Posts

Showing posts with the label History

Throwback Thursday - koalas and magnetographics

This week, I'm thoroughly engrossed by a deep dive into ISO/IEC 2382, a suite of standards on IT terminology from the 1990s, around the end of the previous millennium - ancient history as far as IT goes. "ISO 2382 was initially based mainly on the usage to be found in the Vocabulary of Information Processing which was established and published by the International Federation for Information Processing and the International Computation Centre, and in the American National Dictionary for Information Processing Systems and its earlier editions published by the American National Standards Institute (formerly known as the American Standards Association). Published and Draft International Standards relating to information technology of other international organizations (such as the International Telecommunication Union and the International Electrotechnical Commission) as well as published and draft national standards have also been considered." I say "IT" but it...

Crowdstrike - post-incident review: a dozen learning points

I blogged about the Crowdstrike incident on July 21st while it was still playing out. Now, having drained the swamp and let the dust settle, I'm due to draw out, deconstruct and decide what to do about the Crowdstrike disaster, so here goes: Design, build and test systems for resilience, where 'systems' means not just IT systems but the totality of interdependent technologies, organisations, people, information flows and other resources necessary to deliver and support critical business activities. Hinson tip: "be prepared" is not just for boy scouts! Those dependencies are potential pinch plus pain points. Test software before release. Sounds easy, right? It isn't. There is an infinite amount of testing that could be performed, only a fraction of which realistically should be, while the amount and quality of testing actually performed is resource-constrained and time-boxed for business and uncertainty (risk!) reasons (delaying secu...

Book review: Permanent Record by Ed Snowden

Title: Permanent Record
Author: Edward Snowden
ISBN: 978-1-250-23723-1
Price: US$18 from Amazon
GH rating: 90%
Summary: Until I read this book, I considered my personal integrity a fundamental strength, core to my very being. It pales in comparison to Ed's extreme courage and intense determination to expose the shocking truth about the NSA's mass surveillance programme and the way it was concealed from Congress.

Hyperglossary published!

Having declared it officially 'done', the SecAware information security hyperglossary is finally self-published as an eBook in PDF format. More than three thousand terms-of-art are defined in the areas of: information risk; information security; cybersecurity (IT/Internet security); ICS/SCADA/OT security; artificial intelligence; privacy, data protection and personal information; governance; conformity and compliance; incidents; business continuity; and more. It has taken me three decades so far to compile the glossary, initially just as a reference for my personal use, then for our security awareness clients, and now for anyone with a little cash to spare and an interest in the field.

Memories of an O.F.

I freely admit to being an Old Fart, old and plenty farty enough to remember a time even before the DTI Code of Practice was released and then in 1995 became BS7799, making information security A Thing. OK so I'm not quite so old as to remember when computers were women in rank and file, studiously calculating missile trajectories, but I've read about them and I remain fascinated by the early mechanical, electro-mechanical and then electronic computers - initially single-purpose tools such as that nice Mr Babbage's difference engine, then machines capable of various tasks using toggle switches, punched tape and cards to program their instructions. Back in the 80's when I escaped the genetics lab to become a net/sysadmin, computer security was just becoming important: people (particularly managers, few of whom had a clue about IT) were vaguely concerned about these new-fangled, complicated, mysterious and expensive computers. Securing data processing hardware was seen ...

Ailien beacons warn of rocks ahead

Lately, I've been contemplating how the widespread availability and use of AI might affect humankind - big picture stuff. We are currently awash in a tidal wave of commentary about AI innovation, the information risks of AI and its naive users, the tech, the ethics and compliance aspects, the inevitable grab by greedy big tech firms, misinformation, disinformation, jailbreaking and so on. Skimming promptly past well-meaning advisories about prompt engineering from people excited to share their discoveries, I've been reading pieces about how AI can support or will supplant all manner of expert advisors on any topic sufficiently well represented in the models and datasets. The likelihood (near certainty!) of AI-generated content feeding back into AI training datasets and hence the potential consequences of runaway hallucinations, coupled with deliberate manipulation by those with private agendas, is quite scary - but equally the possibility of AI generating new knowledge (valid and usefu...

COVID information risk analysis - retrospective

Two and a half years ago in March 2020, as we were fast approaching our first lockdown, I published the following Probability Impact Graph (PIG) depicting my analysis of the information risks relating to COVID. The PIG reports the information risks I identified at the time, thinking about COVID from the general societal perspective as opposed to a personal or organisational perspective.

Information risks a-gurgling

There are clearly substantial information risks associated with the redaction of sensitive elements from disclosed reports and other formats, risks that the controls don't necessarily fully mitigate. Yes, controls are fallible and constrained, leaving residual risks. This is hardly Earth-shattering news to any competent professional or enlightened infidel, and yet others are frequently shocked. A new report* from a research team at the University of Illinois specifically concerns failures in the redaction processes and tools applied to PDF documents. The width of the variable-length black rectangle that covers or replaces redacted text is proportional to the rendered width of the original text and so may give clues as to its content, while historically a disappointing number of redaction attempts have failed to prevent the original information being recovered simply by removing the cover images or selecting then pasting the underlying text. Doh!
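Both failure modes can be shown on a PDF content stream without any PDF library. The following is an added example (not code from the blog or from the Illinois paper): it builds the two operators a page would contain (a `Tj` text object and a filled `re f` rectangle), shows that an overlay "redaction" leaves the text extractable, and then shows that even a proper removal leaks via the box width, given a candidate list. The glyph widths, the candidate names and the page coordinates are all constructed for illustration; real attacks read the widths from the embedded font's metrics.

```python
import re

# Constructed glyph advance widths in 1/1000 em, loosely modelled on a
# Helvetica-style sans face for illustration; not measured from a real font.
GLYPH_WIDTHS = {
    "A": 667, "B": 667, "C": 722, "D": 722, "E": 667, "J": 500, "W": 944,
    "a": 556, "b": 556, "c": 500, "d": 556, "e": 556, "h": 556, "i": 222,
    "k": 500, "l": 222, "m": 833, "n": 556, "o": 556, "r": 333, "s": 500,
    "t": 278, "v": 500, "w": 722, " ": 278,
}

# Constructed candidate list, e.g. the names that appear elsewhere in the report.
CANDIDATES = ["Alice Walker", "Bob Jones", "Carol White", "David Brown", "Eve Adams"]


def text_width(text, size=12):
    """Rendered advance width of `text` in PDF points at the given font size."""
    return sum(GLYPH_WIDTHS[ch] for ch in text) * size / 1000.0


def overlay_redaction(secret, x, y, size=12):
    """The classic failure: leave the text object in the content stream and
    paint a black rectangle over it. The viewer shows a box; the text is still there."""
    w = text_width(secret, size)
    return (f"BT /F1 {size} Tf {x} {y} Td ({secret}) Tj ET\n"
            f"0 g {x} {y - 3} {w:.2f} {size + 3} re f\n")


def removal_redaction(secret, x, y, size=12):
    """Proper redaction deletes the text object so only the box remains, but the
    box was sized to the original text, so its width still carries information."""
    w = text_width(secret, size)
    return f"0 g {x} {y - 3} {w:.2f} {size + 3} re f\n"


def extract_strings(content):
    """Naive extraction of literal strings shown with the Tj operator; roughly
    what select-all/copy/paste recovers from an overlaid page. Ignores escapes."""
    return re.findall(r"\(([^)]*)\)\s*Tj", content)


def filled_box_widths(content):
    """Widths of filled rectangles (`x y w h re f`) found in a content stream."""
    pattern = r"([\d.-]+) ([\d.-]+) ([\d.-]+) ([\d.-]+) re f"
    return [float(m.group(3)) for m in re.finditer(pattern, content)]


def candidates_for_width(width, candidates=CANDIDATES, size=12, tolerance=0.5):
    """Width fingerprinting: keep only candidates whose rendered width would fill
    the box. This narrows the field; names of identical width stay ambiguous."""
    return [c for c in candidates if abs(text_width(c, size) - width) <= tolerance]


def demo(secret="Carol White"):
    overlaid = overlay_redaction(secret, 72, 700)
    removed = removal_redaction(secret, 72, 700)
    box = filled_box_widths(removed)[0]
    return {
        "leaked_by_overlay": extract_strings(overlaid),   # ['Carol White']
        "leaked_by_removal": extract_strings(removed),    # []
        "box_width": box,                                 # 62.68
        "width_matches": candidates_for_width(box),       # ['Carol White']
    }


if __name__ == "__main__":
    print(demo())
```

The second leak is the one the Illinois work is about: deleting the text is necessary but not sufficient. A redaction tool that wants to defeat width fingerprinting has to change the box geometry (fixed-width boxes, re-flowed text) rather than simply blacking out exactly the glyphs that were there.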

Security awareness month

Since October is cybersecurity awareness month in the USA, we've seized the opportunity to update SecAware.com with additional information on our security awareness material. SecAware's information security awareness modules explore a deliberately wide variety of individual topics in some depth:

Weaving strategies with policies

I mentioned recently here on the blog that there can be strategic elements to policies, just as there are operational aspects to the supporting procedures and guidelines. With the new year fast approaching, I'd like to explore that further today. Warning: your blinkers are coming off. Prepare for the glare. Take for instance the corporate responses to COVID-19. Out of necessity, organisations in lockdown shifted rapidly from on-site office work and in-person meetings to home-working, using video conferencing, email and collaborative approaches. Although that may have been a purely reactive, un-pre-planned response to the global crisis that erupted (despite prior pandemics and warnings arising from increasing international travel), it was facilitated by longer-term planned, strategic changes and investments in a resilient workforce with flexible working practices and positive attitudes, strong relationships within and without the organisation, plus appropriate tools and technolog...

An important lesson from the Farcebook Fiasco 2021

I gather from friends and the news media that there was an unplanned outage earlier this week at Facebook. I'm told that Facebook is a fairly popular social media platform - some have said addictive. As you can no doubt tell, I don't see the attraction and I'm definitely not hooked. If it weren't for the brouhaha, I wouldn't have even noticed, let alone worried or written about it. I understand the outage was caused by a technical issue in the network - something to do with the BGP configuration. I'm not particularly interested in, and probably wouldn't even understand, the details. The selfsame issue locked Facebook's IT administrators out of their own systems, leaving them cut off and unable to address/reverse/fix the issue for several hours, causing mild panic and a little outrage among its users, customers and other stakeholders. The same issue took down related websites too. Doubtless the admins were stressed out, possibly frantic, while their mana...

Stepping on the cracks

Anyone seeking information security standards or guidance is spoilt for choice, e.g.:
ISO27k - produced by a large international committee of subject matter experts and national representatives
NIST SP 800 series - well researched, well written, actively maintained ... and FREE!
IT Grundschutz - a typically thorough Germanic approach, to the point of absurdity (4,800 pages! It's encyclopaedic!)
CSA - cloud security guidance is their home turf
COBIT - takes a deliberately different perspective on 'risk' and 'control'
Secure application development standards such as those from OWASP
IT standards and methods as a whole: relevant because IT or cyber security is clearly a big part of information security
HR, physical security, privacy and business continuity standards and methods as a whole: filling in the substantial gaps in IT or cyber security
Risk management standards, the best of which at least mention the im...

Y2k + 20: risk, COVID and "the Internet issue"

It feels like 'just the other day' to me but do you recall "Y2k" and all that? Some of you reading this weren't even born back then, so here's a brief, biased and somewhat cynical recap. For a long time prior to the year 2000, a significant number of software programmers had taken the same shortcut we all did back in "the 90s". Year values were often coded with just two decimal digits: 97, 98, 99 ... then 00, "coming ready or not!". "Oh Oh" you could say. "OOps". When year counters went around the clock and reset to zero, simplistic arithmetic operations (such as calculating when something last happened, or should next occur) would fail causing ... well, potentially causing issues, in some cases far more significant than others. Failing coke can dispensers and the appropriately-named Hornby Dublo train sets we could have coped with but, trust me, you wouldn't want your heart pacemaker, new-fangled fly-by-wire plan...
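The arithmetic failure described above, and the "windowing" fix that many remediation teams applied when the date fields could not be widened, as an added example that is not from the original post. The pivot year (70) and the maintenance-interval scenario are constructed for illustration.

```python
# Two-digit year arithmetic: the Y2K failure mode and the windowing fix.
# Constructed pivot: two-digit years >= 70 are taken as 19xx, below as 20xx.
PIVOT = 70


def years_since_two_digit(last_yy, now_yy):
    """The pre-Y2K shortcut: subtract two-digit years directly.
    Fine until the counter wraps: 99 -> 00 yields a negative interval."""
    return now_yy - last_yy


def expand_year(yy, pivot=PIVOT):
    """Windowing: map a two-digit year onto a 100-year window around a pivot."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 1900 + yy if yy >= pivot else 2000 + yy


def years_since_windowed(last_yy, now_yy, pivot=PIVOT):
    """Same calculation on windowed four-digit years; survives the wrap."""
    return expand_year(now_yy, pivot) - expand_year(last_yy, pivot)


def service_overdue(last_service_yy, now_yy, interval_years, windowed=False):
    """'Should next occur' check, e.g. a device due for service every N years.
    With the shortcut the check silently fails after the wrap because the
    elapsed time comes out negative; with windowing it fires as it should."""
    elapsed = (years_since_windowed if windowed else years_since_two_digit)(
        last_service_yy, now_yy)
    return elapsed >= interval_years


if __name__ == "__main__":
    print(years_since_two_digit(99, 0), years_since_windowed(99, 0))
    print(service_overdue(97, 0, 2), service_overdue(97, 0, 2, windowed=True))
```

Windowing only postpones the problem: with a pivot of 70 the same code breaks again in 2070, which is why it was treated as a stop-gap where widening the field to four digits was not feasible.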

Of APTs and RPTs

Do you recall when APTs were A Thing? Advanced Persistent Threats were exemplified by Stuxnet, a species of malware that was stealthy enough to penetrate the defences of an Iranian uranium enrichment plant ten years ago, persistent enough to undermine numerous layers of control, and sophisticated enough to over-speed and wreck the centrifuges without alerting the plant operators until the damage was done. We seldom hear of weapons-grade APTs these days, suggesting they are no longer newsworthy or effective. Maybe they have gone the way of the trebuchet or musket ... but I believe it's much more likely that APTs have become even more sophisticated, stealthier and more damaging now than ever before, especially given the ascendance of IoT, IIoT and 'cyber-physical systems'. Now, Things are A Thing. Meanwhile, we are constantly assaulted by ordinary, conventional, old-school malware - Retarded Persistent Threats as it were. In contrast to APTs, RPTs ...

March 17 - COVID-19 BCM

From my narrow perspective as a practitioner, manager and consultant in the field, some 20-30 years ago Business Continuity Planning revolved around IT Disaster Recovery, which generally involved (at the time) either powering up an alternative data centre or hiring a few servers on the back of a truck and plugging them in to restore services taken out when the data centre was flooded/burnt. It was almost entirely IT focused, expensive, and could cope with very few disaster scenarios (there still had to be somewhere for the truck to park up and plug in, while the backups to be restored had to have survived miraculously, plus of course the rest of the organization - including the alternative data centre plus the people and associated essential services). From that primitive origin, BCP started to get better organised, with scenario planning and tabletop exercises, and actual 'management' instead of just 'planning' - leading to Business Continuity Management. ...

Travelex vs Sony shootout

The Travelex ransomware case study is coming along nicely. Over the dull grey NZ weekend, I prepared a timeline of the ongoing incident to compare and contrast against the Sony Pictures Entertainment ransomware incident at the end of 2014.  Already, Travelex is well ahead on points, restoring UK customer services within 3 weeks of the attack with more on the way. The incident timeline is substantially compressed relative to Sony's: they are getting through whatever needs to be done more quickly. Travelex has done well to keep its retail customers updated throughout, from the initial rapid disclosure on Twitter through to brief informational pages on the web, an FAQ , plus a statement and talking-head videoblog by its CEO on Friday just gone. Full marks from me! As far as I'm concerned, Travelex has managed the disclosures and public comms well, releasing professionally-crafted, informative briefings about the evolving situation, reassuring customers and not trying to cover th...

A live case study

As we slave away on next month's security awareness module on malware, the Travelex ransomware incident rumbles on - a gift of a case study for us, our customers and for other security awareness pros out there. A quick glance at Travelex dotcom tells us that (as of this blogging) the incident is ongoing, unresolved, still a public embarrassment to Travelex that is presumably harming their business and their brand ... although having said that I've already mentioned their name three times in this piece. If you believe 'there's no such thing as bad publicity', then headline stories about the incident are all good, right? Hmmm, leave that thought with me. Meanwhile, for the remainder of this piece, I'll call them "Tx" for short. Technically speaking, the Tx dotcom website is up and running, serving a simple information page 'apologising for any inconvenience' [such as retail customers being unable to use the site to access Tx financial serv...