Friday 31 January 2020

Just-in-time security awareness

This afternoon, we completed, proofread and published a security awareness module on malware, a few short hours before our (self imposed!) end-of-month deadline. 

The atmosphere in the office has grown increasingly tense this week as the deadline loomed. Early in January we took the decision to use the Travelex ransomware incident as a very topical (live!) case study for the module, and as such we were hostage to their timeline. By sheer chance, the main Travelex websites were up and running again this very morning, neatly tying off the month's events.

Comparing and contrasting the Sony and Travelex ransomware incidents has been fascinating: they each handled the situations in their own way, and yet there are common themes - for instance they were both forced to fend off an inquisitive (hostile!) pack of journalists. Travelex also made effective use of social media, and completed the main part of their recovery roughly twice as fast as Sony, so things have moved on in the five years since Sony Pictures Entertainment were all over the headlines with salacious gossip about film stars and wild speculation about North Korean cybertage.

Meanwhile, down here in rural NZ, our 4G wireless broadband Internet connection has been playing up something rotten. It's not good at the best of times but has been notably unreliable this week until, with perfect timing, the connection dropped out entirely as I was uploading the completed awareness module to our server. You probably know that we're a micro-company. I am the network technician, the IT Department in fact. Also the Procurement, Finance, Production, Marketing and Customer Services Departments, and yes I even make the tea. I'm not doing this totally alone, quite, but we rely on third party suppliers for various essential services, such as our comms. This week I could really have done with some technical help to get the broadband connection fixed while finishing the awareness materials, but as it was I found myself lashing-up a temporary Internet connection just to deliver the module at the most stressful time of the month.
On top of that, strong winds brought down trees across the track ... and guess who is the Chainsaw Operative part of the Grounds Maintenance Department!

Such is life. Business continuity is a challenge even for a microbusiness in sleepy NZ. But, like Travelex, we made it through and live to fight another day.

Over the next few days I'll catch my breath and crack on with a long to-do list, including (I hope!) a more durable fix for the broadband, plus preparations for the next and final monthly awareness module. Although I know I'll miss the challenge, I'm really looking forward to leaping off this monthly treadmill, like an exhausted mouse. Hey, pass the cheese ...

Thursday 30 January 2020

Simplicity itself

"Simplicity is the default unless there's a good business reason to do something else. What is typically lacking are the business reasons ..."

That comment on CISSPforum set me pondering during this morning's caffeine fix. We've been chatting about some training webinar sessions recently promoted by (ISC)2. Some say they over-simplify information security to the point of trivialising and perhaps misleading people.

If you follow this blog, you'll know that this month I have been slaving away on an awareness module covering malware, a topic we've covered many times before - particularly the avoidance or prevention of infections but this year a customer asked us for something on publicly disclosing incidents in progress, a disarmingly simple request that turned into a fascinating foray into the post-malware-infection incident management and resolution phase for a change. I've been exploring and writing about what does, could or should happen after malware 'hits' - from that dramatic moment the ransomware demands appear on everyone's screens, for example. 

What follows is quite an intricate and frantic dance, in fact, involving management, IT and other staff, customers, suppliers and partners, regulators/authorities, journalists and the news + social media etc. plus the Incident Management Team, infosec and business continuity pros trying to keep everything on track, the legal team figuring out who to sue, the compliance pros wondering how not to get sued, and various hired-hands helping with forensics, disinfection and finding then retrospectively plugging whatever holes were initially exploited by the malware. All the while, the menacing hackers and cybercrims are wielding big coshes in the shape of threats to make the disruption permanent and terminal, and/or to disclose whatever juicy tidbits of corporate and personal info they've previously stolen (the CEO’s emails, or browser history perhaps?). And all the while the systems, data, business processes/activities, websites and apps are being maintained, recovered or restored. Brands and relationships are under pressure, along with all the dancers. It's an intensely stressful time for them, I'm sure. 

The approach we've taken is to explore the timeline of an actual incident, in real time as it happens (as it happens), building a case study around the ongoing Travelex ransomware incident: the sequence forms a convenient thread to lead people through the story, thinking about what's going on at each stage and imagining how it would be if a similar incident happened 'here'. I’ve drawn up a simplified Travelex incident timeline in the same style as the one I drew for the Sony Pictures Entertainment fiasco 5 years back, pointing out some of the key events plus the phases of the overall process. The new Travelex version (‘in press’!) is simpler but remarkably similar since the sequence is much the same at this fairly high level. 

My point is that pictures help. They really do ‘speak a thousand words’. We use mind maps, diagrams, screenshots, flowcharts, Ishikawa-style risk-control spectra, animated PIGs and other eye-catching visuals extensively, making frequent use of Red-Amber-Green traffic-light colours and other visual cues. Most people still need to have stuff explained to them in written or spoken words, too, but the TL;DR version is usually graphic. The graphics act as foils or prompts as well as summaries for the written or spoken words - in fact I seem to be naturally a ‘visual thinker’: it’s easier for me to write simply about complex stuff with a picture in mind, on the screen or scribbled on a scrap. 

In other words, we reduce ‘understanding a complex topic’ down to ‘explaining and expanding upon a few simple images’.

One of the nice things about that is our approach in practice, at 'run-time' when our content is actually being used in, say, an awareness session, workshop, course or online discussion, the way the materials are used depends on the presenter, the audience, the topic and its relevance to the organization, and the context (e.g. is it a half day session in a meeting room or half minute chat in the lobby?). Diagrams are much more flexible than text - although techniques such as headings, contents pages, side-bars, pullquotes and text boxes make it easier for people to skim through the text to pick out whatever catches their eye in, say, a briefing paper or report. Generally speaking, bright, colourful, 'interesting' pictures make the best eye-catchers.

If you’ve done much teaching and coaching, or you are some other sort of social engineer (!), you probably get it, although you probably have your own style and preferences too. There are ways and means of simplifying and explaining even complex stuff, step-by-step, top-down, bottom-up, middle-out, end-to-end or whatever. The visual approach works well for me. The real trick, though, is to explore and understand the topic well enough firstly to prepare said simple versions, and secondly to be able to explain them reasonably eloquently, preferably with enough enthusiasm and presence to engage with and motivate the audience. It’s all very well me writing a tidy stack of awareness and training content, but I can’t personally present and discuss this with our customers’ employees: that’s down to their awareness and training people … who first of all have to explore and understand the awareness content themselves! That’s why our PowerPoint slide decks have extensive speaker notes, supplementing and explaining the relatively simple and largely graphical slides. 

As if that’s not enough already, we also have to bear in mind the awareness audiences. Whereas most security awareness programs only address “staff” (sometimes known as “users” or “general employees”), we’re also keen to engage “management” and “specialists” too since they are key pieces in the infosec puzzle, with their own information needs and preferences. Management, for instance, has an obvious interest in the governance, strategy, policy, compliance, continuity and assurance aspects, plus of course risks, specifically information risk management, oh and let’s not forget “the business” – all of which are relevant in the post-malware-infection module. Likewise the IT, risk, continuity and compliance professionals have their own interests and concerns. The differences extend all the way down to the individuals: Freda in Accounts might be fascinated by the numbers – the headline figures and the graphs, whereas Alice in Engineering is far too busy and distracted right now and can barely even spare a sideways glance at the screen. John from IT might be colour blind, or plain blind, so all our hard work on those diagrams is wasted unless someone can conjure up the pictures for John.

Individuals vary in our preferred modes of learning too. Some of us like to read stuff (words and/or pictures) while others prefer to listen, be shown or experience things first-hand. Some simply accept new information at face value (especially if provided by an 'expert' or 'senior') whereas some challenge or are inspired to contemplate and explore the topic as their way of internalising it. A few reject stuff by default, only ever accepting things on their own terms. And yes, some simply can't be bothered, don't understand and/or don't care. We all have our off-days and Other Stuff Going On Right Now.

I guess either those (ISC)2 webinars are not aimed at the CISSPforum-type greybeard audience, or whoever prepared them comes from a different place - a high level outline thinker rather than a details-oriented geek, maybe, or a professional educator working to a budget from a prepared brief rather than an infosec pro working from knowledge, experience and a passion for the subject.

Simplification is good but even awareness, training and teaching are more complex than they appear, once you scratch the surface.

PS  Although I'd love to supplement or even replace this blog piece with a neat little diagram, I don't have the time to simplify things right now. That's the downside of graphics: visual creativity takes time to express. Must dash, module to finish ...

Wednesday 29 January 2020

Taking it to the wire

Today since before 5am I've been slaving away over a hot keyboard in a steamy hot office on a flaming hot topic: malware awareness. 

As you may have noticed here on the blog, all month long I've been systematically tracking the ongoing Travelex incident, observing from a safe distance the unsightly aftermath of another ugly malware - and business continuity - incident unfolding before our very eyes.

With our end-of-month delivery deadline looming large, it's time to draw out the lessons from the case study and weave the whole episode into a compelling tale for February's awareness module - well, three closely-related tales in fact since as always we're catering for the differing perspectives, concerns and information needs of our customers' staff, management and professional audiences. 

What have we learnt this month? 

What has happened, and why? 

What do we think might/should have been going on behind the scenes, out of the glare of the media spotlight? What were the dilemmas facing Travelex's management and IT people?

How might things have played out if the incident had been handled differently?

And, most importantly of all, what are our carry-outs, our take-home learning points and the Things We Ought to be Doing? Taking the whole sorry episode into account, what does it mean for us, our organization, right now?

You'll find a few clues to the answers in the blog ... but for the full nine yards you'll need to hang on just a few short days until the awareness module is completed and published. 

Or of course you can invest something like 250 hours of your own time researching, writing and weaving your own set of security awareness and training content on this highly topical topic. Provided you can match or exceed the quality of our content, you'll be "quids in" if your salary and costs are below two measly dollars per hour!

Mutter mutter moan moan slave labour.

"Oh we need security awareness and training" they say. "Our people are the weakest links!" they exclaim. "Woe is me!  What am I to do?"  

I'm almost too modest to answer ... but not quite that daft.

Tuesday 28 January 2020

Woe betide ...

.... any organization unfortunate enough to suffer a privacy breach today, of all days, being "Data Privacy Day". 

In the unlikely event that there are no new ones today, recent newsworthy breaches are liable to be trawled up and paraded across the media, again. 

I've been writing about preparing to deal with malware incidents all this month. Managing or controlling the publicity aspects is trickier than it may appear. Sony pulled a master stroke in getting its legal team to threaten action against journalists who continued to exploit the tittle-tattle disclosed in the Sony Pictures Entertainment breach five years ago - but that's not a universally applicable approach. Travelex did well to get basic, static web pages published quickly, plus a talking-heads video explanation/apology by the CEO ... but ask their retail customers whether they feel 'informed', while the promised restoration of services is patently taking longer than anyone (except perhaps the cybercrims behind the attack) wants.

Blend in the compliance aspects as well for good measure. I suspect British Airways and Marriott International, for instance, would have much preferred to take their corporal punishment under GDPR in private, rather than baring their bottoms on News At Ten.

There's a fine line between their being directly blamed for causing the incidents, and being blamed for failing to prevent them - a line which Public Relations teams might do well to consider. The real culprits here are the cunning VXers, hackers and cybercrims, rather than their targets. Defending all points at once is undoubtedly much tougher than exploiting one or more vulnerabilities. It's not a fair fight! Too bad: that's how it is ... but maybe it wouldn't hurt to explain that.

By the way, the issues multiply when you take into account the wide range of people and organizations who want to know and/or should be kept informed. Take employees, for instance: when the screens go dark in any IT-enabled organization, workers are left wandering and wondering. What can management say to explain the situation and reassure people? How can they even get their calming messages out if the comms are down? Same thing with suppliers, customers, partners, owners and authorities. This is where preparing for serious malware incidents makes good business sense. It sure beats leaving them all wandering and wondering!

(Some) IT, comms and information services are bound to degrade in and following an incident, but it takes deliberate effort to ensure they degrade gracefully, with dignity, rather than collapsing into a blubbering, smouldering heap.

Meanwhile, deep down in the engine room, are the IT pros frantically running in circles tearing their remaining hair out, or systematically following a tried and tested process for halting the incident, maintaining resilient services, restoring others and gathering the forensic evidence that might one day be necessary to prosecute the offenders? Again, preparation is key, especially when "time is of the essence" (which is always!).

If the lights go out before anyone has thought to get a torch, good luck with your fumbling.

Monday 27 January 2020

MD/CISO's question time

Seems I'm not the only ravenous shark circling the Travelex ransomware incident.

Over at the Institute of Chartered Accountants in England and Wales website, Kirstin Gillon points out there are learning opportunities for senior management in this "horror story".

Specifically, Kirstin suggests posing six awkward questions of those responsible for managing incidents and risks of this nature ...

Rhetorical questions of this nature are not a bad way to get management thinking and talking about the important issues arising - a valuable activity in its own right although it falls some way short of taking decisions leading to appropriate action. Admittedly, there's an art to framing and posing such questions. Kirstin's questions are along the right lines, a good starting point at least.

Faced with such questions, some Boards and management teams will immediately 'get it', initiating further work to explore the issues, evaluate the risks and controls more deeply, and if appropriate propose corrective actions to address any unacceptable risks. Others may need to be prompted, gently prodded or goaded to address these issues, particularly given the broader context of the organization's other risks, concerns and business initiatives. They all have other things on their plates.

Another possible approach, then, is for the CISO, Information Security Manager, Cybersecurity Manager, Business Continuity Manager, Compliance Officer, Privacy Office, IT Audit Manager etc. (ideally working as a team) to seize the initiative themselves by launching an internal investigation/project, or at least preparing a briefing for senior management on the current situation, preempting those awkward questions from above. Most likely the organization is already ahead of the game in some areas, behind in others so hopefully it's not all bad news. This strategy has the advantage that the professionals set the agenda and guide the discussion in ways that will probably enable them to Do What Must Be Done, while senior management can influence the outcome according to the business context, a handy combination.

[Hinson tip: most if not all six of those questions can probably be answered using relevant security metrics. If your organization isn't already measuring patch latency and proactively monitoring the effectiveness of critical controls such as network and system security monitoring, backups, business continuity and supplier security management, then your problems run deeper still. You're bleeding out while the great whites are closing fast.]
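To make the "patch latency" metric mentioned in that tip concrete, here is an added example (my illustration, not code from this blog or from any of the organizations it discusses). It takes a small constructed inventory of host/advisory pairs, with vendor release dates and installation dates, and reports the figures a CISO would put in front of the board: median and 90th-percentile days from fix release to installation, the share of hosts inside a (hypothetical) 30-day SLA, and the still-unpatched hosts already beyond it. The host names, advisory ids and dates are all made up, and the SLA value and the "count unpatched hosts up to today" convention are my assumptions.

```python
from dataclasses import dataclass
from datetime import date
from math import ceil
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    advisory: str              # placeholder advisory id (constructed, not a real one)
    released: date             # date the vendor published the fix
    installed: Optional[date]  # None means the host is still unpatched


# Constructed sample inventory: ten host/advisory pairs, not real systems.
TODAY = date(2020, 1, 27)
RECORDS: List[PatchRecord] = [
    PatchRecord("host01", "ADV-A", date(2019, 12, 1), date(2019, 12, 5)),
    PatchRecord("host02", "ADV-A", date(2019, 12, 1), date(2019, 12, 20)),
    PatchRecord("host03", "ADV-A", date(2019, 12, 1), None),
    PatchRecord("host04", "ADV-B", date(2020, 1, 10), date(2020, 1, 12)),
    PatchRecord("host05", "ADV-B", date(2020, 1, 10), date(2020, 1, 25)),
    PatchRecord("host06", "ADV-B", date(2020, 1, 10), None),
    PatchRecord("host07", "ADV-C", date(2019, 11, 15), date(2019, 12, 30)),
    PatchRecord("host08", "ADV-C", date(2019, 11, 15), date(2020, 1, 5)),
    PatchRecord("host09", "ADV-C", date(2019, 11, 15), date(2019, 11, 20)),
    PatchRecord("host10", "ADV-A", date(2019, 12, 1), date(2020, 1, 2)),
]


def latency_days(rec: PatchRecord, today: date = TODAY) -> int:
    """Days from vendor release to installation.

    An unpatched host has no end date, so its exposure window is still
    growing: count it up to today (assumption) rather than excluding it,
    otherwise the worst cases silently drop out of the metric.
    """
    end = rec.installed if rec.installed is not None else today
    return (end - rec.released).days


def patch_latency_metrics(records: List[PatchRecord], sla_days: int = 30,
                          today: date = TODAY) -> Dict[str, object]:
    """Board-level patch latency summary for one inventory snapshot."""
    if not records:
        raise ValueError("no patch records to measure")
    latencies = sorted(latency_days(r, today) for r in records)
    n = len(latencies)
    # Nearest-rank 90th percentile: the value 90% of hosts are at or below.
    p90_rank = max(ceil(0.9 * n), 1)
    within_sla = sum(1 for d in latencies if d <= sla_days)
    patched = sum(1 for r in records if r.installed is not None)
    # Unpatched hosts already past the SLA are the ones needing action today.
    open_over_sla = sorted(
        f"{r.host}:{r.advisory}" for r in records
        if r.installed is None and latency_days(r, today) > sla_days
    )
    return {
        "hosts": n,
        "median_days": median(latencies),
        "p90_days": latencies[p90_rank - 1],
        "pct_within_sla": round(100.0 * within_sla / n, 1),
        "pct_patched": round(100.0 * patched / n, 1),
        "open_over_sla": open_over_sla,
    }


if __name__ == "__main__":
    for key, value in patch_latency_metrics(RECORDS).items():
        print(f"{key}: {value}")
```

Tracking these numbers month on month is what turns "are we patching promptly?" from an awkward question into an answerable one; the p90 and the open-over-SLA list matter more than the median, because attackers need only the slowest hosts.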

A third possibility, of course, is to do nothing at all. Nil. Zip. Nowt. Look the other way, completely ignoring the entire Travelex/ransomware episode, perhaps pretending or claiming that it 'is irrelevant' and 'doesn't apply here'. Flat denial may work for some, for example if an autocratic Big Boss doesn't understand the issues, is too busy with other matters ... or is terrified he/she already knows the answers to those awkward questions and would rather not poke that particular beasty in the eye right now (especially in a way that would then make it tricky to deny accountability if a similar incident occurred). That suggests a different concern again, a governance issue.

A fourth approach involves focusing obsessively and interminably on the tiniest of wee tiny details. This is a favourite of Yes Minister's civil servants and the military administration in MASH. Avoid actually facing up to anything significant by swamping it with trivia and burying it in red tape. Get real busy paddling fast while going nowhere. This too is a governance issue, another troublesome one if it is endemic to the entire management structure ... which perhaps explains why so many municipalities have been hit hard by ransomware. Maybe they are soft targets, more willing to pay the ransom (the "cybersecurity tax"!) and hope for the best than make a genuine effort to find and fix their vulnerabilities. Or maybe they are literally incompetent, under-resourced and over-stretched, facing an impossible task.

I could continue but that's enough of this conjecture for today. I find it interesting to be heading into the area of governance, business, security and risk management, and accountability from what was initially a straightforward malware infection. Thank you Travelex (and Sony, and Norsk Hydro, and ...)

Saturday 25 January 2020

Data privacy day

On Tuesday, data privacy day, privacy will be top of the agenda.

Well, OK, not top exactly, not even very high if I'm honest.

And apart from mine, I'm not sure whose agenda I'm talking about.

Evidently it's about "data privacy", not other kinds of privacy, oh no.

If I'm coming across just a little cynically, then evidently I need to try harder.

I bumped into data privacy day while searching for something privacy related - I forget exactly what, now. Otherwise, it would surely have passed me by, and maybe you too, dear blog reader.

Anyway, data privacy day appears to date back to Jan 28th 1981 when Convention 108 was signed in conventional Europe. "The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was among the first, if not the very first, data protection regulation, predating today's privacy laws and regs.

In 2006, the Council of Europe launched Data Privacy Day as an annual event on January 28th.

Data privacy day was later taken up by some American organizations. According to the Wikipedia page, participants in the 2016 "event" included the Anti-Phishing Working Group, Carnegie Mellon University, Cyber Data-Risk Managers, EDUCAUSE, Georgetown University, Federal Trade Commission (FTC), Federal Communications Commission (FCC), Federal Bureau of Investigation (FBI), Identity Theft Council, the Privacy Commissioner of Canada, New York State Attorney General Office, the UK Information Commissioner and Data Security Council of India. I have no idea if they are still involved this year, and frankly I can't be bothered to find out just as none of them, it appears, could be bothered to update the Wikipedia page in 4 years.

The fact that I had no idea data privacy day was coming up on Tuesday suggests that all those years of publicity haven't been entirely successful.

This year, StaySafeOnline from the National Cyber Security Alliance appears to be valiantly leading the publicity effort, although their website is playing hard to get: 

StaySafeOffline would be a more apposite domain. Well I guess that's one way to ensure data privacy: simply don't publish the data on the Interwebs. Bish bash bosh, job's a good'un.

I was hoping to take a look at the information they allegedly offer in support of data privacy day, but no such luck. However, I did find some info at a related site - StopThinkConnect, "the global awareness campaign to help all digital citizens stay safer and more secure online" - including these tips:
Protect Your Personal Information
  • Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.
  • Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
  • Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. You can alternatively use a service like a password manager to keep track of your passwords.
An interesting selection of tips that, with no mention of browser security, or patching, or antivirus, or not sending personal info by email, or only disclosing personal info to trustworthy organizations, or checking privacy policies first, or totally avoiding social media and apps (!), or ... well clearly there are lots of things that they could have said but I get it: these are supposed to be a few succinct tips, which means someone had to select the very best. Hmmm. If it were me, I don't think I'd recommend writing down passwords as a way to protect personal information, even if it does avoid the need to navigate the hazards of the forgotten password/reset process. Odd, then, that they would casually mention password managers while also recommending 'positive' and memorable pass phrases (of at least 12 characters - a number plucked out of thin air I presume, and they missed the chance to mention punctuation and deliferate mispelings), rather than suggesting people use the password generators built-in to said password managers.

Summing up, data security day is a badly publicised, ill-conceived, poorly supported and not very effective effort to ... to ... well I'm not at all sure what it is intended to achieve, on just one day a year. Although admittedly I haven't put much effort into searching, I haven't found any stated objectives, which makes it hard to gauge its success or otherwise. "Maybe that's a deliberate ploy to avoid accountability" said the cynical voice in my head.

I wish them well in their endeavour. I sincerely hope the day far exceeds my very low expectations. 

(\CYNICAL)

Friday 24 January 2020

Information, data, knowledge And All That

On the ISO27k Forum lately we've been discussing something that comes up repeatedly, a zombie topic you could say since the discussion is never really settled to everyone's complete satisfaction. There's always more to say.

The discussion concerns the disarmingly simple phrase "information asset", used in some but no longer defined in any of the ISO27k standards. Among other things, we've discussed whether people/workers can be classed as information assets, hence information risks associated with people potentially fall within scope of an ISO27k ISMS.

Yesterday, Mat said:
"Knowledge is generally broken down into three different types - explicit, implicit, and tacit. When we are talking about classing employees as an asset or simply treating the information that they know as an asset, I think maybe this can be broken down further using these different knowledge types.
Explicit knowledge is knowledge that is easily transferable, can be recorded and stored. Things like standard work instructions, guides, procedures, policies. Due to the nature of this information, it seems obvious to class the information itself as the asset here - you can mitigate the risk of information loss simply by recording the information.
Implicit knowledge is the practical application of explicit knowledge. This can include knowing your way around a particular security product, or a particular piece of equipment. This type of knowledge is difficult to record, however, things like best practices are the best attempt although it's difficult to include the entire background knowledge of the best practice. Due to this, loss of this information is difficult to completely mitigate, and hence, I think the employee here could be classed as the information asset. The best mitigation is to keep the employee.
Tacit knowledge is the practical application of implicit knowledge. Examples of this are knowing not only a particular security product but how and why this product fits into your infrastructure. The small details which make the infrastructure whole - having the history of decisions and incidents which led to this point directly on hand. This type of knowledge is inherently most difficult to record and I think due to this, the employee would again be classed as the information asset. The best mitigation is to keep the employee."
That breakdown, described back in 1991 in the Harvard Business Review, makes sense in theory but things are rarely so neat and simple in practice. Information, data, knowledge And All That defies simplification.

Information that is ‘captured’ in some lasting physical form (Mat's ‘explicit knowledge’, captured in documentation, written words, diagrams, doodles, audio or video recordings, computer data, program code, emails, bloggings etc.) is never truly comprehensive or complete. Even War and Peace must surely have had parts where the author or editors trimmed it back, or decided not to go into details! However, once captured, information is more easily:
  • Stored
  • Communicated/passed on to others ... or withheld from them
  • Copied
  • Accumulated
  • Valued, sufficient for accounting, sales or other purposes
  • Disputed or challenged
  • Analysed
  • Expanded upon
  • Protected by intellectual property laws ... or pirated, plagiarized and disclosed inappropriately
  • Submerged, hidden, stolen, damaged/modified, garbled, deliberately mis-stated or destroyed in that physical form. It can certainly still be misunderstood or misinterpreted (ask any lawyer about the 'precision' of even formally-worded statutes and contracts!).
While physical storage media are not free, the real value of, say, a book or a computer disk comes from the information stored on it - the information content. I believe the same is true of people, particularly knowledge workers whose brains are more highly valued than their brawn.

Information that is presently ‘uncaptured’ (Mat's implicit and tacit knowledge) can still be withheld or communicated in an ephemeral form – such as someone shaking their head or nodding gently, or groaning, or clapping, or failing to step in and stop proceedings, when someone else is pondering some choice or decision. Those actions may never be permanently recorded or captured as such, just ephemerally observed (or missed!) by someone else.

Furthermore, the way or manner in which things are expressed is itself a form of information, meta-information you could call it. Shouting “STOP!!!” means something different to a muttered or whispered “stop”! The plain written instruction "Stop" leaves a lot unsaid ("Should I simply take my foot off the accelerator, or change quickly down through the gears, gently or forcibly apply the brakes or slam them on hard, deploy the parachute/anchor and brace for impact?").

Implicit and tacit knowledge includes 'thoughts', 'concepts' and 'ideas', ‘experience’, ‘expertise’, ’understanding’, ‘comprehension’, ‘wisdom’, 'creative works' such as art and inventions … and more, much more. It includes the frameworks and patterns that organise and interrelate, link or distinguish things as part of 'the bigger picture', including both the narrow and the broader context. Generally, this all accumulates during a person’s life, for some more than others. Some bits can be taught and learnt, others have to be internalized, or drawn out and refined through practice, or appear to be inherent capabilities or innate skills. Try as I might, I will never be an Olympic gymnast, chess grand master or concert violinist … but I believe I have a reasonable grasp of information risk and security, picked up over the decades – and I enjoy passing it on and debating things here and elsewhere (e.g. in conversations, presentations, courses, books, websites, articles, reports, emails …), partly because I enjoy thinking about and expressing things, contemplating the topic and learning new stuff from other people, expanding my own knowledge-bank at the same time. It's give and take.

Specifically, Mat twice said “The best mitigation is to keep the employee.” There are several issues with that. For a start, not all knowledge workers or sources are employees. Some are paid advisors or contractors, teachers etc., some are colleagues, peers, gurus or ‘thought leaders’ in a much more general way. Where would we be without Google, eh? Secondly, and more importantly, simply ‘keeping’ employees is seldom sufficient. They (we!) are neither possessions nor pets. They need to be looked after, nurtured, rewarded, encouraged, challenged, given opportunities, pushed a little, cut some slack, guided, motivated, brought back in line, told to "stop waffling and get to the bloody point, Gary" and so on, in order to get the best out of them. This is far from easy for those managing 'knowledge workers' and those whose knowledge seems to be locked inside them, out of reach, including people suffering stress and mental illness or ... whatever. The point is that we're all different, individuals, so a generic/simplistic approach is, at best, sub-optimal.

Circling back to the topic, in business and virtually all other contexts, information even in the form of intangible, ephemeral, implicit or tacit knowledge can obviously be an asset - something of value. If it's missing or damaged, we are poorer. Most of us make substantial efforts to gain it, even consciously investing in it. And, just like other investments, its value can vary: riskier investments generally offer higher returns but you may get back less than you invest.

“If I send my people on training courses to get better qualified, they’ll leave!” the reluctant manager explained. “Ah but”, said the wise advisor, “what if you don’t train them … and they stay?”

Is a worker the information asset, or is it their knowledge that is the information asset? Interesting question! Using Mat's breakdown:
  • Their explicit knowledge is already captured, making it available to exploit even without the person ... provided the knowledge capture is sound (accurate and complete - integrity properties) and available when needed;

  • Their implicit knowledge may be captured and then exploited so long as the person is there and is cooperating, and so long as someone (possibly the same person) has the inclination, resources and capacity to 'capture' it with integrity - which is far from certain;

  • Their tacit knowledge can be exploited but would be difficult or impossible to capture, or at least it would take an extraordinary effort to do so, and the worker must be available, willing to cooperate and able to disclose the knowledge or unable to prevent its disclosure.
The process of 'capturing' a worker's knowledge, then, turns out to have information security implications. There's much more to it than simply requiring the worker to "document what you do" or "write stuff down", especially as some of the most valuable knowledge is conceptual, complex, difficult to express in any form, particularly in writing (and here I am, struggling to express my thoughts and complete this little inconsequential blog piece!). Furthermore, knowledge that is valuable to the organization may well be of value to others, hence there are confidentiality aspects to it as well. Captured knowledge can be locked away in a vault but, oddly enough, workers generally resent being treated that way, their implicit and tacit knowledge becoming both harder to capture and less valuable during incarceration.

OK, that's more than enough rambling from me for now. I've got Things To Do, knowledge to capture and secure, animals to feed, a crust to earn. ... but somehow I suspect I'll return to this topic more than once. Perhaps on my business card, I should call myself a "Zombie wrangler".

Thursday 23 January 2020

Awareness quiz on malware

Trawling through our back catalogue for content worth recycling into next month's awareness module, I came across a quiz we set in 2017. The challenge we set the group was this:
Aside from malware (malicious software), what other kinds of “wares” are there?
The idea was to prompt the group to come up with a few obvious ones (such as software), then start digging deeper for more obscure ones. Eventually they would inevitably start to improvise, making up 'ware' terms but, if not, here are our tongue-in-cheek suggested answers, provided for the quiz master in case the group needed prompting towards more creative, lateral thinking: 

  • Abandonware – software long since given up on by its author/support krew and left to rot 
  • Adware – software that pops up unwelcome advertisements at the least appropriate and most annoying possible moment
  • Anyware - web-based apps that can be used while in the office, on the road, in the bath, wherever ... provided the Internet is accessible
  • Beggarware – smelly, homeless software that periodically rattles its virtual cup, begging loose change "for a cup of tea"
  • Bloatware – software that has grown fatter than a week-old beached whale with ‘features'
  • Botware - software to stop the bots becoming bored and naughty
  • Brochureware – over-hyped marketing, promotional or advertising copy about alleged new software (also known as vaporware, neverneverware and noware)
  • Courseware – software for courses
  • Coarseware – software for curses
  • Crapware – software so badly designed and written as to be worth flushing away
  • Crimeware – software used by criminals for various nefarious purposes
  • Crippleware – cheap or free software with deliberately restricted functionality to coerce users into buying the full version
  • Firmware – low level software burnt into microchips and embedded in hardware, or possibly Viagra spam
  • Floppyware – software delivered on floppy disk, or maybe yet more spam about Viagra
  • Freeware – software generously given away by its owners, some of it worth every penny
  • Glassware – highly fragile software, likely to smash to smithereens with the slightest knock
  • Groupware - software supporting group activities (work-related, not sex, oh no)
  • Hardware – computer equipment, IT stuff, equipment, kit
  • Houseware – IT stuff at home, including all those IoT things that have quietly snuck in while our backs were turned
  • Malware – malicious software: viruses, worms, Trojans, ransomware, APTs and so forth
  • Middleware – a layer of software linking applications to other applications, operating systems and hardware, not as sweet but just as messy as the jam in a sandwich
  • Ransomware – malware that coerces victims into paying a handsome ransom for the safe return of their loved ones - their invaluable IT systems and data; may involve 'proof of life' in the form of decrypted content
  • Scareware – scary malware that terrifies victims into needlessly paying a trumped-up “fine” 
  • Shareware – software shared among evaluators, cheapskates, skinflints and pirates
  • Shelfware – policies and procedures that languish unread and unloved on the shelf, collecting dust
  • Sneakerware – software delivered on foot e.g. on a potentially infectious USB stick
  • Software – computer programs, apps and other fluffy stuff
  • Spyware – sneaky, spooky, voyeuristic software that secretly spies on the user
  • Tupperware – branded plastic containers carrying blank CD-RWs or lunch 
  • Underwear – undies, frillies, lingerie, pants, togs, daks, knickers, cheese-cutters, unmentionables ... offering a very personal form of privacy
  • Warez – ripped-off software stolen and traded by pirates who evidentally cant spel
  • Wetware – human beings, being mostly water and sometimes full of steam
  • Ware's Wally?  Malware is usually well hidden, although it doesn't wear stripy tops, attempting to blend in with massive crowds on stripe-day
  • Workware – uniforms and clothes used by workers … plus intrepid social engineers 
There was a genuine learning objective behind all that (familiarity with the terms of art) but to be honest the main purpose was for the group to loosen-up and have a laugh ... before pressing ahead with a second, more serious challenge:
Which of those “wares” could be used to exploit our organization?  Think of realistic incidents or scenarios in which this has happened or might occur. 
We provided no 'suggested answers' for the second part, hoping that the now relaxed group and quiz master would take it wherever they wanted to go, chatting on until they ran out of time or inspiration. The broad learning objective here was for the group to gain a deeper understanding of the terms and risks in this area, particularly around malware incidents that the organization had experienced: we have no idea what they might be, but hopefully those present would recount some interesting stories, real or imagined.

This informal, open-ended style of quiz or challenge is something we've developed into a routine part of our awareness service. Most months there are similar opportunities for the group to draw up lists of terms, incidents, risks, controls or whatever relating to the particular month's information security topic. Sometimes we've asked them to draw mind-maps, sketch out ideas or fill in the gaps on process flows: again, these are really just excuses to get the group chatting and having fun in the general area of information security, while hopefully learning things along the way. As I'm sure you appreciate, this can be a tediously dry, dull and boring topic area otherwise, so we'll grab any opportunity to lighten-up and get people smiling. Aside from anything else, it makes teaching the subject just a bit more enjoyable.

PS  Leaving aside the very silly ones, there are at least 50 legitimate 'wares'.

Wednesday 22 January 2020

Further lessons from Travelex

At the bottom of a Travelex update on their incident, I spotted this yesterday:

Customer Precautions
Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us. 

Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.

At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. 

I'm waffling on about corporate identity theft, flowing on from the original incident.

I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypothetical information risks and see where it leads.

Firstly, corporate identity theft may not be as well publicised as personal identity theft but it is a genuine risk, as demonstrated through incidents such as: 
  • Scammers seizing control of DNS records to redirect traffic from corporate websites to their own; 
  • Scammers using fraudulently obtained or fake digital certificates, or exploiting browser vulnerabilities, to undermine HTTPS controls; 
  • Phishing where victims are socially-engineered into believing they are interacting with the lure organization's website; 
  • Fake apps, spyware and bank Trojans designed to steal login credentials and other confidential information while maintaining the facade of normality; 
  • Cybersquatters registering domains similar to legitimate corporate domains with different extensions, typos or lookalike characters, intending to mislead visitors; 
  • Counterfeiting, where branding, logos, packaging etc. are used to dupe victims (consumers and sometimes also retailers and corporate customers) into buying fake and usually substandard products; 
  • Various telephone, email and social media scams involving misrepresentation and other social engineering methods to mislead and defraud victims who mistakenly believe they are dealing with legitimate companies, authorities or other trusted bodies. 
Secondly, the breadth and depth of network security compromise involved in major ransomware and other malware incidents suggests an even more sinister threat: the ransom demand is merely a dramatic, shocking point in the course of the incident, an incident that started at some prior point when the first corporate system was hacked or infected. Since then, possibly for days, weeks or months, the perpetrators would presumably have been surreptitiously roaming around the network 'behind enemy lines', exploring the topography and mapping out controls, installing and preparing to trigger the ransomware (perhaps also disabling the backups), stealing and exfiltrating corporate information to reinforce the ransom demands (perhaps selling or disclosing it for kicks, or stashing it away for a rainy day) and who knows what else. 

It is feasible, then, for the cybercriminals to have taken command of Travelex's external relations, including the website, the current holding pages and Tweets. They could all be fakes, the hackers pressing home management's powerlessness. How would we tell? Even the Travelex CEO's talking-heads videoblog concerning the incident could be part of the scam. Like many of their retail customers, I have no idea whether the person we've seen in the video is really their CEO or an actor, an imposter, perhaps a deepfake video animation.

Even if you find that lurid scenario untenable, there are less extreme possibilities worth considering. The fact is it's no simple matter to lock down a complex global corporate network following such a compromise, shutting out the hackers while also releasing official information, patching and securing systems, recovering compromised data and services, resuming internal corporate comms and keeping various external stakeholders in touch with developments. Maybe the hackers still have partial access (e.g. through covert backdoors) and limited control, enough to observe and meddle with the recovery activities, discredit and disrupt comms and so restrict management's freedom of action.

As with the Sony incident 5 years ago, there's a lot we can learn from Travelex's misfortune, through a blend of observation, analysis and supposition. All it takes is some appreciation of the information risk and security aspects, a vivid imagination, and the ability to draw out general lessons from the specific case. For example, under crisis conditions, normal internal and external corporate communications may be disrupted and untrustworthy ... so what can be done now to prepare for that eventuality? Recovering from a major cyber incident takes rather more than just 'invoking the IT disaster recovery plan'! February's security awareness module will have a gripping story to tell, for sure!

Tuesday 21 January 2020

Exceptions vs exemptions

In the context of information risk and security management, I define and use the terms "exemption" and "exception" quite deliberately.

“Exceptions” are unauthorized non-conformance or non-compliance situations. For example, if the organization has a policy to use multi-factor authentication for all privileged system accounts, a privileged account that only has single-factor auth for some reason (maybe an oversight or a practical issue) would constitute an exception, something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management. 

Depending on the circumstances and the nature of the information risks, identified exceptions may be classed as issues or events, perhaps even incidents worth reporting and managing as such.

“Exemptions” are where management has formally considered and risk-assessed non-conformance or non-compliance situations and explicitly authorized or agreed that they should continue – perhaps with compensating controls, for a defined limited period, and with clear accountability for the associated risks. So, for instance, the information risks associated with only having single-factor auth on a test system may be acceptable to management if the control costs are deemed excessive in that situation … but the exemption might be only for the duration of the testing, and on the condition that the test system only has access to test data, not live/production data, with the Test Manager accepting personal accountability for the associated information risks. 

Exemptions do not constitute issues, events or incidents unless
  • The situation at hand varies substantially from that authorized e.g. if the compensating controls are not actually in operation, or if the authorized exemption period has expired (yes, even exemptions have to be complied with ... perhaps implying the need for compliance checks and other control measures if the information risks are significant);
  • The information risks are materially different from those accepted e.g. if they were misunderstood or misstated/misrepresented when someone applied for the exemption. If incidents have occurred on the test system that would have been prevented by multifactor auth, that suggests the need for management to revisit the authorization of the exemption and perhaps hold the Test Manager to account for the incidents, demanding appropriate corrective action.
The distinction implies processes or activities for identifying, evaluating and treating the information risks - conventional risk management, in fact, applied rationally according to the differing circumstances. 

The critical distinction between exemptions and exceptions is not the amount of risk, or management's knowledge of the situation, or even the authorization: the distinction ultimately comes down to accountability. There are information risks associated with both exemptions and exceptions, but with exemptions an individual explicitly accepts the risks, whereas with exceptions the risks are left floating in mid-air ... which means 'management' as a whole accepts them implicitly and severally, since they fall within management's governance obligations.
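As an added illustration (my own example code, not part of the original post), here is a small Python classifier that applies the rules above to a compliance finding: a non-conformance with no exemption on record is an exception, an authorized exemption that has expired, whose compensating controls are not in operation, or whose risk is materially different becomes an issue, and only an exemption matching what was authorized passes. The register entry, the control name, the dates and the "test data only" condition are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Exemption:
    """A non-conformance that management has risk-assessed and explicitly authorized."""
    control: str           # the policy control not being complied with
    scope: str             # system or area the exemption covers
    accountable: str       # named individual accepting the information risk
    expires: date          # end of the defined, limited period
    conditions: frozenset  # compensating controls that must be in operation
    accepted_risk: str     # the risk as stated when the exemption was applied for


@dataclass(frozen=True)
class Finding:
    """A non-conformance observed during a compliance check."""
    control: str
    scope: str
    observed_on: date
    in_operation: frozenset  # compensating controls actually found running
    observed_risk: str       # the risk as the reviewer now understands it


def classify(finding, register):
    """Return (status, reason): 'exception' when nothing is on record (the risk is
    left floating, so management accepts it implicitly); 'exemption' when the
    situation still matches what was authorized; 'issue' when an authorized
    exemption has expired, its conditions are unmet or the risk has changed."""
    matches = [e for e in register
               if e.control == finding.control and e.scope == finding.scope]
    if not matches:
        return "exception", "no authorized exemption on record"
    ex = matches[0]
    if finding.observed_on > ex.expires:
        return "issue", "exemption period expired on " + ex.expires.isoformat()
    missing = ex.conditions - finding.in_operation
    if missing:
        return "issue", "compensating controls not in operation: " + ", ".join(sorted(missing))
    if finding.observed_risk != ex.accepted_risk:
        return "issue", "information risk materially different from that accepted"
    return "exemption", ex.accountable + " accountable until " + ex.expires.isoformat()


# Constructed sample register: the single-factor test system scenario from the post.
CONTROL = "multi-factor authentication on privileged accounts"
RISK = "credential theft exposes test data only"
REGISTER = [
    Exemption(control=CONTROL, scope="test-system", accountable="Test Manager",
              expires=date(2020, 3, 31), conditions=frozenset({"test data only"}),
              accepted_risk=RISK),
]


def demo(register=REGISTER):
    """Classify four constructed findings; returns {label: status}."""
    cases = {
        "test system, within period, test data only":
            Finding(CONTROL, "test-system", date(2020, 1, 21), frozenset({"test data only"}), RISK),
        "test system after the exemption expired":
            Finding(CONTROL, "test-system", date(2020, 4, 15), frozenset({"test data only"}), RISK),
        "test system now holding live data":
            Finding(CONTROL, "test-system", date(2020, 1, 21), frozenset(), RISK),
        "production system, nothing on record":
            Finding(CONTROL, "prod-db", date(2020, 1, 21), frozenset(), RISK),
    }
    return {label: classify(f, register)[0] for label, f in cases.items()}


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{status:9} {label}")
```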

Monday 20 January 2020

Travelex vs Sony shootout

The Travelex ransomware case study is coming along nicely. Over the dull grey NZ weekend, I prepared a timeline of the ongoing incident to compare and contrast against the Sony Pictures Entertainment ransomware incident at the end of 2014. 

Already, Travelex is well ahead on points, restoring UK customer services within 3 weeks of the attack with more on the way. The incident timeline is substantially compressed relative to Sony's: they are getting through whatever needs to be done more quickly.

Travelex has done well to keep its retail customers updated throughout, from the initial rapid disclosure on Twitter through to brief informational pages on the web, an FAQ, plus a statement and talking-head videoblog by its CEO on Friday just gone. Full marks from me!

As far as I'm concerned, Travelex has managed the disclosures and public comms well, releasing professionally-crafted, informative briefings about the evolving situation, reassuring customers and not trying to cover things up or hide away. The CEO fronting-up is notable, confirming beyond doubt that senior management is on top of things, facing up rather than shying away. As with the city's most senior policeman fielding a press briefing very shortly after the London bombings of July 2005, impeccably dressed, confident and impressive, the reassurance is very valuable, damping down rather than fanning the flames.

Although admittedly I have not hunted for them specifically, I haven't yet come across any informal/unauthorized disclosures by Travelex workers, such as those mobile phone photos of the scary skeleton threats plastered over Sony's screens. Despite what must surely be a tense atmosphere in the offices, the Travelex workforce is evidently pressing on with the job, all hands to the pumps. Good on them too!

In parallel, Travelex management must have been busy liaising with and reassuring its commercial customers/partners, industry regulators and the global news media too, while the fairly rapid restoration of services hints at a huge amount of work under way down in the IT engine room (presumably a disaster recovery approach, rebuilding servers from backups?).

Most likely there are incident investigation and information security activities going on as well, and possibly communications with the cyber-crims behind the attack and the authorities. We know virtually nothing about that aspect at present, which is to be expected since it is commercially sensitive and might be forensically relevant. Further information may or may not emerge over the forthcoming months and years ...

... which reminds me: this incident is some way short of being 'resolved' at this point. Even when all Travelex's customer services are fully operational, there will still be loose ends to tie off, business relationships to rebuild and lessons to be learned. Meanwhile, thank you Travelex (and Sony and the Metropolitan Police and others) for teaching us a thing or two about handling serious incidents.