Posts

Forensic examination of secondhand disks

Used hard disks bought on an online auction site were found to contain personal and proprietary data. Some of the drives that had supposedly been erased yielded their secrets to forensic examination techniques. Others still had the original undeleted data and could have been read easily by any purchaser. The Irish newspaper article notes that homeworkers were probably the source of at least some of the security lapses, having used their own PCs for work projects, "forgotten" about the sensitive work data they contained, and sold the disks or whole systems privately. This kind of breach would fall outside the remit of most organizations I have worked for, except those few who insist that staff only use company systems for work activities, typically providing laptops for the purpose. That said, whether the laptop hard disks were properly erased at the end of their life, or the extent to which employees complied with the company policies on not working on personal IT equip...

New awareness module on digital forensics

Dear friends of NoticeBored, Digital forensics - the capture and analysis of digital evidence for use in court - is an increasingly important topic not just for law enforcement but for ordinary organizations and even individuals. The forensic investigation of computers, cellphones, PDAs, USB memory sticks etc. is a tedious, painstaking process involving the systematic collection, storage, examination, analysis and interpretation of the data they contain. Digital forensics is a completely new topic for NoticeBored, our 35th information security focus area so far. While we do not know of any competing security awareness products that cover forensics, it’s a fascinating topic for those who enjoy whodunnit thrillers or watch CSI Miami. Awareness of the procedures and issues involved in digital or computer forensics might just interest technical employees enough to take up the challenge and complete the training, and should give management the basic knowledge to be able to select and/or ...

Writing workable infosec policies

Writing in Computerworld, author Jennifer Bayuk offered some innovative suggestions on how best to write information security policies that are effective and workable in practice. I particularly like the way she emphasized taking time to canvas management on their perspectives on the value and hence need to protect their information assets, drawing out management's control objectives as a prelude to drafting the actual policy statements. She talked about an implicit risk assessment approach, I guess: I have successfully used risk workshops and so forth to achieve essentially the same ends, namely explicit management understanding and support for information security. It works. Jennifer mentioned the use of standards such as ISO27k, COBIT and the ISF Standard of Good Practice, all of which I would agree form a sound basis for developing reasonably comprehensive policy sets - in fact, it could be argued that organizations should perhaps use a synthesis of all three, plus relevan...

Appeals Court Protects White House Office E-mails

From today's GigaLaw news: "A federal appeals court ruled that the office that has records about millions of possibly missing e-mails from the Bush White House does not have to make them public. The appeals court in Washington ruled that the White House Office of Administration is not subject to the Freedom of Information Act. Read more: http://gigalaw.blogspot.com/2009/05/appeals-court-protects-white-house.html (Source: WPVI-TV)" What is it with US public administration and cover-ups? Is the White House above the law? Does anybody (besides me, and I'm 10,000km away) care? I shall remember this story the next time I hear an American lecturing about fraud and corruption in foreign parts ...

Pop Mechanics does infrastructure security

Popular Mechanics gives the US national infrastructure a once-over from the perspective of its resilience to cyberwarfare, asking "How Vulnerable is U.S. Infrastructure to a Major Cyber Attack? Could hackers take down key parts of our infrastructure? Experts say yes. They could use the very computer systems that keep America's infrastructure running to bring down key utilities and industries, from railroads to natural gas pipelines. How worried should we be about hacking, the new weapon of mass disruption?" It starts with a pop culture doomsday scenario to grab the readers' attention: "The next world war might not start with a bang, but with a blackout. An enemy could send a few lines of code to control computers at key power plants, causing equipment to overheat and melt down, plunging sectors of the U.S. and Canadian grid into darkness. Trains could roll to a stop on their tracks, while airport landing lights wink out and the few traffic lights that remain act...

Revised NIST security awareness/training standard

I've been reading and thinking today about a revised NIST Special Publication SP800-16, currently released for public comment. If you are genuinely interested in making security awareness more effective, I recommend setting aside an hour or three to read and consider the draft document. To whet your appetite, here are just a few short paragraphs from one section of the draft, with my own thoughts and comments cited below. Under section 2.2.1 of SP800-16, NIST says: "Awareness is not training (1). Security awareness is a blended solution of activities (2) that promote security, establish accountability, and inform the workforce of security news (3). Awareness seeks to focus an individual’s attention on an issue or a set of issues (4). The purpose of awareness presentations is simply to focus attention on security (4). Awareness presentations are intended to allow individuals to recognize information security concerns and respond accordingly. (2) In awareness activities the lea...

How to fix SCADA security [not]

In "A cautionary tale about nuclear change management" ComputerWorld blogger Scott McPerson discusses a few security incidents that have been linked to SCADA systems, picking out two causes: poor change management and problems with the IT architectures. If only things were so simple in Real Life. According to Scott, the change management problem can be solved by adequate pre-release testing of patches. Mmm. OK, well let's assume a SCADA-using organization has the resources to invest in an IT test jig comprehensive enough to model the live SCADA/ICS systems, complete with real-time data feed simulators and control panels, or at least a sufficient part of the complete live system to allow representative and realistic testing. Presumably they could test the patches and software upgrades thoroughly enough to reduce the possibility of unintended consequences, but how far can or indeed should they go? Anyone who has actually tried to do exhaustive software testing, even...