Posts

Showing posts from February, 2018

Invasion of the Cryptominers

That's it, we're done! The 2018 malware awareness module is on its way to subscribers, infecting customers with ... our passion for the topic. There are 28 different types of awareness and training material, in three parallel streams as always:

Stream A: security awareness materials for staff/all employees

1. Train-the-trainer guide on malware; MS Word document, 4 pages; START HERE! Creative ideas to boost your security awareness program
2. Awareness seminar on malware; MS PowerPoint presentation, 15 slides with speaker notes; Outlines today’s malware threats, plus pragmatic advice on how to reduce the risk
3. Awareness posters on malware; 3 high-resolution JPG images; Eye-catching images
4. Awareness briefing on malware 2018; 8 pages + cover; Writ...

The bigger picture

The awareness module now nearing completion discusses the cryptomining malware that has come to prominence since the materials were last updated a year ago. It is hard to get terribly worked up about the theft of CPU cycles and joules while we're still battling ransomware, spyware and APTs ... but scratch a little deeper to discover that cryptominers are more symptom than cause, the tip of a very chilly iceberg.

Q: How do systems get infected with cryptominers?
A: Through the usual malware infection mechanisms, i.e. security vulnerabilities in the IT systems and the people who use them.

Q: How do the crooks benefit?
A: Victims generate money for them, plainly ... but they also expose themselves and their systems to further compromise and exploitation.

Ahhhh. There are shades of the 'fraud recovery' frauds which trick the victims of 419 advance fee frauds into also spending out for mythical 'compensation' and 'lawyers fees'. You'd have thou...

Malware update 2019?

The 2018 malware update awareness module is a Work In Progress. We've all but completed the awareness materials for the general staff audience, and today we'll crack on through the management and professional streams.

Every year I wonder what we are going to say in the malware module, given that we've covered this topic so many times before. I worry that we might not find anything new to add, forcing us to re-hash the same old stuff in the hope of making it interesting enough to resonate with the audiences.

Yet again I needn't have worried. The malware threat is constantly mutating, much like a biological virus in fact. As fast as we discover and get to grips with each form, novel attacks and new challenges arise. There's no shortage of new things to say.

Cryptomining malware emerged from its lair in the middle of last year. As it happens, it's one of the more benign forms that merely consumes resources, reduces performance and increases costs, as opposed to de...

Responsible disclosure

Today I've been scouring the web for news on cryptominer incidents to incorporate into next month's awareness materials on malware. As well as the usual doom-n-gloom reports from assorted antivirus companies bigging-up the cryptominer threat, I came across an interesting letter from a US hospital, formally notifying patients about an incident. The infection was identified back in September 2017, and eradicated within 4 days of detection. Although the malware infection was a relatively benign cryptominer, the hospital sent a formal notification letter to patients at the end of January 2018 since the infected system held their medical data.

Full marks to the hospital management for 'fessing up to the incident and publicly disclosing it, and for apparently handling the incident in a professional and reasonably efficient manner (although arguably 4 months is an age in Internet time). They have offered free credit monitoring services, more appropriate in ...

Awareness in small doses

Last month I blogged about consciously adopting a different style of awareness writing, with succinct tips-n-tricks supplementing, perhaps even replacing, conventional descriptive paragraphs. At the risk of becoming recursive, one of the tips included in March's malware awareness module will be for customers to solicit tips from their colleagues who have suffered malware incidents recently.

The idea is for the security awareness people to:

- Find out what happened, to whom, when and how;
- Speak, discreetly, to the people involved or implicated in the incidents;
- Explore the consequences, both for the business and for them personally;
- Tease out the tips - lessons worth sharing with others;
- Share them.

Such an approach would work extremely well in some organizational cultures, but in others people can be reluctant to admit to and open up about their issues. Although it is feasible to draw out and express the key learning points anonymously, without identifying those directly ...

The I part of CIA

Integrity is a universal requirement, especially if you interpret the term widely to include aspects such as:

- Completeness of information;
- Accuracy of information;
- Veracity, authenticity and assurance levels in general e.g. testing and measuring to determine how complete and accurate a data set is, or is not (an important control, often neglected);
- Timeliness (or currency or ‘up-to-date-ness’) of information (with the implication of controls to handle identifying and dealing appropriately with outdated info – a control missing from ISO/IEC 27001 Annex A, I think);
- Database integrity plus aspects such as contextual appropriateness plus internal and external consistency (and, again, a raft of associated controls at all levels of the system, not just Codd’s rules within the DBMS);
- Honesty, justified credibility, trust, trustworthiness, ‘true grit’, resilience, dependability and so forth, particularly in the human...