Saturday 29 December 2018

Awareness case study

The drone incident at Gatwick airport makes a good backdrop for a security awareness case study discussion around resilience.  

It's a big story globally, all over the news, hence most participants will have heard something about it. Even if a few haven't, the situation is simple enough for them to pick up on and engage in the conversation.

The awareness objective is for participants to draw out, consider, discuss and learn about the information risk, information or cybersecurity aspects, in particular the resilience angle ... but actually, that's just part of it. It would be better if participants were able to generalize from the Gatwick drone incident, seeing parallels in their own lives (at work and at home) and ultimately respond appropriately. The response we're after involves workers changing their attitudes, decisions and behaviors e.g.:
  • Considering society's dependence on various activities, services, facilities, technologies etc., as well as the organization and their own dependencies, and ideally reducing dependence on vulnerable aspects;
  • Becoming more resilient i.e. stronger, more willing and able to cope with incidents and challenges of all kinds;
  • Identifying and reacting appropriately to various circumstances that are short on resilience e.g. avoiding placing undue reliance on relatively fragile or unreliable systems, comms, processes and relationships;
  • Perhaps even actively exploiting situations, gaining business advantage by persuading competitors or adversaries to rely unduly on their resilience arrangements (!).
Assorted journalists, authorities and bloggers are keen to point out that the Gatwick drone incident is 'a wake-up call' and that 'something must be done'. Most imply that they are concerned about other airports and, fair enough, the lessons are crystal clear in that context ... but we have deliberately expanded across other areas where resilience is just as important, along with risk, security, safety, reliability, technology and more.

That's a lot of awareness mileage from a public news story but, as with the awareness challenge, putting the concept into practice is where we earn our trivial fees!

Friday 28 December 2018

US Dept of Commerce shutdown

Earlier this year I heard about the threatened shutdown of WWV and WWVH, NIST's standard time and frequency services, due to the withdrawal of government funding - an outrageous proposal for those of us around the world who use NIST's scientific services routinely to calibrate our clocks and radios.

Today while hunting for a NIST security standard that appears to no longer be online, I was shocked to learn that it's not just WWV that is closing down: it turns out all of NIST is under threat, in fact the entire US Department of Commerce.

Naturally, being a large bureaucratic government organization, there is a detailed plan for the shutdown with details of certain 'exempt' government services that must be maintained according to US law, although how those services and people are to be paid is unclear to me. After the funding ceases, DoC employees are required (or is that requested?) to turn up for work for a few more hours to set their out-of-office notifications (on the IT systems that are presumably about to be turned off?), then piss off basically.

To me, that's an almost unbelievably callous way to treat public servants. 

So is this fake news? Is it "just politics", brinkmanship by Mr Trump's administration I wonder? 

The root cause, I presume, is the usual disparity between the government's income and expenses, fueled by battles between the political parties plus their 'lobbyists' and the extraordinarily xenophobic pressure to spend spend spend on 'defense'. I gather the US-Mexico border wall is, after all (surprise surprise) to be funded by the US, so that's yet another splash of red ink across the government's books.

Thursday 27 December 2018

Gamifying awareness

We've come up with an idea for our next awareness challenge.

January's topic is 'resilience', a concept that means different things to different people. So what does it mean to workers? What is 'resilience' about? What does it imply? What are the key aspects, the things that everyone ought to know about?

The concept we have in mind for the awareness challenge is simple enough: under guidance from our security awareness materials, groups of workers discussing and exploring their understanding of the term 'resilience' will occupy the bulk of the challenge. Turning that into a practical and engaging awareness activity takes a bit more work though.

Our approach involves prompting and supporting someone - ideally an information security awareness professional - to deliver an effective session. Short of actually leading the session in person, we provide the materials and the inspiration to make the event fly, awareness by proxy you could say.

Despite our experience of being out there, doing it, the particular awareness audience and leader/presenter forms a unique combination. That's the tricky bit! It would be straightforward to prepare narrowly-scoped materials for a specific event but we have customers at different stages of maturity in their awareness and training programs, in a variety of organizations and industries or contexts ... hence we deliberately keep the awareness challenges reasonably flexible and open-ended. They may be run as one or more discrete events specifically for this purpose, or as sessions incorporated within some other event such as a briefing, training course or seminar. Online sessions are possible too, ideally in a manner that retains some social interaction. Participants should learn stuff from each other and have fun doing it.

'Having fun doing it' is not just about having a good time: do you recall those deadly dull awareness and training sessions of old where fun was simply not part of the equation? We remember the aggravation and tedium more than the content. Some of us (understandably) actively avoided or evaded the sessions while attendees generally resented being lectured at. Overall, a very negative experience, counterproductive and ineffective. How not to do it.

The nasty neologism 'gamification' has been coined for a different approach, although exactly what it means is uncertain. To some it means literally turning awareness and training into a game, for example Snakes and Ladders or Monopoly with playing boards and rules adapted to the subject. Climb up the security controls or slide down the risks and incidents, perhaps, or rather than buying properties, seize control of them by hacking, social engineering or malware.

To software-based awareness companies, it evidently means crude, low-budget computer games with cartoon characters and pixellated graphics vaguely reminiscent of Pong.

Either way, there is more than just a hint of treating fully-grown workers as if they are children. Picture it: "Warning! This awareness game contains scenes that may upset some people. Seek the guidance of a parent or guardian."

To us, 'gamification' is more to do with socializing information security. We provide factual and conceptual information to groups of people, encouraging them to interact with both the awareness materials and with each other in an upbeat, positive, engaging setting - such as an awareness challenge. Having fun is a valuable part of the approach, the means to an end rather than an end in itself.  If fun was THE objective, it would be easier just to send everyone to the bar to liquefy what remains of the awareness and training budget.

Wednesday 26 December 2018

Building a resilient workforce

A resilient workforce is well-prepared to cope with whatever stuff is thrown at it, all manner of challenges and incidents ... like this for instance:

Security-aware workers are an extremely important defensive control: we really ought to recognize this email for what it is - an obvious social engineering attack, a crude attempt to dupe us into opening the attachment ... but awareness is not the only control, a good thing too since we are only human. 

A truly resilient organization has a comprehensive suite of information security controls that come into effect both before, during and after the email gets delivered, even if a hapless worker receives and falls for the con, opening that attachment.

In information security, resilience is largely achieved through layered, overlapping and complementary controls. Individually none of them can totally eliminate the risks, but collectively the risks are reduced to the point that we can handle the remaining issues - at least that's the theory! Incident management is part of it, along with risk and business continuity management including resilience engineering, disaster recovery and contingency, for those situations that we simply didn't anticipate.

Awareness and training support all those aspects as well. Our awareness materials directly address management and professionals, as well as the general workforce, because they have distinct roles in making the organization resilient. Managers set key objectives, define priorities and control corporate assets, particularly funding. Professionals advise, guide and assist management in those activities, and are further responsible for implementing management edicts. A security awareness and training program that ignores either or both of those audiences is like a car with neither steering nor engine: fine as long as everything is heading downhill in the right direction. 

Friday 14 December 2018

Choosing ISO27k products

On ISO27k Forum today, a new member asked for advice on whether a 'complete package' would help the organization achieve ISO/IEC 27001 certification.

It's hard to answer without knowing more about the organization and its people (especially the management and specialists), their experience and maturity in respect of information risk and security, and ISO management systems, and the business context.  For example:
  • A small engineering company is in a different position to, say, a large charity, a government department or a multinational: its complexity, information risks, information security controls and other factors vary;
  • A company in a heavily-regulated industry such as healthcare, finance or defense is probably more compliance-driven, its management and workforce more comfortable with structured and systematic ways of working than, say, a retailer or farmers' cooperative;
  • An organization that is 'surrounded' or owned by ISO27k-certified organizations may be under more pressure to implement than a pioneer, especially if there are commercial pressures or contractual/regulatory obligations in this area (e.g. for privacy reasons);
  • A patently insecure organization that has suffered one or more serious infosec incidents, breaches, compliance failures etc. is likely to be under more intense pressure to reform and 'get secure' than one which is (or believes itself to be) relatively secure, doing OK at the moment but maybe looking into ISO27k as a strategic opportunity, supporting other initiatives and complementing other management systems maybe;
  • A mature, specialized, narrowly-focused, relatively simple and stable organization (such as a steel mill) probably needs far less flexibility in its ISMS than one which is highly dynamic, growing fast, chasing different markets and proactively innovating (such as a manufacturer of IoT things).
Also, despite the additional wording in the original query, I'm not at all sure what a 'complete package' is. That might mean any of the following, alone or in combination:
  • Documentation e.g.:
    • Sets of ISO27k and possibly other standards (the core set of ISO/IEC 27000, 27001, 27002, 27003 and 27005 are almost universally recommended);
    • Generic template/skeleton ISMS documentation such as scope, SoA, RTP etc.;
    • Generic infosec policies and procedures etc.;
    • Generic project/program plans, frameworks etc.;
    • Generic, structured methods/approaches etc.;
    • Tailored documentation to suit the general type/size of business, industry etc.;
    • Bespoke or heavily customized documentation, competently tailored to suit a particular organization;
  • ISMS-related consultancy-type services of various kinds e.g.:
    • Training and awareness services for individuals, teams or the entire organization;
    • Help with the program and project governance and management aspects e.g. planning, resourcing, metrics, targets, project risk management;
    • Mentoring, guidance and advice for the CISO/ISM, ISMS implementation project manager/team and perhaps others e.g. senior management, risk management, IT audit, IT, Facilities, HR, Operations, Privacy ...;
    • All manner of gap analyses, reviews, audits, benchmarks etc. to assess and report on the current situation and help determine future directions, priorities etc.;
    • Full-time hands-on ISMS project and program management leading to permanent ISM and CISO roles;
    • Part-time local and/or remote support, advice, mentoring etc. for the permanent on-site team - including perhaps assistance with the recruitment and training of such a team;
    • Business development consultancy e.g. help to re-position and market the organization as an ISO27k-certified secure, trustworthy, reliable supplier or whatever;
  • Systems e.g.:
    • IT systems specifically supporting an ISO27k ISMS, or any kind of ISMS, or more generally information risk and security-related;
    • Document Management Systems, possibly pre-loaded with [generic but hopefully customizable, relevant and suitable] ISO27k ISMS documentation;
    • Learning Management Systems, possibly pre-loaded with ISO27k-related training materials, courses, tests etc.;
    • Private, hybrid or public cloud-based apps;
    • Structured methods, frameworks and approaches in this area, with or without IT components; 
  • Something else!
Some of those options above are much more valuable than others (note: 'valuable' is not the same as 'expensive': some are free!). Comprehensive materials and support services might suit your organization (if you can afford them, and if they cover all your requirements!), but you might be better off with an appropriate selection and combination of point-solutions addressing more specific weak-points and needs, complementing and reinforcing the organization's existing resources and capabilities.

Lastly, I'll throw in another important factor to consider: the nature, quality and value of the products (both goods and services) depend heavily on the suppliers or sources - their competence, experience, expertise (both depth and breadth), quality assurance, creativity and so forth. Are they new to the market, full of brash enthusiasm and bright ideas but short on history and perhaps credibility? Are they old, established, set-in-their-ways maybe? Are they ISO27k specialists (e.g. they ONLY offer ISO27k training courses), broader ISO27k and infosec suppliers (e.g. they provide training plus consulting plus systems) or generalists (e.g. the auditing/accounting/business consultancies)? Are they well-known and highly respected in the field with glowing customer references, or relatively unknown with dubious credentials? Oh, and are you certain the products on offer are what will actually be delivered (avoiding the old bait-n-switch scam)?

I hope this general advice helps. I appreciate that it raises far more issues than it answers ... but hopefully those questions and considerations are a lot more useful than the alternative "Well, it all depends!"

Saturday 8 December 2018

Bashing tick-n-bash

Auditing compliance or conformity with rules defined in policies, standards, laws and regulations is just one audit approach, commonly and disparagingly known as tick-n-bash auditing.

The rule says X
but you do Y
……. BASH!

It is like being rapped over the knuckles as a kid or zapping a trainee sheep dog through its radio-controlled shock collar. It's a technique that may work in the short term but it is crude and simplistic. The trainee/auditee is hurt and ends up resentful. Strong negative emotions persist long after the tears have dried and the bruising has gone down, making it counterproductive. It’s best reserved as a last resort, in my considered opinion.*

Certification audits are ultimately compliance audits but even they can be performed in a more sympathetic manner. The trick is to combine bashing (where justified) with explaining the requirements and encouraging compliance. It means motivating not just dragging people, and a lot more listening and observing to understand why things are the way they are.

Sometimes there are genuine, legitimate reasons for noncompliance, like for example finding better ways to do things or competing priorities. Sometimes noncompliance achieves a better outcome for the organization and other stakeholders. Actively looking for and exploring such situations turns the audit into a more positive exercise, even if it turns out that noncompliance was indeed unjustified and problematic: the investigation will often turn up root causes that deserve to be addressed, enabling us to treat the disease, not just ameliorate the symptoms. 

Competent, experienced auditors appreciate the value of downgrading relatively minor findings to ‘minor non-conformance’ status, or even on occasions ‘letting things ride’ with informal comments and motivational words of encouragement to the auditees. That then makes any remaining major issues stand out, focusing everyone’s attention on the Stuff That Really Matters – matters to the organization and other stakeholders, for legitimate business reasons. It’s no longer just a matter of “The rule says X”: there are reasons why rule X exists, reasons that deserve attention. Rule X is simply a means to an end, not an end in itself.** 

From there, it’s but a small step towards effectiveness and efficiency-based auditing, a more sophisticated and intelligent approach than crude compliance auditing. The idea is to identify sub-optimal activities that might usefully be adjusted to improve the outcomes, ultimately achieving business objectives and success. The approach focuses on the positives, on finding creative solutions that most benefit the organization (and, by the way, the individual auditees: more carrot = less stick!). The very premise that some activities might be ‘sub-optimal’ implies a deeper level of understanding about what ‘optimal’ actually means in that context, and a wider appreciation of good practices and alternatives. Being able to recite the rules verbatim, and carry a big stick, is no longer the mark of a good auditor!

In the ISO27k context, the information security controls recommended by ISO/IEC 27002 are intended to address specified control objectives. However, they aren't guaranteed always to achieve those objectives in any given situation, nor are those objectives necessarily relevant and sufficient. Both the control objectives and the controls are generic - general advice intended to suit most organizations. Both need to be interpreted in the specific context of a particular organization. Both may need to be supplemented, extended, modified or ignored in various circumstances. That complexity makes it too tough for straightforward compliance auditors, apparently, demonstrating a fundamental limitation of the tick-n-bash approach. That's why an ISO/IEC 27001 certificate confirms the presence of a conformant management system for information risk and security, rather than a secure organization with all the appropriate information security controls in place, fully operational, working exactly as needed.

ISO/IEC 27001 specifies that internal audits must be performed on the Information Security Management System but does a poor job of explaining them, in particular implying that auditing is compliance auditing:

Taking my own medicine, I ask myself "Why? Why does the standard equate auditing with compliance auditing?" The answer lies with the experts responsible for the ISO27k standards, in their biases and prejudices about auditing ... which in turn reflects their experience of auditing ... which I presume is largely compliance auditing ... and so the loop continues. 

Breaking the committee out of that vicious cycle is an objective I have thus far failed to achieve but the current round of standards revision presents another opportunity, a chance to explain, persuade and hopefully convince. Not bash, oh no. 

Longer term, I'd like to push ISO27k further into the realms of assurance and accountability, and beef-up its advice on governance, information risk management, business continuity, and business for that matter. The business context and objectives for information security would be fascinating to explore and elaborate further on. One day maybe. I've learnt to pick my battles though: it takes a winning strategy to succeed in war.

* PS  I have the same philosophy in security awareness and training. To me, security awareness and training works best as a positive, motivational and inspirational technique. Dire warnings and penalties may be necessary to curb inappropriate behaviors and instill discipline but that's a last resort, best reserved for when other techniques have failed. Clearly, I'm no sadist.

** When upholding the rule becomes more important than achieving the intended outcome, that is - I think - a form of surrogation. 

Friday 7 December 2018

Who owns the silos?

Michael Rasmussen published an interesting, thought-provoking piece about the common ground linking specialist areas such as risk, security and compliance, breaking down the silos.
“Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy.”
While Michael’s perspective makes sense, connecting, integrating or simply seeking alignment between diverse specialist functions is, let's say, challenging. Nevertheless, I personally would much rather collaborate with colleagues across the organization to find and jointly achieve shared goals that benefit the business than perpetuate today's blinkered silos and turf wars. At the very least, I'd like to understand what drives and constrains, inspires and concerns the rest of the organization, outside my little silo.

Once you start looking, there are lots of overlaps, common ground, points of mutual interest and concern. Here are a few illustrative examples:
  • Information risk, information security, information technology: the link is glaringly obvious, and yet usually the second words are emphasized leaving the first woefully neglected;
  • Risk and reward, challenge and opportunity: these are flip sides of the same coin that all parts of the business should appreciate. Management is all about both minimizing the former and maximizing the latter. Business is not a zero-sum game: it is meant to achieve objectives, typically profit and other forms of successful outcomes. And yes, that includes information security!
  • Business continuity involves achieving resilience for critical business functions, activities, systems, information flows, supplies, services etc., often by mitigating risks through suitable controls. The overlap between BCM, [information] risk management and [information] security is substantial, starting with the underlying issue of what 'critical' actually means to the organization;
  • Human Resources, Training, Health and Safety and Information Risk and Security are all concerned with people, as indeed is Management. People are tricky to direct and control. People have their own internal drivers and constraints, their biases and prejudices, aims and objectives. Taming the people without destroying the sparks of creativity and innovation that set us apart from the robots is a common challenge ... and, before long, taming those robots will be the next common challenge.
Dig deeper still and you'll also find points of mutual disinterest and conflicts within the organization. Marketing, for instance, yearns to obtain and exploit all the information it can possibly obtain on prospective customers, causing sleepless nights for the Privacy Officer. Operations find it convenient or necessary to use shared accounts on shop-floor IT systems in the interest of speed, efficiency, safety etc. whereas Information Risk and Security point out that they are prohibited under corporate-wide security policies for accountability and control reasons.

You could view the organization as a multi-dimensional framework of interconnections and tensions between its constituent parts, all heading towards roughly the same goal/s (hopefully!) but on occasions pulling any which way at different speeds to get there. To make matters still more complex, the web of influence extends beyond the organization through its proximal contacts to The World At Large. That takes us into the realm of chaos theory, global politics and sociology. 'Nuff said.

All the organization's activities fall under the umbrella of corporate governance, senior managers clarifying the organization's grand objectives and optimizing the organization's overall performance by establishing and monitoring the corporate structures, hierarchies, strategies, policies and other directives, information flows, relationships, systems, management arrangements etc. necessary to achieve them. Driving alignment and reducing conflicts is part of the governance art. Silos are governance failures.

Sunday 2 December 2018

Acceptable Use Policies

A question came up on the ISO27k Forum about an Acceptable Use Policy. I'll take this opportunity to dispense a few Hinson Tips (free, and worth every penny!). 

AUP isn’t a generally-defined and globally-agreed term. Even “policy” has a spectrum of meanings. So, regardless of what any of us might think or claim it means, what matters is the organization that’s using it – the organizational context. What does your management expect an AUP to be? To achieve? To look like? You should get some useful clues from other similar materials in other areas such as IT, HR and Finance, other functions that to some extent formally express directives. They may or may not be called AUPs, so take a look around the policy-related guidance materials, and preferably talk to the original authors about their work. You will probably pick up some useful tips, maybe even some help to knock your materials into shape. 

Some organizations use AUPs formally, stating employees' obligations for legal purposes. Personally, I prefer conventional policies and employment-related contracts, terms and conditions, rulebooks etc. for that purpose.  I treat AUPs more as guidelines than policies ... but even so that’s on the premise that a ‘guideline’ CAN and generally SHOULD incorporate obligations defined in various policies, laws and regulations – in other words, despite the name, a guideline includes and revolves around mandatory elements. Its purpose, for me, is to explain those obligations in plain language and thereby encourage people to comply. 

Employees shouldn't need to consult a lawyer to figure out what is expected of them. Management should ensure not only that employees are instructed, but they are also helped to understand and fulfill their obligations.

There are various ways to ‘explain and encourage’ employees. A useful approach is to lay out examples covering both acceptable AND unacceptable activities, hence the AUPs in our awareness and training materials look something like this little extract:

The language is reasonably simple and straightforward (avoiding the technobabble and pseudo-legalese that afflicts some of our esteemed colleagues!) and we’re using the obvious green and red color cues plus the ticks and crosses to emphasize do’s and don’ts. We try to have roughly the same number of each, countering the tendency for the whole thing to preach “Thou shalt not …” And separating the reds from the greens gives an otherwise jumbled list a little structure. We’re trying hard to encourage and make it easy for even reluctant, busy, distracted and disinterested readers to read. 

For the same reason, we also take the position that 'less is more', meaning that our AUPs have fewer than 500 words each. They are all one-pagers with a two-column layout. That's quite a challenge for the AUP author [me!] since words are at a premium, which means condensing the AUP down to essentials. Aside from careful wordsmithing, it's worth asking "If someone barely has the time or interest to glance at this, what are the key messages we must put across?". That approach in turn begs questions about what happens to the other stuff that we're forced to leave out. For us, it's easy enough because we also provide briefings and seminar slide decks and conventional policy templates etc., a coherent and comprehensive package of goodies and awareness activities supporting the AUP, all covering the same infosec topic ...

... Which brings up another part of our approach: we don’t try to cover everything all at once. We deliberately break things down into a series of distinct topic areas, allowing us to focus and go into a bit more depth on each topic, moving ahead month-by-month to cover the entire field. 

Consuming the elephant one bite at a time

If you think one or more AUPs would be useful in your organization but are unsure about the format, you might like to prepare or compile a variety of AUPs in different styles, giving management the chance to consider the options and choose the best ones or the best bits. As well as AUPs from within the organization, look for examples from other organizations (including ours!) to see the range of styles and formats in use. Once you get management's agreement and generate something that is acceptable to all parties, that becomes the template for others ...

... And that's how we work too. All our security awareness and training materials are prepared from templates, making it easier to adopt and stick to a consistent look-and-feel. The templates pre-set things such as:
  • Page/paper size and orientation;
  • Language for spell-checking;
  • The font, font sizes and colors, both for plain content plus the titles, headings, hyperlinks etc. using 'styles';
  • Headers and footers with titles, page numbering and our copyright notice;
  • Page layouts e.g. columns, tables;
  • Document structure e.g. cover page, main headings;
  • Boilerplate text such as sources of further information and contacts at the bottom of almost everything (sometimes customized according to the topic);
  • Miscellaneous formatting e.g. line thicknesses and colors, arrowheads;
  • Diagrammatic styles e.g. the risk-control spectrum and PIG diagrams you'll see pop up occasionally on this very blog;
  • Metadata such as tags to make it easier to search for specific kinds or items of material. 
Our full suite of templates has evolved in the course of a decade and is still being tweaked from time to time. In particular we review and where necessary modify the whole lot annually at the start of the calendar year: updating the copyright notices triggers that process. We try to keep a lid on minor changes during the year in order not to introduce noticeable inconsistencies, so the annual template re-vamp is our opportunity to address any little issues and if appropriate adopt more significant changes, sometimes retiring templates that are no longer proving useful.

Another source of change is the creation of new formats or styles of awareness materials, such as the AUP seen above. New items normally take a couple of iterations and adjustments before stabilizing and being templated, becoming part of the set. 

Finally, there are other tricks of the trade in researching, writing and polishing awareness and training materials that both are and appear professional. A suite of templates is an excellent start but just as important is the way the templates are used, and of course the quality of the information content. We take pride in our work. We care about spelling and grammar. We consider our audiences, and we learn and improve systematically. We're perfectionists by nature. That's the secret weapon that gives us an edge over the usual rather amateurish and slapdash awareness and training content that is so common out there, the stuff that gives our profession a bad reputation. We must do better, raising our game. We're doing our bit. What about you?