Posts

Showing posts from November, 2019

Social engineering awareness module

December 2019 sees the release of our 200th security awareness and training module, this one covering social engineering. The topic was planned to coincide with the end of year holiday period - peak hunting season for social engineers on the prowl, including those portly, bearded gentlemen in red suits, allegedly carrying sacks full of presents down chimneys. Yeah right! I'm fascinated by the paradox at the heart of social engineering. Certain humans threaten our interests by exploiting or harming our information. They are the tricksters, scammers, con-artists and fraudsters who evade our beautiful technological and physical security controls, exploiting the vulnerable underbelly of information security: the people. At the same time, humans are intimately involved in protecting and legitimately exploiting information for beneficial purposes. We depend on our good people to protect us against the bad people. Vigilance is often the only remaining hurdle to be overcome, m...

Risks, dynamics and strategies

Of information risk management, "It's dynamic" said my greybeard friend Anton Aylward - a good point that set me thinking as Anton so often did. Whereas normally we address information risks as if they are static situations using our crude risk models and simplistic analysis, we know many things are changing ... sometimes unpredictably, although often there are discernible trends. On Probability-Impact Graphics, it is possible to represent changing risks with arrows or trajectories, or even time-sequences. I generated an animated GIF PIG once showing how my assessment of malware risks had changed over recent years, with certain risks ascending (and projected to increase further) whereas others declined (partly because our controls were reasonably effective). [Click the PIG to watch it dance] It's tricky though, and highly subjective ... and the added complexity/whizz-factor tends to distract attention from the very pressing current risks, plus the uncertainti...

7 ways to improve security awareness & training

Although 7 Ways to Improve Employee Development Programs by Keith Ferrazzi in the Harvard Business Review is not specifically about information security awareness and training, it's straightforward to apply it in that context. The 7 ways in bold below are quoted from Keith's paper, followed by my take. 1. Ignite managers' passion to coach their employees. I quite like this one: the idea is to incentivize managers to coach the workforce. As far as I'm concerned, this is an inherent part of management and leadership, something that can be enabled and encouraged in a general manner not just through explicit (e.g. financial) incentives. For me, this starts right at the very top: a proactive CEO, MD and executive/leadership team is in an ideal position to set this ball rolling on down the cascade - or not. If the top table is ambiguous or even negative about this, guess what happens! So, right there is an obvious strategy worth pursuing: start at, or at the very least, includ...

Who owns compliance?

For some weeks now on the ISO27k Forum we've been vigorously and passionately debating whether an Information Security Management System should, or should not, include the organization's compliance with "information security-related" laws, regulations and other obligations such as contractual clauses specifying compliance with PCI-DSS. The issue arises because: The relevant infosec compliance section is tucked away at the end of ISO/IEC 27001 Annex A, which has an ambiguous status with respect to '27001 certification. Although Annex A is discretionary rather than mandatory, certifiable organizations must use Annex A as a checklist to confirm that their ISMS incorporates all the information security controls necessary to address the information risks within scope of the ISMS. Interpret that paradox as you will ... and hope that the certification auditors take the same line; It could be argued that, in a very broad sense, all the laws, regs, contract...

Enough is enough

Keeping ISO27k Information Security Management Systems tight, constrained within narrow scopes, avoiding unnecessary elaboration, seems an admirable objective. The advantages of ISMS simplicity include having less to design, implement, monitor, manage, maintain, review and audit. There's less to go wrong. The ISMS is more focused, a valuable business tool with a specific purpose rather than a costly overhead. All good. However, that doesn't necessarily mean that it is better to have fewer ISMS documents. In practice, simplifying ISMS documentation generally means combining docs or dispensing with any that are deemed irrelevant. That may not be the best approach for every organization, especially if it goes a step too far. Take information security policies for example. Separate, smaller policy docs are easier to generate and maintain, {re}authorize and {re}circulate individually than a thick monolithic "policy manual". It's easier for authors, authori...

Risky business

Physical penetration testing is a worthwhile extension to classical IT network pentests, since most technological controls can be negated by physical access to the IT equipment and storage media. In Iowa, a pentest incident that led to two professional pentesters being jailed and taken to court illustrates the importance of the legalities for such work. A badly-drafted pentest contract and 'get out of jail free' authorization letter led to genuine differences of opinion about whether the pentesters were or were not acting with due authority when they broke into a court building and were arrested. With the court case now pending against the pentesters, little errors and omissions, conflicts and doubts in the contract have taken on greater significance than either the pentest firm or its client appreciated, despite both parties appreciating the need for the contract. They thought they were doing the right thing by completing the formalities. Turns out maybe they had...

On being a professional

While Googling for something else entirely, I chanced across this statement on an old forum thread: "The essence of my job as an information security architect is to understand the balance between risk (legal, practical, and otherwise) and the need for an organization to conduct business efficiently. I think a lot of what I do really does boil down to seeing the other side of things; I know what the 'most secure' way is, but I also have to understand that implementing it might mean debilitating restrictions on the way my employer does business. So what I have to do is see their point of view, clearly articulate mine, and propose a compromise that works. There's a reason a lot of IT security folks become lawyers." Nicely put, Darren! While personally I'd be reluctant to claim that I 'know what the most secure way is', the point remains that an information security - or indeed any professional's job revolves around achieving workable compromises. For us, it...

Strategic risk management

There's an old old joke about a passing stranger asking for directions to Limerick. "Well," says the farmer, "If oi was you, oi wouldn't start from here". So it is with infosec strategies. Regardless of where your organization may be headed, by definition you set out from a less than ideal starting point. If it was ideal, you wouldn't be heading somewhere else, would you? That naive perspective immediately suggests two alternatives: Given where you are today, planning your route accordingly. Regardless of where you are today, focus exclusively on the destination and how best to get there. Actually, those are just two of many possibilities. It's even possible to do both: strategic thinking generally includes a good measure of blue-sky idealist thinking, tempered by at least a modicum of reality and pragmatism. 'We are where we are'. We have a history and finite resources at our disposal ... including limited knowledge about our history, curr...

Super management systems

ISO 22301, already an excellent standard on business continuity, has just been revised and republished. Advisera has a useful page of info about ISO 22301 here. There's quite a bit of common ground between business continuity and information risk and security, especially as most organizations are highly dependent on their information, IT systems and processes. The most significant risks are often the same, hence it makes sense to manage both aspects competently and consistently. The ISO 'management system' structured approach is effective from the governance and management perspective. Aligning/coordinating the infosec and business continuity management systems has several valuable benefits since they are complementary. Extending that thought, it occurs to me that most if not all other areas of management also have information risk and security implications: Physical site security and facilities management (e.g. reliable power and cooling for the...

Insight into ISO27k editing

Today I find myself poring through ISO/IEC 27000:2018 looking for quotable snippets to use on our awareness posters in January. Although there's plenty of good content, I can't help but notice a few rough edges, such as this: "Conducting a methodical assessment of the risks associated with the organization's information assets involves analysing threats to information assets, vulnerabilities to and the likelihood of a threat materializing to information assets, and the potential impact of any information security incident on information assets. The expenditure on relevant controls is expected to be proportionate to the perceived business impact of the risk materializing." [part of clause 4.5.2]. First off, here and elsewhere the '27000 text uses the term "information asset" which is no longer defined in the standard since the committee couldn't reach consensus on that. Readers are left to figure out the meaning for themselves, with the possibility of differing interpretations ...

Social engineering awareness

The next awareness topic is one of our regular annual topics. Social engineering has been around for millennia - literally, in the sense that deliberate deception is a survival strategy adopted by many living beings, right back to primordial times. So, what shall we cover this time around? Last time, we took a deep dive into phishing, a modern-day scourge ... but definitely not the only form of social engineering, despite what those companies pushing their 'phishing solutions' would have us believe. We picked up on 'business email compromise' as well, another name for spear-phishing. In 2017, we explored 'frauds and scams' in the broad, producing a set of 'scam buster' leaflets explaining common attacks in straightforward terms, illustrated with genuine examples and offering pragmatic advice to avoid falling victim to similar tricks. Back in 2016, the 'protecting people' module covered: social engineering attacks, scams and frauds, such as phi...