Posts

Showing posts from August, 2020

NZ Stock Exchange DDoS continues

The New Zealand Stock Exchange is having a rough week. Under assault from a sustained DDoS attack, its web servers have crumpled and fallen in an untidy heap again today, the fourth day of embarrassing and costly disruption. DDoS attacks are generally not sophisticated hacks but crude overloads caused by sending vast volumes of data to overwhelm the servers. The Host Error message above shows "RedShield" which appears to be a security service remarkably similar to a Web Application Firewall (although the company claims to be producing something far better) ... If so, RedShield appears to be passing DDoS traffic to the stock exchange web servers which can't cope. Presumably, this particular DDoS attack does not fit the profile of the attacks that RedShield is designed to block, in other words RedShield is patently not preventing the DDoS. I don't know whether RedShield is supposed to block DDoS traffic and is failing to do so, or if DDoS protection is simply not pa

Creative teamwork post-lockdown

A couple of days ago I blogged about MURAL, just one of many creative tools supporting collaborative working. If you missed it, please catch up and contemplate how you might use tools such as that right now for teamworking during the COVID lockdowns. Today I've been thinking about 'the new normal' as the world emerges from the pandemic, inspired by the intersection of two threads. Firstly, thanks to a Zoom session with participants and presenters from Queensland, I've been reading up on "industry 4.0". I'm not totally au fait with it yet but as I see it the key distinguishing features are: Ever-increasing automation of manufacturing, with smart devices and robotics supplementing the capabilities of both manual and knowledge workers; Industrial IoT, coupling sensors and actuators on the production line with each other, allowing workers to interact with the machinery through screens and keyboards etc. and a growing layer of automation smarts and netwo

ISMS templates

Systematically checking through ISO/IEC 27001 for all the documentation requirements is an interesting exercise. Some documents are identified explicitly in the standard and are clearly mandatory, while many others are only noted in passing, often in ambiguous terms or merely alluded to ... which can make it tricky both to comply with the standard and to persuade the certification auditors of that. Here's an example, one of the document templates from SecAware ISMS Launchpad: That succinct one-pager addresses two requirements from the standard: Clause 9.2 (c) says (in part) "The organisation shall plan, establish, implement and maintain an audit programme(s)" - an explicit documentation requirement that the certification auditors will definitely check for compliance; Clause 9.3 says (in part) "Top management shall review the organization's information security management system at planned intervals to ensure its continuity suitability, adequacy and effectiveness.

ISMS comms plan

Yesterday I started preparing an ISMS communications plan to satisfy ISO/IEC 27001:2013 clause 7.4, with a little help from the Web. Naturally I started out with the standard itself. Clause 7.4 doesn't literally demand that organisations must have a "communications plan" as such, otherwise it would have been one of the mandatory documents included in SecAware ISMS Launchpad. Oh no, it's more circumspect: the standard says "the organization shall determine the need for internal and external communications relevant to the information security management system" ... and proceeds to outline - yes, you guessed it - a "communications plan". ISO/IEC 27003:2017 confirms our assessment by stating explicitly: "Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system". In other words, a documented comms plan

Creative teamwork in lockdown

Inspired by a heads-up from a colleague on LinkedIn, I bumped into MURAL today. MURAL is a 'digital workspace for visual collaboration' by virtual teams. The animated demonstration on their home page caught my beady eye. Here's a static snapshot as a small group of people are busy placing/moving blobs on a graphic, presumably while discussing what they are doing on a parallel channel (e.g. Zoom): Replacing the static monochrome graph with one of our colourful red-amber-green Probability Impact Graphics, a Risk-Control Spectrum, Universal Awareness Device, mind map, word cloud, process flowchart, any form of metric, clustered Post-It Notes, architecture diagrams, conceptual designs, strategy maps ... or ... whatever ... the approach would work nicely. MURAL looks like a creative, fun and productive way for groups or teams working from home to collaborate virtually as if they were physically present in one of those soulless corporate meeting rooms lined with whiteboards