Posts

Showing posts from August, 2019

Awareness module on hackers and hacking

We've just completed and delivered our security awareness and training module about hackers – a topic we haven't covered specifically for a few years, although most of the awareness modules at least touch on hacking, some more than others. The hacking risks have changed perceptibly in that time. The rise of state-sponsored (spooky!) hacking is of great concern to those of us who care about critical national infrastructures, human society and world peace. The United Nations is due to meet in a couple of weeks to discuss the possibility of reaching agreement on the rules of cyberwarfare, mirroring those for conventional, nuclear and biological warfare. Let's hope they manage to align the ~200 countries represented at the UN – a tough task for the diplomats, politicians and cyberwar experts. That aspect gives a distinctly sinister tinge to the awareness module, and yet I hope we've succeeded in keeping the materials reasonably light, interesting and engaging as ever, a del...

Hacking awareness module

September's security awareness module is rapidly falling into place with lots of juicy content for all three streams already. For the general/staff audience, we'll be giving an overview, an outline of the main information risks and information security controls, and promoting ethics. For professionals, there's a bit more technical content, still without giving too much away (we're trying to encourage people to control against, not commit, hacking!). For management, we've updated the anti-hacking policy template to mention the bug bounty idea. All three streams emphasize the need for detective and corrective controls, supplementing the preventive controls because preventive controls are fallible. The sheer variety of risks and controls is overwhelming, so we'll pick out a few topical aspects to discuss, such as using bug bounties as a technique to both encourage (ethical) disclosure and improve information security, a nice combination. Hardware hacking will make an a...

20 creative ways to use looping PowerPoint intros

Yesterday I promised to share some ideas for looping intros on your PowerPoint presentations, primarily but not exclusively for security awareness seminars and the like. Rather than wasting the time between opening the door and starting the session, it's a mini awareness opportunity you can exploit. Here are 20 ways to use your loopy intros: Show short security awareness videos, maybe 'talking heads' clips of people talking about current threats, recent incidents, new policies etc.; Quotes from attendees at past awareness events, possibly again as video or audio clips or written quotations in their own words; A slide-show of still photos from previous awareness and training events, preferably showing people having a good time and enjoying a laugh; Awareness posters: you do have plenty of these, right?; Clips from your intranet Security Zone – just a few headline items, not whole pages, with the Zone's URL; Clips from your security policies and procedures – litt...

Subversive metrics (surrogation)

Don't let metrics undermine your business by Harris and Taylor is a thought-provoking piece in the wonderful Harvard Business Review. It concerns a tough old problem: metrics themselves becoming the focus of attention within the organization, rather than the things being measured and, more importantly still, the business activities whose improvement the metrics are intended to support. "Every day, across almost every organization, strategy is being hijacked by numbers ... It turns out that the tendency to mentally replace strategy with metrics — called surrogation — is quite pervasive. And it can destroy company value." According to Wikipedia, Charles Goodhart advanced the idea in 1975, although I suspect people have been manipulating metrics and duping each other pretty much since the dawn of measurement. My eyes were opened to the issue by Hauser and Katz in Metrics: you are what you measure! Krag Brotby and I wrote about...

Policy and compliance

This morning, "PS" asked the ISO27k Forum for advice about reviewing access rights. "I just got a minor non-conformity for not showing compliance with the review of user access rights control. At present, a report containing leavers is reviewed by the service desk to ensure removal of access. This process supplements the leaver process owned by department managers. But an auditor has insisted that we should retrieve all access reports and review them. So the question is, how do you demonstrate compliance with this control in your organisation? Appreciate your guidance ..." Some respondents duly mentioned typical controls in this area, while some of us spotted a problem with the situation as described. Why did the auditor raise a minor non-conformity? On what basis did the auditor insist that they should 'retrieve and review all access reports' – if in fact he/she did? With a little creative/lateral thinking, it turns out there are several intriguing possibilities in the situation descri...

End of an era

Friends, Romans, customers, lend me your screens. I come to bury NoticeBored, not to praise it. Sadly, the time has come to draw a lengthy chapter in our lives to a close. Our monthly security awareness and training subscription service will cease to be early next year. As of April 2020, it will be no more. It will be pushing up the daisies. We'll be nailing it to the perch and sending it off to the choir invisibule. Beautiful plumage though. The final straw and inspiration for the title of this piece was yet another exasperating phisher: ... and the realisation that suckers will inevitably fall for scams as ridiculous as that, no matter what we do. There will always be victims in this world. Some people are simply beyond help ... and so too, it seems, are organizations that evidently don't understand how much they need security awareness and training. "It's OK, we have technology" they say, or "Our IT people run a seminar once a year!" and sure en...

Cyber-insurance standard published

We are delighted to announce the birth of another ISO27k standard: ISO/IEC 27102:2019 — Information security management — Guidelines for cyber-insurance. The newest, shiniest member of the ISO27k family nearly didn't make it into this world. Some in the insurance industry are concerned about this standard muscling in on their territory. Apparently, no other ISO/IEC standards seek to define categories of insurance, especially one as volatile as this. Despite some pressure not to publish, this standard flew through the drafting process in record time, thanks mostly to starting with an excellent 'donor' document and a project team tightly focused on producing a standard to support and guide this emerging business market. Well done, I say! Blaze that trail! This is what standards are all about. 'Cyber' is not yet a clearly-, formally- and explicitly-defined prefix, despite being bandied about willy-nilly, a solid-gold buzzword. It is scattered like confetti throughout but unfortunately...

Vote for your favorite security blogs

Purely by chance, I discovered today that this blog has been nominated in the "Most entertaining security blog" 2019 category at Security Boulevard. What a nice surprise! Regardless of the eventual outcome of the voting, it's humbling to make it onto the nominations list alongside several excellent blogs that I enjoy reading. Please visit the voting page to see what I mean, browse the nominated blogs and vote for your favorites [you can suggest blogs in addition to those nominated]. Meanwhile, the bloggings will continue ... PS If you're on the lookout for infosec blogs worthy of your attention, take a look at this excellent shortlist from VPNmentor.

Extending the CIS security controls

The Center for Internet Security (CIS) has long provided helpful free advice on information (or cyber) security, including a "prioritized list of 20 best practice security controls" addressing commonplace risks. In the 'organizational controls' group, best practice control 17 recommends "Implement a security awareness and training program". Sounds good, especially when we read what CIS actually means by that: "It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: system developers and programmers (who may not understand the opportunity to resolve root cause vulnerabilities early in the system life cycle); IT operations professionals (who may not recognize the security implications of IT artifacts and lo...

About information assets ... and liabilities

Information security revolves around reducing unacceptable risks to information, in particular significant or serious risks, which generally involve especially valuable, sensitive, critical, vital or irreplaceable information. Those are the 'information assets' most worth identifying, risk-assessing and securing. That seems straightforward, but it is more complicated than it sounds, for many reasons, e.g.: Information exists in many forms, often simultaneously, e.g. computer data and metadata (information about information), knowledge, paperwork, hardware designs, molds, recipes, concepts and ideas, strategies, policies, understandings and agreements, experience and expertise, working practices, contacts, software, data structures, intellectual property (whether legally registered and protected or not) … any of which may need to be secured; Information is generally dynamic, hence there is a timeliness aspect to its value (e.g. breaking vs old ...

The brilliance of control objectives

Way back in the 1990s, BS 7799 introduced to the world a brilliant yet deceptively simple concept, the "control objectives". Control objectives are short, generic statements of the essential purpose or goal of various information security controls. At a high level, information security controls are intended to 'secure information', but what does that actually mean? The control objectives explain. Here's an example:

7. System access control
7.1 Business requirement for system access
Objective: To control access to business information.
Access to computer services and data should be controlled on the basis of business requirements. This should take account of policies for information dissemination and entitlement.

At first glance, this control objective is self-evident in that the objective of an access control is obviously to control access, but look again: the objective explicitly refers to 'business information' and the following notes emphasize...

Loop back security

This is a classical step-wise view of the conventional ISO27k approach to managing information risks:

1. Identify your information risks;
2. Assess/analyze them and decide how to treat them (avoid, share, mitigate or accept);
3. Treat them – apply the chosen forms of risk treatment;
4. Monitor and manage, reviewing and taking account of changes as necessary.

As an example, most organizations have some form of user registration process to set up network computer accounts (login IDs) for workers. The controls outlined in ISO/IEC 27001 Annex A section 9.2.1, described in more detail in ISO/IEC 27002 section 9.2.1, are part of the suggested means of mitigating the risks associated with inappropriate user access to information and information systems; mitigation is one of the four forms of risk treatment applied at step 3 of the risk management process. Ah, but what happened to steps 1 and 2? Oh oh. Working backwards from step 3, management appear to have decided that the A.9.2.1 controls are required in...

The formalities of certification

ISO/IEC JTC 1/SC 27 is currently getting itself all hot under the collar about cloud security certificates: certificates of compliance with standards that were neither intended nor written for certification purposes. The ISO27k cloud security standards ISO/IEC 27017 and ISO/IEC 27018 are not written as formally as certifiable standards such as ISO/IEC 27001 ... and yet I gather at least one accredited certification body has been issuing compliance certificates anyway, implying that the auditors must have used their discretion in interpreting the standards and deciding whether the organizations fulfilled the requirements sufficiently well to 'deserve' certificates. The trustworthiness of those certificates, then, depends in part on the competence and judgement of the certification auditors, not just on the precise wording of the standards. In other words, there's an element of subjectivity about it. The key issue is that, in this context, compliance certification is a formal ...

Loopy intros

Normally in an awareness seminar or training course, we display a static title slide on the screen as people wander into the room, sipping coffee and chatting among themselves, then settling down for the show. The title slide tells them they are in the right place at the right time, but it's a boring notice. So, how about instead showing something more interesting to catch their eyes (and ears?) as they arrive? It's not too hard to set up a looping mini-presentation by following these instructions. Essentially, you add the loopy slides to the start of your conventional slide deck, set them to advance automatically every few seconds and 'repeat until escape'. The 'escape' can be achieved by adding an action button to the loopy slides that, when clicked, launches the main part of the presentation. An alternative approach is to keep the loopy intro and the main presentation as separate files. Run the loopy presentation as people arrive. When everyone is settled down, terminate it and laun...