Posts

Showing posts from October, 2018

What is 'integrity'?

‘Integrity’ is a fascinating property of information, multi-faceted, more complex and more widely applicable in information security than it might seem. It involves aspects and issues such as: Factual correctness of information (objectivity versus subjectivity, plus the huge grey area in between and issues arising such as impartiality and perspective); Relevance of information to the matter/s at hand and the substantiality or weight of evidence (e.g. 'contemporaneous notes' recorded in the policeman’s pocket book at the time of an alleged offence may carry more weight in court than later, verbal or written accounts and recollections, but audio/video footage and other evidence captured at the scene with all the right controls in effect tends to be even stronger, even weightier); Completeness of information (which also touches on context and scope issues, and practicalities in a legal setting: there isn't time to present, consider and take

Risk awareness

In a discussion thread on the ISO27k Forum about engaging corporate Risk Management functions with the information security work, Nigel Landman mentioned that ‘Everything becomes a business risk’ ... which set me thinking. Managing risks to the organization is a significant element of business management – in fact it is possible to express virtually everything about management in terms of managing risks and opportunities (upside risks). It's a very broadly-applicable and fundamental concept. Given the importance and value of ‘information’ in any business, it’s hard to imagine any full-scope Risk Management function failing to be concerned about information risk and security, unless for some reason they are limited to specific categories or types of risk (e.g. financial, strategic, compliance, competitive etc.) and for some reason haven’t (yet!) made the connection with information risks in those areas … in which case exploring, explaining and elaborating on the information ri

Cloud security elevator pitch

Imagine that you bump into a senior manager - an executive, maybe the CEO or MD or someone else who sits at the helm of your organization - presenting you with a fleeting opportunity to communicate. Imagine that you have concerns about the organization's approach to cloud computing - what it is doing or not doing, the way things are going, the strategies and priorities, objectives and resources, that sort of thing. Now imagine how you might put across your concerns and interests in that moment that either just occurs (a chance meeting in the elevator, perhaps), or that you engineer in some way (maybe targeting and snaring your prey en route to or from the Executive Suite, or lunch). What would you say? I'm not asking 'what would you talk about' in a sweeping hand-waving cloudy sort of way but more precisely what are the few key points you want to express, and exactly how would you do that? The challenge is similar to writing an executive summary on a management repor

Intentions to actions

"Asking for a Friend: Evaluating Response Biases in Security User Studies" is a lengthy scientific research paper exploring consumer software update behavior. Authors Elissa M. Redmiles, Ziyun Zhu, Sean Kross, Dhruv Kuchhal, Tudor Dumitras, and Michelle L. Mazurek conclude, in part, that people don't in fact update their systems as promptly as they say they do, or should do. The study is primarily concerned with the methods used to survey human behaviors. The authors acknowledge the extensive body of scientific research concerning survey methods and common biases. In respect of discrepancies between lab tests and real-world results, they acknowledge typical reasons such as: Sub-optimal study designs; Inadequate survey population sampling; Cognitive biases by respondents, including a reluctance to admit to socially unacceptable behavior; and Other issues with some approaches (e.g. online surveys). They actively countered some of the biases in this study, for examp

CERT NZ goes phishing

CERT NZ (apparently) has once again circulated an email warning about phishing, containing a distinctly phishy link to "READ MORE INFORMATION". The hyperlink leads from there to certnz.cmail20.com with a tracker-type URL tail. Unlike most of the intended audience, I guess, I'm cyber-smart enough to check out the whois record: cmail20.com domain is registered to Campaign Monitor Pty Ltd of New South Wales - presumably a legitimate mass emailer/marketing company whose services are being used by CERT NZ to circulate the warnings - but that's not the point: the fact is that the embedded link target is patently not CERT NZ's own domain. What's more, the body of the email is a rather vaguely-worded warning, not entirely dissimilar to many a classic phisher. "Nasty stuff is going to happen unless you do something" just about sums it up. It isn't even addressed to me by name, despite me being required to supply my name and email address when I signed u

Little boxes, little boxes

In preparation for a forthcoming security awareness and training module on business continuity, I'm re-reading The Power of Resilience by Yossi Sheffi (one of my top ten books I blogged about the other day). It's a fascinating, well-written and thought-provoking book. Yossi uses numerous case studies based on companies with relatively mature approaches to business continuity to illustrate how they are dealing with the practical issues that arise from today's complex and dynamic supply chains - or rather supply networks or meshes. Risk assessment is of course an important part of business continuity management, for example: Identifying weak, unreliable or vulnerable parts of the massive global 'system' needed to manufacture and supply, say, aircraft or PCs; Determining what if anything can be done to strengthen or bolster them; and Putting in place the necessary arrangements (controls) to make the extended system as a whole more resilient. Yossi covers the probabi

Evolving perspectives

We're slaving away this month on a set of awareness materials about the information security aspects of cloud computing - an approach that was new and scary when we first covered it just a few years back. These days, cloud computing has become an accepted, conventional, mainstream part of the IT and business worlds. Some of the information risks have materially changed but most are simply better understood today, meaning we are better able to predict their probabilities and impacts. Hence I am re-drawing the generic Probability Impact Graph (PIG) for cloud security, shifting the identified risks around, checking and adjusting the wording and hunting for any new ones. Those 'new ones' include information risks that: We simply didn't identify when we last performed the risk analysis - oversights, failures in our risk identification process; We identified but didn't include explicitly on the PIG, most likely because we didn't understand them well enough to figure t

My top ten infosec books

As a bookworm, these are my top ten information security books, the ones I have found most insightful and provocative: The Cuckoo’s Egg by Clifford Stoll – the whodunnit that first got me seriously interested in hacking and IT security. A gripping story of intrigue and perseverance. Codebreakers by Hinsley & Stripp – the extraordinary tale of WWII cryptanalysis at Bletchley Park, and ultra-secrets. Secrets and Lies by Bruce Schneier – Bruce’s writing is always stimulating, thought-provoking. S&L was the first I read, and would remind me of the books that followed. The Art of Intrusion by Kevin Mitnick – as with Bruce, the first book reminds me of the series. More social engineering than hacking, but ingenious nevertheless. The hacker mindset laid bare. Information Paradox by John Thorp – the book that changed my way of thinking, treating IT and information as business tools. Underpins ISACA’s ValIT method. Managing an Information Security and Privacy Awareness and Training

Phishing awareness and training module

It's out: a fully revised (almost completely rewritten!) awareness and training module on phishing. Phishing is one of many social engineering threats, perhaps the most widespread and most threatening. Socially-engineering people into opening malicious messages, attachments and links has proven an effective way to bypass many technical security controls. Phishing is a business enterprise, a highly profitable and successful one making this a growth industry. Typical losses from phishing attacks have been estimated at $1.6m per incident, with some stretching into the tens and perhaps hundreds of millions of dollars. Just as Advanced Persistent Threat (APT) takes malware to a higher level of risk, so Business Email Compromise (BEC) puts an even more sinister spin on regular phishing. With BEC, the social engineering is custom-designed to coerce employees in powerful, trusted corporate roles to compromise their organizations, for example by making unauthorized and inappropriate wire tr