplicable ... and hence widely ignored.
4. They conflict in various ways (internally, with other policies and directives or laws and regulations, with reality, with common sense, with good practice, with sound ethics etc.).
5. People honestly don't know about them, or can reasonably deny knowledge of them, or for some reason don't believe them to be applicable.
6. The corporate culture is neutral or even toxic towards (policy) compliance - the policies themselves perhaps being presented as mere formalities, the rulebook, red-tape for appearance' sake or to satisfy the auditors.
7. There are no actual or perceived benefits in compliance, for example little to no chance of being caught and sanctioned for nonc...

Time manglement

Yesterday my afternoon mysteriously disappeared thanks to a trip to the dentist and time spent cutting up and transporting trees felled by the recent cyclone. This morning, I've found myself distracted by the ISO27k Forum, responding to some kind person wanting to donate content to the ISO27k Toolkit, proofreading and commenting on the glossary section of the NZ government information security manual, and drafting a new version of my paper on building the business case for an ISMS. All those activities are ongoing and need more of my time. I've also been 'attending to business' - running the company - and catching up with emails. I just rescued a goat with its head stuck through the deer fencing. Again. Time is my most valuable resource. Multi-tasking is the norm as I try to squeeze more things into less time ... thinking about stuff and eating my lunch as I update this blog, for instance. I realise I'm not alone in that. We all lead busy lives today, even retir...

Getting our teeth into the module

Thinking up creative yet practical graphic designs for 6 awareness posters was particularly tough this month. The information risk, security and related issues with IoT are not easy to express pictorially. One approach that sort of worked, in the end, was a play on words. Previously I mentioned the 'Insecurity of Things' working title for the next awareness module, a phrase that will appear on the red wax-seal blobs that brand all our posters. Along similar lines, I've come up with poster ideas around the Internet of Nothing, Anything, Something or Everything. Whether those will actually work out in practice is hard to say: mostly it depends on whether our graphics wizards can come up with appropriate images. We rely on their artistry and some appreciation of the topic area. We'll see, literally. Another issue we're grappling with right now is to identify changes in the IoT risk and security domain since we first covered this awareness topic two years ago. IoT was a...

Probability Impact Graphs

A pal put me on to the work of David Slater concerning the validity of risk matrices, heat maps and PIGs (Probability Impact Graphs). Google found a paper by Ben Ale and David Slater on "Risk matrix basics" published in 2012 (I think) at RiskArticles.com discussing the mathematical theory behind different kinds of PIG, e.g. whether the axes are linear or logarithmic, and whether the probability axis is or is not cumulative (giving a Complementary Cumulative Distribution Function, apparently). The introduction refers to financial, environmental, health and safety, project and engineering risks. In those domains, there is a wealth of risk data concerning the frequencies of incidents and the costs, returns etc. collected over hundreds of years in relatively stable markets. However, in information risk, we're working with a paucity of data in a field that is rapidly evolving ... which is part of the reason I'm still dubious about mathematical/scientific approaches to inf...