Showing posts with label BYOD. Show all posts

Sunday 11 April 2021

Infosec policy development

We're currently preparing some new information risk and security policies for SecAware.com.  It's hard to find gaps in the suite of ~80 policy templates already on sale (!) but we're working on these four additions:

  1. Capacity and performance management: usually, an organization's capacity for information processing is managed by specialists in IT and HR.  They help general management optimise and stay on top of information processing performance too.  If capacity is insufficient and/or performance drops, that obviously affects the availability of information ... but it can harm the quality/integrity and may lead to changes that compromise confidentiality, making this an information security issue.  The controls in this policy will include engineering, performance monitoring, analysis/projection and flexibility, with the aim of increasing the organisation's resilience. It's not quite as simple as 'moving to the cloud', although that may be part of the approach.

  2. Information transfer: disclosing/sharing information with, and obtaining information from, third party organisations and individuals is so commonplace, so routine, that we rarely even think about it.  This policy will outline the associated information risks, mitigating controls and other relevant approaches.

  3. Vulnerability disclosure: what should the organisation do if someone notifies it of vulnerabilities or other issues in its information systems, websites, apps and processes? Should there be mechanisms in place to facilitate, even encourage notification? How should issues be addressed?  How does this relate to penetration testing, incident management and assurance?  Lots of questions to get our teeth into!

  4. Clear desks and screens: this is such a basic, self-evident information security issue that it hardly seems worth formulating a policy. However, in the absence of policy and with no 'official' guidance, some workers may not appreciate the issue or may be too lazy/careless to do the right thing. These days, with so many people working from home, the management oversight and peer pressure typical in corporate office settings are weak or non-existent, so maybe it is worth strengthening the controls by reminding workers to tidy up their workplaces and log off.  It's banal, not hard! 
The next release of ISO/IEC 27002 will call these "topic-specific information security policies" focusing on particular issues and/or groups of people in some detail, whereas the organisation's "information security policy" is an overarching, general, high-level framework laying out (among other things) the fundamental principles. Our corporate information security policy template is a mature product that already includes a set of principles, so it may not need changes to comply with the updated ISO/IEC 27002 when published later this year or early next ... but we'll seize the opportunity to review it anyway. 

Friday 20 March 2020

March 20 - COVID-19 infosec awareness special

Today I trawled through our back catalog of information security awareness content for anything pertinent to COVID-19. The "Off-site working" security awareness module published less than a year ago is right on the button. 

"Off-site working" complements the "on-site working" awareness module, about the information risk and security aspects of working on corporate premises in conventional offices and similar workplaces. Off-site concerns the information risk and security aspects of working from home or on-the-road (e.g. from hotels or customer premises), often using portable IT equipment and working independently ... which is exactly the situation many of us are in right now.

Off-site working changes the information risks compared to working in purpose-built corporate offices. Mostly, the risks increase in line with the complexities of remote access, portability and physical dispersion … but offsetting that, off-site working can be convenient, productive and popular, and patently there are business continuity advantages in working through incidents such as COVID-19. 

Implementing appropriate security controls makes it work, on the whole, with security awareness being an essential part of the mix. People need to know about and follow the rules.

Several other awareness modules may also be pertinent. Even if you have home working security awareness covered already, there's plenty more worth saying!

March 20 - COVID-19 PIG update

Here's today's update to my COVID-19 information risk Probability Impact Graphic:


I've slightly shifted and revised the wording of some of the risks but there's nothing really new (as far as I know anyway). 

Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home? Do you have contingency arrangements for physical security?

‘Sanity’ is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious disease etc., which is my rationale for including ‘mental health issues’ in the middle of the PIG. There is some genuinely good news in the medical world concerning progress on coronavirus testing, antiviral drugs and vaccines, although it’s hard to spot among the large volume of dubious information and rumours sloshing around on social media (another information risk on the PIG). 

There’s even some good news for infosec pros. COVID-19 is a golden opportunity for those of us with an interest in security awareness and business continuity. Essentially, we are in the midst of a dramatic case study. I encourage you to think about the information risk and security aspects of this, and perhaps make little notes as reminders of the lessons to be learnt when the storm blows over. 

Here's one of mine. Toilet roll shortages are a handy leading indicator of panic buying and perhaps more substantial physical security threats ahead i.e. a predictive physical security metric. 

For some reason buried deep in the human psyche, a perceived shortage of toilet rolls and other “essentials” precedes, perhaps even triggers the cascading social disorder that we are now experiencing … so this is a gentle reminder to maintain stocks of “essentials” even in good times. Here in NZ, we are urged to maintain our earthquake kits ready for major incidents that can happen without warning. Having a sensible stock of toilet rolls, water, pasta, soup, soap etc. in the kit reduces the pressure to join the plague of locusts clearing the supermarket shelves, and frees us up for other things – not least, being able to think straight and focus on what matters: helping ourselves, our families, friends and colleagues get through this. 

I'm doing my best to maintain a sense of perspective, keeping a balanced, level-headed view of what's going on and spreading what I hope is sensible and helpful information right here.

Yet more good news: so far, the IT and comms services have held up quite well through the crisis, aside from the odd collaborative working wobble … although those ‘increased cyber risks working from home’ shown on the PIG remain a concern. I expect there will be incidents involving malware, hacking and social engineering due to weaknesses in the preventive controls, while incident detection and recovery may also be challenging. In your organization, are you on top of all of this? Do you have reliable VPNs, network security monitoring, antivirus controls, patching and backups all sewn-up for your off-site workforce using corporate kit or BYOD? Do you have the appropriate policies and procedures in place, including incident responses? What about the IT workers we rely upon to keep everything running smoothly: how are they bearing up under the strain?

Wednesday 1 May 2019

Security awareness for off-site workers


Hot off the production line comes May's security awareness and training module about working off-site.

The 69th topic in our portfolio was inspired by a subscriber asking for something on home working.

It ended up covering not just working at home but the information risk and security implications of working on the road (digital nomads), in hotels, on supplier or customer sites and so forth, touching on online collaboration and other related areas along the way.


Module #193 is 95% brand new, prepared from scratch during April and blended-in with a little updated content recycled from previous modules on workplace security and portable ICT security, plugging the gap, as it were.


I'm proud of the guideline (item #04), part of the staff awareness stream. At 16 pages, it is lengthier than normal due to the sheer variety. With the odd touch of humor and stacks of pragmatic security tips for home and mobile workers, it would make a neat little awareness booklet or eDoc for people to leaf through as they wait for planes and buses, or “work” in front of the TV. It's a good read.

The module's management stream has quite a bit to say about achieving balance. There are clearly business and personal benefits to working off-site, provided the associated risks and costs are managed and kept in check. Compliance is particularly challenging as the workforce escapes the confines of the office, powerful ICT devices in hand, dispersing valuable yet vulnerable information assets across the globe. Resilience and flexibility are substantial plus-points.

Extending the working day or week can increase productivity to a point, beyond which over-stressed workers (staff and management!) plummet toward exhaustion and burn-out. In strategic terms, senior management has to make the right choices in order for the organization to reach the peak but not overdo it - and, for that matter, so do individual workers. Just because we can stay constantly in-touch doesn't mean we have to. There are further strategic and governance implications of the evolving nature of work, hence quite a bit of sociology in May's module.

The professional/specialist awareness materials get further into the IT or cyber security aspects such as security administration of mobile devices. Recent news about the discovery of exploitable flaws in WPA3 has risk implications for mobile workers using Wi-Fi, particularly in potentially hostile environments such as busy shopping areas, stations and cafes. On the other hand, anyone who has followed the sorry tale of Wi-Fi security woes since the beginning should not be surprised. WEP, WPA and WPA2 have their vulnerabilities too, as do Bluetooth, cellular networks, Ethernet and the rest.

If off-site working is becoming or has become the norm for your organization, let's tease out and tackle the associated information risks through creative security awareness and training materials, helping you strike the balance between risk and opportunity, pain and gain. Over to you!

Thursday 4 January 2018

IoT and BYOD security awareness module released

The Internet of Things and Bring Your Own Device typically involve the use of small, portable, wireless networked computer systems, big on convenience and utility but small on security.  Striking the right balance between those and other factors is tricky, especially if people don’t understand or willfully ignore the issues – hence education through security awareness on this topic makes a lot of sense.
From the average employee’s perspective, BYOD is simply a matter of working on their favorite IT devices rather than being lumbered with the clunky corporate stuff provided by most organizations. In practice, there are substantial implications for information risk and security e.g.:
  • Ownership and control of the BYOD device is distinct from ownership and control of the corporate data and IT services;
  • The lines between business use and personal life, and data, are blurred;
  • The organization and workers may have differing, perhaps even conflicting expectations and requirements concerning security and privacy (particularly the workers' private and personal information on their devices);
  • Granting access to the corporate network, systems, applications and data by assorted devices, most of which are portable and often physically remote, markedly changes the organization’s cyber-risk profile compared to everything being contained on the facilities and wired LANs;
  • Increasing technical diversity and complexity leads to concerns over supportability, management, monitoring etc., and security of course.  Complexity is the information security manager's kryptonite.
IoT is more than just allowing assorted things to be connected to and accessed through the Internet and/or corporate or home networks.  Securing things is distinctly challenging when the devices are technically and physically diverse, often inaccessible, and have limited storage, processing and other capabilities (cybersecurity in particular).  If they are delivering business- or safety-critical functions, the associated risks may be serious or grave.
It strikes me as odd that risks to the critical national infrastructure resulting from the proliferation of IoT things are not higher up the public agendas of various governments. I have the uneasy feeling that maybe the authorities are wary of drawing attention to the issue, except (hopefully!) in private dealings with the utilities plus defense, finance and healthcare industries. Conversely, I could be mistaken in believing that IoT is substantially increasing information risks in industrial situations: perhaps the risks are all fully under control. Perhaps pigs have wings.

Visit SecAware.com to boost your security awareness program and catch imaginations with creative content.

Saturday 30 December 2017

The start is nigh

With near-perfect timing, we're into the final stages of polishing off January's awareness module on IoT and BYOD security.  

I say near-perfect because this is the last weekend of 2017 with just over a day remaining until 2018. After a week of chilly and miserable weather, an unseasonal polar blast, I'd rather be out enjoying the fine weather and getting ready for the traditional new year's eve celebrations! 

The last section of writing took a bit longer than planned, but I'm confident we'll hit the delivery deadline. Updates to the website are in hand and we'll be packaging and sending the materials to subscribers tomorrow, electronically that is.

Looking forward, we've selected awareness topics for first few months of 2018 and written them up on our distinctly low-tech office whiteboard. We deliberately don't plan too far ahead (who knows what will crop up?) but it takes time to research and draft the materials. Having working titles and outline scopes in mind keeps us focused and on-track. 

If a particularly dramatic information security incident occurs, we can always drop the current work to pick up on it, pushing the original plan out a month. With 60-plus information risk and security-related topics in the portfolio, there's not a lot we haven't covered already, to some extent. Our security awareness back catalog is as much a source of inspiration as content, though, since the field is constantly moving. On top of that, our own interests and preferences are gradually evolving too.

Thursday 28 December 2017

Slowly slowly catchee monkey

As the end of month deadline looms, we're close to finishing January's awareness module on IoT and BYOD security. 

Today I'm working on the awareness seminar slide deck and accompanying briefing paper for the audience group we call 'professionals', blue-collar workers essentially, specialists in IT, risk, security, audit, facilities, control, compliance etc.

We dig a bit deeper into topic for that audience, but not too deep. The overriding awareness objective is to inform, intrigue, motivate and set them talking to their colleagues (other professionals plus the general and management audiences) about and around the topic. Awareness is not training, although there is a grey area and the terms are often confused. 

Ultimately, we hope the pros will pass on some of their knowledge and enthusiasm for the topic to others, preferably with more than just a casual nod towards the information risk and security aspects. 

IoT and BYOD are obviously IT-related, so the pro materials are IT-centric this month. The awareness poster image above mentions "latest hi-tech goodies" specifically to catch the eyes of geeks and technophiles, people who just love hot new gadgets - reading about them, drooling over the adverts, sometimes buying and using/playing with them, showing them off to their less fortunate playmates ... and occasionally hacking them to figure out how they really work.

An article about hacking building management systems (things!) caught my beady eye today, for several reasons. It's right on-topic, for starters, exactly the kind of intriguing tech content that appeals to the pro audience we have in mind. The author's hacker mentality rings out. He has spent countless hours exploring their capabilities and vulnerabilities for more than a decade. To most of us, that's unnaturally obsessive behaviour but to him it's a hobby, a fascination or passion, fun even. I'm sure he'd do it even if he wasn't being paid to hack (he's a professional penetration tester by day).

I'd love to inspire such intense passion among our customers' employees on the defensive side ... but it's hard given that I'm not there in person and anyway security awareness has a broader and more realistic goal. Some workers may be fired-up by something I've written, although for many the most we can sensibly hope to achieve is to spark an interest. Getting the light to flicker on, occasionally, is the starting point. From there, we can work on making it flicker more often and glow more brightly, gradually changing attitudes, beliefs, behaviours and decisions ... but first we need to open eyes, ears and brains to the fundamentals. The pro audience helps us do that, at first hand.

"A culture of security takes time"
Dan Swanson 

Wednesday 27 December 2017

Inspirational security awareness

Normally in security circles, the word 'exploitation' has the distinctly negative and foreboding connotation of some evil miscreant wantonly attacking and taking advantage of us ... but we'll be using the word in a much more positive sense in the IoT and BYOD security awareness materials for January.

The topic presents a golden opportunity to point out that information security mitigates the substantial information risks associated with IoT and BYOD, risks that would otherwise reduce, negate or even reverse the business advantages.

It's not entirely plain sailing, though, since the risks are context-dependent. Someone needs to identify and evaluate the risks and the corresponding security controls, in order to determine firstly whether the risks are truly of concern to the organization (they can't be avoided or accepted), and secondly whether the security controls are necessary and justified since there are costs as well as benefits.

We've pump-primed the process by doing the risk and security analysis in a generic way - a starting point for subscribers to consider and take forward. We don't pretend to know all about all the information risks each customer faces, nor the information security control options open to them. We're definitely not attempting to do the analysis for them, rather to inspire them to do it themselves. The awareness materials are the prompt to set them thinking and the motivation to get them going.

Tuesday 19 December 2017

Sticky ends

Surveys typically show that: 
  1. Most organizations have some form of BYOD scheme encouraging or permitting workers to use their own laptops, smartphones and tablets for work; and

  2. IoT is spreading fast but still has a long way to go before it peaks.
We infosec geeks may throw up our hands in horror ... but the facts remain: BYOD and IoT are popular, now. They are here to stay and almost certain to expand.

It's too late now for us to bleat on about the information risks and security concerns*. The train has long since left the station.

So how should we handle this situation? An obvious approach is to retrospectively identify, assess and treat the information risks as best we can, emphasizing threats such as hackers, malware, theft or loss of information, and inappropriate disclosure, and promoting security controls such as - well, that's where it gets tricky because we have limited options for technical controls, and (despite our best efforts!) security awareness is never going to be a total cure for employees being incautious or careless. Being so negative and constrained, it's hardly a convincing argument. You could say it's also behind the times, fighting the last war as it were.

Instead, we're taking a more proactive and upbeat line in the awareness content for January. There are business opportunities in going with the flow, embracing BYOD and IoT (where appropriate), making the best of the rapidly evolving technology and forging ahead. Maybe we can't fix everything today, but we surely can make tomorrow better. 

Here's a single example: if a company's widgets can be smartened-up and networked, they might just catch the wave. Innovation is a vital component of brand value for many organizations, a common strategic driver. Provided the technology, security and privacy aspects are sufficiently well addressed, smart, networked widgets may be used to gather information about how the widgets are used in practice by real customers, en masse, giving valuable insight to drive further product development and innovation - a positive feedback loop. 

Finding and exploring other similarly motivational examples and potentially attractive business opportunities has kept us happily occupied today. If we successfully express that excitement in the awareness materials, it should energize and motivate the audiences to get to grips with the risk and security aspects of BYOD and IoT. They will at least set off on the journey in a more positive frame of mind than the more usual "We must improve security or the world will come to a sticky end", or worse still the cynical "Stop everything: for security reasons, the answer is NO!".


* PS  In fact we did raise the information risk and security aspects of IoT and BYOD previously, several times, in the awareness materials. We try hard to keep up with, if not stay ahead of, new developments in this field. Some of our customers, though, have rather more inertia than they'd like to admit!

Monday 18 December 2017

The complexities of simplification

From a worker's perspective, BYOD is 'simply' about being allowed to work on his/her own ICT devices, rather than having to use those owned and provided by the organization.  What difference would that make? It's straightforward, isn't it?

Good questions! There are numerous differences in fact, some of which have substantial implications for information risk, security and privacy. For example, ownership and control of the device is distinct from ownership and control of the data: so what happens when a worker leaves the organization (resigns or is 'let go'), taking their devices with them? Aside from any corporate data on the devices, they had been permitted access to the corporate network, systems, apps and data.  The corporate IT support professionals had been managing the devices, and probably had access to any personal data on them.  Lines are blurred.

In a similar vein, IoT is more than just allowing assorted things to be accessed through the Internet and/or corporate networks. Securing things is distinctly challenging when the devices are diverse, often inaccessible and have limited storage, processing and other capabilities ... but if they are delivering business- or safety-critical functions, the associated risks may be serious.

The complexities beneath the surface make this a challenging topic for security awareness: we need to help workers (general staff, managers and specialists, remember) appreciate and address the underlying issues, without totally confusing them with techno-babble. That means simplifying things just enough but no more, a delicate balancing act.

In reality, dividing the awareness audience into those three groups lets us adjust the focus, nature and depth of the materials accordingly. Managers, for instance, have a particular interest in the risk management, compliance and governance aspects that are of little concern to workers in general. 

At the same time, the awareness materials should generate opportunities for the three audience groups to interact, which means finding common ground and shared interests, points for discussion. That's what we're working on now.

Wednesday 13 December 2017

IoT & BYOD security policies

Today we've been working on model policies concerning IoT and BYOD security.

We offer two distinct types of policy:
  1. Formal information security policies explicitly defining the rules, obligations and requirements that must be satisfied, with a strong compliance imperative relating to management's authority.  These are the internal corporate equivalent of laws ... although we go to great lengths to make them reasonably succinct (about 3 sides), readable and understandable by everyone, not just lawyers familiar with the archaic and arcane legal lexicon (such as has heretofore in the present clause been ably demonstrated, m'lud).

  2. Informal - or at least semi-formal - Acceptable Use Policies that are more advisory and motivational in nature. These compare pragmatic examples of acceptable (in green) against unacceptable (red) uses to illustrate the kinds of situation that workers are likely to understand.  They are even more succinct - just a single side of paper.
So, we now have four security policy templates for IoT and BYOD.

Although they don't contain huge volumes of content and are relatively simple, it takes a fair bit of time and effort to research, design and prepare them. Part of our challenge is that we don't have a particular organization in mind - these are generic templates giving customers a reasonably complete and hopefully useful starting point that they can then customize or adapt as they wish. 

Those customers who already have policies covering IoT and BYOD might find it helpful to compare theirs against ours, particularly in terms of keeping them up to date with ever-changing technologies and risks, while also being readable and pragmatic. Having been developing policies for close to 30 years, I've learnt a trick or two along the way!

The policies will be delivered in January's security awareness module, and are available to purchase either individually or as a suite from us.  Contact me (Gary@isect.com) for details.

Tuesday 12 December 2017

Things in Santa's sack

What's hot in toyland this Christmas?

Way back when I was a kid, shortly after the big bang, it was Meccano and Lego for me. I still value the mechanical skills I learnt way back then. Give me a box of thin metal strips full of holes, a plentiful supply of tiny nuts and bolts, and some nobbly plastic bricks, and I'll build you an extraordinary space station complete with spinning artificial gravity module. Or I might just chew them.

Today's toys supplement the child's imagination with the software developers'. There are apps for everything, running on diminutive devices more powerful than those fridge-sized beige boxes I tended for a hundred odd scientists (some very odd) in my first real job.

Writing about tech toys in the shops this Christmas, Stuart Miles says:
"For many, the days of just building a spaceship out of Lego or playing a game of Monopoly are long gone. Today, kids want interactive tech toys that are powered by an app or that connect to the internet. They want animals that learn and grow as you play with them, or robots that will answer back."
Some toys are autonomous while others are networked - they are things.  Microphones and cameras are often built-in for interaction, and we've already seen a few news reports about them being used for snooping on families.  All fairly innocuous, so far ... but what about those high-tech toys we grownups are buying each other this year?  Some will find their way into the office, the home office at least, where snooping has different implications.


Friday 8 December 2017

Cybersecurity awareness story-telling

Conceptual diagrams ('mind maps') are extremely useful for awareness purposes.  This one, for instance, only has about 50 words but expresses a lot more than could be said with ~50 words of conventional prose:

Despite it being more than 7 years since I drew that diagram, it immediately makes sense. It still tells a story. 

Working clockwise from 1 o'clock, it steps through the main wireless networking technologies that were common in 2010, picking out some of the key information security concerns for each of them.  It's not hard to guess what I was thinking about.

The arrows draw the reader's eye in the specified direction along each path linking together related items. Larger font, bold text and the red highlight the main elements, leading towards and emphasizing "New risks" especially. Sure enough, today we have to contend with a raft of personal, local, mesh, community and wide area networks, in addition to those shown. 

When the diagram was prepared, we didn't know exactly what was coming but predicted that new wireless networking technologies would present new risks. That's hardly ground-breaking insight, although pointing out that risks arise from the combination of threats, vulnerabilities and impacts hinted at the likelihood of changes in all three areas, a deliberate ploy to get the audience wondering about what might be coming, and hopefully thinking and planning ahead.

It's time, now, to update the diagram and adapt it to reflect the current situation for inclusion in January's awareness module. The process of updating the diagram is as valuable as the product - researching and thinking about what has changed, how things have changed, what's new in this space etc. qualifies as fun for this geek! Take yesterday's blog piece, for instance: back in 2010, I probably would not have believed it possible that today we'd be configuring our Christmas tree light shows from Web-based apps on our mobile phones ... and that's merely a trivial, seasonal example. The information risk and security angles to IoT and BYOD go on and on.

Technology is the gift that keeps on giving.

Thursday 7 December 2017

Santa's elves bearing gifts

Today we went on a tiki-tour of the forest in search of a few pine saplings of just the right size, shape and density to serve as Christmas trees. Naturally, the best ones were in the brambles or on the side of a near vertical slope but, hey, that's all part of the fun.

I guess 'Web-enabled remotely-controllable LED Christmas tree lights' are The Thing this year.  Ooh the sheer luxury of being able to program an amazing light show from your mobile phone!

So what are the information risks in that scenario? Let's run through a conventional risk analysis.

THREATS

  • Elves meddling with the light show, causing frustration and puzzlement.
  • Pixies making the lights flash at a specific frequency known to trigger epileptic attacks.
  • Naughty pixies intent on infecting mobile phones with malware, taking control of them and stealing information, via the light show app.
  • Hackers using yet-another-insecure-Thing as an entry point into assorted home ... and corporate networks (because, yes, BYOD doubtless extends to someone bringing in Web-enabled lights to brighten up the office Christmas tree this year).

VULNERABILITIES

  • Irresistibly sexy new high-technology stuff. Resistance is futile. Christmas is coming. Santa is king.
  • Inherently insecure Things (probably ... with probability levels approaching one). 
  • Blind-spots towards information risk and security associated with Things, especially cheap little Things in all the shops. Who gives a stuff about cybersecurity for web-enabled Christmas tree lights? Before you read this blog, did it even occur to you as an issue? Are you still dubious about it?  Read on!
  • Does anyone bother security-testing them, or laying down rules about bringing them into the home or the corporation?
  • Ineffective compliance enforcement of safety and security standards for low value high volume retail stuff flooding the markets.
  • Widespread dependence on "the authorities" to protect "us" from "them".  A naive and potentially reckless abdication of our own responsibility.

IMPACTS

  • Theft of valuable and confidential information.
  • Disruption or loss of valuable data, networks and devices.
  • [Further] loss of control over network access points, leading to exploitation of other connected systems and data.
  • Fire from badly engineered and manufactured knock-em-out-and-pile-em-high cut-price electronics connected to the mains power and dangled among increasingly flammable dead pine trees.
  • Distractedly driving into the back of stationary traffic while trying to re-program the light show on your way home from the office, at the insistence of a back-seat-load ("a pester" is the collective noun) of over-excited kids on a massive sugar high. A rather more dramatic form of impact, that!

Taking that all into account, there are definitely information risks in the scenario, but whether you consider them significant enough to worry about depends on your perspective.

OK so I admit I'm going out on a limb by analyzing information risks for web-enabled Christmas tree lights but the risk analysis is much the same for a zillion other Things quietly invading our homes and businesses. It's the zombie apocalypse.

Aside from all those high-tech toys soon to be piled up under the Christmas tree, the modern hi-tech kitchen and lounge is already replete with Web-enabled whiteware and entertainment systems, and almost everything that moves or goes ping in the office (including the workers!) is wirelessly networked.

Remember, kids, information security is for life - not just for Christmas.

Saturday 2 December 2017

Next topic

Next up on our production conveyor belt is an awareness module on the security aspects of BYOD and IoT.

Aside from being topical IT acronyms, both (largely) involve portable ICT devices - wireless-networked self-contained portable electronic gizmos. 

We've covered BYOD and IoT security before, separately, but it makes sense to put them together for a change of focus.

As things steadily proliferate, workers are increasingly likely to want to wear or bring them to work, and carry on using them. The security implications are what we'll be exploring in the next module.

Saturday 30 July 2016

Security awareness lessons from Pokemon

August's security awareness topic is "pocket ICT security", referring to the information risks associated with portable Information and Communications Technology devices: the smartphones, laptops, tablets, USB sticks, wearables and other high-tech stuff we carry about our person.

Risks such as walking into the road and being hit by a car.

Yes, seriously. 

It is both on-topic and highly topical in the case of Pokemon Go players, young and old, being so focused on the virtual world on the smartphone screen that they neglect the real world hazards around them. The lucky ones are spotted and avoided by alert drivers. The unlucky ones are injured, perhaps even mown down by a vehicle driven by a similarly distracted driver.

Distraction is the more general information risk, a modern-day affliction. The more portable ICT we use, the more distracted we become. Wearables are the latest trend, long predicted but curiously slow to take off, perhaps because of the distraction factor? Or is it just that the Killer App has yet to appear?

August's awareness module delivers another 200 Mb of fresh awareness content, almost all of it researched and prepared within the past few weeks:
  • A train-the-trainer guide with creative advice on making good use of the materials;

  • A newsletter, using recent news clippings to illustrate the risks;

  • Three awareness seminar slide decks (one each for staff, managers and professionals), mostly graphical with few words on the slides and detailed speaker notes;

  • Six high-resolution awareness posters and six diagrams (mind maps and example metrics) suitable for professional printing, or to incorporate into other materials;

  • Three security policies and a procedure;

  • Several awareness briefings explaining things that are relevant to and hopefully resonate with the intended audiences;

  • A security metrics paper proposing and discussing several relating to portable ICT - useful whether you want to prove that everything is under control or to identify and justify systematic security improvements;

  • An FAQ, word-search challenge, awareness survey, quiz and case study supporting the learning process and awareness program;

  • A comprehensive hyperlinked glossary of information risk and security terms, highlighting those that are especially pertinent to pocket ICT;

  • An ICQ (Internal Controls Questionnaire) with which to review or audit the organization’s risks and controls in this area.

The materials are mostly MS Office files, supplied camera ready but unlocked (without Digital Rights Management), making it simple for subscribers to tweak or customize themselves ... in fact we actively encourage them to adapt the materials to their specific requirements. That might be as straightforward as selecting a few bits-n-pieces, replacing the placeholder logo with their own security awareness branding and updating the 'contact us for more info' details in each of the materials, or it could involve more substantial changes (e.g. if BYOD is totally forbidden, rather than being authorized by management as appropriate).

Either way, it's much easier and cheaper just to adapt the supplied content than to research, prepare, proof-read and finalize everything from scratch, assuming a suitable technical author is immediately to hand - someone who has the qualifications, experience, competence, creativity and track-record in security awareness. Good luck finding someone suitable and willing to step into that role for anything remotely approaching the cost of our materials. Industry surveys tell us the information security jobs market is heating up rapidly as demand outstrips supply. One year's salary for an infosec awareness professional would buy the average organization enough awareness materials for decades, literally.

Tuesday 8 September 2015

BYOT - Bring Your Own Things - and BYOS

Employees are increasingly using their personally-owned ICT devices at work, whether for personal or work purposes.  Organizations with BYOD (Bring Your Own Device) schemes and policies typically insist that employees' smartphones, laptops, tablets etc. are secured and managed by IT, requiring the use of MDM (Mobile Device Management) software, AV (antivirus) etc.

So what happens as employees start bringing in their personal IoT toys (BYOT - Bring Your Own Things) in the same way - their fitness trackers, Google Glasses and other wearables, perhaps control pods for their home IoT systems, and so forth?  

Good luck to anyone trying to insist that IT installs MDM, AV and all that jazz on a gazillion things!

One approach to BYOT security I guess is to prohibit all unapproved and unauthorized devices/things from connecting to corporate networks, at the same time preventing corporate devices/things from connecting to non-corporate networks (including ad hoc or mesh networks formed spontaneously between IoT devices, and public networks such as open WiFi, Bluetooth and cellular networks).  Keep them logically separated, with strict enforcement using compliance measures, change and configuration management, network and device/thing security management and monitoring etc. (oh oh, I see dollar signs ticking up at this point).

Another approach is to deperimeterize - stop relying on network perimeter access controls, depending on device/thing security instead.  Treat all networks as untrustworthy if not overtly hostile.  Easy to say, tricky to do properly.

A third way involves the corporation providing open-access/public unsecured networks on its premises and encouraging employees to use those if they want to network their BYOS*.   This has the advantage of logical separation at low cost, while employees (and contractors, consultants, visitors and assorted drifters) can connect up without the cost of 3G or other public networks.  There may be legal wrinkles to this approach

* "Bring Your Own Stuff" is the polite version, "Bash Your Old Ship" is slightly closer to the real definition.

Wednesday 15 April 2015

Yet another information security awareness case study


Controversial plans to replace two Surrey/South London hospitals with a new one were prematurely and inappropriately disclosed on a train:
"The proposals were revealed by management consultants who held a conference call on a commuter train after meeting the trust chief executive Daniel Elkeles.  The call was heard and recorded on a mobile phone by a BBC London reporter."
Someone being overheard discussing sensitive stuff on their mobile phone in a public place is nothing new, an everyday common-or-garden information security incident.  The factors that make this particular one notable include:
  • The disclosure involved trusted third parties possessing (and disclosing!) valuable information belonging to an organization, having been disclosed to them by senior management.  This begs lots of questions about roles and responsibilities, compliance obligations, non-disclosure agreements, ethics, accountability and governance, as well as the information risks and security controls.

  • The disclosed information was particularly sensitive.  Aside from the patients and staff who are directly impacted by the proposals being discussed, the hospitals are landmarks, important assets for their two local communities which, by the way, are several miles apart and socially diverse.  The issue has been a political hot potato in the area for at least a decade.

  • The management consultants concerned should have known better. Whatever their reasoning or justification, this was an embarrassing and perhaps costly incident, quite unprofessional and avoidable.  We can but wonder what damage it might have caused to their ongoing client relationships and future business prospects.

  • 'Conference call' implies this may have been an open discussion on speakerphone, making it likely to be overheard by everyone in the vicinity.

  • It was overheard by a reporter/journalist and perhaps other local commuters in the carriage, any of whom may have found the information relevant and fascinating.

  • Recording the discussion captured at least some of the content, providing undeniable evidence, non-repudiation and the opportunity to transcribe, analyze and share the information more widely.  By the way, virtually every commuter these days has the technical capability to record or transmit such information discreetly if not covertly using a veritable panoply of portable ICT devices.

  • The disclosed information was published and broadcast by the news media. It is now out there in the public domain, beyond the control of the administrators and politicians and doubtless causing concern in the area - not least for the chief executive, the management consultants and various others involved/implicated in or directly affected by the fiasco.

I'll leave it as an exercise for you, dear reader, to explore and evaluate the threats, vulnerabilities and impacts in this incident, and to consider how it might have been avoided or mitigated.  [Hint: as with the Sony hack, this is another excellent case study to discuss in an information risk workshop setting, or indeed a realistic, highly credible scenario for incident management or business continuity exercises, tests, audits and reviews.]

While I feel sorry for those adversely impacted by the incident, I am grateful for yet another free but valuable information security awareness and improvement opportunity as a result of the incident being disclosed.   We can all learn from incidents of this nature.  The trick as always is for someone to identify and consider them as case studies, teasing out the underlying information risk and security issues, and ultimately persuading the organization to make whatever changes and improvements might be necessary and appropriate to analyze and treat the information risks.  It's not enough to nod sagely, say "tut-tut" and ponder: what are you actually going to do differently as a result of reading about this?  At the very least, has it altered your perception or appreciation of the associated information risks?  If nothing changes, it's an awareness opportunity lost, a senseless waste.

Don't worry though.  I'm certain there will be plenty more learning opportunities in due course - in fact, I'm sure I can see the next one peeking into view just around the corner ...

Saturday 31 August 2013

Application security awareness module




In the dying days of August, just as we were busily finishing-off September's awareness module on application security, what should pop on to my screen but a new survey from Ponemon Institute on that very topic.  With some trepidation, I opened the report to see how its findings compared to our own research ... and was relieved to see that we had picked up on all seven of Ponemon's key issues, plus a few more due to our slightly wider scope.  

Does your security awareness and training program cover the information security aspects of application development, acquisition, management and use?  Does it even mention mobile apps, BYOD and cloud computing?  Go ahead, dust it off and take a look.  Does it talk to business and project managers, IT pros and employees in general about relevant security aspects that matter to them, in terms that make sense and resonate?  Does it successfully prompt a productive dialogue between executives and practitioners concerning application security risks and controls?  Does it highlight topical issues, pull up the latest research and thinking, capture employees’ imagination, and most of all motivate them to behave more securely? 

Friday 31 May 2013

Portable ICT & BYOD security


[Cynicism: high]

We have just delivered June's security awareness module to subscribers, covering portable ICT, BYOD (Bake|Bury|Bash|Bring Your Own Device|Disaster|Dog), mobile and home working, and various associated matters.

One of those 'associated matters' concerns the social changes that are going on around us, thanks in large measure to the freedom that comes from workers no longer being leashed to the office like so many dogs.  I've been pondering this issue for quite a while now, sitting here in my modest home office looking out over the beautiful New Zealand countryside.   When I think back to the days when I commuted to the city every day to sit in a series of dreary offices and stuffy meeting rooms, looking forward to a chance to escape to a nearby cafe or go for a lunchtime walk in the local park, I wonder how I put up with it - those seemingly endless wasted hours of traffic jams and pointless committees and (in some cases) ignorant, pig-headed bosses trying to tell me how to do the job that I had trained and self-trained for decades to do.  

I'm fascinated by the pre-industrial-age days of skilled craftsmen and tradesmen and women, selling their knowledge and capabilities by the hour, day or job to a number of customers without the need for "employment" as we understand the term today.   In the realm of the "knowledge worker", thanks to portable ICT and networking, there are so many more opportunities for creative collaboration that the whole employer-employee thing seems terribly dated and ridiculously constrained to me.  

Looking back over the past decade or so, I've done some fantastic work and achieved great things with people I've never met in person, and am unlikely ever to meet in the future.  For differing periods and over great physical and cultural distances, we've made productive connections, done stuff, and moved on, with no hint of the anger or resentment that so often accompanies resignation and redundancy.  Instead of petty office politics and power plays, there's mutual respect and admiration, sharing the joy instead of jealously guarding our respective turfs.

The BYOD situation exemplifies the mess we've got ourselves into.  The corporation expects employees who have the temerity to suggest that they might be more productive using modern, up-to-date ICT gizmos instead of those old clunkers in the office that the accountants say have another year to go before being written off, to permit some faceless PC technician to poke around inside their personal property using fully privileged remote management facilities, with no security controls to speak of?  You're having a laugh!  

As far as I'm concerned, nosy, incompetent and malicious MDM admins are every bit as much of a threat to employees' privacy and other personal interests as those naughty haxxors and VXers who might sneak inside a BYOD tablet.  But no, the corporate power balance gives management the big stick.  "Give away your rights by signing this BYOD policy and hand over your admin password, or it's the IBM PS/2 in the corner for you my lad."  What kind of a 'social contract' is that?

There's far more to mobile working than bashing out a company memo on a beige laptop or playing cellphone tag with some other poor sod, en route to the next excruciatingly pointless and demoralizing encounter.

[/Cynicism]