Posts

Showing posts from September, 2018

Phishing awareness module imminent

Things are falling rapidly into place as the delivery deadline for October's awareness module on phishing looms large. Three cool awareness poster graphics are in from the art department, and three awareness seminars are about done. The seminar slides and speaker notes, in turn, form the basis for accompanying awareness briefings for staff, managers and professionals, respectively. We also have two 'scam alert' one-pagers, plus the usual set of supporting collateral all coming along nicely: a train-the-trainer guide on how to get the best out of the new batch of materials, an awareness challenge/quiz, an extensive glossary (with a few new phishing-related terms added this month), an updated policy template, Internal Controls Questionnaire (IT audit checklist), board agenda, phishing maturity metric, and newsletter. Lots on the go and several gaps to be plugged yet. Today we're ploughing on, full speed ahead thanks to copious fresh coffee and Guy Garvey singing ...

From weariness via wariness to awareness

Weary of the same old stuff, day after day? Wary of over-blown threats, confusing security controls and crude "Do it or else!" compliance demands blasted out repeatedly and loudly in the vain hope some might just stick? Us too! Those are common issues in awareness and training, betraying a lack of appreciation and respect for the audience. We can do better. No really, we must. Awareness and training leading to understanding and genuine support for security is our way. We take the trouble to pick apart complex issues such as phishing and pharming, explaining them straightforwardly with plenty of diagrams and examples to inform, engage and motivate three distinct audiences. We spend at least as much time exploring the broader context to the issues, explaining why they are of concern, as we do telling people how to respond, what to do and not to do. We are addressing intelligent adults through soundly-researched content, professionally crafted for this specific purpose. ...

What is security architecture?

A newcomer to the ISO27k Forum asked one of those disarmingly simple or naive-sounding questions today, the kind that turn out to be fascinating once we scratch beneath the surface. "I am currently assigned a task to perform a security architecture review. Can anyone help me with reference links to start off with?" It would be inappropriate to offer suggestions and press ahead without first understanding the objectives, expectations and constraints, hence the obvious starting point (from my perspective) would be to figure out what a “security architecture review” is - more specifically, what management (or whoever assigned the task) expects from it, e.g.: What are its aims/purposes or drivers? Where did it spring from? What triggered it? Why now? Why you? Is it business-led or IT or infosec or risk or what? Who is behind it? Who stands to benefit or be affected by it? Who are the stakeholders? Are they supportive and engaged, neutral/unaware, or reluctant and disengaged? What...

What is the best development method for security?

In answer to someone on CISSPforum asking for advice about the impact of various software development lifecycles, methods or (as if we need another ology) methodologies, I asserted that the SDLC method affects the way or the manner in which infosec is achieved (spec'd, built, confirmed, delivered, used, managed, monitored, maintained ...) more than how effective it ends up being. There are pros and cons to all the methods - different strengths and weaknesses, different purposes, opportunities, risks and constraints. Software or systems development involves a load of trade-offs and compromises. For example, if information risks absolutely must be minimized, formal methods are a good way to achieve that ... at huge cost in terms of both the investment of money and time for the development, and the functionality and rigidity of the developed system. However, an even better way to minimize the risk is to avoid using software, sidestepping the whole issue! In most circumstances, I would ...

Phishing awareness

Today marks the end of a long but successful week. We've been slogging away at the phishing awareness topic for October's module, picking out the key issues, coming up with the awareness messages and figuring out the stories to tell. Although technology is only a small part of phishing, it plays a role that we can't simply ignore. Multi-Factor Authentication, for example, is increasingly being used by organizations that care about identification and authentication, so workers are quite likely to have at least heard of it, even if they are not actually using it as yet. Explaining what MFA is would set them up to appreciate what it means when they are offered or required to accept it. At the same time, MFA is not a universal or ultimate solution. Managers and professionals should appreciate that there are pros and cons to implementing MFA, and lots of choices in exactly what form of MFA the organization might adopt ... but explaining all that in detail would divert...

Attendance stats

Someone's attendance at, or absence from, a security awareness and training session or event is, at best, a rough indication of their involvement and engagement with the awareness and training program, and yet it is often used as a measure, a metric. Why is that? Clearly, if someone fails to show up at all, they are hardly going to benefit from the sessions ... but a well-rounded awareness and training program will not rely solely on in-person classes, seminars and similar events: it will typically have an intranet site, maybe newsletters, emails, discussion forums, posters and more. Hence it is certainly possible for someone to be engaged with the program and highly security-aware even if they do not attend the events for some reason (e.g. they may be forgetful, too busy doing other stuff, disabled, working night shifts, low on energy, sick or on vacation, antisocial, not keen on that style of learning, perceived lack of value or purpose ...). Nevertheless, nonattendance generall...

Fragility

In preparation for a forthcoming security awareness module, I'm researching business continuity. Today, by sheer coincidence, I've stumbled into a business discontinuity: specifically, the website for a commercial company advertising/sponsoring a popular multi-week New Zealand radio show promotion is currently unavailable. It seems to have been so fragile that it broke. This is how the web page looks right now: Mostly white space. 502 is the standard HTTP status code for 'Bad Gateway', meaning that a proxy or gateway in front of the site (a load balancer or CDN edge, say) is still answering requests but is getting no valid response from the company's web server behind it. It appears to be dead. Resting maybe. The HTML code for the sparse error page is almost as sparse - just these 14 lines, half of which are comments: DownForEveryoneOrJustMe.com tells me it's not just my Internet connection playing up. The website really is unreachable. That's the NZ website. The company's Australian website is also unavailable, whereas its US site is up an...

The business value of infosec

Thanks to a heads-up from Walt Williams, I'm mulling over a report by Comparitech indicating that the announcement of serious "breaches" by commercial organizations leads to a depression in their stock prices relative to the stock market. I'm using "breach" in quotes because the study focuses on public disclosures by large US commercial corporations of significant incidents involving the unauthorized release of large quantities of personal data, credit card numbers etc. That's just one type of information security incident, or breach of security, and just one type of organization. There are many others. The situation is clearly complex with a number of factors, some of which act in opposition (e.g. the publicity around a "breach" is still publicity!). There are several constraints and assumptions in the study (e.g. small samples) so personally I'm quite dubious about the conclusions ... but it adds some weight to the not unreasonable...

Black market credit card values

An otherwise unremarkable marketing email from Armor caught my beady eye with this: "Armor has been tracking hackers, on both English-speaking and Russian-speaking markets, and found that current prices for stolen U.K. credit cards (Visa, Mastercard and American Express), with corresponding CVV data and expiration dates, run $35 each, $30 for a European Visa, Mastercard or American Express card, and $15 for a U.S. Visa or Mastercard and $18 for an American Express card." That's quite a range of values. I wonder why some stolen credit card details are twice as valuable as others on the black market. What makes them so attractive, relatively speaking? Possible reasons for the discrepancy: market imperfections such as time lags between changes in supply or demand and price adjustments; some are rarer, in relatively short supply, with consistent demand driving prices up; vendors are simply taking advantage of 'market pricing': they charge whatever the market will bear,...

Scary stats

In the course of researching phishing for our next awareness module, I Googled into a 2017 cybercrime report. It makes numerous dire predictions (such as "cybercrime will cost the world in excess of $6 trillion annually by 2021") and is stuffed to the gunwales with outrageously scary statistics (using "1,300 percent", for example, rather than a mere thirteen times). While reading and evaluating the credibility of the report, I found myself strangely distracted by page 9 on "security awareness training": "Cybersecurity Ventures expects 2018 to be the Year of Security Awareness Training — the breakthrough year when organizations globally take the (financial) plunge and either train their employees on security for the first time or double down on more robust and ongoing security awareness programs. Global spending on security awareness training for employees is predicted to reach $10 billion by 2027, up from around $1 billion in 2014. Training employ...

Chew before swallowing/spitting

The Global State of Online Digital Trust is a typical vendor-sponsored piece, a white paper (= marketing promotion in the guise of a 'survey') prepared by Frost & Sullivan for CA Technologies. I say 'typical' in that they have disclosed hardly any information about the survey method and sample. A press release instructs us to see the report for "Full survey methodology details" but unless I'm blind, it looks to me as if someone either 'forgot' to write the materials-and-methods section or casually neglected to incorporate it in the published report. Oh dear. A CA marketing VP called it "a survey of 1,000 consumers, 350 cybersecurity professionals and 325 business executives from all over the world" whereas the press release referred to it as "The global online survey of 990 consumers, 336 security professionals and 324 business executives across 10 countries". We can only guess at how they might have assigned resp...

What have policies ever done for us?

Why do we have policies, procedures and all that jazz? What are they and what are they for? What do they actually achieve? What would happen if we didn't bother at all? What else could we do instead - are there better ways? Those rhetorical questions were prompted by a disarmingly simple and naive-sounding question on the ISO27k Forum this morning, viz "I am looking at implementing ISO 27001. How do I know if I need a policy or procedure in place?" Good question! In relation to ISO27k and to information risk and security in general, policies and/or procedures are needed in order to: address information risks that are of concern to the organization, or more specifically to management and other stakeholders; state or express management's intentions formally in various areas; communicate and clarify things to the intended readers, giving them clear guidance (e.g. work instructions, awareness and training materials); satisfy requirements stated e...

Outsider threat awareness module published

If “insiders” are defined as the organization’s employees, “outsiders” must be everyone else, right, all those who are not on the payroll? In reality, from any single organization’s perspective, a huge variety and number of people qualify as outsiders. ‘We’ are completely outnumbered by ‘them’. Leading on from August’s awareness coverage of insider threats, it’s time now to explore the information-related threats from outside the organization – both threatening outsiders and external threats that don’t involve malicious people, or indeed people, at all. The scope of September's security awareness and training module includes external events, incidents, accidents and challenges that aren’t deliberate, targeted attacks by specific people or groups – supply chain interruptions, cloud service failures and Internet drop-outs, for example, are external threats to the business, as are more general, widespread or social issues such as climate change, infectious disease outb...