Posts

Showing posts from January, 2020

Just-in-time security awareness

This afternoon, we completed, proofread and published a security awareness module on malware, a few short hours before our (self-imposed!) end-of-month deadline. The atmosphere in the office has grown increasingly tense this week as the deadline loomed. Early in January we took the decision to use the Travelex ransomware incident as a very topical (live!) case study for the module, and as such we were hostage to their timeline. By sheer chance, the main Travelex websites were up and running again this very morning, neatly tying off the month's events. Comparing and contrasting the Sony and Travelex ransomware incidents has been fascinating: they each handled the situations in their own way, and yet there are common themes - for instance they were both forced to fend off an inquisitive (hostile!) pack of journalists. Travelex also made effective use of social media, and completed the main part of their recovery roughly twice as fast as Sony, so things have moved on in the five...

Simplicity itself

"Simplicity is the default unless there's a good business reason to do something else. What is typically lacking are the business reasons ..." That comment on CISSPforum set me pondering during this morning's caffeine fix. We've been chatting about some training webinar sessions recently promoted by (ISC)². Some say they over-simplify information security to the point of trivialising and perhaps misleading people. If you follow this blog, you'll know that this month I have been slaving away on an awareness module covering malware, a topic we've covered many times before - particularly the avoidance or prevention of infections - but this year a customer asked us for something on publicly disclosing incidents in progress, a disarmingly simple request that turned into a fascinating foray into the post-malware-infection incident management and resolution phase for a change. I've been exploring and writing about what does, could or should happen after malw...

Taking it to the wire

Today since before 5am I've been slaving away over a hot keyboard in a steamy hot office on a flaming hot topic: malware awareness. As you may have noticed here on the blog, all month long I've been systematically tracking the ongoing Travelex incident, observing from a safe distance the unsightly aftermath of another ugly malware - and business continuity - incident unfolding before our very eyes. With our end-of-month delivery deadline looming large, it's time to draw out the lessons from the case study and weave the whole episode into a compelling tale for February's awareness module - well, three closely-related tales in fact since as always we're catering for the differing perspectives, concerns and information needs of our customers' staff, management and professional audiences. What have we learnt this month? What has happened, and why? What do we think might/should have been going on behind the scenes, out of the glare of the media spotlight? What we...

Woe betide ...

... any organization unfortunate enough to suffer a privacy breach today, of all days, being "Data Privacy Day". In the unlikely event that there are no new ones today, recent newsworthy breaches are liable to be trawled up and paraded across the media, again. I've been writing about preparing to deal with malware incidents all this month. Managing or controlling the publicity aspects is trickier than it may appear. Sony pulled a master stroke in getting its legal team to threaten action against journalists who continued to exploit the tittle-tattle disclosed in the Sony Pictures Entertainment breach five years ago - but that's not a universally applicable approach. Travelex did well to get basic, static web pages published quickly, plus a talking-heads video explanation/apology by the CEO ... but ask their retail customers whether they feel 'informed', while the promised restoration of services is patently taking longer than anyone (except perhaps the cy...

MD/CISO's question time

Seems I'm not the only ravenous shark circling the Travelex ransomware incident. Over at the Institute of Chartered Accountants in England and Wales website, Kirstin Gillon points out there are learning opportunities for senior management in this "horror story". Specifically, Kirstin suggests posing six awkward questions of those responsible for managing incidents and risks of this nature ... Rhetorical questions of this nature are not a bad way to get management thinking and talking about the important issues arising - a valuable activity in its own right, although it falls some way short of taking decisions leading to appropriate action. Admittedly, there's an art to framing and posing such questions. Kirstin's questions are along the right lines, a good starting point at least. Faced with such questions, some Boards and management teams will immediately 'get it', initiating further work to explore the issues, evaluate the risks and controls more deeply,...

Data privacy day

On Tuesday, data privacy day, privacy will be top of the agenda. Well, OK, not top exactly, not even very high if I'm honest. And apart from mine, I'm not sure whose agenda I'm talking about. Evidently it's about "data privacy", not other kinds of privacy, oh no. If I'm coming across just a little cynically, then evidently I need to try harder. I bumped into data privacy day while searching for something privacy related - I forget exactly what, now. Otherwise, it would surely have passed me by, and maybe you too, dear blog reader. Anyway, data privacy day appears to date back to Jan 28th 1981 when Convention 108 was signed in conventional Europe. "The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was among the first, if not the very first, data protection regulation, predating today's privacy laws and regs. In 2006, the Council of Europe launched Data Privacy Day as an annual event ...

Information, data, knowledge And All That

On the ISO27k Forum lately we've been discussing something that comes up repeatedly, a zombie topic you could say since the discussion is never really settled to everyone's complete satisfaction. There's always more to say. The discussion concerns the disarmingly simple phrase "information asset", used in some but no longer defined in any of the ISO27k standards. Among other things, we've discussed whether people/workers can be classed as information assets, hence information risks associated with people potentially fall within scope of an ISO27k ISMS. Yesterday, Mat said: "Knowledge is generally broken down into three different types - explicit, implicit, and tacit. When we are talking about classing employees as an asset or simply treating the information that they know as an asset, I think maybe this can be broken down further using these different knowledge types. Explicit knowledge is knowledge that is easily transferable, can be recorded and stor...

Awareness quiz on malware

Trawling through our back catalogue for content worth recycling into next month's awareness module, I came across a quiz we set in 2017. The challenge we set the group was this: Aside from malware (malicious software), what other kinds of "wares" are there? The idea was to prompt the group to come up with a few obvious ones (such as software), then start digging deeper for more obscure ones. Eventually they would inevitably start to improvise, making up 'ware' terms but, if not, here are our tongue-in-cheek suggested answers, provided for the quiz master in case the group needed prompting towards more creative, lateral thinking:

Abandonware – software long since given up on by its author/support krew and left to rot

Adware – software that pops up unwelcome advertisements at the least appropriate and most annoying possible moment

Anyware – web-based apps that can be used while in the office, on the road, in the bath, wherever ... provided the Internet...

Further lessons from Travelex

At the bottom of a Travelex update on their incident, I spotted this yesterday: "Customer Precautions. Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us." Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We'...

Exceptions vs exemptions

In the context of information risk and security management, I define and use the terms "exemption" and "exception" quite deliberately. "Exceptions" are unauthorized non-conformance or non-compliance situations. For example, if the organization has a policy to use multi-factor authentication for all privileged system accounts, a privileged account that only has single-factor auth for some reason (maybe an oversight or a practical issue) would constitute an exception, something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management. Depending on the circumstances and the nature of the information risks, identified exceptions may be classed as issues or events, perhaps even incidents worth reporting and managing as such. "Exemptions" are where management has formally considered and risk-assessed non-conformance or non-compliance situations and explicit...

Travelex vs Sony shootout

The Travelex ransomware case study is coming along nicely. Over the dull grey NZ weekend, I prepared a timeline of the ongoing incident to compare and contrast against the Sony Pictures Entertainment ransomware incident at the end of 2014. Already, Travelex is well ahead on points, restoring UK customer services within 3 weeks of the attack with more on the way. The incident timeline is substantially compressed relative to Sony's: they are getting through whatever needs to be done more quickly. Travelex has done well to keep its retail customers updated throughout, from the initial rapid disclosure on Twitter through to brief informational pages on the web, an FAQ, plus a statement and talking-head videoblog by its CEO on Friday just gone. Full marks from me! As far as I'm concerned, Travelex has managed the disclosures and public comms well, releasing professionally-crafted, informative briefings about the evolving situation, reassuring customers and not trying to cover th...