What's new around the internet


Src | Date (GMT) | Title | Description | Tags | Stories | Notes
NoticeBored | 2020-01-23 09:00:00 | NBlog Jan 23 - awareness quiz on malware (direct link)

Trawling through our back catalogue for content worth recycling into next month's awareness module, I came across a quiz we set in 2017. The challenge we set the group was this:

Aside from malware (malicious software), what other kinds of “wares” are there?

The idea was to prompt the group to come up with a few obvious ones (such as software), then start digging deeper for more obscure ones. Eventually they would inevitably start to improvise, making up 'ware' terms but, if not, here are our tongue-in-cheek suggested answers, provided for the quiz master in case the group needed prompting towards more creative, lateral thinking:

Abandonware – software long since given up on by its author/support krew and left to rot
Adware – software that pops up unwelcome advertisements at the least appropriate and most annoying possible moment
Anyware - web-based apps that can be used while in the office, on the road, in the bath, wherever ... provided the Internet is accessible
Beggarware – smelly, homeless software that periodically rattles its virtual cup, begging loose change "for a cup of tea"
Bloatware – software that has grown fatter than a week-old beached whale with 'features'
Botware - software to stop the bots becoming bored and naughty
Brochureware – over-hyped marketing, promotional or advertising copy ab

Tags: Spam, Malware
NoticeBored | 2020-01-22 09:00:00 | NBlog Jan 22 - further lessons from Travelex (direct link)

At the bottom of a Travelex update on their incident, I spotted this yesterday:

Customer Precautions
Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us.

Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.

At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. I'm waffling on about corporate identity theft, flowing on from the original incident.

I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypot

Tags: Ransomware, Malware, Patching, Guideline, APT 15
NoticeBored | 2020-01-21 08:49:54 | NBlog Jan 21 - exceptions vs exemptions (direct link)

In the context of information risk and security management, I define and use the terms "exemption" and "exception" quite deliberately.

“Exceptions” are unauthorized non-conformance or non-compliance situations. For example if the organization has a policy to use multi-factor authentication for all privileged system accounts, a privileged account that only has single-factor auth for some reason (maybe an oversight or a practical issue) would constitute an exception, something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management. Depending on the circumstances and the nature of the information risks, identified exceptions may be classed as issues or events, perhaps even incidents worth reporting and managing as such.

“Exemptions” are where management has formally considered and risk-assessed non-conformance or non-compliance situations and explicitly authorized or agreed that they should continue – perhaps with compensating controls, for a defined limited period, and with clear accountability for the associated risks. So, for instance, the information risks associated with only having single-factor auth on a test system may be acceptable to management if the control costs are deemed excessive in that situation … but the exemption might be only for the duration of the testing, and on the condition that the test system only has access to test data not live/production data, with the Test Manager accepting personal accountability for the associated information risks. Exemptions do not constitute issues, events or incidents unless:

The situation at hand varies substantially from that authorized e.g. if the compensating controls are not actually in operation, or if the authorized exemption period has expired (yes, even exemptions have to be complied with ... perhaps implying the need for compliance checks and other control measures if the information risks are significant);
The information risks are materially different from those accepted e.g. if
NoticeBored | 2020-01-20 09:00:00 | NBlog Jan 20 - Travelex vs Sony shootout (direct link)

The Travelex ransomware case study is coming along nicely. Over the dull grey NZ weekend, I prepared a timeline of the ongoing incident to compare and contrast against the Sony Pictures Entertainment ransomware incident at the end of 2014. Already, Travelex is well ahead on points, restoring UK customer services within 3 weeks of the attack with more on the way. The incident timeline is substantially compressed relative to Sony's: they are getting through whatever needs to be done more quickly.

Travelex has done well to keep its retail customers updated throughout, from the initial rapid disclosure on Twitter through to brief informational pages on the web, an FAQ, plus a statement and talking-head videoblog by its CEO on Friday just gone. Full marks from me!

As far as I'm concerned, Travelex has managed the disclosures and public comms well, releasing professionally-crafted, informative briefings about the evolving situation, reassuring customers and not trying to cover things up or hide away. The CEO fronting-up is notable, confirming beyond doubt that senior management is on top of things, facing up rather than shying away. As with the city's most senior policeman fielding a press briefing very shortly after the London bombings of July 2005, impeccably dressed, confident and impressive, the reassurance is very valuable, damping down rather than fanning the flames.

Although admittedly I have not hunted for them specifically, I haven't yet come across any informal/unauthorized disclosures by Travelex workers, such as those mobile phone photos of the scary skeleton threats plastered over Sony's screens. Despite what must surely be a tense atmosphere in the offices, the Travelex workforce is evidently pressing on with the job, all hands to the pumps. Good on them too!

In parallel, Travelex management must have been busy liaising with and reassuring its commercial customers/partners, industry regulators and the global news media too, while the fairly rapid restoration of services hints at a huge amount of work under way down in the IT engine room (presumably a disaster recovery approach, rebuilding servers from backups?).

Tags: Ransomware
NoticeBored | 2020-01-19 13:14:12 | NBlog Jan 14 - a live case study (direct link)

As we slave away on next month's security awareness module on malware, the Travelex ransomware incident rumbles on - a gift of a case study for us, our customers and for other security awareness pros out there.

A quick glance at Travelex dotcom tells us that (as of this blogging) the incident is ongoing, unresolved, still a public embarrassment to Travelex that is presumably harming their business and their brand ... although having said that I've already mentioned their name three times in this piece. If you believe 'there's no such thing as bad publicity', then headline stories about the incident are all good, right?

Hmmm, leave that thought with me. Meanwhile, for the remainder of this piece, I'll call them "Tx" for short.

Technically speaking, the Tx dotcom website is up and running, serving a simple information page 'apologising for any inconvenience' [such as retail customers being unable to use the site to access Tx financial services in the normal fashion] and blaming 'a software virus':

It refers to another Tx website which appears to be a legitimate Tx customer authentication page ... but, if it were me, given the incident I would be very dubious about submitting my credentials without first ascertaining that the site is legitimate, not simply part of the scam.

Anyway, the point is that they are at least

Tags: Ransomware, Malware
NoticeBored | 2020-01-19 09:00:00 | NBlog Jan 19 - exercising in private (direct link)

Continuing this mini-series of bloggings inspired by business continuity exercises, today I'm talking about other sources of creative inspiration for security awareness purposes - specifically, information from within and around the organization concerning incidents, near-misses, information risks and other issues that are known internally but haven't (yet!) been picked up by the news media. There's a wealth of information there, behind closed doors.

Most organizations care enough about various kinds of risks to manage them explicitly. All organizations seeking certification against ISO/IEC 27001 are required to manage information risks (by which I mean "risks pertaining to information"), a process that starts by identifying the risks to be managed.

How do they do that?

One approach involves considering the organization's risks in general: what threatens achievement of corporate/business objectives? And which of those risks has an information element? Large, mature organizations typically have some sort of 'corporate risk register', perhaps even a dedicated team or department of risk experts primarily responsible for risk management, especially (if not exclusively) for the "significant", "substantial", "strategic" or "bet-the-farm" risks. Other organizations have more diffuse arrangements for managing risks, perhaps just an implicit, integral or informal part of 'governing', 'managing' or 'doing business'. Either way, the risks typically identified at that high level may not be labelled or even considered to be "information risks" but many are, or have an information aspect. Fluctuating exchange and interest rates, for instance, can have significant implications for corporate financial management, and so need to be managed carefully: the rates, plus the factors influencing them, plus the details around how the rates affect corporate finances, plus the financial management systems and processes themselves, all revolve around information ... hence there are information risks. Pick any other significant corporate risk and you can almost certainly find significant information risks.

Another approach explores business processes, systems etc. For business continuity purposes, a classical Business Impa
NoticeBored | 2020-01-18 09:00:04 | NBlog Jan 18 - business discontinuity (direct link)

As if following a cunning plan (by sheer coincidence, in fact) and leading directly on from my last two bloggings about business continuity exercises, Belgian manufacturing company Picanol suffered a ransomware infection this week, disabling its IT and halting production of high-tech weaving machines at its facilities in Ypres, Romania and China.

Fortunately, Picanol's corporate website is still up and running thanks to Webhosting.be, hence management was able to publish this matter-of-fact press release about the incident:

Unsurprisingly, just a few short days after it struck, technical details about the "massive ransomware attack" are sparse at this point. The commercial effects, though, are deemed serious enough for trading in its shares to have been suspended on the Brussels bourse. There's already plenty of information here for a case study in February's awareness module. Through a brief scenario and a few rhetorical questions, we'll prompt workers to consider the implications both for Picanol and for their own organizations. If a similar malware incident occurred here, knocking out IT and production for at lea

Tags: Ransomware, Malware, Studies, Guideline
NoticeBored | 2020-01-17 12:57:01 | NBlog Jan 17 - live-fire continuity exercises (direct link)

Yesterday I blogged about the advantages and disadvantages of business continuity exercises. Today's topic concerns the alternative approaches, in particular the idea of 'live-fire' exercises in the business continuity context.

Vast tracts of prime agricultural land are set aside as military training grounds, allowing the armed forces to practice their maneuvers and, sometimes, fire actual bullets, mortars, missiles and bombs. Real ones, not dummies. There are, of course, certain health and safety risks associated with weapons (!), so why take the risks? What are the benefits of not using blanks and simulations?

Two obvious reasons are:

To test, prove and improve the weapons, for example confirming the accuracy, range and effectiveness of a field gun firing live rounds towards a tank, building or bunker, with gusting cross winds, challenging terrain, engineering and operational variables.
To practice, test, prove and improve the soldiers' capabilities, including dealing with the very real safety concerns when their weapons are locked and loaded.

These are still exercises, though, somewhat removed from genuine action on the battle grounds of, say, the Middle East ... and it could be argued that even those are merely limited-scope live-fire exercises in preparation for all-out global warfare.

So do we have the equivalent of live-fire exercises in the business continuity context? Yes, there are at least two types:

Actual incidents that occur routinely within the organization, ranging from frequent minor events up to the occasional more serious incidents, if somewhat removed from genuine disasters thanks, in part, to the incident management and disaster mitigation activities. Hopefully all that preparation and exercising pays off!
It's straightforward for a responsible manager to "declare an emergency", initiating the disaster management activities even though that may not be strictly justified by the exact circumstances. From that point, turning the incident into an exercise may simply be a matter of going through the motions, perhaps simulating various facets that haven't been tested a
NoticeBored | 2020-01-16 13:45:01 | NBlog Jan 16 - pros and cons of continuity exercises (direct link)

Usually, business continuity-related exercises are very carefully planned in advance. Those directly involved are generally well aware of the impending events, often having a good idea if not explicit information about the timescale as well as the situation to be simulated. The more involved the exercise, and the longer the planning, the greater the leakage of information about it. The rumour mill grinds it out.

There are several good reasons for all that exercise pre-planning:

Preparing for exercises is also [at least partly] preparing for genuine incidents - a convenient [partial] alignment of objectives
Planning improves the chances of 'success' - an important factor for those personally charged with overseeing, managing and conducting the exercises
People and organizations confronted with an exercise scenario are less likely to panic, thinking and reacting as if it is a genuine incident, if they know about it in advance

On the other hand, the pre-planning has its drawbacks too:

People and organizations naturally focus on and prepare for the specific scenario/s planned, perhaps diverting resources from other aspects of preparedness that might be even more important/urgent
A pre-planned and anticipated exercise removes a substantial element of uncertainty that occurs in real incidents, begging questions such as "Is this an incident?", "What's going on?", "How serious is this?" and "Am I the only person who knows about this?"
"Success" in an exercise is not quite the same as "success" in a genuine incident - generally speaking, the stakes and hence the stresses are much higher, pushing systems, processes, individuals, organizations and communities to and in some cases beyond their breaking points, something that most exercises studiously avoid. It is conceivable for organizations to become highly accomplished at exercises, yet hopeless in actual incidents.
There may be adverse effects on operations if exercises go wrong, despite all the efforts to minimise the risks, whereas there certainly will be adverse effects in the case of actual incidents, especially those severe enough to warrant all this preparation, planning, exercising and so on. One consequence of this is that exercises tend to last a few hours or days at most, maybe a further few weeks for the wash-up meetings, reporting and note-taking for the next run. Genuine incidents typically last for weeks or months
NoticeBored | 2020-01-06 19:24:42 | NBlog Jan 6 - post-malware-incident notification & other stuff (direct link)

A couple of days ago here on NBlog I wrote: "One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents." That's not all.

Anticipating that, despite all we do to prevent them, malware infections are still likely to occur implies the need for several post-event controls. These are the kinds of controls I have in mind:

Reliable, efficient, effective, top-quality incident response and management processes - in particular, speed is almost always of the essence in malware incidents, and the responses need to be well-practiced - not just the run-of-the-mill routine infections but the more extreme/serious "outbreaks";
Decisive action is required, with strong leadership, clear roles and responsibilities, and of course strong awareness and training both for the response team and for the wider organization;
Clarity around priorities for action e.g. halt the spread, assess the damage, find the source/cause, recover;
Technological controls, of course, such as network segmentation (part of network architectural design), traffic filtering and (reliable!) isolation of segments pending their being given the all-clear;
Clarity around priorities for reporting including rapid escalation and ongoing progress updates, in parallel with the other activities;
Forensics, where appropriate, feasible and helpful (e.g. which preventive controls failed, why, and what if anything can be done to strengthen them);

Tags: Ransomware, Malware, Guideline
NoticeBored | 2020-01-06 10:25:54 | NBlog Jan 5 - plus ça change, plus c'est la même chose (direct link)

Malware has clearly been an issue for a long time. It was prevalent enough to be the topic of our second NoticeBored security awareness module way back in July 2003. I've just dug the old NB newsletter out of the archive to see what's changed.

In 2003, I wrote about viruses (macro, boot sector and parasitic types), Trojans, worms and logic bombs. Although other forms of malware were around back then, we elected to stick with the basics for awareness purposes. Getting on for 18 years later, we're taking a broader perspective. Today's workers need to know about spyware, BEC & VEC (Business/Vendor Email Compromise), phishing, infectious mobile apps and more. Actual computer viruses are practically unheard of now, although the term remains.

We're still concerned about preventive, detective and corrective controls, and malware risks that include data corruption - only now it's mostly deliberate in the form of ransomware rather than cybertage or bugs in the malware code.

The 2020 and 2003 newsletters have a very similar style with minor differences that only catch my eye because I wrote them, and I've been responsible for using and updating the format throughout. We've changed from Arial to Calibri font. Shouty "EMAIL" became calmer "email" at some point. The Hinson Tips on awareness migrated from the newsletter to the train-the-trainer guide, and the NoticeBored banner logo was smartened up. We have reverted from 'American English' to English spelling. The two-column newsletter format remains, though, despite the layout problems that has caused me over the years, particularly when I wanted to include full-page-width diagrams. I've learnt to overcome most of the limitations of MS Word but not always without grief!

We have more actual news now, too, finding short but relevant news items on the web to push the point home that the information risks are not merely theoretical: actual incidents are occurring all the time. Finding quotable news clips is becoming harder, however, due to the spread of paywalls: it's simply not economic for us to subscribe to all the commercial sources we'd need to maintain a broad-based newsletter, so we're increasingly using soundbytes from blogs and

Tags: Ransomware, Malware
NoticeBored | 2020-01-04 09:16:03 | NBlog Jan 4 - malware awareness update 2020 (direct link)

Our security awareness topic for February will be malware, malicious software - viruses, Trojans, worms, cryptominers, APTs, ransomware, spyware and Tupperware. Well OK, maybe not all of them: viruses are vanishingly rare these days.

An increasingly important part of the malware problem is the wetware: we humans evidently find it hard to sense and react appropriately to the dangers presented by infected messages, web pages and apps. Addressing that is a key objective of the awareness module, and quite a challenge it is given that the bad guys are forever coming up with new ways to conceal their intentions or trick us into doing something inappropriate. Digging a little deeper, I feel we also need to explain why we can't rely on antivirus software etc. to save the day because the baddies are also finding novel ways to evade the technological controls, despite the best efforts of the good guys in IT.

One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents. Another less-obvious lesson from incidents such as cryptominers, spyware, Vendor Email Compromises and Advanced Persistent Threats is that detecting infections in progress is harder than it appears ... and, again, it makes sense not to over-depend on detection. Taking that to its logical conclusion, what could/should we do if we presume the organization is currently infected by some sneaky malware? I'm talking about the malware element of counter-espionage, for example deliberately seeding false information, or creating situations designed to reveal 'moles in the camp'.

There we are then: malware issues to discuss with general employees, tech/specialists and management, respectively. Now all I need to do is prepare the content for those three streams and Bob's yer uncle!

Tags: Ransomware, Malware
NoticeBored | 2020-01-03 14:24:22 | NBlog Dec 15 - the business case for ISO27k (direct link)

As part of January's awareness module, I'm compiling a generic business case laying out the costs and benefits of implementing the ISO27k standards and seeking an ISO/IEC 27001 certificate.

Well, that was the cunning plan anyway. So far, I have a long list of benefits and a small handful of costs - just the obvious ones to do with managing an implementation project, reviewing information risks, improving governance arrangements, writing and updating the documentation such as policies, and contracting with an accredited certification body. There may be additional costs to implement information security controls ... but not necessarily: it all depends on the information risks and decisions arising. Patently I'm a big fan of ISO27k but I honestly didn't expect the business case to be so overwhelmingly positive. It's quite a surprise.

If management is willing to accept the organization's current information risk status, there's no need to splash out on additional security, at least not yet, not purely for certification anyway. The situation may change, later, once the ISMS is running sweetly and shortcomings with the risk treatments come to light, perhaps through incidents or a growing appreciation of the evolving information risks ... but that's a way down the track, post-certification. Possible future costs are not part of the business case, nor are possible future benefits.

It's not entirely plain sailing though, as the implementation process involves systematically reviewing the infosec controls catalogued in ISO/IEC 27001 Annex A to be sure that nothing important has been neglected. An organization that is lacking in near-universal controls such as identification and authentication, access controls, backups, antivirus and firewalls would be hard-pressed to justify to the certification auditors that they are inapplicable. It can be done, but it's not easy.
NoticeBored | 2020-01-03 13:55:50 | NBlog Jan 3 - ISO27k business case published (direct link)

I've just published the ISO27k business paper I wrote for the latest security awareness module. It elaborates on the typical business benefits and drawbacks of the ISO/IEC 27000 “ISO27k” information security management standards. It is the fourth revision, a complete re-write in fact of a generic business case paper I started roughly two decades ago. Since then, I've gained experience working with clients, chatting with participants in the ISO27k Forum, plus colleagues on the ISO/IEC committee writing and maintaining the ISO27k standards.

The new version deliberately takes a very broad perspective: ISO27k is not just about securing IT systems, networks and data ('cybersecurity') nor even 'information security'. It's really a governance structure for managing an organization's information risks systematically, in support of its business objectives. It's as much about exploiting as protecting information. ISO27k is a business-enabler.

Use it to construct your business case, budget request or project proposal to adopt ISO27k or, if you already have an Information Security Management System in operation, find ways to squeeze even more business value from it. Download the paper here.

Comments welcome.
NoticeBored | 2019-12-31 10:36:58 | NBlog January - ISO27k awareness & training materials (direct link)

January's security awareness and training materials concern a topic I've been itching to cover for years, literally (the years part, not the itching ... thanks to the magic ointment).

I've been a user and fan of the ISO/IEC 27000 series standards since forever, before they were even conceived, even before BS 7799 was published.

From the original corporate security policy and 'code of practice' on information security (essentially a catalogue of information security controls), ISO27k has grown into a family of related standards, along the way assimilating a couple of other standards and, lately, expanding into privacy, eDiscovery, IoT, smart cities, big data and more.

Making sense of the bewildering scope of today's ISO27k was a particular challenge for this awareness module ...

... and of course ISO27k is not the only source of guidance out there ...

The module came together and turned out nicely ...
NoticeBored | 2019-12-31 10:25:33 | NBlog Dec 23 - how many ISO MSSs are there? (direct link)

Did you know there are fourteen ISO Management Systems Standards*?

ISO 9001 Quality management system
ISO 13485 Medical devices quality management system
ISO 14001 Environmental management system
ISO 18788 Private security ops management system
ISO/IEC 20000-1 IT service management system
ISO 22000 Food safety management system
ISO 22301 Business continuity management system
ISO/IEC 27001 Information security management system
ISO 28000 Supply chain security management system
ISO 37001 Anti-bribery management system
ISO 39001
NoticeBored | 2019-12-27 18:30:47 | NBlog Dec 27 - Pakistan supports ISO27k (direct link)

Through the Pakistan Software Export Board of the Ministry of IT & Telecom, the Pakistan government is subsidising 80% of the cost of consultants and auditors to advise and certify Pakistani IT companies against ISO 20000 (ITIL) and ISO/IEC 27001 (information security). With over 5,000 companies in Pakistan offering Business Process Outsourcing and IT services, this represents a substantial investment, reflecting the government's intention to raise standards in the industry. Good on them! If only other governments would follow their lead.

Tags: Guideline
NoticeBored | 2019-12-22 13:14:31 | NBlog Dec 22 - zero-based risk assessment (direct link)

In a thread on the ISO27k Forum, Ed Hodgson said:

"There are many security controls we have already implemented that already manage risk to an acceptable level e.g. my building has a roof which helps ensure my papers don't get wet, soggy and illegible. But I don't tend to include the risk of papers getting damaged by rain in my risk assessment".

Should we consider or ignore our existing information security controls when assessing information risks for an ISO27k ISMS? That question took me back to the origins of ISO27k, pre-BS7799 even. As I recall, Donn Parker originally suggested a standard laying out typical or commonplace controls providing a security baseline, a generally-applicable foundation or bedrock of basic or fundamental controls. The idea was to bypass the trivial justification for baseline controls: simply get on with implementing them, saving thinking-time and brain-power to consider the need for additional controls where the baseline controls are insufficient to mitigate the risks. [I'm hazy on the details now: that was ~30 years ago after all.]

I have previously used and still have a soft-spot for the baseline concept … and yet it's no easier to define a generic baseline today than it was way back then. In deciding how to go about information risk analysis, should we:

Go right back to basics and assume there are no controls at

Tags: APT 17
NoticeBored | 2019-12-20 12:49:52 | NBlog Dec 20 - ISO27k maturity metric (direct link)

Yesterday I completed the "universal KPI" metrics paper for January's ISO27k awareness module. The finished article uses the management system requirements from the main body of ISO/IEC 27001, followed by the security controls in Annex A or ISO/IEC 27002 (mostly), as the basis for measuring an organization's ISMS. Here's a little taster (click to enlarge):

I have added a few supplementary controls and scoring criteria in areas where I feel '27002 falls short of current good practice e.g. policy management, business continuity and compliance. At some future point, I will add IoT, cloud security and perhaps other controls for the same reason. One of the advantages of this style of metric is that it's straightforward to maintain, such as updating or adding new scoring criteria, ideally in such a way that prior scores remain valid.

As it is, it's already a lengthy, detailed paper - a 37-page Word document with two tables in landscape format containing ~13,000 words plus a page of instructions. I'm itching to try this out in earnest, so if you know of anyone looking for an ISMS internal audit, ISO27k gap analysis, benchmark or review, or simply looking for a pragmatic infosec maturity metric, please get in touch.

PS This metric scores well on the PRAGMATIC metametric scale, naturally, since it is predictive, relevant, actionable, cost-effective, independently verifiable etc.

PPS The metric has value for:

Reviewing and evaluating an organization's information risk and security management practices
Reviewing and evalua
NoticeBored.webp 2019-12-18 11:35:06 NBlog Dec 18 - c. 32,000 ISO/IEC 27001 certificates (direct link) The latest ISO Survey gives the certification figures for 2018 on ISO's management systems standards. Yes, evidently it takes that long to compile and publish the data. No, I don't know why it is so slow, except that it involves gathering information from busy certification bodies dotted around the globe. By donkey, maybe. Anyway, here are some of the stats: So, by now there are probably more than 32,000 ISO/IEC 27001:2013 certified organizations globally, each cert covering two physical sites on average. A further unknown number are currently in the process of being certified, or have chosen to adopt the standards without being certified compliant. Compared to ISO9k (quality management) and ISO14k (environmental management), ISO27k (information risk & security management) is way behind, meaning a lot of growth potential - more than 27 times the current uptake to match ISO9k. Yes, I'm an optimist. ISO's other management system standards are: ISO22k (food safety), ISO45k (health & safety), ISO13k485 (medical devices), ISO50k (energy)
NoticeBored.webp 2019-12-13 13:57:03 NBlog Dec 10 - a brutal lesson in risk management (direct link) Yesterday's volcanic eruption on White Island is headline news around the globe, a tragedy that sadly resulted in several deaths, currently estimated at 13. Also, yesterday in NZ there were roughly 90 other deaths (as there are every day), roughly two thirds of which were caused by cardiovascular diseases or cancer: So, yesterday, the proportion of deaths in NZ caused by "Natural disasters" spiked from 0% to 13%. Today, it is likely to fall back to 0%. "Natural disasters" will have caused roughly 0.04% of the ~33,500 deaths in NZ during 2019 ... but judging by the news media coverage today, you'd have thought NZ was a disaster zone, a lethal place - which indeed it is for ~33,500 of us every year. Very, very few, though, expire under a hail of molten rock and cloud of noxious fumes, viewable in glorious Technicolor on social media. Those 13 tourists who perished yesterday chose to see NZ's most active volcano up close, real close. You may be thinking "Ah but if they'd known it would erupt, they wouldn't have gone" ... but they did know it was a possibility: for at least some of the 13, that was the very reason they went. It's euphemistically called "adventure tourism". The possibility of death or serious injury is, perversely, part of the attraction, the thrill of it. Recent warnings from geologists about the increased threat of eruption on White Island would, I'm sure, have been carefully considered by the tourist companies involved, plus I guess they may have noticed changes in the amount of steam and sulfur lingering in the air. Tourists are explicitly warned about the dangers and instructed on the safety aspects. I gather one of the dead was a local, an employee of the tourist company. Aside perhaps from the geologists, it's hard to think of anyone more aware of the risk. Having weighed up the risks and rewards, the 13 enjoyed an amazing spectacle, doing the equivalent of 'clicking the go-away button' to dismiss computer security warnings despite facing, in their case, the ultimate impact. While I suspect their final moments would have been literally petrifying, hopefully the extra-special buzz leading up to it made it worthwhile. At that point, h [Tags: Threat Guideline]
NoticeBored.webp 2019-12-13 08:00:01 NBlog Dec 13 - what is an "information asset"? (direct link) ISO/IEC JTC 1/SC 27 tied itself in knots for years trying to answer that disarmingly simple and straightforward question, failing to reach consensus and eventually admitting defeat. Back in 2014, ISO/IEC 27000 defined "Asset" very broadly as "anything that has value to the organization ... including: information; software, such as a computer program; physical, such as computer; services; people, and their qualifications, skills and experience; and intangibles, such as reputation and image." To narrow it down a bit in the context of ISO27k, "Information asset" had also been explicitly defined in ISO/IEC 27000:2009 as "Knowledge or data that has value to the organization". That definition still works quite well for me. "Information asset" refers to the intangible content - the meaning of information - rather than the vessels, media, equipment, facilities and human beings that house, process, communicate and use it. The content is both valuable and vulnerable and hence needs to be protected or secured. That's what ISO27k does. I appreciate that the tangible vessels, media, equipment, facilities and people are also assets that also require adequate protection, security and safety, but that's largely the domain of conventional physical risk and security measures such as vaults, locks and guards, plus health and safety. Other standards apply there. At some point after the release of ISO/IEC 27000:2009 (I forget exactly when), SC 27 had become exhausted by the interminable arguments over the definition and called a halt to it. The definitions of "information asset" and then "asset" were summaril
NoticeBored.webp 2019-12-12 08:00:11 NBlog Dec 12 - a universal KPI (direct link) For January's security awareness module on ISO27k, I'm developing a detailed checklist with which to assess, evaluate and score each of the information security controls recommended by ISO/IEC 27002 (as summarized in Annex A of ISO/IEC 27001)*. The checklist/scoring format is one I invented years ago and have been using and refining ever since. It is a kind of maturity metric that has proven very valuable in practice, giving surprisingly consistent and useful results despite the subjective nature of the checks. I am laying out 4 'indicators' for each control from '27002, specifying the kinds of things that would typically correspond to scores of 0% (exceptionally weak or missing controls) through 33% and 67% to 100% (exceptionally strong or cutting-edge controls). The 50% centre point on the scale divides 'inadequate' from 'adequate' controls, although that only really applies in the context of a mythical generic mid-sized organization with minimal information risks and hence security requirements. For many commercial organizations, 60% may be a more appropriate target, varying between organizations and controls - e.g. a financial services organization is likely to have more substantial information risks and hence needs stronger controls to ensure confidentiality, integrity and availability of information, than a typical manufacturing or retail business; an engineering design firm may value data integrity above all else, given the health and safety implications and liabilities if its output is inaccurate. Looking back over the draft checklist, I've noticed that the scores for most controls correlate with 'assurance' activities. At the top end, 100% scores often involve strong assurance measures such as thorough, independent audits by competent auditors. At the bottom end, assurance measures are conspicuously absent: if it's not painfully obvious already, even a cursory check would no doubt reveal that the controls are either completely absent or totally inadequate, but checking simply isn't performed at the 0% level - in fact, it probably doesn't even occur to those involved. In the middle ground, assurance activities either drive systematic improvements where necessary, or increase confidence that the controls in place are sufficient - fit for purpose, of decent quality, doing a good job. Therefore, assurance appears to be a universal KP
NoticeBored.webp 2019-12-11 08:00:00 NBlog Dec 11 - risk treatments (direct link) Yesterday I wrote about what the White Island eruption teaches us about risk management, in particular the way we decide how to deal with or "treat" identified risks. ISO/IEC 27005 describes 4 risk treatment options: Avoid the risk by deliberately not getting ourselves into risky situations - not getting too close to a known active volcano for example; Modify the risk: typically we mitigate (reduce) the risk through the use of controls intended to reduce the threats or vulnerabilities and hence the probability, or to reduce the impacts; Retain the risk: this is the default - more on this below; Share the risk: previously known as "risk transfer", this involves getting the assistance of third parties to deal with our risks, through insurance for instance, or liability clauses in contracts, or consultants' advice. Risk management standards and advisories usually state or imply that these 'options' are exclusive, in other words alternatives from which we should choose just one treatment per risk. ISO/IEC 27005 says "Controls to reduce, retain, avoid, or share the risks should be selected". In fact, they are nonexclusive options since they all involve an element of risk retention. The sentence should perhaps read "Controls to reduce, retain, avoid, and share the risks should be selected".* Risk retention is inevitable because of the very nature of risk. We can never be totally certain of risk, up to the point that the probability reaches 1 when an incident occurs (which, arguably, means it is no longer a risk but a certainty!). We might have misunderstood it, or made mistakes in our analysis. Our risk treatments might not work out as expected, perhaps even failing spectacularly when we least expect it, or conversely working so well that the risk never eventuates. Our insurers and partners might reneg [Tags: Guideline]
NoticeBored.webp 2019-12-09 19:47:45 NBlog Dec 9 - ISO27k security awareness (direct link) Our two-hundred-and-first security awareness module concerns the ISO27k standards. The quotation from ISO/IEC 27000 is right on the button: information is worth securing because it's valuable, essential in fact. Inadequately protected organizations hit by ransomware incidents know that only too well, with hindsight ... which is of course 20/20 ... And that reminds me: as the NoticeBored service draws to a close, I'd like to think we'll be leaving the world in a better state in 2020, but to be honest we've made little impression. Pundits have long advised that security awareness is important. An increasing proportion now recommend regular awareness activities. A few even suggest a continuous or ongoing approach. Perhaps they've been listening. I've been banging that drum for 20 years. As we hand over the reins, I hope the information security management and awareness pros will finally come to recognize the value of not treating their awareness audience as one amorphous blob, disparagingly called "users". As far as I know, NoticeBored remains unique in addressing two discrete audiences within "users" (we much prefer the term "workers") with distinct information needs: managers and professionals. Given their markedly different concerns and responsibilities, it's hardly surprising (to me!) that they find little of value in conventional security awareness content and fail to participate in the usual awareness activities. They are largely disinterested and disengaged, substantially weakening the organization's security culture, like a three-legged milking stool missing two of its legs. ISO/IEC 27002:2013 section 7.2.2 takes a page to say not very much about security awareness: I must take a close look at the awareness section in the draft update to '27002, currently extruding its way through the ISO/IEC sausage machine towards publication at the end of 2021. [Tags: Ransomware]
NoticeBored.webp 2019-12-03 17:12:11 NBlog Dec 3 - infosec driving principles (direct link) In an interview for CIO Dive, Maersk's recently-appointed CISO Andy Powell discussed aligning the organization with these five 'key operating principles': "The first is trust. The client has got to trust us with their data, to trust us to look at their business. So we've got to build trust through the cybersecurity solutions that we put in place. That is absolutely fundamental. So client trust, client buy-in has been fundamental to what we tried to drive as a key message. The second is resilience. Because you've got to have resilient systems because clients won't give you business if you're not resilient ... The third really is around the fact that security is everybody's responsibility. And we push that message really hard across the company … be clear about what you need to do and we train people accordingly. ... The fourth one really is accountability of security and I have pushed accountability for cyber risk to the business. ... And the final piece, and this has been one of the big call outs of my team to everybody, is that security is a benefit, not a burden. The reason I say that is people's perception is that security will slow things down, will get in the way ... the reality is that if you involve security early enough, you can build solutions that actually attract additional clients." Fair enough, Andy. I wouldn't particularly quarrel with any of them, but as to whether they would feature in my personal top-five I'm not so sure. Here are five others they'd be competing against, with shipping-related illustrations just for fun: Governance involves structuring, positioning, setting things up and guiding the organization in the right overall direction - determining then plotting the optimal route to the ship's ultimate destination, loading up with the right tools, people and provisions. Corporate governance necessarily involves putting things in place for both protecting and exploiting information, a vital and valuable yet vulnerable business asset; Information is subject to risks that can and probably should be managed proactively, just as a ship's captain doesn't merely accept the inclement weather and various other hazards but, where appropriate, actively mitigates or avoids them, dynamically reacting and adjusting course as things change; Flexibility and responsiveness, along with resilience and ro [Tags: Tool Guideline NotPetya]
NoticeBored.webp 2019-12-01 17:44:15 NBlog December - social engineering awareness module (direct link) December 2019 sees the release of our 200th security awareness and training module, this one covering social engineering. The topic was planned to coincide with the end of year holiday period - peak hunting season for social engineers on the prowl, including those portly, bearded gentlemen in red suits, allegedly carrying sacks full of presents down chimneys. Yeah right! I'm fascinated by the paradox at the heart of social engineering. Certain humans threaten our interests by exploiting or harming our information. They are the tricksters, scammers, con-artists and fraudsters who evade our beautiful technological and physical security controls, exploiting the vulnerable underbelly of information security: the people. At the same time, humans are intimately involved in protecting and legitimately exploiting information for beneficial purposes. We depend on our good people to protect us against the bad people. Vigilance is often the only remaining hurdle to be overcome, making security awareness and training crucial to our defense. It's do or die, quite literally in some cases! The module concerns information risks, controls and incidents involving and affecting people: Various types of social engineering attacks, scams, cons and frauds – phishing being just one of many topical examples; Exploitation of information and people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.; The social engineer's tradecraft i.e. pretexts, spoofs, masquerading, psychological manipulation and coercion. [Tags: Malware Hack]
NoticeBored.webp 2019-11-29 06:59:00 NBlog Nov 28 - risks, dynamics and strategies (direct link) Of information risk management, "It's dynamic" said my greybeard friend Anton Aylward - a good point that set me thinking as Anton so often does. Whereas normally we address information risks as if they are static situations using our crude risk models and simplistic analysis, we know many things are changing ... sometimes unpredictably, although often there are discernible trends. On Probability-Impact Graphs (PIGs), it is possible to represent changing risks with arrows or trajectories, or even time-sequences. I generated an animated GIF PIG once showing how my assessment of malware risks had changed over recent years, with certain risks ascending (and projected to increase further) whereas others declined (partly because our controls were reasonably effective). It's tricky though, and highly subjective ... and the added complexity/whizz-factor tends to distract attention from the very pressing current risks, plus the uncertainties that make evaluating and treating the risks so, errrr, risky (e.g. I didn't foresee the rise of cryptomining malware, and who knows what novel malware might suddenly appear at any time?). A simpler approach is to project or imagine what will be the most significant information risks for, say, the year or two or three ahead. You don't need many, perhaps as few as the "top 5" or "top 10", since treating them involves a lot of work, while other risks are often also reduced coincidentally as controls are introduced or improved. It's possible to imagine/project risks even further out, which may suit a security architec [Tags: Malware]
NoticeBored.webp 2019-11-26 17:57:12 NBlog Nov 26 - 7 ways to improve security awareness & training (direct link) Although 7 Ways to Improve Employee Development Programs by Keith Ferrazzi in the Harvard Business Review is not specifically about information security awareness and training, it's straightforward to apply it in that context. The 7 ways in bold below are quoted from Keith's paper, followed by my take. 1. Ignite managers' passion to coach their employees. I quite like this one: the idea is to incentivize managers to coach the workforce. As far as I'm concerned, this is an inherent part of management and leadership, something that can be enabled and encouraged in a general manner not just through explicit (e.g. financial) incentives. For me, this starts right at the very top: a proactive CEO, MD and executive/leadership team is in an ideal position to set this ball rolling on down the cascade - or not. If the top table is ambiguous or even negative about this, guess what happens! So, right there is an obvious strategy worth pursuing: start at, or at the very least, include those at the very top of the organization ... which means taking their perspectives and addressing their current information needs, preferred learning styles and so forth (more below: directors and execs are - allegedly - as human as the rest of us!). 2. Deal with the short-shelf life of learning and development needs. 'Short shelf-life' is a nice way to put it. In the field of information risk and security, the emergence of novel threats that exploit previously unrecognized vulnerabilities causing substantial business impacts is a key and recurrent challenge. I totally agree with the need to make security awareness an ongoing, ideally continuous activity, drip-feeding workers with current, pertinent information and guidance all year long rather than attempting to dump everything on them in a once-in-a-blue-moon event, session or course. Apart from anything else, keeping the awareness materials and activities topical makes them more interesting than stale old irrelevant and distracting junk that is 'so last year' (at best!). 3. Teach employees to own their career development. An interesting suggestion, this, especially for the more involved infosec topics normally taught through intensive training courses rather than general spare-time awareness activities. I'm not sure off-hand how this suggestion would work in practice, but it occurs to me that periodic employee appraisals and team meetings provide ample opportunities to offer training and encourage workers to take up whatever suits their career and personal development aspirations. [Tags: Guideline]
NoticeBored.webp 2019-11-22 11:56:29 NBlog Nov 22 - who owns compliance? (direct link) For some weeks now on the ISO27k Forum we've been vigorously and passionately debating whether an Information Security Management System should, or should not, include the organization's compliance with "information security-related" laws, regulations and other obligations such as contractual clauses specifying compliance with PCI-DSS. The issue arises because: The relevant infosec compliance section is tucked away at the end of ISO/IEC 27001 Annex A, which has an ambiguous status with respect to '27001 certification. Although Annex A is discretionary rather than mandatory, certifiable organizations must use Annex A as a checklist to confirm that their ISMS incorporates all the information security controls necessary to address the information risks within scope of the ISMS. Interpret that paradox as you will ... and hope that the certification auditors take the same line; It could be argued that, in a very broad sense, all the laws, regs, contracts, standards, ethical codes etc. which apply to the organization are "information security-related". The requirements are all forms of information with associated information risks. Therefore, they fall at least partially within the remit of an ISMS; Likewise, "compliance", as a whole, could be seen as an information security control, a suite of organizational activities and measures to both satisfy and be able to demonstrate conformance with requirements, plus the associated assurance, reinforcement (awareness, acceptance) and enforcement aspects. In philosophical terms, compliance is an integrity issue, and integrity is part of information security, therefore compliance is part of infosec;
NoticeBored.webp 2019-11-19 20:20:14 NBlog Nov 18 - enough is enough (direct link) Keeping ISO27k Information Security Management Systems tight, constrained within narrow scopes, avoiding unnecessary elaboration, seems an admirable objective. The advantages of ISMS simplicity include having less to design, implement, monitor, manage, maintain, review and audit. There's less to go wrong. The ISMS is more focused, a valuable business tool with a specific purpose rather than a costly overhead. All good. However, that doesn't necessarily mean that it is better to have fewer ISMS documents. In practice, simplifying ISMS documentation generally means combining docs or dispensing with any that are deemed irrelevant. That may not be the best approach for every organization, especially if it goes a step too far. Take information security policies for example. Separate, smaller policy docs are easier to generate and maintain, {re}authorize and {re}circulate individually than a thick monolithic “policy manual”. It's easier for authors, authorisers and recipients to focus on the specific issue/s at hand. That's important from the governance, awareness and compliance perspective. At a basic level, what are the chances of people actually bothering to read the change management/version control/document history info then check out all the individual changes (many of which are relatively insignificant) when yet another updated policy manual update drops into their inbox? In practice, it ain't gonna happen, much to the chagrin of QA experts! On the other hand, individual policies are necessarily interlinked, forming a governance mesh: substantial changes in one part can have a ripple effect across the rest, which means someone has the unenviable task of updating and maintaining the entire suite, keeping everything reasonably consistent. Having all the policies in one big document makes maintenance easier for the author/maintainer, but harder for change managers, authorisers and the intended audiences/users. [Tags: Tool]
NoticeBored.webp 2019-11-15 16:47:06 NBlog Nov 15 - risky business (direct link) Physical penetration testing is a worthwhile extension to classical IT network pentests, since most technological controls can be negated by physical access to the IT equipment and storage media. In Iowa, a pentest incident that led to two professional pentesters being jailed and taken to court illustrates the importance of the legalities for such work. A badly-drafted pentest contract and 'get out of jail free' authorization letter led to genuine differences of opinion about whether the pentesters were or were not acting with due authority when they broke into a court building and were arrested. With the court case now pending against the pentesters, little errors and omissions, conflicts and doubts in the contract have taken on greater significance than either the pentest firm or its client appreciated, despite both parties appreciating the need for the contract. They thought they were doing the right thing by completing the formalities. Turns out maybe they hadn't. I hope common sense will prevail and all parties will learn the lessons here, and so should other pentesters and clients. The contract must be air-tight (which includes, by the way, being certain that the client has the legal authority to authorize the testing as stated), and the pentesters must act entirely within the scope and terms as agreed (in doubt, stay out!). Communications around the contract, the scope and nature of work, and the tests themselves, are all crucial, and I will just mention the little matter of ethics, trust and competence. PS: An article about the alleged shortage of pentesters casually mentions: "The ideal pen tester also exhibits a healthy dose of deviancy. Some people are so bound by the rules of a system that they can't think beyond it. They can't fathom the failure modes of a system. Future penetration testers should have a natural inclination toward pushing the boundaries – especially when they are told, in no uncertain terms, not to do so." Hmm. So pentesters are supposed to go beyond the boundaries in their testing, but remain strictly within the formally contracted scope, terms and condi
NoticeBored.webp 2019-11-12 09:43:44 NBlog Nov 12 - on being a professional (direct link) While Googling for something else entirely, I chanced across this statement from Darren on a ten year old SceptikLawer forum thread: "The essence of my job as an information security architect is to understand the balance between risk (legal, practical, and otherwise) and the need for an organization to conduct business efficiently. I think a lot of what I do really does boil down to seeing the other side of things; I know what the “most secure” way is, but I also have to understand that implementing it might mean debilitating restrictions on the way my employer does business. So what I have to do is see their point of view, clearly articulate mine, and propose a compromise that works. There's a reason a lot of IT security folks become lawyers." Nicely put, Darren! While personally I'd be reluctant to claim that I 'know what the most secure way is', the point remains that an information security professional's - or indeed any professional's - job revolves around achieving workable compromises. For us, it's about helping or persuading clients and employers identify and reduce their information risks to 'reasonable' levels, then maintaining the status quo through ongoing risk management. Some of our professional peers struggle with this, particularly inexperienced ones with IT backgrounds. They (well OK, we) can come across as assertive, sometimes to the point of being arrogant and pig-headed, obstinate or even rude. Things 'must' be done in a certain way - their way. They are trained professionals who have been taught the 'most secure way' and are unwilling to countenance any other/lesser approach. Situations appear black or white to them, with no shades of grey. Along with Darren, presumably, I view most situations as greys, sometimes multicoloured or even multidimensional due to inherent complexities and differing perspectives. There is almost always more to a situation than it first appears, and often more to it than I appreciate even after studying it hard. I embrace ambiguity. I value flexibility and open-mindedness, and strive to be flexible and open-minded in my work: for me, it's an integral part of 'being professional'. Such pragmatism is fine ... up to a point. However there are situations where it gets harder to back down and eventually I may stand my ground, refusing to compromise any further on my core values (particularly personal inte
NoticeBored.webp 2019-11-10 11:20:08 NBlog Nov 10 - strategic risk management (direct link) There's an old old joke about a passing stranger asking for directions to Limerick. "Well," says the farmer, "If oi was you, oi wouldn't start from here". So it is with infosec strategies. Regardless of where your organization may be headed, by definition you set out from a less than ideal starting point. If it was ideal, you wouldn't be heading somewhere else, would you? That naive perspective immediately suggests two alternatives: Bear in mind where you are today, planning your route accordingly. Regardless of where you are today, focus exclusively on the destination and how to get there. Actually, those are just two of many possibilities. It's even possible to do both: strategic thinking generally includes a good measure of blue-sky idealist thinking, tempered by at least a modicum of reality and pragmatism. 'We are where we are'. We have a history and finite resources at our disposal ... including limited knowledge about our history, current situation and future direction. What's more, the world is a dynamic place and we don't exist in a vacuum, hence any sensible infosec strategy needs to take account of factors such as competitors, compliance and other challenges ahead - situational awareness plus conjecture about how the situation might conceivably change as we put our cunning strategy into practice (as in chess). That's risk, information risk in fact, amenable to information risk management in the conventional, straightforward, systematic manner: Identify and characterise the risk/s, both negative and positive (opportunities, the possibility that things might turn out even better than planned); Quantify and evaluate the risk/s; Decide what to do about them; Do it! Finalise the strategy, negotiate its approval (with all that entails) and make it so; Manage and monitor things as the strategy unfolds and changes inevitably happen;
NoticeBored.webp 2019-11-07 17:41:58 NBlog Nov 7 - super management systems (direct link) ISO 22301, already an excellent standard on business continuity, has just been revised and republished. Advisera has a useful page of info about ISO 22301 here. There's quite a bit of common ground between business continuity and information risk and security, especially as most organizations are highly dependent on their information, IT systems and processes. The most significant risks are often the same, hence it makes sense to manage both aspects competently and consistently. The ISO 'management system' structured approach is effective from the governance and management perspective. Aligning/coordinating the infosec and business continuity management systems has several valuable benefits since they are complementary. Extending that thought, it occurs to me that most if not all other areas of management also have information risk and security implications: Physical site security and facilities management (e.g. reliable power and cooling for the servers); IT and information management (dataflows, information architecture, information systems and networks and processes, intellectual property, innovation, creativity); Change management (ranging from version control through projects and initiatives up to strategic changes); Incident management (see below); Risk management (as a whole, not just information risks); Privacy management; [Tags: Deloitte]
NoticeBored.webp 2019-11-07 10:31:27 NBlog Nov 6 - insight into ISO27k editing (lien direct) Today I find myself poring through ISO/IEC 27000:2018 looking for quotable snippets to use on our awareness posters in January. Although there's plenty of good content, I can't help but notice a few rough edges, such as this:“Conducting a methodical assessment of the risks associated with the organization's information assets involves analysing threats to information assets, vulnerabilities to and the likelihood of a threat materializing to information assets, and the potential impact of any information security incident on information assets. The expenditure on relevant controls is expected to be proportionate to the perceived business impact of the risk materializing.” [part of clause 4.5.2]. First off, here and elsewhere the '27000 text uses the term “information asset” which is no longer defined in the standard since the committee couldn't reach consensus on that. Readers are left to figure out the meaning for themselves, with the possibility of differing interpretations that may affect the sense in places. The term is, or probably should be, deprecated.Secondly, the first sentence is long and confusing – badly constructed and (perhaps) grammatically incorrect. “Vulnerabilities to” is incomplete: vulnerabilities to what? Shouldn't that be “vulnerabilities in” anyway? Threats get mentioned twice for no obvious reason, overemphasizing that aspect. “Likelihood” is a vague and problematic word with no precise equivalent in some languages - it too should probably be deprecated. 
The final clause as worded could be interpreted to mean that the process is only concerned with potential impacts on information assets, whereas incidents can cause direct and/or indirect/consequential impacts on systems, organizations, business relationships, compliance status, reputations and brands, commercial prospects, profits, individuals, partners, society at large and so forth, not all of which are information assets (as commonly interpreted, anyway!). Thirdly, do “the organization's information assets” include personal information? Some might argue that personal information belongs to the person concerned – the data subject – not the organiza Threat Guideline
NoticeBored.webp 2019-11-04 11:28:45 NBlog Nov 4 - social engineering awareness (direct link) December's awareness topic is one of our regular annual topics. Social engineering has been around for millennia - literally, in the sense that deliberate deception is a survival strategy adopted by many living beings, right back to primordial times. So, what shall we cover this time around? In 2018, the NoticeBored awareness module took a deep dive into phishing, a modern-day scourge ... but definitely not the only form of social engineering, despite what those companies pushing their 'phishing solutions' would have us believe. We picked up on 'business email compromise' as well, another name for spear-phishing. In 2017, we explored 'frauds and scams' in the broad, producing a set of 'scam buster' leaflets explaining common attacks in straightforward terms, illustrated with genuine examples and offering pragmatic advice to avoid falling victim to similar tricks. Back in 2016, the 'protecting people' module covered: social engineering attacks, scams and frauds, such as phishing, spear-phishing and whaling; exploitation of information and people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.; the use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineer's tradecraft; and significant information risks involving blended or multimode attacks and insider threats. Although we already have lots of content to draw upon and update, we always aim to cover current threats, which means this week our research phase draws to a close with a clearer idea of the scope of December's module, plus a bunch of recent incidents to illustrate the materials. As to precisely what aspects
NoticeBored.webp 2018-03-26 15:35:27 NBlog March 26 - repetitititition (direct link) It is often said (repeatedly in fact) that repetition is the key to learning. Well is that true? Is that a fact? It must be true if it is said often enough, surely? This blog piece is about using and misusing repetition as an awareness technique, repeatedly. You may have come across the classic 3-step tell-em technique for classes, lectures and seminars:
1. Tell them what you're about to tell them about.
2. Tell them it.
3. Tell them about what you told them about.
It's a simple, or rather simplistic approach, a crude technique based on simple repetition. You have probably sat through repetitive classes, lectures and seminars by teachers or speakers that follow the advice slavishly, every time, some of them even pointing out what they are doing as if that helps. It's obvious, without being pointed out. You don't need to tell us that you're using the tell-em technique! In my experience, the tell-em technique is most often used by teachers and presenters who are not comfortable teaching and presenting: they are still practicing, repeating the same basic, tedious approach until/unless someone points out that it's not the most effective technique, if we're lucky. Repetition is one way to teach and learn, certainly, but not the only way. There are other forms of teaching and learning apart from repetition. Learning and teaching, teaching and learning, can take place without repetition, however repetition can be a useful technique for learning. And teaching. Repeating things is the essence of practicing, gradually becoming familiar with whatever it is - especially by repeating physical activities such as yoga, skateboarding, teeth-cleaning, yoga or escaping a burning building. Repeating activities such as yoga makes them familiar, well-practiced. Eventually with sufficient repetition they become subconscious, autonomous or 'natural' as we master them.
NoticeBored.webp 2018-03-23 11:45:12 NBlog March 23 - assurance metrics (direct link) Today I'm writing about 'security assurance metrics' for April's NoticeBored module. One aspect that interests me is measuring and confirming (being assured of) the correct operation of security controls. Such metrics are seldom discussed and, I suspect, fairly uncommon in practice. Generally speaking, we infosec pros just love measuring and reporting on incidents and stuff that doesn't work because that helps us focus our efforts and justify investment in the controls we believe are necessary. It also fits our natural risk-aversion. We can't help but focus on the downside of risk. Most of us blithely assume that, once operational, the security controls are doing their thing: that may be a dangerous assumption, especially in the case of safety-, business- or mission-critical controls plus the foundational controls on which they depend (e.g. reliable authentication is a prerequisite for access control, and physical security underpins almost all other forms of control). So, on the security metrics dashboard, what's our equivalent of the "bulb test" when well-designed electro-mechanical equipment is powered up? How many of us have even considered building-in self-test functions and alarms for the failure of critical controls? I could be wrong but I feel this may be an industry-wide blind spot with the exception of safety-critical controls, perhaps, and situations where security is designed and built in from scratch as an integral part of the architecture (implying a mature, professional approach to security engineering rather than the usual bolt-on security).
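As an added illustration of the "bulb test" idea (this is example code, not code from the post or from NoticeBored), here is a minimal control self-test harness in Python. The controls are constructed stand-ins held in memory, and the dependency of access control on authentication mirrors the example in the text. The design point is the one the post hints at: a probe that fails, or that cannot run at all, is reported FAIL or UNKNOWN and alarmed, never silently counted as a working control.

```python
"""Self-test ("bulb test") harness for critical security controls.

Added example, not code from the NoticeBored post. The controls are constructed
stand-ins (password verifier, access-control list, file-integrity baseline held
in memory, and a backup-restore control with no probe) so it runs offline.
Only a positive probe result is green: FAIL, an exception, or a non-green
prerequisite yields FAIL/UNKNOWN and, for a critical control, an alarm.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Status(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    UNKNOWN = "UNKNOWN"   # probe did not run or cannot be trusted; never counts as PASS


@dataclass
class ControlTest:
    name: str
    critical: bool
    probe: Callable[[], bool]          # True only if the control demonstrably works
    depends_on: tuple[str, ...] = ()   # foundational controls this one relies on


# --- constructed stand-in controls (assumed, illustration only) ---------------
_SALT = b"constructed-salt"
_STORED = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000)


def verify_password(candidate: bytes) -> bool:
    derived = hashlib.pbkdf2_hmac("sha256", candidate, _SALT, 10_000)
    return hmac.compare_digest(derived, _STORED)


def authentication_probe() -> bool:
    """The right secret passes AND a wrong one is rejected."""
    return verify_password(b"correct horse") and not verify_password(b"wrong")


ACL = {("alice", "payroll"): "allow"}


def authorize(user: str, resource: str) -> bool:
    return ACL.get((user, resource)) == "allow"


def access_control_probe() -> bool:
    """A known-bad request is denied AND a permitted one still works (failing closed is a failure too)."""
    return not authorize("mallory", "payroll") and authorize("alice", "payroll")


BASELINE = {"/etc/passwd": hashlib.sha256(b"root:x:0:0:root:/root:/bin/bash\n").hexdigest()}
CURRENT_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}   # stands in for the disk


def file_integrity_probe() -> bool:
    return all(hmac.compare_digest(hashlib.sha256(CURRENT_FILES[p]).hexdigest(), h)
               for p, h in BASELINE.items())


def backup_restore_probe() -> bool:
    raise RuntimeError("no restore-test probe wired up")   # deliberate: exercises UNKNOWN


TESTS = [
    ControlTest("authentication", critical=True, probe=authentication_probe),
    ControlTest("access_control", critical=True, probe=access_control_probe,
                depends_on=("authentication",)),
    ControlTest("file_integrity", critical=True, probe=file_integrity_probe),
    ControlTest("backup_restore", critical=True, probe=backup_restore_probe),
]


def run_self_tests(tests: list[ControlTest]) -> dict[str, Status]:
    """Run every probe; an exception is UNKNOWN, and so is a control whose dependency
    is not PASS (access control means little without authentication). Assumes no cycles."""
    by_name = {t.name: t for t in tests}
    results: dict[str, Status] = {}

    def run(t: ControlTest) -> Status:
        if t.name not in results:
            if any(run(by_name[d]) is not Status.PASS for d in t.depends_on):
                results[t.name] = Status.UNKNOWN
            else:
                try:
                    results[t.name] = Status.PASS if t.probe() else Status.FAIL
                except Exception:
                    results[t.name] = Status.UNKNOWN
        return results[t.name]

    for t in tests:
        run(t)
    return results


def alarms(tests: list[ControlTest], results: dict[str, Status]) -> list[str]:
    """Anything other than PASS on a critical control is alarmed, UNKNOWN included."""
    return [f"ALARM: critical control '{t.name}' is {results[t.name].value}"
            for t in tests if t.critical and results[t.name] is not Status.PASS]


def self_test_report(tests: list[ControlTest] = TESTS) -> tuple[dict[str, Status], list[str]]:
    results = run_self_tests(tests)
    return results, alarms(tests, results)


if __name__ == "__main__":
    results, alerts = self_test_report()
    for name, status in results.items():
        print(f"{name:16} {status.value}")
    print("\n".join(alerts))
```

Run as-is, the three wired-up controls come back PASS and the backup-restore control comes back UNKNOWN with an alarm, which is the point: on a dashboard built this way, a missing or broken probe shows up as red rather than being mistaken for a green control.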
NoticeBored.webp 2018-03-21 13:58:38 NBlog March 21 - down to Earth (direct link) Since "assurance" is a fairly obscure concept, April's awareness materials inevitably have to explain it in simple enough terms that people can grasp it, without glossing over things to such an extent that nothing matters, nothing registers. Tricky that! Harder still, our purpose for raising this at all is to emphasize the relevance of assurance to information security - another conceptual area that we're trying hard to make less obscure! The approach we've come up with is to draw parallels between assurance for information security, and assurance for safety. Safety is clearly something that matters. People 'get it' without the need to spell it out in words of one syllabub. With just a little gentle help, they understand why safety testing, for instance, is necessary, and why safety tags and certificates mean something worthwhile - valuable in fact ... and that gives us a link between assurance and business. For awareness purposes, we'll be using bungy-jumping as a safety-, business- and assurance-related situation that catches attention and sparks imaginations. It's something risky that people can relate to, regardless of whether they have personally done it or not. You could say it is well-grounded. Aside from the emotional connection, it has the added bonus of striking images - great for seminar slides and to break up the written briefings. We still face the challenge of linking from there across to information security, and that's what the bulk of the awareness materials address, covering assurance in the context of information risk, security, integrity, testing, auditing, trust and more - quite a swathe of relevant issues to discuss in fact.
NoticeBored.webp 2018-03-20 15:18:15 NBlog March 20½ - Facebook assures (direct link) Facebook is facing a crisis of confidence on stock markets already jittery about interest rates and over-priced tech stocks, thanks to a privacy breach with overtones of political interference: "Facebook fell as much as 8.1 percent to $170.06 on Monday in New York, wiping out all of the year's gains so far. That marked the biggest intraday drop since August 2015. Facebook said Friday that the data mining company Cambridge Analytica improperly obtained data on some of its users, and that it had suspended Cambridge while it investigates. Facebook said the company obtained data from 270,000 people who downloaded a purported research app that was described as a personality test. The New York Times and the Guardian reported that Cambridge was able to tap the profiles of more than 50 million Facebook users without their permission. Facebook first learned of the breach more than two years ago but hadn't disclosed it. A British legislator said Facebook had misled officials while Senator Amy Klobuchar of Minnesota said Facebook CEO Mark Zuckerberg should testify before the Senate Judiciary Committee ... Daniel Ives, chief strategy officer and head of technology research for GBH Insights, said this is a crisis for Facebook, and it will have to work hard to reassure users, investors and governments." [NZ Herald, 20th March 2018, emphasis added] Attempting to halt and ideally reverse the decline in the extent to which third-parties trust the organization following a major incident is tough, and expensive. Can anyone believe its claims and assurances in future? Will they inspire the same level of confidence that they might once have done? What additional hoops will they be expected to clear in future to reassure others? Will they ever rebuild their credibility and reputation, or is this incident going to haunt them in perpetuity?
A lot depends on how the incident is handled. Facebook and its management will, I guess, spend large to scrape through the crisis with the usual flurry of denials, excuses, explanations/justifications and apologies. Lawyers will profit. Heads may roll, and the suspended relationship with Cambridge Analytica will be 'strained', perhaps to breaking point. But what of the ongoing relationship with "users, investors and governments"? I wonder if Facebook had a strategy in place to 'reassure' them following a privacy breach or some other major incident? Does it have a business continuity plan for this eventuality? We will see how it plays out over the next few days and weeks, perhaps months given the political and regulatory ramifications. I'm looking forward to findi
NoticeBored.webp 2018-03-20 10:30:42 NBlog March 20 - a critique of CIS netsec metrics (direct link) Perusing a CIS paper on metrics for their newly-updated recommended network security controls (version 7), several things strike me all at once, a veritable rash of issues. Before reading on, please at least take a quick squint at the CIS paper. See what you see. Think what you think. You'll get more out of this blog piece if you've done your homework first. You may well disagree with me, and we can talk about that. That way, I'll get more out of this blog piece too! [Pause while you browse the CIS paper on metrics] [Further pause while you get your thoughts in order] Guideline
NoticeBored.webp 2018-03-19 18:40:12 NBlog March 19 - a thinking day (direct link) Today was a thinking day - time away from the office doing Other Stuff meant my reluctant separation from the keyboard and a chance to mull over the awareness materials for April, free of distractions. I returned sufficiently refreshed to catch up with emails and press ahead with the writing, and inspired enough to come up with this little gem: I say 'gem' because that single (albeit convoluted) statement helps us explain and focus the awareness module. We will explain assurance in terms of confidence, integrity, trust, proof etc. and discuss the activities that get us to that happy place, or not as the case may be. Discovering any problems that need to be addressed is an important and obvious part of various forms of testing, but so too is giving the all-clear. Gaining assurance, either way, is the real goal, supporting information risk management: if you discover, later, that the testing was inept, inadequate, biased, skipped or otherwise lame, the whole thing is devalued, and worse still the practice of testing is undermined as an assurance measure. Take for example dieselgate - the diesel emissions-testing scandal involving Volkswagen vehicles: in essence, some bright spark at VW allegedly came up with a cunning scheme to defeat the emissions testing lab by switching the vehicle's computer control unit to a special mode when it detected the conditions indicating a test in progress, reverting to a less environmentally-friendly mode for normal driving. Ethics and legality aside, the scandal brought a measure of doubt onto the testing regime, and yet the trick was (eventually) discovered and the perpetrators uncloaked, bringing greater disrepute to VW. Hmmm, that little story might make an interesting case study scenario for the module.
If it makes people think and talk animatedly about the information risk aspects arising (assurance in particular but there are other relevant issues too), that's a big awareness win right there. Job's a good 'un. Thank you and good night.
NoticeBored.webp 2018-03-18 22:26:09 NBlog March 18 - building a sausage machine (direct link) We've been engaged to write a series of awareness materials on a variety of information security topics - a specific type of awareness product that we haven't produced before. So the initial part of the assignment is to clarify what the client wants, come up with and talk through our options, and draft the first one. That's my weekend spoken for! Once the first one is discussed, revised and agreed, stage two will be to refine the production process so future products will be easier and quicker to generate, better for the client and better for us. Like sausages. We're building a sausage machine. We'll plug in a topic, turn the handle and extrude a perfectly-formed sausage every time. Sounds fine in theory but on past experience that's not quite how it will work out, for two key reasons:
Since the topics vary, the content of the awareness product will vary, naturally ... but so too may the structure and perhaps the writing style. Awareness content on, say, viruses or passwords is conceptually and practically a bit different to that on, say, privacy or cybersecurity. The breadth and depth of cover affects how we write, so the machine needs some 'give'. It can't be too rigid.
As the string of sausages gets ever longer, we will continually refine the machine and think up new wrinkles ... which may even mean going back and reforming some of the early products. It's possible an entirely new approach may emerge as we progress, but more likely it will evolve and mature gradually. What starts out producing a string of plain beef sausages may end up churning out Moroccan lamb and mint - still definitely sausages but different flavours. Knowing that, now, the sausage machine has to be capable of being modified to some extent in the future, within certain constraints since the customer expects a reasonably consistent product.
Some features being designed into the process today will remain in a month or three, while others will evaporate to be replaced by others and we're cool with that. Hopefully the client will be too! In more practical terms, the sausage machine itself consists of General Information
NoticeBored.webp 2018-03-17 08:23:37 NBlog March 17 - assurance functions (direct link) Of all the typical corporate departments or functions or teams, which have an assurance role?
Internal Audit - audits are all about gaining and providing assurance;
Quality Assurance plus related functions such as Product Assurance, Quality Control, Testing and Final Inspection, Statistical Process Control and others;
Risk Management - because assurance reduces uncertainty and hence risk;
IT, Information Management, Information Risk and Security Management etc. - for example, ensuring the integrity of information increases assurance, and software quality assurance is a big issue;
Information Security Management - which is of course why this is an information security awareness topic;
Business Continuity Management - who need assurance on everything business-critical;
Health and Safety - who need assurance on everything safety-critical;
Production/Operations - who use QA, SPC and many other techniques to ensure the quality and reliability of production methods, processes and products;
Sales and Marketing - who seek to assure and reassure prospects and customers that the organization is a quality outfit producing reliable, high-quality products, building trust in the brands and maintaining a strong reputation;
Procurement - who need assurance about the raw materials, goods and services offered and provided to the organization, and about the suppliers in a more general way (e.g. will they deliver orders within specification, on time, reliably? Will the relationship and transactions be worry-free?);
Finance - who absolutely need to ensure the integrity of financial information, and who perform numerous assurance measures to achieve and guarantee that;
Human Resources - who seek to reassure management that the organization is finding and recruiting the best candidates and making the best of its people;
Legal/Compliance - who need to be sure that the organization complies sufficiently with external obligations to avoid penalties, and that internal obligations are sufficiently fulfilled to achieve business advantage;
NoticeBored.webp 2018-03-16 16:59:15 NBlog March 16 - word games (direct link) The assurance word-art tick (or boot?) that we created and blogged about a few days ago is still inspiring us. In particular, some assurance-related words hint at slightly different aspects of the same core concept: Assure, Assurance, Assured, Assuredly, Ensure, Ensured, Insure, Insurance, Reassure. Along with the tongue-in-cheek terms 'man-sure' and 'lady-sure', they are all based on 'sure', being a statement of certainty and confidence. Insure is interesting: in American English, I believe it means the same as ensure in the Queen's English (i.e. being certain of something), but in the Queen's English, insure only relates to the practice of insurance, when some third-party offers indemnity against particular risks. Assured, ensured and insured are not merely the past tenses of the respective verbs, but have slightly different implications or meanings:
If someone is assured of something, they have somehow been convinced and accept it as true. They internalize and no longer question or doubt their belief to the same extent as if they were not assured of it. They rest-assured, generally as a result of a third-party providing them the assurance if they don't convince themselves;
Someone who ensured something made certain it was so or at least made the effort to do so (they don't always succeed!). This often means passing responsibility to a third-party who they believe will do as required;
In the Queen's English, a company that insured something provided the indemnity (insurance cover) to whoever had it insured. In American English, the previous bullet applies, presumably.
Reassure is diff
NoticeBored.webp 2018-03-15 07:43:59 NBlog March 15 - scheduling audits (direct link) One type of assurance is audit, hence auditing and IT auditing in particular is very much in-scope for our next security awareness module. By coincidence, yesterday on the ISO27k Forum, the topic of 'security audit schedules' came up. An audit schedule is a schedule of audits, in simple terms a diary sheet listing the audits you are planning to do. The usual way to prepare an audit schedule is risk-based and resource-constrained. Here's an outline (!) of the planning process to set you thinking, with a sprinkling of Hinson tips:
1. Figure out all the things that might be worth auditing within your scope (the 'audit universe') and list them out. Brainstorm (individually and if you can with a small group of brainstormers), look at the ISMS scope, look for problem areas and concerns, look at incident records and findings from previous audits, reviews and other things. Mind map if that helps ... then write them all down into a linear list.
2. Assess the associated information risks, at a high level, to rank the rough list of potential audits by risk - riskiest areas at the top (roughly at first - 'high/medium/low' risk categories would probably do - not least because until the audit work commences, it's hard to know what the risks really are). Guess how much time and effort each audit would take (roughly at first - 'big/medium/small' categories would probably do - again, this will change in practice but you have to start your journey of discovery with a first step).
3. In conjunction with other colleagues, meddle around with the wording and purposes of the potential audits, taking account of the business value (e.g. particular audits on the list that would be fantastic 'must-do' audits vs audits that would be extraordinarily difficult or pointless with little prospect of achieving real change).
4. If it helps, split up audits that are too big to handle, and combine or blend-in tiddlers that are hardly worth running separately. Make notes on any fixed constraints (e.g. parts of the business cycle when audits would be needed, or would be problematic; and dependencies such as pre/prep-work audits to be followed by in-depth audits to explore problem areas found earlier, plus audits that are linked to IT system/service implementations, mergers, compliance deadlines etc.). Guideline
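The planning steps above, mechanised as an added example (example code, not the post's or the ISO27k Forum's tool): a small Python scheduler that ranks a constructed audit universe by risk, business value and size, honours fixed quarter constraints and prep-audit prerequisites, and drops whatever the assumed auditor-day capacity cannot absorb. The audits, the high/medium/low and big/medium/small buckets, the auditor-day figures and the quarterly capacity are all assumptions for illustration.

```python
"""Risk-based, resource-constrained audit schedule builder.

Added example; not the post's or the ISO27k Forum's tool. The audit universe,
risk/effort buckets, auditor-day figures and quarterly capacity are constructed
assumptions. Rule implemented: rank by risk, then business value, then prefer
smaller audits; place each audit in the earliest quarter that has capacity,
satisfies its fixed constraint and comes after its prerequisite audit.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

RISK = {"high": 3, "medium": 2, "low": 1}            # rough high/medium/low ranking
EFFORT_DAYS = {"big": 40, "medium": 20, "small": 8}  # assumed auditor-days per bucket


@dataclass
class CandidateAudit:
    name: str
    risk: str
    effort: str
    value: int = 2                                    # 1 = pointless ... 3 = must-do
    allowed_quarters: tuple[int, ...] = (1, 2, 3, 4)  # fixed constraints (business cycle)
    after: Optional[str] = None                       # prerequisite, e.g. prep-work audit


# Constructed audit universe (assumed):
UNIVERSE = [
    CandidateAudit("Access control review", "high", "medium", value=3),
    CandidateAudit("Backup and restore test", "high", "small", value=3),
    CandidateAudit("Supplier security (cloud providers)", "high", "big", value=2),
    CandidateAudit("Payroll system pre-audit", "medium", "small", value=3),
    CandidateAudit("Payroll system deep dive", "high", "big", value=3,
                   after="Payroll system pre-audit"),
    CandidateAudit("Incident management readiness", "medium", "medium"),
    CandidateAudit("Server room physical security", "medium", "small",
                   allowed_quarters=(1, 2)),
    CandidateAudit("Clean desk spot checks", "low", "small", value=1),
    CandidateAudit("Legacy application decommissioning", "low", "big", value=1),
]
CAPACITY = {1: 50, 2: 40, 3: 40, 4: 30}   # assumed auditor-days available per quarter


def rank(audits: list[CandidateAudit]) -> list[CandidateAudit]:
    """Riskiest first; then business value; then smaller audits ahead of bigger ones."""
    return sorted(audits,
                  key=lambda a: (RISK[a.risk], a.value, -EFFORT_DAYS[a.effort]),
                  reverse=True)


def build_schedule(audits: list[CandidateAudit], capacity: dict[int, int]):
    """Greedy placement in rank order. Assumes 'after' names exist and form no cycle."""
    by_name = {a.name: a for a in audits}
    remaining = dict(capacity)
    placed: dict[str, int] = {}
    unscheduled: list[str] = []

    def place(a: CandidateAudit) -> None:
        if a.name in placed or a.name in unscheduled:
            return
        earliest = min(remaining)
        if a.after:
            place(by_name[a.after])          # a deep dive pulls its prep-work audit forward
            if a.after in unscheduled:       # cannot follow an audit that never happens
                unscheduled.append(a.name)
                return
            earliest = placed[a.after] + 1   # strictly after the prerequisite
        days = EFFORT_DAYS[a.effort]
        for q in sorted(remaining):
            if q >= earliest and q in a.allowed_quarters and remaining[q] >= days:
                remaining[q] -= days
                placed[a.name] = q
                return
        unscheduled.append(a.name)           # resource-constrained: drops off this year's list

    for a in rank(audits):
        place(a)
    return placed, unscheduled, remaining


def example_schedule():
    return build_schedule(UNIVERSE, CAPACITY)


if __name__ == "__main__":
    placed, unscheduled, remaining = example_schedule()
    for q in sorted(CAPACITY):
        names = [n for n, quarter in placed.items() if quarter == q]
        print(f"Q{q} ({remaining[q]} days spare): " + "; ".join(names))
    print("Unscheduled (revisit next cycle): " + "; ".join(unscheduled))
```

With the constructed inputs the deep dive lands in Q2, strictly after its pre-audit in Q1, the cloud-supplier audit slips to Q3 because Q2 is full, and the low-risk, low-value decommissioning audit is the one that drops off: the schedule makes the resource trade-off visible instead of hiding it in a diary.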
NoticeBored.webp 2018-03-13 21:27:39 NBlog March 13 - normal service ... (direct link) ... will be resumed, soon. We've been slaving away on a side project, putting things in place, setting things up, trying things out. It's not quite ready to release yet - more tweaking required, more polishing, lots more standing back and admiring from a distance - but it's close. General Information
NoticeBored.webp 2018-03-09 13:00:43 NBlog March 9 - word cloud creativity (direct link) Yesterday I wrote about mind mapping. The tick image above is another creative technique we use to both explore and express the awareness topic. To generate a word cloud, we start by compiling a list of words relating in some way to the area. Two key sources of inspiration are: the background research we've been doing over the past couple of months - lots of Googling, reading and contemplating; and our extensive information risk and security glossary, a working document of 300-odd pages, systematically reviewed and updated every month and included in the NoticeBored awareness modules. Two specific terms in that word cloud amuse me: "Man-sure" and "Lady-sure" hint about the different ways people think about things. When a lay person (man or woman!) says "I'm sure", they may be quite uncertain in fact. They are usually expressing a subjective opinion, an interpretation or belief with little substance, no objective, factual evidence. It can easily be wrong and misleading. When a male or female expert or scientist, on the other hand, says "I'm sure", their opinion typically stems from experience, and carries more weight. It is less likely to be wrong, and hence provides greater assurance. This relates to integrity, a core part of information security. It's not literally about sex. Aside from integrity and assurance, we have defined more than 2,000 terms-of-art in the glossary, with key words in the definitions hyperlinked to the corresponding glossary entries. I use it like a thesaurus, following a train of thought that meanders through the document, sometimes spinning off at a tangent but always triggering fresh ideas. Updating the glossary is painstaking yet creative at the same time. Getting back to the word cloud, we squeeze extra value from the list of words by generating puzzles for the modules.
Our word-searches are grids of letters that spell out the words in various directions. Finding the words 'hidden' in the grid is an interesting, fun challenge in itself, and also a learning process since the words all relate to the chosen topic. There are other aspects to the word cloud graphic: All the words are relevant to the topic, to some extent; Guideline
NoticeBored.webp 2018-03-08 10:37:08 NBlog March 8 - brainstorming awareness ideas (direct link) At this early stage of the month, although we have some ideas in mind for the content of the next awareness module, they are unstructured. We need to clarify the scope and purpose of the module, developing themes to pull things together and 'tell the story'. Mind mapping is our favourite technique for that: we sketch out the topic area on a single sheet starting from a central topic word ("Assurance" this month) and arranging a few major themes around it, connecting the words to show their relationships. On paper, it starts out simply like this with 3 key themes: Then we expand on those initial themes with further details ... and keep going until we run short of inspiration and decide to move ahead to the next stage ... General Information ★★
Last update at: 2024-05-05 12:07:54