Showing posts with label Cybertage. Show all posts

Monday 6 July 2020

Of APTs and RPTs



Do you recall when APTs were A Thing? Advanced Persistent Threats were exemplified by Stuxnet, a species of malware that was stealthy enough to penetrate the defences of an Iranian nuclear fuel processing plant ten years ago, persistent enough to undermine numerous layers of control, and sophisticated enough to over-speed and wreck the centrifuges without alerting the plant operators until the damage was done.  

We seldom hear of weapons-grade APTs these days, suggesting they are no longer newsworthy or effective. Maybe they have gone the way of the trebuchet or musket ... but I believe it's much more likely that APTs have become even more sophisticated, stealthier and more damaging now than ever before, especially given the ascendance of IoT, IIoT and 'cyber-physical systems'. Now, Things are A Thing.

Meanwhile, we are constantly assaulted by ordinary, conventional, old-school malware - Retarded Persistent Threats as it were.

In contrast to APTs, RPTs are relatively crude and commonplace - more blunderbuss than sniper's rifle but every bit as devastating at close range. Despite becoming increasingly sophisticated and capable, they are presumably well behind APTs, especially given governmental investments in cyber capabilities as part of national defence spending.

RPTs 'persist' in the sense that they steadfastly refuse to go away. Bog-standard malware has dogged computer systems, networks and users since the 1980s. It has grown in prevalence at least as fast as IT, and in some ways it has driven advances in IT. The few percent of system resources needed to run today's antivirus packages and firewalls would surely have brought systems from previous decades to their little silicon knees.

Whereas most RPT incidents are, well, incidental in relation to our global society, they threaten the very large number of vulnerable systems, individuals and organisations out there. It has become painfully obvious during COVID-19 that vanishingly few organisations stand alone, immune to the global repercussions. We are all entangled in, and highly dependent upon, a global mesh of information, goods and services. Just as a single COVID case causes knock-on effects, an RPT incident creates ripples.

We're lucky that, so far, neither real-world nor cyber-world viruses have tipped us over the edge, triggering the zombie apocalypse that preppers fear. With their additional stealth and firepower, APTs may one day push things a byte too far - and then what? Perhaps those preppers aren't so loco as they may seem. Perhaps it's not such a crazy idea to build and secure our virtual bunkers to protect the information we'll need when zombies emerge from the forest. I guess I should carve this blog piece onto a rock, an information archival medium proven to last thousands of years. I wonder if these strange hieroglyphics will mean anything when the rock is dug up? 

Come to that, I wonder if they mean anything now! Are these merely the incoherent ramblings of a paranoid infosec geek, or have I struck a chord? Comments are welcome. Chisel away.

Wednesday 22 January 2020

Further lessons from Travelex

At the bottom of a Travelex update on their incident, I spotted this yesterday:

Customer Precautions
Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us. 

Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.

At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. 

I'm waffling on about corporate identity theft, flowing on from the original incident.

I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypothetical information risks and see where it leads.

Firstly, corporate identity theft may not be as well publicised as personal identity theft but it is a genuine risk, as demonstrated through incidents such as: 
  • Scammers seizing control of DNS records to redirect traffic from corporate websites to their own; 
  • Scammers using fraudulently obtained or fake digital certificates, or exploiting browser vulnerabilities, to undermine HTTPS controls; 
  • Phishing where victims are socially-engineered into believing they are interacting with the lure organization's website; 
  • Fake apps, spyware and bank Trojans designed to steal login credentials and other confidential information while maintaining the facade of normality; 
  • Cybersquatters registering domains similar to legitimate corporate domains with different extensions, typos or lookalike characters, intending to mislead visitors; 
  • Counterfeiting, where branding, logos, packaging etc. are used to dupe victims (consumers and sometimes also retailers and corporate customers) into buying fake and usually substandard products; 
  • Various telephone, email and social media scams involving misrepresentation and other social engineering methods to mislead and defraud victims who mistakenly believe they are dealing with legitimate companies, authorities or other trusted bodies. 
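The cybersquatting bullet above is one a monitoring team can act on directly: watch new domains appearing in certificate-transparency or passive-DNS feeds and score each against the domains the organisation actually owns. The script below is an added example, not code from the original post; the protected domain, the confusables table and the observed feed are all constructed, and the matching rules (lookalike folding, TLD swap, embedded brand, one-keystroke typo) are the obvious ones rather than a complete typosquat taxonomy.

```python
"""Lookalike-domain monitor for a protected brand domain.

Added example, not from the original post: it illustrates the cybersquatting
bullet from the defender's side. A team feeds in domains seen in
certificate-transparency or passive-DNS feeds (constructed samples below) and
each one is scored against the domains the organisation actually owns.
"""
import unicodedata

# Domains the organisation owns. Hypothetical placeholder, not a real brand.
PROTECTED = ["examplebank.com"]

# Characters and digraphs commonly substituted for the letters they resemble.
# Illustrative subset, not a complete Unicode confusables table.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i",  # Cyrillic lookalikes
}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so lookalike characters become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters


def normalise(label: str) -> str:
    """Fold lookalike characters back onto the ASCII letters they imitate."""
    label = unicodedata.normalize("NFKC", label).lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):  # digraphs first
        label = label.replace(src, CONFUSABLES[src])
    return label


def split_domain(domain: str):
    """Split 'name.tld' into (everything left of the last dot, tld)."""
    domain = to_unicode(domain.strip().lower().rstrip("."))
    name, _, tld = domain.rpartition(".")
    return name, tld


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-keystroke typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected=PROTECTED):
    """Return why a domain looks like an impersonation, or None if it does not."""
    name, tld = split_domain(domain)
    folded = normalise(name)
    for own in protected:
        own_name, own_tld = split_domain(own)
        if (name, tld) == (own_name, own_tld):
            return None  # the organisation's own domain
        if folded == own_name and tld == own_tld:
            return "lookalike characters"
        if folded == own_name:
            return "alternative TLD"
        if own_name in folded:
            return "brand embedded in longer name"
        if edit_distance(folded, own_name) <= 1:
            return "typo variant"
    return None


def scan(feed):
    """Classify every observed domain; return the flagged ones with reasons."""
    flagged = []
    for domain in feed:
        reason = classify(domain)
        if reason:
            flagged.append((domain, reason))
    return flagged


# Constructed feed standing in for CT-log or passive-DNS output.
OBSERVED = [
    "examplebank.com",                    # legitimate
    "examp1ebank.com",                    # digit 1 for letter l
    "examplebank.net",                    # TLD swap
    "exanplebank.com",                    # one-key typo
    "examplebank.com.secure-login.net",   # brand as a subdomain of another site
    "ex\u0430mplebank.com".encode("idna").decode("ascii"),  # Cyrillic a, punycoded
    "unrelated.org",
]

if __name__ == "__main__":
    for domain, reason in scan(OBSERVED):
        print(f"{domain}: {reason}")
```

Each hit is a candidate for a takedown request or a block on the mail and web gateways, not proof of fraud: legitimate partners sometimes register brand-adjacent names, so the output wants a human in the loop.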
Secondly, the breadth and depth of network security compromise involved in major ransomware and other malware incidents suggests an even more sinister threat: the ransom demand is merely a dramatic, shocking point in the course of the incident, an incident that started at some prior point when the first corporate system was hacked or infected. Since then, possibly for days, weeks or months, the perpetrators would presumably have been surreptitiously roaming around the network 'behind enemy lines', exploring the topography and mapping out controls, installing and preparing to trigger the ransomware (perhaps also disabling the backups), stealing and exfiltrating corporate information to reinforce the ransom demands (perhaps selling or disclosing it for kicks, or stashing it away for a rainy day) and who knows what else. 

It is feasible, then, for the cybercriminals to have taken command of Travelex's external relations, including the website, the current holding pages and Tweets. They could all be fakes, the hackers pressing home management's powerlessness. How would we tell? Even the Travelex CEO's talking-heads videoblog concerning the incident could be part of the scam. Like many of their retail customers, I have no idea whether the person we've seen in the video is really their CEO or an actor, an imposter, perhaps a deepfake video animation.

Even if you find that lurid scenario untenable, there are less extreme possibilities worth considering. The fact is it's no simple matter to lock down a complex global corporate network following such a compromise, shutting out the hackers while also releasing official information, patching and securing systems, recovering compromised data and services, resuming internal corporate comms and keeping various external stakeholders in touch with developments. Maybe the hackers still have partial access (e.g. through covert backdoors) and limited control, enough to observe and meddle with the recovery activities, discredit and disrupt comms and so restrict management's freedom of action.

As with the Sony incident 5 years ago, there's a lot we can learn from Travelex's misfortune, through a blend of observation, analysis and supposition. All it takes is some appreciation of the information risk and security aspects, a vivid imagination, and the ability to draw out general lessons from the specific case. For example, under crisis conditions, normal internal and external corporate communications may be disrupted and untrustworthy ... so what can be done now to prepare for that eventuality? Recovering from a major cyber incident takes rather more than just 'invoking the IT disaster recovery plan'! February's security awareness module will have a gripping story to tell, for sure!

Tuesday 20 August 2019

Cyber-insurance standard published


We are delighted to announce the birth of another ISO27k standard

ISO/IEC 27102:2019 — Information security management —

Guidelines for cyber-insurance

The newest, shiniest member of the ISO27k family nearly didn't make it into this world. Some in the insurance industry are concerned about this standard muscling-in on their territory. Apparently, no other ISO/IEC standards seek to define categories of insurance, especially one as volatile as this. Despite some pressure not to publish, this standard flew through the drafting process in record time thanks mostly to starting with an excellent ‘donor’ document and a project team tightly focused on producing a standard to support and guide this emerging business market. Well done I say! Blaze that trail! This is what standards are all about.

‘Cyber’ is not yet a clearly-, formally- and explicitly-defined prefix, despite being bandied about willy-nilly, a solid-gold buzzword. It is scattered like confetti throughout but unfortunately not defined in this standard, although some cyber-prefixed conventional common-or-garden information risk and security terms are defined by reference to “cyberspace” which is - of course - the “interconnected digital environment of networks, services, systems, and processes”. Ah, OK then. Got yer.

We each have our own interpretations and understandings of the meaning of cyber, some of which differ markedly. The information risks associated with cyberwarfare and critical national and international infrastructures (such as the Internet), for example, are much more substantial than those associated with the activities of hackers, VXers and script kiddies generally. Even a ‘massive’ privacy breach or ransomware incident is trivial compared to, say, all-out global cyberwar. The range is huge ... and yet people (including ISO/IEC JTC1/SC27) are using 'cyber' without clarifying which part or parts of the range they mean. Worse still, some (even within the profession) evidently don’t appreciate that there are materially different uses of the same term. It’s a recipe for confusion and misunderstanding.

The standard concerns what I would call everyday [cyber] incidents, not the kinds of incident we can expect to see in a cyberwar or state-sponsored full-on balls-out all-knobs-to-eleven cyber attack. I believe [some? most? all?] policies explicitly exclude cyberwarfare ... but defining that may be tricky for all concerned! No doubt the loss adjusters and lawyers will be heavily involved, especially in major claims. At the same time, the insurance industry as a whole is well aware that its business model depends on its integrity and credibility, as well as its ability to pay out on rare but severe events: if clients are dubious about being compensated for losses, why would they pay for insurance? Hopefully this standard provides the basis for mutual understanding and a full and frank discussion between cyber-insurers and their clients leading to contracts (confusingly termed “policies”!) that meet everyone’s needs and expectations.

There are legal and regulatory aspects to this too e.g. compensation for ransomware payments may be legally prohibited in some countries. Competent professional advice is highly recommended, if not essential.

Depending on how the term is (a) defined and (b) interpreted, ‘cyber incidents’ covers a subset of information security incidents. Incidents such as frauds, intellectual property theft and business interruption can also be covered by various types of insurance, and some such as loss of critical people may or may not be insurable. Whether these are included or excluded from cyber-insurance is uncertain and would again depend on the policy wording and interpretation. 

Likewise the standard offers sage advice on the categories or types of costs that may or may not be covered, depending on the policy wording. I heartily recommend breaking out the magnifying glasses and poring over the small-print carefully. Do it during the negotiation and agreement phase prior to signing on the dotted line, or argue it out later in court - your choice.

Personally, I’d like to see the business case for using cyber-insurance as a risk treatment option expanded further (beyond what the standard already covers), laying out the pros and cons, the costs and benefits of so doing, in business terms. It is a classic example of the risk treatment now known as ‘sharing’, formerly ‘transferral’. Maybe I will write a paper on that very topic. Watch this space.

Thursday 29 June 2017

More than 5 years of ransomwareness

We are in the final stages of preparing July's awareness materials on "Workplace information security".  Six cool new poster designs have come in from the art department so the staff/general employee stream is practically finished, aside from proofreading. We're working hard to complete the management and professional briefings and tying up a couple of loose ends, leaving just the newsletter left to prepare, right on cue. As usual, we've left it to the very end of the month to make the newsletter, and in fact the whole module, as topical as humanly possible.

The latest ransomware outbreak all over the news this week is a classic illustration of the value of our innovative approach to security awareness. 

We've covered malware at least once a year since 2003, several times in fact since malware often crops up in awareness modules covering related topics such as social engineering, identity theft, phishing, fraud, email security and cybertage. Every time through the hoop, we endeavor to pick up on emerging risks and new trends ...

I've just done a quick search of our back catalog. We first brought up ransomware way back in 2012, mentioning it in several awareness materials. It may be in the headlines now, but it's old news for us and our customers.

Here's an extract from the staff briefing on viruses delivered in February 2012:


Ransomware was an obscure issue when it first came to our notice, a risk that has grown steadily until today it is patently substantial - a real and present danger as they say. Because of that it's easy to catch people's eyes with awareness content on ransomware today, and that's great because there are clearly still organizations and individuals who have yet to get the message, unfortunately. So, in March this year, our annual malware awareness update focused almost exclusively on ransomware, an entire module dedicated to ransomwareness. 

Having said that, awareness of current risks and incidents is, in many ways, too late: employees and their employers need to be pre-warned so they have the chance to consider and address the risks before they get hit. I've said it before: forewarned is forearmed. 

If you are still running around desperately trying to cobble something together to get the word out to your employees about ransomware, or worse still simply too busy to do anything at all on this topic, we can help.

We have more than 50 Mb of top-quality security awareness content on ransomware ready-to-roll, today:


There are seminar slide decks, posters, briefings, an FAQ, a test, a glossary and more - a smorgasbord of ransomwareness content from which to serve up a tasty meal for your organization. Aside from the general employee awareness stuff, there is a stream of content written specifically for management (e.g. a model policy and metrics), and another more technical stream for professionals. It's all customer-editable, so you are very welcome to adapt it to your particular circumstances and corporate comms style. No need to pay someone else a small fortune to customize it for you, do it yourself. 

Email me, now, before it's too late!

PS  What are you doing to raise awareness on workplace information security? Is it even on your risk-radar, let alone your to-do list?

Monday 15 May 2017

WannaCry? We told you so

Yesterday I mentioned that I was preparing a quick update for customers in the aftermath of the WannaCry ransomware worm virus outbreak incident cyber hack nightmare (evidently I'm not sure what to call it, neither are the journalists). 

Having taken another look at the awareness materials we delivered on this topic already - particularly the ransomware awareness module - it turns out we've said all that needs to be said, really.

For example, we used this PIG (probability impact graph) to discuss current malware risks, locating ransomware up there in the red zone:


Trust me, I haven't altered the figure. That is exactly how it was delivered at the end of February 2017. I'm not claiming to have magical fortune-telling powers, however: the graphic is based on information that was in the public domain prior to March 1st.  

All we did was to research and analyze the information, present it in an eye-catching Visio graphic, and use it in the seminar slides and briefings to draw out the key issues in the awareness module. Easy when you know how.

Sunday 16 April 2017

CERT insider threat guide

The fifth edition of the Common Sense Guide to Mitigating Insider Threats was published at the end of 2016 by the CERT Insider Threat Center.  As we've come to expect from CMU/SEI and CERT, it's an impressive, well-written piece of work.

In short, these are the 20 best practices they recommend:
  1. Know and protect your critical assets. 
  2. Develop a formalized insider threat program. 
  3. Clearly document and consistently enforce policies and controls. 
  4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. 
  5. Anticipate and manage negative issues in the work environment. 
  6. Consider threats from insiders and business partners in enterprise-wide risk assessments.
  7. Be especially vigilant regarding social media.
  8. Structure management and tasks to minimize unintentional insider stress and mistakes. 
  9. Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. 
  10. Implement strict password and account management policies and practices. 
  11. Institute stringent access controls and monitoring policies on privileged users. 
  12. Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
  13. Monitor and control remote access from all end points, including mobile devices.
  14. Establish a baseline of normal behavior for both networks and employees.
  15. Enforce separation of duties and least privilege.
  16. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  17. Institutionalize system change controls.
  18. Implement secure backup and recovery processes.
  19. Close the doors to unauthorized data exfiltration. 
  20. Develop a comprehensive employee termination procedure.
The guide expands substantially on each of those, explaining the challenges, describing case studies and offering quick wins for many of them. Pre-hiring background checks, for instance, aren't mentioned in the list above but feature several times in the guide.

I've picked out practice 9 for special attention, given my interest in security awareness. In the main body, the guide states:
"Without broad understanding and buy-in from the organization, technical or managerial controls will be short lived. Periodic security training that includes malicious and unintentional insider threat awareness supports a stable culture of security in the organization."
Well said! It goes on to note several warning signs:
"Security awareness training should encourage employees to identify malicious insiders not by stereotypical characteristics but by their behavior, including
  • threatening the organization or bragging about the damage the insider could do to the organization or coworkers 
  • downloading sensitive or proprietary data within 30 days of resignation 
  • using the organization’s resources for a side business or discussing starting a competing business with co-workers 
  • attempting to gain employees’ passwords or to obtain access through trickery or exploitation of a trusted relationship (often called “social engineering”) 
Awareness training for the unintentional insider threat should encourage employees to identify potential actions or ways of thinking that could lead to an unintentional event, including
  • level of risk tolerance—someone willing to take more risks than the norm
  • attempts at multi-tasking—individuals who multi-task may be more likely to make mistakes
  • large amounts of personal or proprietary information shared on social media
  • lack of attention to detail"
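Two of the warning signs quoted above translate straight into detection logic: "downloading sensitive or proprietary data within 30 days of resignation" needs an HR feed joined to file-access logs, and practice 14's "baseline of normal behavior" needs per-user history to compare each day against. The script below is an added example, not code from the CERT guide or from the original post; the log format, the classification labels, the user names and the resignation date are all constructed assumptions.

```python
"""Two of the guide's insider warning signs as detections over access logs.

Added example, not from the CERT guide or the original post. It joins a
constructed HR list of resignation dates with constructed file-access log
lines to flag (a) downloads of sensitive-labelled files within 30 days of a
user's resignation and (b) days on which a user's download volume is far
above that user's own baseline, the 'baseline of normal behaviour' of
practice 14. Log format, labels and names are all assumptions.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed HR feed: user -> date notice of resignation was given.
RESIGNATIONS = {"jdoe": date(2017, 3, 20)}

# Constructed access log: timestamp user action path key=value...
ACCESS_LOG = """\
2017-02-01T09:12:03Z jdoe download /projects/alpha/design.pdf label=SENSITIVE bytes=210000
2017-02-02T10:01:44Z jdoe download /projects/alpha/notes.docx label=INTERNAL bytes=190000
2017-02-03T11:30:09Z jdoe download /projects/alpha/plan.xlsx label=INTERNAL bytes=230000
2017-02-06T08:45:51Z jdoe download /projects/alpha/minutes.docx label=INTERNAL bytes=205000
2017-03-15T18:02:17Z jdoe download /hr/salaries.xlsx label=SENSITIVE bytes=30000000
2017-03-15T18:09:40Z jdoe download /sales/customer-list.csv label=SENSITIVE bytes=18000000
2017-03-15T18:11:02Z jdoe view /sales/customer-list.csv label=SENSITIVE bytes=0
2017-03-15T09:20:00Z asmith download /public/handbook.pdf label=PUBLIC bytes=150000
2017-03-16T09:25:13Z asmith download /public/forms.pdf label=PUBLIC bytes=160000
"""

WINDOW_DAYS = 30          # "within 30 days of resignation"
MIN_HISTORY_DAYS = 3      # days of history needed before a baseline is trusted
MAD_MULTIPLIER = 5        # how far above the robust baseline counts as anomalous


def parse_log(text):
    """Turn the log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, user, action, path, *kv = parts
        fields = dict(pair.split("=", 1) for pair in kv if "=" in pair)
        events.append({
            "day": datetime.fromisoformat(ts.replace("Z", "+00:00")).date(),
            "user": user, "action": action, "path": path,
            "label": fields.get("label", "PUBLIC"),
            "bytes": int(fields.get("bytes", 0)),
        })
    return events


def resignation_alerts(events, resignations=RESIGNATIONS):
    """Sensitive downloads within WINDOW_DAYS either side of a resignation date."""
    alerts = []
    for e in events:
        notice = resignations.get(e["user"])
        if notice is None or e["action"] != "download" or e["label"] != "SENSITIVE":
            continue
        if abs((e["day"] - notice).days) <= WINDOW_DAYS:
            alerts.append((e["user"], e["day"], e["path"]))
    return alerts


def volume_alerts(events):
    """Days where a user's download bytes exceed a robust per-user baseline.

    The baseline is median + MAD_MULTIPLIER * scaled MAD of the user's other
    days, so one huge day cannot hide itself by inflating a mean and stdev."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            daily[e["user"]][e["day"]] += e["bytes"]
    alerts = []
    for user, days in daily.items():
        for day, total in days.items():
            history = [v for d, v in days.items() if d != day]
            if len(history) < MIN_HISTORY_DAYS:
                continue
            base = median(history)
            mad = median(abs(v - base) for v in history)
            spread = max(1.4826 * mad, 0.1 * base)  # floor keeps the band non-zero
            if total > base + MAD_MULTIPLIER * spread:
                alerts.append((user, day, total))
    return alerts


def run(text=ACCESS_LOG):
    """Run both detections over a log and return the hits by rule name."""
    events = parse_log(text)
    return {"resignation": resignation_alerts(events), "volume": volume_alerts(events)}


if __name__ == "__main__":
    for kind, hits in run().items():
        for hit in hits:
            print(kind, *hit)
```

On the constructed data the same evening's downloads trip both rules, which is the point: neither signal on its own is damning (people do download files before they leave, and volume spikes have innocent causes), so practice 12's advice to correlate across data sources is what turns two weak indicators into something worth a conversation with the manager.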
I'm intrigued by the concept of 'unintentional' insider threats.
"We define unintentional insider threats as a current or former employee, contractor, or other business partner who:
  • has or had authorized access to an organization’s network, system, or data and 
  • had no malicious intent associated with his or her action (or inaction) that caused harm or substantially increased the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems."
Seems to me that covers almost everyone since we humans all experience the odd errors and accidents, but I guess it's a matter of degree: most of us catch our typoos etc. in time, without precipitating global meltdowns.

The advice includes "Training programs should create a security culture appropriate for the organization and include all personnel" - OK so far on both points. "The training program should be offered at least once a year" is not so good if it is taken to mean a single annual event or session is sufficient, but I'm relieved that it goes on to mention 'refresher training'.

The recommendations are sound:
"All organizations:
  • Develop and implement an enterprise-wide training program that discusses various topics related to insider threat. The training program must have the support of senior management to be effective. Management must be seen participating in the course and must not be exempt  from it, which other employees could see as a lack of support and an unequal enforcement of policies. 
  • Train all new employees and contractors in security awareness, including insider threat, before giving them access to any computer system. Make sure to include training for employees who may not need to access computer systems daily, such as janitorial and maintenance staff. These users may require a special training program that covers security scenarios they may encounter, such as social engineering, active shooter, and sensitive documents left out in the open. 
  • Train employees continuously. However, training does not always need to be classroom instruction. Posters, newsletters, alert emails, and brown-bag lunch programs are all effective training methods. Your organization should consider implementing one or more of these programs to increase security awareness. 
  • Establish an anonymous or confidential mechanism for reporting security incidents. Encourage employees to report security issues and consider incentives to reporting by rewarding those who do.
 Large organizations:
  • The information security team can conduct periodic inspections by walking through areas of your organization, including workspaces, and identifying security concerns. Your organization should bring security issues to the employee’s attention in a calm, nonthreatening manner and in private. Employees spotted doing something good for security, like stopping a person without a badge, should be rewarded. Even a certificate or other item of minimal value goes a long way to improving employee morale and increasing security awareness. Where possible, these rewards should be presented before a group of the employee’s peers. This type of program does not have to be administered by the security team but could be delegated to the employee’s peer team members or first-level management."  
The quotes above are just part of the 6 pages on that one practice area, a small fraction of the guide's 175 pages - well worth the trouble to read if your organization has humans on the payroll, or depends on third party personnel for that matter - those nice people who do their level best to keep the lights on whatever the weather, for instance. 


PS  If anyone from CERT reads this blog, please stop referring to awareness and training as if they are the same thing. They aren't. See NIST SP800-50 and SP800-16 ... or ask me!

Friday 2 December 2016

Reflected anger


Friends,

Given my profession, I am of course utterly opposed to spam and dedicated to fighting the scourge, which makes it especially annoying when some noxious spammer uses one of my email addresses as the From: address for their nasty spam.

I usually discover this when assorted email servers send me error messages along the lines of "Sorry we could not deliver your spam".  Those reflected messages are just the tip of the iceberg, though, since I presume many other poor sods received the spam with my email address at the top.  Some of them probably cursed me.

Just in case any of them are reading this, I'd like to confirm that I am most certainly not a spammer.  I share your annoyance but it wasn't my fault!
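What the post describes is backscatter: a remote server accepts a message with a forged envelope sender, fails to deliver it, and bounces the error to the innocent address. The standard mitigation is for the domain owner to publish an SPF record so that receiving servers can reject the forgery during the SMTP exchange, before any bounce is generated. The evaluator below is an added example, not code from the original post: it handles the ip4, ip6 and all mechanisms with their qualifiers, treats include/a/mx (which need DNS) as non-matching so it runs offline, and uses a constructed record and constructed addresses.

```python
"""Minimal SPF evaluator showing how a receiver rejects forged envelope senders.

Added example, not from the original post. SPF (RFC 7208) lets a domain owner
publish which hosts may use its domain as the envelope sender, so a receiving
server can refuse a spoofed message during the SMTP exchange instead of
accepting it and bouncing the error to the innocent address in the header.
This evaluator handles ip4, ip6 and all with the four qualifiers; include, a
and mx need DNS lookups and are treated as non-matching here (an assumption
for an offline example). The record and addresses are constructed.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record for a hypothetical domain whose only mail relays sit in
# 192.0.2.0/24 and 2001:db8::/32; "-all" says everything else is forged.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"


def check_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip against a TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                    # modifiers such as redirect= / exp=
            continue
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists/ptr would need DNS; assumed not to match offline.
    return "neutral"                       # nothing matched and no "all"


def smtp_decision(record: str, sender_ip: str) -> str:
    """What the receiving MTA does at MAIL FROM time; a hard fail is refused."""
    result = check_spf(record, sender_ip)
    actions = {"fail": "reject 550", "softfail": "accept and mark", "pass": "accept"}
    return actions.get(result, "accept")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8::1", "198.51.100.7"):
        print(ip, check_spf(EXAMPLE_SPF, ip), smtp_decision(EXAMPLE_SPF, ip))
```

SPF only covers the envelope sender; the visible From: header the post complains about is checked by DMARC, which requires SPF or DKIM to pass for a domain aligned with that header and lets the owner ask receivers to reject the rest. Publishing "-all" with a DMARC reject policy is what stops a spammer's forgeries from ever reaching the servers that would otherwise bounce them back.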

Saturday 8 October 2016

Marketing or social engineering?

Electronics supplier RS Online sent me an unsolicited promotional mailing in the post this week, consisting of a slimline USB stick mounted in a professionally printed cut-out card:




Well, it looks like something from RS' marketing machine.  It has their branding, images of the kinds of tools they sell and a printed URL to the RS website.  But the envelope has been modified ...


The printed sticker stamp top right has been crudely redacted with a black marker pen plus two further sticky labels, and 'postage paid' has been printed lower left, allegedly by the Hong Kong post office.  [I put the blue rectangle over my address.]

A week ago, we released a security awareness module on human factors in information security, including social engineering. Among other things, we discussed the risk of malware distributed on infectious USB sticks, and modified USB hardware that zaps the computer's USB port. The notes to a slide in the awareness seminar for management said this:
What would YOU do if you found a USB stick in your mailbox (at home or at work), or in the street, in the parking lot, in a corridor or sitting on your desk? 
In tests, roughly 50% of people plug found USB sticks into their computers.  A few of them may not care about the security risks (such as virus infections or physical damage that can be caused by rogue USB sticks), but most probably don’t even think about it – security doesn’t even occur to them. Maybe they simply don’t know that USB sticks can be dangerous.
Providing information about the dangers is straightforward: we can (and do!) tell people about this stuff through the awareness program.  But convincing them to take the risks seriously and behave more responsibly and securely is a different matter.  The awareness program needs to motivate as well as inform.  
The accompanying management briefing paper said:


It is possible that the USB stick carries malware, whether it truly originates from RS Online's marketing department in Hong Kong, or was intercepted and infected en route to me, or is a total fabrication, a fake made to look like a fancy piece of marketing collateral. I didn't request it from RS, in fact I've done no business with them for ages. The risk to loading the USB stick may be small ... but the benefit of being marketed-at is even less, negligible or even negative, so on balance it will be put through the office shredder.  It's a risk I'm happy to avoid.


PS  The title of this piece is ironic.  Marketing IS social engineering.

Tuesday 16 August 2016

Sony still paying for the hack


The Sony hack two years ago is still costing Sony money.

An article in the Hollywood Reporter notes that Sony has paid $millions already:
"After the hack, Sony has faced several lawsuits over failure to safeguard private data and most notably settled a class action from former employees in a deal worth somewhere between $5.5 million and $8 million."
That is on top of the substantial costs directly incurred in or caused by the incident, including the loss of business, inability for Sony Pictures Entertainment to operate for several weeks, penalties from the authorities due to its problems filing financial results on time, and of course the incident investigation and actions arising, clearing-up the mess.

Possibility Pictures is now claiming compensation for the loss of revenue on one of its films that Sony was supposed to be distributing. "To write love on her arms" was one of five films stolen in the hack and released onto the Internet as part of the incident. Possibility Pictures claims that Sony breached its obligation under an anti-piracy clause in their agreement due to the "entirely foreseeable and avoidable failure of internal security".

'Entirely foreseeable' is an interesting turn of phrase. It's not too hard for Sony to figure out what went wrong with the benefit of 20/20 hindsight, after the fact, but to claim that it was 'entirely foreseeable' implies that Sony was blind to the possibility before the fact. It seems to me this was an audacious hack, unique in terms of its scale and the media coverage, so is it reasonable to expect Sony to have foreseen it? I guess that is one of many questions that will be argued out in court (if it gets that far). It's a fascinating example of information risk management.

Tuesday 3 March 2015

Free Sony hack case study

We have just published our security awareness case study on the Sony hack under a Creative Commons license.

The information sources are fully cited and referenced in the materials – all public domain stuff and no special inside-track from Sony I’m afraid*, hence there are probably errors and certainly omissions … and yet nevertheless this was a remarkably instructive incident touching on an unusually wide range of information security topics. 

One aspect that stands out for me is that, since information is Sony’s lifeblood, information risks are business risks.  Regardless of whether the North Koreans were or were not behind the hack, management’s strategic decision to press ahead with The Interview undoubtedly affected Sony’s information risk profile.  Their strategic approach towards information and IT security has been implicated in several major infosec incidents over the years.  There are lessons here about governance, risk management and security strategy.

The ongoing incident management and business continuity aspects are also interesting.  The Sony hack may no longer be all over the news but (as far as I know) we have yet to discover how they ultimately responded to the extortion demands, and whether the FBI are homing-in on the culprits.  Meanwhile, Sony recently had to ask for a special dispensation to miss a critical business reporting deadline as a result of the disruption caused to its systems and processes.  It’s not hard to imagine the internal turmoil behind their relatively calm public statements.


* Hey, wouldn't it be good to have the information security equivalent of the official air accident investigations or public inquiries into other types of major incident i.e. a thorough, detailed examination of the facts by highly competent, diligent and independent experts with unrestricted access to the necessary information, leading to a public report with sound improvement recommendations to help us all avoid falling into the same traps?  ...

Thursday 2 October 2014

Physical IP theft

The overnight theft of an entire wall from an eco-house being constructed in Christchurch raises the possibility that competitors wanted to find out how the construction company is prefabricating the panels with such good insulation properties - in other words, they have allegedly stolen the intellectual property by stealing a clever wall, presumably with the intent to duplicate the technology and perhaps sabotage the rightful IP owner's business.

So it was cybertage.

Deconstructing a competitor's product to figure out how it works and how it was made is common practice in many product markets, although usually there's no need to steal the product: the IP thief can simply purchase it legitimately.

Sometimes (as with new car models prior to their launch), still photographs or videos of the product from the testing grounds are sufficient to steal a march on the competitor, hence physical security around the product (testing ground site access controls and fake vehicle panels to conceal its shape) can be an important IP control.

Even better for the unethical competitor is to steal the design blueprints, engineering drawings and specifications direct from the source, for example by placing a mole in the competitor's organization, bribing a worker to steal the information, or hacking the systems.  They can reduce their risks and costs still further by exploiting the patent information published for patented products and hoping that the IP owners either don't notice, don't care, or don't have the resources for a full-on legal battle.

Anyway, I'm sure the building company whose wall technology appears to have been stolen will be watching the market closely for indications that a competitor is planning to introduce eco-buildings with remarkably good heat insulation ...

Tuesday 30 September 2014

Cybertage - our 50th security awareness topic

We have just achieved a significant milestone with the release of an awareness module covering the fiftieth topic in our ever-growing information security awareness portfolio.

Our topic for October is “cybertage”, meaning sabotage in cyberspace. As you might surmise from the stark red awareness poster in the style of 1940s public safety warnings, cybertage is an age-old subject. It even pre-dates IT: propaganda, for instance, involves deliberately using information to manipulate, undermine and - yes - cybertage an enemy. It is of little consequence how propaganda is delivered: leaflets, emails, stone tablets, CNN, wax cylinders, Blogger, Morse code, hilltop beacons, whatever. Message trumps medium. As with security awareness, it’s the content that matters most.

Today’s cyberteurs are truly spoilt for choice. They have the potential to attack their targets through the Internet and a variety of media, and as we learned from Stuxnet even air-gaps are an imperfect defense against sophisticated viruses. Our IT systems and networks make juicy cybertage targets in their own right. Add to that the possibility of smear campaigns spreading vicious rumours and half-truths through social media and ‘customer review and feedback’ sites, and the power of cybertage in the 21st Century becomes alarmingly obvious.

But wait, there’s more! Cyberteurs walk among us. They lurk in our midst, waiting to strike from within. All it takes is a careless, cutting remark, a snub from management or some other incident to turn our once-loyal colleague into a raving virtual-ax-wielding cyberteur, intent on getting his own back by inflicting maximum grief on the corporation.

Cybertage is a novel topic for the security awareness program, something deliberately out-of-the-ordinary that we hope will catch you and your colleagues’ imaginations as it did ours. However, we appreciate that this is a delicate issue, and that raising awareness could conceivably induce people who are so inclined to commit cybertage. 

On balance, as with several other modules in our portfolio, we take the position that in the unlikely event that any disgruntled, unethical employees do become cyberteurs solely as a result of these awareness materials, the far greater number of security-aware and motivated colleagues who will notice and discourage, warn or report them represents an effective information security control. It seems to us that the alternative – blind faith and ignorance, ignoring the issue in the hope that it will go away – is literally worse than useless. 

However, if customers feel that we are biased, and that we might even be undermining (cybertaging!) their information security arrangements, they can choose to avoid the awareness topic completely or be more circumspect or focused in how they approach it.

Our job as authors is to provide high quality ammunition for your security awareness program: it’s up to you to load, aim and fire!

So what does your security awareness program have to say about cybertage and 49 other information security matters?