Posts

Showing posts from November, 2017

Social engineering module

We've been busier than ever the past week or so, particularly with the awareness materials on social engineering. It is a core topic for security awareness since workers' vigilance is the primary control, hence a lot of effort goes into preparing materials that are interesting, informing, engaging and motivational. It's benign social engineering! The materials are prepared and are in the final stage now, being proofread before being delivered to subscribers later today. This is a bumper module with a wealth of content, most of which is brand new. I blogged previously about the A-to-Z guides on social engineering scams, con-tricks and frauds, methods and techniques, and controls and countermeasures. I'll describe the remainder of the materials soon, once everything is finished and out the door. Meanwhile, I must get on: lots to do!

ISO27k internal audits for small organizations

Figuring out how to organize, resource and conduct internal audits of an ISO/IEC 27001 Information Security Management System can be awkward for small organizations. Independence is the overriding factor in auditing of all forms. For internal auditing, it’s not just a question of who the auditors report to and their freedom to ‘say what needs to be said’ (important though that is), but more fundamentally their mindset, experience and attitude. They need to see things with fresh eyes, pointing out and where necessary challenging management to deal with deep-seated long-term ‘cultural’ issues that are part of the fabric in any established organization. That’s hard if they are part of the day-to-day running of the organization, fully immersed in the culture and (for managers in small organizations especially) partly responsible for the culture being the way it is. We all have our biases and blind spots, our habits and routines: a truly independent view hopefully does not - at le...

A to Z of social engineering controls

I didn't quite finish the A-to-Z on social engineering methods yesterday as planned but that's OK, it's coming along nicely and we're still on track. I found myself dipping back into the A-to-Z on scams, con-tricks and frauds for inspiration or to make little changes, and moving forward to sketch rough notes on the third and final part of our hot new security awareness trilogy: an A-to-Z on the controls and countermeasures against social engineering. Writing that is my main task for today, and all three pieces are now progressing in parallel as a coherent suite. It's no blockbuster but I have a good feeling about this, and encouraging feedback from readers who took me up on my offer of a free copy of the first part. Along the way, a distinctive new style and format has evolved for the A-to-Zs, using big red drop caps to emphasize the first item under each letter of the alphabet. I've created and saved a Word template to make it easier and quicker to write A...

A to Z of social engineering techniques

On a roll from yesterday's A-to-Z catalog of scams, con-tricks and frauds, I'm writing another A-Z today, this time focusing on social engineering techniques and methods. Yesterday's piece was about what they do. Today's is about how they do it. Given my background and the research we've done, it's surprisingly easy to find appropriate entries for most letters of the alphabet, albeit with a bit of creativity and lateral thinking needed for some (e.g. "Xtreme social engineering"!). That's part of the challenge of writing any A to Z listing ... and part of the allure for the reader. What will the Z entry be? As of this moment, I don't actually know but I will come up with zomething! Both awareness pieces impress upon the reader the sheer variety of social engineering, while at the same time the alphabetical sequence provides a logical order to what would otherwise be a confusing jumble of stuff. Making people aware of the breadth and dive...

An A to Z catalog of social engineering

A productive couple of days' graft has seen what was envisaged to be a fairly short and high-level general staff awareness briefing on social engineering morph gradually into an A-to-Z list of scams, con-tricks and frauds. It has grown to about 9 pages in the process. That may sound like a tome, over-the-top for awareness purposes ... and maybe it is, but the scams are described in an informal style in just a few lines each, making it readable and easily digestible. The A-to-Z format leads the reader naturally through a logical sequence, perhaps skim-reading in places and hopefully stopping to think in others. For slow/struggling readers, there are visual cues and images to catch their eyes but I'll be honest: this briefing is not for them. They would benefit more from seminars, case studies, chatting with their colleagues and getting involved in other interactive activities ... which we also support through our other awareness content. The awareness mind maps and posters, for...

IoD advises members to develop "cyber security strategy"

A report for the UK Institute of Directors by Professor Richard Benham encourages IoD members to develop “a formal cyber security strategy”. As is so often the way, 'cyber' is not explicitly defined by the authors although it is strongly implied that the report concerns the commercial use of IT, the Internet, digital systems and computer data (as opposed to cyberwar perpetrated by well-resourced nation states - a markedly different interpretation of 'cyber' involving substantially greater threats). A 'formal cyber security strategy' would be context dependent, reflecting the organization's business situation. That broader perspective introduces other aspects of information risk, security, governance and compliance. All relevant aspects need to be considered at the strategic level, including but not just 'cyber security'. Counteracting or balancing the desire to lock down information systems and hence data so tightly that its value to the business...

Color-coding awareness

Looking back, I see that I've blogged quite a few times in different contexts about color. For example, most of the security metrics I discuss are colored, and color is one of several important factors when communicating metrics, drawing the viewer's eye towards certain aspects for emphasis. We talk of white hats and black hats, red teams and so on. Traffic light RAG coloring (Red-Amber-Green) is more or less universally understood to represent a logical sequence of speed, intensity, threat level, concern or whatever - perhaps an over-used metaphor but effective nonetheless. Bright primary colors are commonly used on warning signs and indications, sometimes glinting or flashing for extra eye-catchiness. Red alert is a pleonasm! Jeff Cooper, father of the "modern technique" of handgun shooting, raised the concept of Condition White, the state of mind of someone who is totally oblivious to a serious threat to their personal safety. Cooper's Color Code...

Ethical social engineering for awareness

Security awareness involves persuading, influencing and you could say manipulating people to behave differently ... and so does social engineering. So could social engineering techniques be used for security awareness purposes? The answer is a resounding yes - in fact we already do, in all sorts of ways. Take the security policies and procedures, for instance: they inform and direct people to do our bidding. We even include process controls and compliance checks to make sure things go to plan. This is manipulative. Obviously the motivations, objectives and outcomes differ, but social engineering methods can be used ethically, beneficially and productively to achieve awareness. Exploring that idea even reveals some novel approaches that might just work, and some that are probably best avoided or reversed. Social engineering method, technique or approach / Security awareness & training equivalents: Pretexting: fabricating plausible situations / Case st...

50 best infosec blogs

I'm delighted that this blog has been featured among the 50 Best Information Security Blogs. Fantastic! Thank you, top10vpn.com ... and congrats to the other top blogs on the list, many of which I read and enjoy too. It's humbling to be among such august company. We update this blog frequently in connection with the security awareness materials we're preparing, on security awareness techniques in general, or on hot infosec topics of the day. Blogging helps get our thoughts in order and expand on the thinking and research that goes into our security awareness modules. More than just an account of what's going on, updating the blog (including this very item) is an integral part of the production process. A perennial theme is that it's harder than it appears to do security awareness properly. Anyone can scrabble together and push out a crude mishmash of awareness content (typically stealing or plagiarizing other people's intellectual property - tut tut) but if they ...

A rich seam

So much of human interaction involves techniques that could legitimately be called social engineering that we're spoilt for choice on the awareness front for December. December's topic exemplifies the limitations of "cybersecurity" with its myopic focus on IT and the Internet. Social engineers bypass, undermine or totally ignore the IT route with all its tech controls, and that's partly what makes them such a formidable threat. IT may be a convenient mechanism for identifying, researching and communicating with potential victims, for putting on the appearance of legitimate, trustworthy individuals and organizations, and for administering the scams, but it's incidental to the main action: fooling the people. Maybe it's true that you can't fool all of the people all of the time, depending on precisely what is meant by 'all'. I think it's fair to say that we are all (virtually without exception) prone, predisposed or vulnerable to social e...

One step at a time

This colorful image popped onto my screen as I searched our stash of security awareness content for social engineering-related graphics. It's a simple but striking visual expression of the concept that security awareness is not the ultimate goal, but an important step on the way towards achieving a positive outcome for the organization. A major part of the art of raising awareness in any area is actively engaging with people in such a way that they think and behave differently as a result of the awareness activities. For some people, providing cold, hard, factual information may be all it takes, which even the most basic awareness programs aim to do. That's not enough for the majority though: most of us need things to be explained to us in terms that resonate and motivate us to respond in some fashion. In physical terms, we need to overcome inertia. In biology, we need to break bad habits to form better ones. Social engineering is a particular challenge for awareness s...

Pipes and bikes

The past few days have been very successful. Yesterday, at last, I fixed the water pipe feeding water to the stock tanks in the nick of time before the animals went thirsty, a mammoth job for this long-time office worker (!). The pipe is an old galvanized steel pipe, laid when this was a working farm, well before it became a pine forest. An ancient Lister diesel engine and piston pump sends water in two directions, either to the house tanks or to the stock tanks. The house line was fine, luckily, but the stock line wasn't, and evidently hadn't been maintained in a long time. Just getting to the start of the line across the stream was a mission with a 60 degree muddy incline going up about 8m, then a strip of native bush, then the pines ... which had been toppled by a cyclone back in April. What would once have been just forest is now a forest clearing with a few hundred near full-sized trees lying on the ground, toppled like the matchsticks some of them wer...

Audit sampling (LONG)

[This piece was prompted by a question on the ISO27k Forum about ISO27k certification auditors checking information security controls, and a response about compliance audit requirements. It's a backgrounder, an essay or a rant if you like. Feel free to skip it, or wait until you have a spare 10 mins, a strong coffee and the urge to read and think on!] “Sampling” is an important concept in both auditing and science. Sampling (i.e. selecting a sample of a set or population for review) is necessary because under most circumstances it is practically impossible to assess every single member – in fact it is often uncertain how many items belong to the set, where they are, what state they are in etc. There is often lots of uncertainty. For example, imagine an auditor needs to check an organization’s information security policies in the course of an internal audit or more formal certification/compliance audit. Some organizations make that quite easy by having a policy library or ...