Showing posts with label Awareness. Show all posts

Thursday 28 March 2024

An evolutionary revolution?


"Mitigation and adaptation are required together to reduce the risks and impacts of climate change, including extreme weather events. Mitigation refers to actions taken to limit the amount of greenhouse gas emissions, reducing the amount of future climate change. Adaptation refers to actions taken to limit the impacts of a changing climate. Mitigation and adaptation together provide co-benefits for other environmental and social goals."

That paragraph by Lizzie Fuller, Climate Science Communicator for the UK's Met Office, plucked from another excellent digest of lessons learned from various UK resilience exercises and initiatives, obviously concerns climate change ... but it occurs to me that 'mitigate and adapt' might be a novel approach to information risks and impacts as well.

Tuesday 12 March 2024

A nightmare on DR street


A provocative piece on LinkedIn by Brian Matsinger caught my beady eye and sparked my fertile imagination today. I'm presently busy amplifying the disaster recovery advice in NIS 2 for a client. When I say 'amplifying', I mean generating an entire awareness and training piece on the back of a single mention of 'disaster recovery' in all of NIS 2. Just the one. Blink and you'll miss it.

Oh boy.

Anyway, Brian points out that recovering from disasters caused by 'cyber attacks' requires a different DR approach than is usual for physical disasters such as storms, fires and floods. Traditional basic DR plans are pretty straightforward: essentially, the plans tell us to grab recent backups and pristine systems, restore the backups onto said systems, do a cursory check then release services to users. Job's a good 'un, off to the pub lads.

Tuesday 27 February 2024

Mil-spec management lessons


"A calamity can often strike without warning. Whether it be generated by humans or a natural disaster, leaders need to be ready to direct their teams in the aftermath. In order to be ready for crisis, leadership skills, like any others, must be practised over and over beforehand. So the way you lead in the quiet times helps to build the skills you need when you have to dig deep."

That paragraph plucked from this month's impressive NZ Airforce newsletter about the military response to the devastating flooding caused by cyclone Gabrielle here in Hawkes Bay caught my beady eye this morning. 

The idea of practicing incident management as well as incident handling or operations on relatively small incidents makes perfect sense.

Friday 15 September 2023

Checklust security


"Seventy Questions to Assess Cybersecurity Risk on a Rapidly Changing Threat Landscape" is an ISACA 'industry news' article by Patrick Barnett.

Whereas normally I give 'industry news' and checklists a wide berth, Patrick is (according to the article) highly qualified and experienced in the field, so I took a closer look at this one. The prospect of condensing such a broad topic to a series of questions intrigued me. I'm not totally immune to the gleaming allure of well-conceived checklists.

Patrick says:

"There are 70 questions that can be asked to determine whether an enterprise has most defensive principles covered and has taken steps to reduce risk (and entropy) associated with cybersecurity. If you can answer “Yes” to the following 70 questions, then you have significantly reduced your cybersecurity risk. Even so, risk still exists, and entropy must be continuously monitored and mitigated. There is no specific number of layers that can remove all risk, just as there is nothing in the physical universe that does not experience entropy."
Hmmm. OK. Despite the definitive initial statement, I take that introduction as an implicit acknowledgement that there may be more than 70 questions ... and indeed many of the 70 are in fact compound/complex questions, such as "35. Do you prevent the disclosure of internal IP address and routing information on the Internet?" Most of us would instinctively answer "Yes" to that ... but look more closely: the question concerns "IP address" and "routing information", meaning both not either part. What qualifies as "routing information" anyway? And what about other network traffic apart from IP? What is 'disclosure'? What does Patrick mean by 'prevent'? And are we only concerned about 'the Internet'? If you are serious about addressing the information risks relating to NAT and all that (all that), you surely appreciate the naivete of question 35. If this is all Greek to you, maybe not. 

Thursday 10 August 2023

Hyperglossary published!


Having declared it officially 'done', the SecAware information security hyperglossary is finally self-published as an eBook in PDF format. More than three thousand terms-of-art are defined in the areas of:
  • Information risk 
  • Information security 
  • Cybersecurity (IT/Internet security)
  • ICS/SCADA/OT security
  • Artificial Intelligence
  • Privacy, data protection, personal information
  • Governance
  • Conformity and compliance
  • Incidents 
  • Business continuity
  • and more. 
It has taken me three decades so far to compile the glossary, initially just as a reference for my personal use, then for our security awareness clients, and now for anyone with a little cash to spare and an interest in the field.

Thursday 27 July 2023

Hyper-glossary nearing completion (?)

My next book will be a 'hyper-glossary' of terms relating to information security, including closely related aspects such as information risk management, governance, compliance ... and more ... and there's the rub: I'm struggling to catch up/keep up with developments in the field, not least because of the rate at which novel concepts are introduced and new terms are coined.

Here's an example of a definition originally added a couple of years ago and most recently amended today:

There I've defined "Deep fake", one of several terms washed up in the AI tsunami. The underlined terms are hyperlinked to their definitions ... and so on forming an extensive web within the document.

Monday 17 July 2023

Pro services under attack

Among all the other bad news in the excellent Cy-Xplorer 2023 report from Orange Cyberdefense, this nugget of threat intelligence poked me in the eye:



I've become increasingly concerned about the information risks relating to professional services in recent years. They seem obvious targets for malicious cyber attacks, given:

Wednesday 12 July 2023

A pragmatic alternative to the SuperCISO [L O N G]


Yet again this morning, something on the ISO27k Forum caught my imagination, firing-up my sleepy caffeine-deprived neurons. We have been chatting lately about what is expected of the Chief Information Security Officer role - namely an exceptional mixture of knowledge, skills and competences possessed by the 'SuperCISO'. 

Today, Nigel Landman referred us to an interesting article by JC Gaillard at Medium.com 

JC's repeated assertions that 'cybersecurity is not purely technical' caught my beady eye: the 'cyber' bit clearly suggests that it is 100% purely tech ... but those of us who have swallowed the ISO27k pill recognise that information security requires more than just securing the bits-n-bytes. This is yet another example of the confusing use of language - specifically 'cyber'. Many professionals immersed in the field take 'cyber' implicitly to include technology plus other aspects but the general perception Out There is very strongly and perhaps exclusively technical. 

For the majority, cybersecurity equates to IT security or, more specifically still, it refers to hacker attacks and malware infections via the Internet. For that reason, the recently revised and reissued standard ISO/IEC 27032, formerly on 'cybersecurity', was re-titled to clarify that it covers Internet security, specifically - an important part of the information security landscape and cyber area, but not the whole thing. It falls short on intellectual property protection, for instance, plus insider threats and plain ol' fashioned accidents that cause a significant number of incidents, despite not being 'attacks'.

[\rant]

As to whether we need CISOs at Exec Committee or Board level, I agree with JC.

Wednesday 10 May 2023

eWaste safety hazards and information risks


A warning in the New Zealand Information Security Manual caught my beady eye yesterday:
“Electrical and electronic equipment contains a complex mix of materials, components and substances, many which can be poisonous, carcinogenic or toxic in particulate or dust form. Destruction and disposal of WEEE [Waste from Electrical and Electronic Equipment] needs to be managed carefully to avoid the potential of serious health risk or environmental hazard.”
Disposing of eWaste presents environmental and safety hazards arising from noxious/toxic/carcinogenic chemicals such as gallium arsenide (GaAs) and polychlorinated biphenyls (PCBs), plus the obvious dangers when handling sharp-edged metal or plastic chassis fragments, wires, printed circuit boards and CD/DVD discs, plus leaky electrolytic capacitors and old batteries. While there may be money to be made by extracting and recycling valuable metals and reusable components, subsystems and modules, that's really a job for specialists with the requisite knowledge, tools, safety gear and market.

Oh, and the appropriate security controls. 

Thursday 13 April 2023

Hinson tip on ChatGPT


When using ChatGPT and its ilk, don't forget that the AI robot's contribution is generic and not necessarily smart, accurate, sufficient or appropriate, despite the beguiling use of language that makes it appear logical, credible and reasonable at face value ... but is it, really?

Or is it short on integrity?


When, for instance, a real-world client reads a human expert advisor's report or consultant's recommendation, they are generally:

  • Thinking critically about it, considering what is and what is not stated and how it is expressed;

  • Posing additional questions for clarity (e.g. "On what basis do you believe we can achieve all that in 8 months, given that there's only one of me and I'm stretched thin as steam-rollered chewing gum?") or credibility ("How long did your last client take for this?") and perhaps arguing the toss ("8 months? You're kidding, right? We only have 4!");

  • Taking advantage of knowledge and experience within the particular context, both their own and the advisor/consultant's;

  • Maybe offering other considerations and discussing alternative approaches*.

Sunday 2 April 2023

To what extent do you trust the robots?

This Sunday morning, fueled by two strong coffees, I'm cogitating on the issue of workers thoughtlessly disclosing all manner of sensitive personal or proprietary information in their queries to AI/ML/LLM systems and services run by third parties, such as ChatGPT.

This is clearly topical given:
(1) the deluge of publicity and chatter around ChatGPT right now, coupled with 
(2) our natural human curiosity to explore new tech toys, plus 
(3) limited appreciation of the associated information risks, and 
(4) the rarity of controls such as policies and Data Leakage Protection technologies. 

Furthermore, even if we do persuade our colleagues (and, let's be honest, ourselves!) to be more careful and circumspect about whatever we are typing or pasting into various online systems, the possibility remains that the general nature of our interests and queries is often sensitive.

Thursday 30 March 2023

ISO 27001 templates and services on sale


For organisations planning to implement ISO/IEC 27001 for the first time, the standard's requirements can be confusing, especially given the amount of dubious advice available on the web. For instance, one issue that crops up frequently on the ISO27k Forum and here on the blog is that the information security controls in Annex A of the standard are not required - in fact, they are not even recommended or suggested, despite what some non-experts advise. Annex A is provided as a checklist, a prompt to ensure we have considered a wide range of information risks.

The standard's main body clauses, in contrast, formally specify the functional requirements for an Information Security Management System. In order for an organisation to be certified, the ISMS must be designed to fulfil the specified requirements, and must be operational, managing whatever information security controls and other treatments are appropriate given the organisation's information risks. 

In short, implementing '27001 is not a simple box-ticking compliance exercise. 

This Easter, we are offering:
  • ISMS Launchpad - a complete set of templates for all the essential ISMS documents such as the scope, Risk Treatment Plan, Statement of Applicability and a corporate information security policy (on sale at US$239, normally $399). Every certified organisation needs these docs, at least.

Tuesday 7 March 2023

Preparing managers to be ISO27001 certified

This morning, a new member of the ISO27k Forum asked us some questions about his organisation's upcoming ISO/IEC 27001 certification audit (paraphrased below). 

Since these are commonplace issues, I address them here on SecAware blog for the benefit of others in the same situation now ... or at earlier stages. Management being ready for the certification audit has implications for the way an ISO/IEC 27001 Information Security Management System was originally initiated/conceived, scoped, planned and approved, as well as how it is managed once it comes into operation.


1. Does the auditor need to talk to the CEO or would another member of Top Management such as the COO or a VP be sufficient?

That is for the auditor to decide. CEOs are invariably busy people ... but the CEO's non-involvement (even before being asked!) hints at a lack of support or engagement from senior management*. If other senior managers are more willing and able to be interviewed, that should suffice, especially if they subtly or directly confirm that the CEO supports the ISMS, or if the CEO has overtly supported the ISMS (e.g. by personally endorsing or mandating the information security policy). See also Q4 below.


2. Approximately how much time is required for an audit interview?

Sunday 4 December 2022

COVID information risk analysis - retrospective

Two and a half years ago in March 2020 as we were fast approaching our first lockdown, I published the following Probability Impact Graph depicting my analysis of the information risks relating to COVID:


The PIG reports the information risks I identified at the time, thinking about COVID from the general societal perspective as opposed to a personal or organisational perspective.

Tuesday 1 November 2022

Putting policies under pressure


A note on LinkedIn led me to an intriguing scientific research study that tested the following five hypotheses:

  1. People who receive instructions via a written policy about rules will have better knowledge of these rules than those that do not. 

  2. People who receive a shorter form version of policy about the rules with less text will have better knowledge of the rules than those who receive a longer training form. 

  3. People who receive a written policy outlining the rules in a more vernacular and less legal technical language will have better knowledge of the rules than those presented with a more formal-legal-styled training text. 

  4. People with better knowledge of rules will also comply more with such rules.

  5. The more legal rules align with people’s personal and social norms, the higher people score in their knowledge of these legal rules.  

Monday 17 October 2022

Security awareness month


Since October is cybersecurity awareness month in the USA, we've seized the opportunity to update SecAware.com with additional information on our security awareness material. 

SecAware's information security awareness modules explore a deliberately wide variety of individual topics in some depth:

Wednesday 14 September 2022

Complete security is an oxymoron

An interesting Kiwi business startup caught my beady eye today. Without being too specific, they are offering a financial service, making me curious about the legal and regulatory hoops they presumably had to clear in order to do so.

Checking their shiny new website hasn't exactly inspired me with confidence. The home page claims to be using a completely secure platform ... which is, I suspect, a bit of a porky, an exaggeration, stretching the truth. Maybe they have been carried away by their own marketing. Perhaps they are just naive.

I have never come across a totally secure system, and seriously doubt there is such a beast. Sure, I've dealt with many highly secure systems, all of which were vulnerable in various ways. None of the organisations concerned had the nerve to claim they were totally secure however, since (with a little guidance from pros like me!) management accepted that there were residual risks, despite all our efforts.

Paradoxically, by claiming total security, they are painting a large target on themselves, setting themselves up for a fall - and that's a shame because, as I said, they are a Kiwi startup with an interesting business product that the founders have personally invested in getting to market. I'm not naming the company to avoid adding fuel to the fire. I would love them to soar, not crash and burn. I wish them well.

It gets worse: I can't find any further information about their security arrangements on the website, partly due to some broken links. That's not a good look for any business - ourselves included but we aren't offering financial services and don't claim to be totally secure. The security bar is set higher for them.

[Hint: integrity and availability are both core parts of information security.]

So, what next? I guess I'll try contacting them about this, softly-softly. I'd rather they considered me a friend than a threat. 

Tuesday 6 September 2022

Ten tips on tackling a thorny infosec issue

A member approached the ISO27k Forum this morning for advice:

"What would you recommend to do if our warnings as ISMS department specialists/auditors are not taken into account?"

What can realistically be done if management isn't paying sufficient attention to information risks that we believe are significant?

This is a thorny issue and not an uncommon challenge, particularly among relatively inexperienced or naïve but eager information risk and security professionals, fresh out of college and still studying hard for their credentials. It can also afflict the greybeards among us: our passion for knocking down information risks can overtake our abilities to convince managers and clients.

Here are ten possible responses to consider: 

Saturday 6 August 2022

CISO workshop slides

The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):