
Showing posts from August, 2018

A-to-Z of outsider threats

I love it when a plan comes together! We're close to completing the 'outsider threats' security awareness module for September, checking and finalizing the materials. Things are getting tense as the IsecT office clock ticks away the remaining hours. Normally, we develop awareness briefings for each of the three audience groups from the corresponding three awareness seminar slide decks, using the graphics and notes as donor/starter content and often following a similar structure. Having finished the staff seminar this morning, I anticipated using that as the basis for a staff briefing as usual ... but, on reflection, I realized that we have more than enough content to prepare a lengthier A-to-Z guide to outsider threats instead. The sheer number and variety of outsider threats and incidents is itself a strong awareness message. Listing and (briefly) describing them in an alphabetical sequence makes sense. This will be an interesting read for awareness and tr...

Outsider threats and incidents

The wide variety of threatening people, organizations and situations Out There, and the even wider variety of outsider incidents, is quite overwhelming ... which means we need to simplify things for awareness purposes. If we try to cover too much at once, we'll confuse, overwhelm and maybe lose our audiences, if not ourselves. On the other hand, that variety is itself an important lesson from September's awareness module. It's not sufficient, for instance, for the cybersecurity team to lock down the corporate firewall in order to block hackers and malware while neglecting other outsider threats such as intellectual property theft and disinformation. Organizations are in a difficult position, trying to avoid, prevent or limit all manner of outsider incidents, some of which are particularly difficult to even identify let alone control. It's soot-juggling really. With our start-of-month delivery deadline imminent, we're currently finalizing September's slide decks ...

Dynamic authentication

It is hard to authenticate someone's claimed identity: Quickly; Consistently and reliably to the same criteria at all times; Strongly, or rather to a required level of confidence; Cheaply, considering the entire lifecycle of the controls including their development, use and management; Practically, pragmatically, feasibly, in reality; On all appropriate platforms/systems/devices (current, legacy and future) and networks with differing levels of trustworthiness and processing capabilities; Under all circumstances, including crises or emergencies; For all relevant people (insiders, outsiders and inbetweenies), regardless of their mental and physical abilities/capacities, other priorities, concerns, state of health etc., while also failing to authenticate former employees, twins (evil or benign), fraudsters, haXXors, kids, competitors, crims, spooks, spies, pentesters and auditors on assignment; Using currently viable technologies, methods, approaches and processes; and Without relyin...

Pentesting policy

This morning I'm continuing to develop a generic penetration testing policy template. As always, it takes me more time and effort to write short, formal pieces such as a new policy than longer run-o-the-mill awareness briefings. The actual writing part is straightforward: knowing what to incorporate and what to leave out requires more thought. A policy on pentesting presents particular challenges: I think I know what it has to say but what else should it say? How should it be said and what can be safely left unsaid? The few published pentest policies Google has found me so far all differ in style, naturally, but also vary in purpose and content. Most are quite narrowly focused on specific aspects or types such as the vulnerability scanning performed under PCI-DSS. They have prompted me to consider aspects I might otherwise have neglected but I can improve on them by incorporating good ideas from all sources including my own experience in this area (such as it is!) and security st...

Managing business relationship risks

There are parallels between quality assurance and information security. For example, we all partly depend on various suppliers for their [quality|security], hence we need assurance as to the suppliers' [quality|security] arrangements. In ISO-land, the preferred approach to this is systematic i.e. we: Identify and consider the [quality|information|business] requirements and risks associated with the relationships, supplies, services etc., separately and perhaps in conjunction with the suppliers; Evaluate the risks (obtaining further information if needed), deciding what to do about them, prioritizing and resourcing things accordingly; Treat them appropriately according to the risks themselves, the level of assurance required and the business situation; Manage, monitor and maintain the arrangements, occasionally reviewing the risks and controls etc. In more detail, there are several forms of treatment. We can: Review, inspect or audit the suppliers in sufficient ...

Risk terms and concepts

A vulnerability is an inherent weakness in something (a device, system, process, situation, person etc.) that might be exploited by a threat, perhaps causing an impact of some sort. Vulnerability exists regardless of the presence or absence of controls: the lack of control is a separate matter, a fundamentally different concept although often confused by non-experts and even by some so-called experts. Take, for instance, the risk of being burgled at home. The primary threat is the burglars - the criminals who might just pick a given home to burgle. There are other threats too (e.g. untrustworthy visitors and opportunists) but let's leave it at that for now. The primary impact on the homeowner is the loss of their assets - the valuables that are stolen. Again, there are other impacts (e.g. the traumatic feelings of their personal space being violated, and the implied or actual safety threat). The impacts of burglary differ according to one's persp...

Xenophobic PIGs

Today, I'm meandering (rambling!) on from Friday's post about systematically managing outsider threats, returning to an older theme about using Probability Impact Graphs (PIGs) for both risk analysis and security awareness purposes. One of the more unusual information risks on our radar for September's outsider threats awareness module is xenophobia - the fear of strangers. It has a deep biological basis: most animals naturally congregate and live with others of their kind, forming social groups (families, flocks, tribes etc.) while excluding those who are 'different' - most obviously predators. The differences aren't always obvious to us humans. Sheep, for instance, recognize each other more by sound and smell than by color. Compared to other risks in this domain, xenophobia is fairly widespread, putting it roughly half way along the probability scale. But what of the business impacts of xenophobia afflicting employees? Hmmm, not so easy. As is often the w...

ISO/IEC 27005 patched

The ISO27k "information security risk management" standard ISO/IEC 27005:2011 has been revised and re-published ... but you'll be hard pushed to see any difference. This is an 'interim update' reflecting the 2013 revisions of ISO/IEC 27001 and 27002. Yes, 2013, five years ago. The original 27005 update project fell off the rails, leading eventually to this minimal revision, kind of like a program patch to address shortcomings rather than a new version with improved functionality. A full revision is now in the works, so with luck the next version of 27005 might just be released to coincide with updates to the core ISO27k standards 27001 and 27002. Ever the optimist, I like to think there's a fighting chance the next version will be a major improvement with changes such as: Defining ‘information risk’ formally (properly), clearly, helpfully and without the torture and ambiguity of the current gibberish around 'information security risk', explaining it in...

Managing outsider threats

September's awareness seminar for management on "outsider threats" is coming along nicely. This week I've been researching the web (well, OK, Googling) and exploring opinions, firstly on what "outsider threats" are, and secondly what to do about them. It has been a frustrating few days, digging up the odd insightful nugget hidden under piles of tripe gently steaming away in Google-land. A disappointing majority of commentators seem oblivious to the distinctions between "threat", "vulnerability" and "risk", their confused language more than merely hinting at a fundamental lack of understanding of the concepts that underpin the field. One piece in particular made me laugh out loud, muddling up impacts with exposure. [To be clear, over-exposure to the sun makes you red and sore. Melanoma is the impact. Muddle them up at your peril!] Several are stubbornly and myopically focused on cyber, a few even defining "outsider threa...

Cyberterms

With ISO/IEC JTC 1 / SC 27 still hopelessly bogged down trying to figure out what cybersecurity means, today I bumped into perhaps the most lucid cyber-definitions I've found to date in CNSS (Committee on National Security Systems) Instruction number 4009, a glossary of US government terms last updated in 2015. Here are most of the cyber-related terms from CNSSI 4009:

active cyber defense: Synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities. Source: DSOC 2011

cyber incident: Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein. See incident. See also event, security-relevant event, and intrusion.

cybersecurity: Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire commu...

Spring a-springing

We're pretty busy in the IsecT office but it's not all work. While the Northern hemisphere seems to be burning up, the arrival of our first Spring lamb this morning signals our emergence from the depths of a chilly wet NZ Winter. It's a boy, weighing about 3 kilos I guess. Mother and son are doing fine. She's always had knock-knees that one! He stays close - already into safety and security at about 8 hours old.

Twins or triplets?

The next awareness and training module trundling into sight on the conveyor belt concerns "outsider threats" - principally malicious threats to corporate information that originate externally, coming from outside the organization's notional boundary. It's the obvious follow-up, a twin for August's module on "insider threats". This month's scope is reasonably straightforward except that once again we face the issue of people and organizations spanning organizational boundaries - contractors, consultants, temps, interns, ex-employees etc. plus outsiders colluding with, socially engineering, manipulating, fooling or coercing insiders. Maybe there's enough there for a further awareness module at some future point, turning the twins into triplets! For now we'll stick to Plan A, focusing on threatening outsiders of which there are many, quite a variety in fact. For completeness, we should probably mention benign, accidental or incidental out...

No size fits all

This week I've been chatting with Aussie infosec blogger Endre about security policies. Although Endre elaborated very eloquently on the tradecraft of policy-writing, I don't think he had considered the variety of audiences/users of policies and their purposes. That diversity should be borne in mind when writing policies and supporting materials (guidelines, courses etc.), and when designing and documenting the associated processes/activities (awareness, training, oversight, compliance, metrics ...) - an additional level of finesse to the tradecraft. Today, a similar issue cropped up on the ISO27k Forum: Jose asked whether his organization might prepare, say, a single scoping document for multiple Management Systems sharing the same scope. Chris pointed out that there are several audiences for the MS documents, saying "You can structure the documents however you want as long as you are meeting the requirements of the standard but don't forget that these docu...