What's new around the internet


Source | Date (GMT) | Title | Description | Tags | Stories | Notes
NoticeBored 2018-03-06 20:21:56 NBlog March 6 - bloggin on bloggin (direct link)
You might have noticed the Digital Guardian logo in the side bar: we're honoured to be listed among their "top 50 infosec blogs you should be reading". Cool! Thanks Digital Guardian, purveyors of "Threat Aware Data Protection to Safeguard Your Sensitive Data from ALL THREATS!" One of their topical product lines is ransomware protection that "FILTERS OUT THE NOISE SO YOU FOCUS ON REAL THREATS". Nice! We take a similar filtering approach with our security awareness subscription service but, hey, take it easy on the CAPS there, DiGiTaL GuArDiAn!
Last year we made it onto Feedspot's top 100 information security blogs list to earn a nice virtual medallion.
There's more to this piece than mutual grooming and product placement though. Top-N lists are handy starting points for those seeking new sources - me included. I track a fair number of information risk and security blogs and websites routinely, specifically the ones I have discovered and liked enough to add to my bookmarks and blog aggregator. Every so often I review my selections, trimming off the ones that are either no longer actively updated or have spun away on tangents. When hunting for replacements, top N lists can be inspirational.
I hope this blog inspires you, and that you find my perspective interesting. Thanks for stopping by.

NoticeBored 2018-03-05 14:42:07 NBlog March 5 - fiftieth ISO27k standard published (direct link)
I've completed the revision of www.ISO27001security.com, bringing the site up to date with the status of all the ISO27k information security management standards.
There are currently some 50 published ISO27k standards, by my count, with a further 12 or so in development.
Way down in the weeds, there are several inconsistencies and issues within individual standards, and some gaps in the coverage. Overall, though, the standards do a pretty good job of promoting a systematic approach to information risk management (without using that specific term!).
ISO/IEC standards cost about US$150 each so a full set of 50 would set you back about US$7,000 - a non-trivial amount. I've argued for years that the ISO27k standards should be free to encourage global adoption of good security practices for the benefit of society at large ... but so far only two of the set are free, and worse still it takes a determined hunter to find them since the standards bodies and commercial outlets would much rather make money.
Talking of which, we will soon be hosting advertisements on the site, courtesy of Google, in order to defray our costs. It's time to stop jangling the begging bowl and look after our interests in order to keep the site going. I just hope the ads aren't too intrusive and earn us enough to pay for the hosting and administration. It would be great to redevelop the site to improve the design, especially for all our pixel-constrained mobile-phone-using visitors, but somehow I doubt there will be enough in the coffers for that.

NoticeBored 2018-02-28 21:54:40 NBlog March 1 - Invasion of the Cryptominers (direct link)
That's it, we're done! The 2018 malware awareness module is on its way to NoticeBored subscribers, infecting customers with ... our passion for the topic.
There are 28 different types of awareness and training material, in three parallel streams as always:
Stream A: security awareness materials for staff/all employees
1. Train-the-trainer guide on malware (MS Word document)
Tags: Malware | Stories: APT 15

NoticeBored 2018-02-27 14:30:42 NBlog February 27 - the bigger picture (direct link)
The NoticeBored awareness module now nearing completion discusses the cryptomining malware that has come to prominence since the materials were last updated a year ago. It is hard to get terribly worked up about the theft of CPU cycles and joules while we're still battling ransomware, spyware and APTs ... but scratch a little deeper to discover that cryptominers are more symptom than cause, the tip of a very chilly iceberg.
Q: How do systems get infected with cryptominers?
A: Through the usual malware infection mechanisms, i.e. security vulnerabilities in the IT systems and the people who use them.
Q: How do the crooks benefit?
A: Victims generate money for them, plainly ... but they also expose themselves and their systems to further compromise and exploitation. Ahhhh.
There are shades of the 'fraud recovery' frauds which trick the victims of 419 advance fee frauds into also spending out for mythical 'compensation' and 'lawyers' fees'. You'd have thought being suckered once was enough to put people on their guard but it seems not: victims have marked themselves out as vulnerable. "I'm down, kick me again".
I'll leave it there for today as we need to finish the module. Maybe tomorrow I'll have time to blog about the similarities between today's Bitcoin boom and the pyramid or Ponzi schemes of yore.

NoticeBored 2018-02-25 09:07:30 NBlog February 25 - malware update 2019? (direct link)
The 2018 malware update awareness module is a Work In Progress. We've all but completed the awareness materials for the general staff audience, and today we'll crack on through the management and professional streams.
Every year I wonder what we are going to say in the malware module, given that we've covered this topic so many times before. I worry that we might not find anything new to add, forcing us to re-hash the same old stuff in the hope of making it interesting enough to resonate with the audiences. Yet again I needn't have worried. The malware threat is constantly mutating, much like a biological virus in fact. As fast as we discover and get to grips with each form, novel attacks and new challenges arise. There's no shortage of new things to say.
Cryptomining malware emerged from its lair in the middle of last year. As it happens, it's one of the more benign forms that merely consumes resources, reduces performance and increases costs, as opposed to devastating and in some circumstances life-threatening forms ... and yet it is virulent (it spreads widely and rapidly) and weakens the host (aside from running the cryptomining software, what else might be going on in the background?).
Perhaps next March when we refresh the malware module yet again, we'll pick up on the biological similarities by bringing up MRSA "superbugs" that have the healthcare and pharmaceutical industries and authorities worried. What will we do if/when our antivirus controls fail us? What is the cybersecurity equivalent of 'deep cleaning the ward' using bleach, with palliative care for patients whose infections we simply cannot treat? If it came down to it, how would we fully isolate and treat an organization whose malware infection seriously threatens the rest of us? Who has the ability, and the authority, to turn off life-support or flip the kill-switch?
It would be good to have kick-started the thinking and planning early, before we find ourselves wallowing around in brown stuff. Security awareness isn't purely about learning from the past, or even the present.
Either way, I'm confident that in a year's time there will be something new and pressing to raise!

NoticeBored 2018-02-22 16:38:06 NBlog February 22 - responsible disclosure (direct link)
Today I've been scouring the web for news on cryptominer incidents to incorporate into next month's awareness materials on malware.
As well as the usual doom-n-gloom reports from assorted antivirus companies bigging-up the cryptominer threat, I came across an interesting letter from a US hospital, formally notifying patients about an incident.
The infection was identified back in September 2017, and eradicated within 4 days of detection.
Although the malware infection was a relatively benign cryptominer, the hospital sent a formal notification letter to patients at the end of January 2018 since the infected system held their medical data. Full marks to the hospital management for 'fessing up to the incident and publicly disclosing it, and for apparently handling the incident in a professional and reasonably efficient manner (although arguably 4 months is an age in Internet time).
They have offered free credit monitoring services, more appropriate in case of identity fraud ... which is a possibility if the malware gained privileged access to the system. I wonder, though, whether this letter was simply part of their pre-prepared generic response to a cyber-incident, perhaps a defensive move prompted by their lawyers just in case personal/medical information was disclosed inappropriately.

NoticeBored 2018-02-20 18:35:49 NBlog February 20 - awareness in small doses (direct link)
Last month I blogged about consciously adopting a different style of awareness writing, with succinct tips-n-tricks supplementing, perhaps even replacing, conventional descriptive paragraphs.
At the risk of becoming recursive, one of the tips included in March's malware awareness module will be for NoticeBored customers to solicit tips from their colleagues who have suffered malware incidents recently. The idea is for the security awareness people to:
- Find out what happened, to whom, when and how;
- Speak, discreetly, to the people involved or implicated in the incidents;
- Explore the consequences, both for the business and for them personally;
- Tease out the tips - lessons worth sharing with others;
- Share them.
Such an approach would work extremely well in some organizational cultures, but in others people can be reluctant to admit to and open up about their issues. Although it is feasible to draw out and express the key learning points anonymously, without identifying those directly involved, the process loses a lot of its awareness impact.
Think about it: if someone stands up before an audience, admits to failings that caused or failed to prevent a malware incident, and is clearly affected by the whole episode, isn't that a powerful, moving message in itself, regardless of the content?
So, taking my own medicine, the Hinson tip cut-to-the-chase version of this blog piece is:
"Find out about malware incidents from those involved, and share the lessons as part of your awareness program."
While it's not the full story, that is hopefully just enough to catch your eye and stick in your memory.

NoticeBored 2018-02-17 12:25:47 NBlog February 17 - The I part of CIA (direct link)
Integrity is a universal requirement, especially if you interpret the term widely to include aspects such as:
- Completeness of information;
- Accuracy of information;
- Veracity, authenticity and assurance levels in general, e.g. testing and measuring to determine how complete and accurate a data set is, or is not (an important control, often neglected);
- Timeliness (or currency or 'up-to-date-ness') of information (with the implication of controls to handle identifying and dealing appropriately with outdated info – a control missing from ISO/IEC 27001 Annex A, I think);
- Database integrity plus aspects such as contextual appropriateness plus internal and external consistency (and, again, a raft of associated controls at all levels of the system, not just Codd's rules within the DBMS);
- Honesty, justified credibility, trust, trustworthiness, 'true grit', resilience, dependability and so forth, particularly in the humans and systems performing critical activities (another wide-ranging issue with several related controls);
- Responsibility and accountability, including custodianship, delegation, expectations, obligations, commitments and all that ...
- ... leading into ethics, professional standards of good conduct, 'rules', compliance and more.
The full breadth of meanings and the implications of "integrity" are the key rea
Tags: Guideline

NoticeBored 2018-02-16 14:37:13 NBlog February 16 - innovative malawareness (direct link)
Malware has been a concern since the 1980s. It's an awareness topic we update and refresh every March, and yet we never fail to find something new to discuss. Last year, we focused on ransomware, a 'real and present danger' at the time with several high-profile organizations (such as the UK National Health Service) suffering disruptive and very costly incidents. This year, surprisingly, the ransomware risk appears to have declined according to some reports, only to be replaced it seems by the next wave: cryptocurrency mining Trojans.
Meanwhile, we suspect reports of the demise of ransomware are premature. Compared to slowly milking a few Bitcoins from a large botnet of cryptominers, holding organizations' or indeed individuals' data to ransom for a few hundred dollars or more per hit seems much more lucrative – but also riskier for the criminals behind the scams. Perhaps what's really behind this is the criminals' risk-reward tradeoff. Then again, maybe it's just that the analysis is flawed. Perhaps ransomware was not quite as bad as it seemed last March, and remains at much the same level today. One of the perennial issues we face in researching the malware topic is that the most readily available information is published by antivirus companies, with an obvious commercial agenda to make the malware issue appear worse than it really is. Sifting through the stream of "surveys" and "reports" to find the few of any note and credibility is a tedious task, making this one of those areas where our security awareness service goes beyond the bare minimum. Rather than regurgitating the same old stuff and scaremongering, we're adding value by researching information risks and challenging the conventional wisdom. Innovating, you could say, or being unconventionally wise.

NoticeBored 2018-02-14 12:59:46 NBlog February 14 - IoT security & privacy standard (direct link)
I've just added another new page to ISO27001security.com for ISO/IEC 27030, a standard now being developed for IoT security and privacy.
I've been arguing for years that it would be appropriate, since they specify a risk-based approach to security management, for the ISO27k standards to specify the information risks they address. To that end, I've published a PIG (Probability Impact Graph) graphic from the NoticeBored security awareness module on IoT and BYOD, to set the ball rolling ...
There seems little chance of persuading ISO/IEC to incorporate such a colorful image in the standard, unfortunately, but hopefully the analytical approach will at least prove useful for the project team busily drafting the new standard.
On the web page I've described the red and amber zone IoT risks. I'm sure we could have an excellent discussion about those and other risks in the committee, except there is never enough time at the twice-yearly SC27 meetings to get far into the nitty-gritty of stuff like this. Instead I'll see whether I can raise any interest on the ISO27k Forum, perhaps feeding relevant content and creative suggestions to SC27 via formal comments submitted by NZ Standards - the tedious, antiquated, laborious, slow and expensive approach that we are presently lumbered with. It hardly seems worth the effort.

NoticeBored 2018-02-13 13:18:38 NBlog February 13: ISO/IEC 27000:2018 FREE download (direct link)
I've caught up with a small mountain of ISO/IEC JTC1/SC27 emails, and updated www.ISO27001.com with a smattering of news.
A few new and updated standards have been released in the past 4 months or so, including ISO/IEC 27000:2008, the overview and glossary of terms used throughout ISO27k. As usual, ITTF offers legitimate FREE single-user PDF versions of ISO/IEC 27000 in both English and French. Please observe the copyright notice. The free ITTF PDFs are for personal use and are not to be shared or networked.
Other recent (but not free) releases include ISO/IEC 27007 (management system auditing), 27019 (securing SCADA/ICS process controls in the energy industry) and 27034-5 (application security).
ISO/IEC 27021 is an interesting new one: it explains the competences (knowledge and skills) required by ISMS professionals. It's fairly straightforward, really, but nice to see it laid out in black and white, with the implication that assorted ISO27k training courses will gradually fall into line.
Perhaps we should develop an ISO27021-aligned training course. Would you like to pop down to the South Pacific to learn how to do this ISO27k ISMS stuff, or invite me over to wherever you are? If so, please get in touch. It's a lot of work to put a course together, so we'd need to establish first whether there would be sufficient demand. 😊

NoticeBored 2018-02-09 15:09:40 NBlog February 9 - mapping awareness memes (direct link)
Yesterday I came up with the suggestion of using memes to spread security awareness messages from person to person, in a similar fashion to the way that computer viruses and worms spread from IT system to IT system. Today I'm trying to come up with something that people will spread among each other by word of mouth, through email and TXT etc., something funny, shocking or useful - such as tips to avoid falling prey to malware maybe, or rumors about a serious malware infection within or close to the organization.
'Too close for comfort' has potential, perhaps a malware incident and business crisis narrowly averted by sheer good fortune. Or maybe we could fool workers into believing that the auditors will soon be coming to check up on the antivirus controls?
Such an approach could be unethical, risky even (e.g. if it prompted workers to meddle inappropriately with antivirus configurations or audit trails, rather than ensuring that the antivirus controls were operating correctly). It would need to be carefully considered and planned, which itself constitutes an awareness activity even if, in the end, the decision is taken not to go ahead.
The 'meme map' (derived from "Meme Maps: A Tool for Configuring Memes in Time and Space" by John Paull) represents the lifecycle and spatial or geographical spread of the meme. Reading from the bottom up, both the yellow area prior to the meme's release, and then the green area, are awareness opportunities. Mapping and demonstrating the gradual spread of a security awareness meme within the organization (e.g. mapping the source of clicks on a link to a fake internal memo about the fictitious antivirus audit, or tracking calls abo

NoticeBored 2018-02-08 14:04:50 NBlog February 8 - making security awareness infectious (direct link)
Just appearing into view along our virtual conveyor belt comes an updated module on malware, one of those perennial, almost universally-applicable security awareness topics.
Aside from generally checking over and fluffing-up the content delivered in prior years, we're on the lookout for new developments, specifically any changes in the risk profile or security controls associated with malware.
Something we've spotted is an alleged move away from ransomware (which was Big News this time last year, a real and present danger) towards using compromised systems for crypto currency mining. I'm not entirely convinced at this point whether that is a genuine change: maybe ransomware has indeed peaked out (I sure hope so!), maybe not, but either way mining malware could be an emerging trend, another short-lived fad, a mistaken interpretation of limited data or pure fiction invented by someone flogging antivirus software.
Over a much longer timescale, commercial exploitation of malware remains evident, along with the continuing battles between black and white hats. For decades we have seen innovative and increasingly complex technologies being deployed on both sides - clever stuff, but things have more or less stalled on the human front. Despite our best efforts through awareness, education, training, phishing simulators etc., the same old social engineering tricks remain somewhat effective today at spreading malware, and there's plenty of potential there for further innovation. Novelty is a challenge for both the tech and non-tech malware defenses. This is cutting-edge stuff where established approaches gradually lose their power. Purely responding to changes on the offensive side is bound to set us on the back foot, especially given that most of those changes are unrecognized as such, initially anyway. Who knows, maybe the Next Big Thing in social engineering might be quietly ramping up right now.
So, I'm sitting here thinking about how to encourage NoticeBored subscribers to up their game with more innovative malware defenses, including our creative efforts on security awareness of course but what else could they be doing? Hmmm, I wonder if security awareness messages could be delivered by malware-like infectious mechanisms?

NoticeBored 2018-02-05 20:55:47 NBlog February 5 - protecting information awareness module (direct link)
'Protecting information' is a non-specific title. Almost everything that we do is about protecting information so what does February's NoticeBored awareness module actually cover?
'Protecting information' begs questions such as:
- What is the information that deserves or needs to be protected?
- What are the risks the information is protected against - the threats, vulnerabilities and impacts?
- How can or should the information be protected?
- Who is responsible for protecting it?
For the answers, we drew inspiration from the fields of information risk management, intellectual property and knowledge management, as well as information security and governance. As usual, we chose to discuss all kinds or forms of information in the typical business context - not just computer data. 'Knowledge' for instance includes workers' experience and expertise, trade secrets and know-how in general. The corresponding information risks and controls are quite diverse.
Information classification is one of the key controls patiently explained. The process of classifying and protecting information is more involved than it may appear. Awareness is particularly important for organizations handling government and defense information: it's all very well stamping SECRET on your manila folders, but what does that actually mean, in practice? What does it achieve? What's the point? How does it work?
The materials promote a balanced and considered approach towards protecting information. Excessively strong information security reduces legitimate access to, and utility of, the information. The very value we seek to protect can be degraded by too much security. Many information/cyber security professionals would do well to consider this paradox! Protecting the availability of information sometimes means compromising on the controls for confidentiality and integrity.

NoticeBored 2018-01-31 19:09:58 NBlog January 31 - protecting information (direct link)
Today after the usual end-of-month rush, we completed and delivered February's security awareness module on protecting information.
We have updated the NoticeBored website with an outline of the new module. I'll have a bit more to say about it here on the blog, maybe tomorrow. Right now I'm de-stressing with a glass of red wine and some time off in front of the TV.

NoticeBored 2018-01-24 17:40:49 NBlog January 24 - distracted, again (direct link)
Today was a glorious summer day in Hawke's Bay - about 30C under clear blue skies, hot sun and plenty of greenery thanks to the odd thunderstorm lately. Not exactly the ideal weather for slaving away in the office.
As I was hootling down the track on the 4x4 farmbike on my way to turn off our water pump this afternoon, I turned to look across our paddock ... and saw Maka ("maarka"), our tame/pet red deer hind, sniffing at a little brown wobbly thing, staggering drunkenly around as it struggled to stand on the slope.
The fawn was only an hour or so old. We didn't even know Maka was pregnant, let alone due today, so it was a very pleasant surprise. Mother and baby are doing well. We feel like proud grandparents.

NoticeBored 2018-01-22 18:30:50 NBlog January 22 - turning the tables (direct link)
Social engineers exploit their "knowledge" of psychology to manipulate and exploit their victims. So how about we turn the tables - use our knowledge of psychology to counter the social engineers?
That thought popped unexpectedly into my head over the weekend as I was grubbing weeds in the paddock. I've been mulling it over ever since, making hardly any progress to be honest. One thing that occurs to me is that social engineers are potentially just as vulnerable to manipulation as their victims, although they have the advantage of having consciously and deliberately performed their attacks ... which could in fact be a weak point: if they believe they are in the driving seat, they may not anticipate being driven. There is some evidence of this, for example 419ers (advance fee fraudsters) have occasionally been led along the garden path by savvy targets. Scam-baiting became A Thing about a decade ago, relatively amateurish though and risky to boot: the authorities quite rightly warn against vigilantism in general, but there were some creative schemes and hilarious trophies.
A better planned, coordinated and generally more professional approach, applying proper psychology and science rather than just bitterness, retribution and belittling, has some merit as a strategy, particularly if the aim is to fire up workers' imaginations and so make them more aware of, and resistant to, the scammers. Whereas an individual organization or even a group may stand little chance of stamping out the 419ers and other social engineers, they can perhaps tilt the odds in their favor, becoming slightly harder, less attractive targets.
I'm still not sure where I'm going with this. It's one of those little germs of an idea that might sprout and flourish, but more likely will disappear without trace. Perhaps me writing about it here has set YOU thinking about it, and together we can take it forward as a discussion thread. It will at least remind me when I'm checking through the blog posts at some future point, having totally forgotten about it!

NoticeBored 2018-01-19 15:33:48 NBlog January 17 - the compliance case for security awareness (direct link)
Security awareness may be something you have to do for compliance reasons (mostly to avoid penalties) or something you want to do to gain the benefits, often both.
Today I'll concentrate on the compliance aspects, the most straightforward part, leaving the business case for another day's blogging.
Compliance pressures come at us from all sides!
Laws and regulations: many information-related laws and regs mandate adequate information security, particularly those concerning privacy and governance, plus those applicable to the healthcare, financial services, government, infrastructure/utility and defense industries. Some of them specify awareness and training explicitly, others are more circumspect, typically referring to ensuring compliance without saying precisely how to achieve that.
Contracts and agreements: PCI-DSS is the classic example of a contractual obligation to secure information, specifically card holder information relating to credit and debit cards. Security awareness is a mandatory requirement of PCI-DSS. Another example is the typical employment or service contract, containing clauses about securing personal and proprietary information and protecting the organization's interests. Yet another is cyber insurance: the policy small-print may include requirements along the lines of 'generally accepted standards and practises of information security', or mention particular laws and standards, or may specify particular controls (such as incident management and breach notification). Many a lawyer's fee results from the nuances in this area! Claiming that an incident occurred because workers were unaware of their security obligations would be a strong case for the prosecution, not the defense.
Corporate strategies, policies and standards: many organizations have formal company rules relating to information risk and security, website privacy policies for instance. If employees don't know and care about them, what is the point in even having them? Despite being an obvious requirement (obvious to us anyway, and now you too!), awareness and training is not universal although the requireme

NoticeBored 2018-01-19 15:30:23 NBlog January 18 - the business case for security awareness (direct link)
A day or so ago I wrote about organizations being pressured into security awareness for compliance reasons. With some exceptions, compliance is externally imposed and doesn't directly benefit the organization through increased profits - rather it avoids or reduces the losses and costs (including penalties) associated with noncompliance. That is still a financial benefit but with negative, oppressive connotations. Today I'm moving on to more positive, profitable matters, the business benefits arising from security awareness and training, of which there are several:
- Better recognition and identification of information risks
- More appreciation and understanding of information risks
- Fewer, less costly incidents
- Better governance
- Greater organizational and personal resilience
- Organizational learning and sustained improvement (maturity)
- A genuine, deep-rooted and all-encompassing corporate security culture
- Deterrence
- Getting the most out of other information security controls
- Other spin-off benefits, e.g. inventories of information assets
You may have spotted an underlying theme, in that most of the benefits of security awareness and training stem from better information risk management. In a sense, awareness is 'just another security tool', but one with a multitude of applications, more Swiss multitool than hammer.
I am fleshing out all those bullet points into a template "Business case for an infor

NoticeBored 2018-01-16 20:21:49 NBlog January 16 - revising a backup tip-sheet (direct link)
I've been talking about simplifying our awareness content, making the materials more actionable, more direct in style - and here's an example.
Dipping into our stash of awareness content I discovered an awareness briefing on "Data backups" written six and a half years ago. It's not a massive tome, just a single A4 side of information, and the content hasn't aged significantly (although "PDA" is not an acronym we hear much these days!). But the written style needs some adjustment.
The original started out with a summary: "IT Department makes regular backups of data on the network drives so computer users must either store all their information on the corporate network, or make alternative backup arrangements. Make sure you have good backups before it is too late."
The first sentence is passive, referring to "computer users" in the third person, rather than speaking directly to the reader. I have railed before about the term "end user" being used by IT professionals as a disparaging term with vague connotations of drug addiction - not exactly a flattering way to refer to our work colleagues! The second sentence is much more direct: it's a keeper.
Moving on, the next section headed "Why backups are so important" set the scene by outlining typical situations where computer data might be lost or corrupted, such that the only feasible response is to restore from backups - not a bad little list of incidents (malware, bugs, hackers and physical loss/damage), one we can re-use easily enough. It's a set of bullet points, quite succinct.
The next section gave advice: this took two substantial paragraphs making a big block of text. I've rewritten that to another set of succinct bullet points, more direct and action-oriented.

NoticeBored 2018-01-15 12:38:30 NBlog January 15 - protecting information in the cloud (direct link)
The graphic is about securing data in the cloud, taking us into the realm of cloud computing and Internet security. At the end of my previous blog item, I mentioned that I'd be looking for situations where tightening security by adding additional controls is not necessarily the best approach, and sure enough here's one.
Putting corporate and personal data into the cloud involves a significant increase in some information risks, compared to keeping everything in-house. Strong encryption of both data comms and storage is a substantial and obvious control - necessary but not sufficient to mitigate the cloud risks entirely. Many other information security controls can be applied to reduce the risks further. However the costs increase all the time. Extremely risk-averse organizations may take the position that cloud computing is simply too risky, even with strong controls in place, so they partially or wholly avoid it ... which also means forgoing the benefits, including significant business and information security benefits (such as the highly resilient and flexible cloud infrastructure, supporting business continuity plus proactive capacity and performance management).
OK, so that's a situation we might explore for the "Protecting information" awareness module, but it's quite complex as described. We need to find a simpler, more straightforward way to express it - my task for today.

NoticeBored.webp 2018-01-12 17:54:28 NBlog January 12 - microwave ready meals (direct link) February's working title "Protecting information" is so vague as to be almost meaningless, yet it is written in an active sense, hinting at the process or practice of protecting information - the things we actually do, or should consider doing at least. We might instead have gone for "Information protection", placing more emphasis on the principles than the practices but, in keeping with yesterday's piece about engaging our reader on an individual basis, the new materials will be relatively simple and pragmatic: I'm thinking checklists and action plans, stuff that the reader can pick up and use directly. More "Microwave ready meal" than "Michelin chef's secret recipe". Leafing through our stash of awareness content, we have previously delved into information classification schemes (what they are for, how they are designed and how they typically work): this time around we might skim or ignore the theory to focus on using classification in practice, as a workplace tool - how to do it, basically. Hmmm, I wonder if I can write a Haynes Manual-style step-by-step classification guide, with pictures? We've also explored knowledge management and intellectual property rights before - again fairly academic or theoretical concerns. It will take a bit more head-scratching to think of practical applications that people can relate to. Straight-talking advice on 'What to look for in a license' maybe? Maybe not. Another area we have covered repeatedly is information risk management, a structured approach that underpins the entire domain, including the ISO27k standards. The management aspects remain relevant for our customers' managers but for February I'm tempted to skirt around the conventional information risk and security perspective (identifying and characterising the risks, then applying security controls to mitigate them) to find real-world examples of risk avoidance, risk sharing and/or risk acceptance. So now I'm on the look-out for examples of real-world situations where tightening the controls is not necessarily the best approach ....
NoticeBored.webp 2018-01-11 16:06:05 NBlog January 11 - awareness styles (direct link) Over the past couple of months, I've written and published a suite of 'Hinson tips' on another passion of mine: amateur radio. The tips concern a cutting-edge development in digital communications, and how to get the most out of the associated software. I've had a lot of feedback on the tips, reflecting global interest in the new software and, I guess, the need for more guidance on how to use it. The reason I'm bringing it up here is that my writing style appears to have influenced the nature of the feedback I'm getting from, and my relationship with, the readers. I honestly wasn't expecting that. There was already a reasonably comprehensive help file for the program, well-written but in a fairly formal and dry technical style typical of technical manuals (not those ineptly translated from Chinese via Double Dutch!). A constant refrain is that people don't read the help file, just as we don't RTFM (Read The Flamin' Manual!). I suspect part of the reason is that 'fairly formal and dry technical style': despite amateur radio being a technical hobby, many hams are not technically-minded. Some simply enjoy using the radio to talk to people, and why not? It takes all sorts. Digital communications adds another layer of complexity through information theory and mathematics underpinning the protocols we use, and IT is a world of pain for some. To be frank, although I have a passing interest and some knowledge, I'm way out of my depth in some of those areas ... which means I empathise with those who are equally uncomfortable. There is also an active online support forum, populated by a mix of experts, somewhat experienced users and complete novices. Unfortunately, the forum is suffering a little from the recent influx of people, some of whom are very passionate (which can easily come across as opinionated, strong-willed and direct). Being a global community, a lot of hams don't understand English very well (if at all!), hence the language can be a problem for them, as well as the sometimes hostile reception anyone gets on asking a 'dumb question'. Even attempting to explain things patiently in response to a genuine question or discuss ways to respond to an issue can lead to complaints that there are 'too many messages' and we are 'going off-topic', reflecting general frustration and perhaps a lack of understanding and/or focus. So, I deliberately chose to write the tips in an accessible, readable, informal style, drawing on, interpreting and re-writing material from the help file and the forum, Guideline
NoticeBored.webp 2018-01-10 10:47:49 NBlog January 10 - archives come in pairs (direct link) The NoticeBored security awareness program moves on to the next topic for February: 'protecting information' is the working title, a deliberately vague term giving us plenty of latitude. Exactly what we will bring up, how we will raise and discuss things, the specific awareness messages we will be drawing out and so on is not determined at this point. It will become clear during January as we complete our prep-work and develop the awareness materials. This morning, in connection with a discussion thread on the ISO27k Forum, I've been contemplating information risk management in a general sense by thinking through a situation, coming up with a specific example that draws out a much broader learning point. Briefly setting the scene, the thread was started by someone asking whether it is really necessary under ISO/IEC 27001 to have a policy on risk-assessing valuable documents individually. We talked about grouping related assets together (such as 'Contents of cupboard 12') and controls (such as electronic backups) but the original poster circled back to the question of whether the ISO standard itself mandates a policy: "I understood that I need to classify our assets according to their importance and risk. But in general, would this cupboard-labeling method work according to ISO 27001 policies? For example, we have a lot of paper-form documents in three cupboards and I would sort them all in some way, and make the cupboard lockable and label the cupboard according to the sorting and put the label into my inventory list. Would that violate any ISO 27001 policy?" So this morning, I wrote this ... . . . o o o O O O o o o . . . Here's an important information security control that, as far as I
NoticeBored.webp 2018-01-04 11:14:03 NBlog January 4 - IoT and BYOD security awareness module released (direct link) The Internet of Things and Bring Your Own Device typically involve the use of small, portable, wireless networked computer systems, big on convenience and utility but small on security. Striking the right balance between those and other factors is tricky, especially if people don't understand or willfully ignore the issues – hence education through security awareness on this topic makes a lot of sense. From the average employee's perspective, BYOD is simply a matter of working on their favorite IT devices rather than being lumbered with the clunky corporate stuff provided by most organizations. In practice, there are substantial implications for information risk and security, e.g.: Ownership and control of the BYOD device is distinct from ownership and control of the corporate data and IT services; The lines between business use and personal life, and data, are blurred; The organization and workers may have differing, perhaps even conflicting expectations and requirements concerning security and privacy (particularly the workers' private and personal information on their devices); Granting access to the corporate network, systems, applications and data by assorted devices, most of which are portable and often physically remote, markedly changes the organization's cyber-risk profile compared to everything being contained on the facilities and wired LANs; Increasing technical diversity and complexity leads to concerns over supportability, management, monitoring etc., and security of course. Complexity is the information security manager's kryptonite. IoT is more than just allowing assorted things to be connected to Guideline
NoticeBored.webp 2017-12-30 20:57:06 NBlog December 30 - the start is nigh (direct link) With near-perfect timing, we're into the final stages of polishing off January's awareness module on IoT and BYOD security. I say near-perfect because this is the last weekend of 2017 with just over a day remaining until 2018. After a week of chilly and miserable weather, an unseasonal polar blast, I'd rather be out enjoying the fine weather and getting ready for the traditional new year's eve celebrations! The last section of writing took a bit longer than planned, but I'm confident we'll hit the delivery deadline. Updates to the NoticeBored website are in hand and we'll be packaging and sending the materials to subscribers tomorrow, electronically that is. Looking forward, we've selected awareness topics for the first few months of 2018 and written them up on our distinctly low-tech office whiteboard. We deliberately don't plan too far ahead (who knows what will crop up?) but it takes time to research and draft the materials. Having working titles and outline scopes in mind keeps us focused and on-track. If a particularly dramatic information security incident occurs, we can always drop the current work to pick up on it, pushing the original plan out a month. With 60-odd information risk and security-related topics in the portfolio, there's not a lot we haven't covered already, to some extent. The NoticeBored back catalog is as much a source of inspiration as content, though, since the field is constantly moving. On top of that, our own interests and preferences are gradually evolving too.
NoticeBored.webp 2017-12-28 13:51:20 NBlog December 28 - slowly slowly catchee monkey (direct link) As the end of month deadline looms, we're close to finishing January's NoticeBored security awareness module on IoT and BYOD. Today I'm working on the awareness seminar slide deck and accompanying briefing paper for the audience group we call 'professionals', blue-collar workers essentially, specialists in IT, risk, security, audit, facilities, control, compliance etc. We dig a bit deeper into the topic for that audience, but not too deep. The overriding awareness objective is to inform, intrigue, motivate and set them talking to their colleagues (other professionals plus the general and management audiences) about and around the topic. Awareness is not training, although there is a grey area and the terms are often confused. Ultimately, we hope the pros will pass on some of their knowledge and enthusiasm for the topic to others, preferably with more than just a casual nod towards the information risk and security aspects. IoT and BYOD are obviously IT-related, so the pro materials are IT-centric this month. The awareness poster image above mentions "latest hi-tech goodies" specifically to catch the eyes of geeks and technophiles, people who just love hot new gadgets - reading about them, drooling over the adverts, sometimes buying and using/playing with them, showing them off to their less fortunate playmates ... and occasionally hacking them to figure out how they really work. An article about hacking building management systems (things!) caught my beady eye today, for several reasons. It's right on-topic, for starters, exactly the kind of intriguing tech content that appeals to the pro audience we have in mind. The author's hacker mentality rings out. He has spent countless hours exploring their capabilities and vulnerabilities for more than a decade. To most of us, that's unnaturally obsessive behaviour but to him it's a hobby, a fascination or passion, fun even. I'm sure he'd do it even if he wasn't being paid to hack (he's a professional penetration tester by day). I'd love to inspire such intense passion among our customers' employees on the defensive side ... but it's hard given that I'm not there in person and anyway security awareness has a broader and more realistic goal. Some workers may be fire
NoticeBored.webp 2017-12-27 13:46:26 NBlog December 27 - inspirational security awareness (direct link) Normally in security circles, the word 'exploitation' has the distinctly negative and foreboding connotation of some evil miscreant wantonly attacking and taking advantage of us ... but we'll be using the word in a much more positive sense in the IoT and BYOD security awareness materials for January. The topic presents a golden opportunity to point out that information security mitigates the substantial information risks associated with IoT and BYOD, risks that would otherwise reduce, negate or even reverse the business advantages. It's not entirely plain sailing, though, since the risks are context-dependent. Someone needs to identify and evaluate the risks and the corresponding security controls, in order to determine firstly whether the risks are truly of concern to the organization (they can't be avoided or accepted), and secondly whether the security controls are necessary and justified since there are costs as well as benefits. We've pump-primed the process by doing the risk and security analysis in a generic way - a starting point for subscribers to consider and take forward. We don't pretend to know all about all the information risks each customer faces, nor the information security control options open to them. We're definitely not attempting to do the analysis for them, rather to inspire them to do it themselves. The awareness materials are the prompt to set them thinking and the motivation to get them going.
NoticeBored.webp 2017-12-26 20:01:58 NBlog December 26 - government security manual (direct link) An updated version of the New Zealand Information Security Manual (NZISM) - in effect the government's information security policy manual, or at least the public non-secret element - was released this month: NZISM is painstakingly maintained and published by the Government Communications Security Bureau (GCSB) - our spooks in other words. It is a substantial tome, well over six hundred A4 pages split across two volumes. Part 1 (365 pages) covers: A brief introduction to the topic and the manual, in the NZ government context; Governance arrangements including overall controls such as accountability and responsibility, and compliance through system certification and accreditation, audits and reviews; Policies, plans, Standard Operating Procedures plus emergency and incident response procedures; Change management; Business continuity and Disaster Recovery management; Physical security; Personnel security (including security awareness); Infrastructure security (well, cabling and TEMPEST anyway); Communications systems and devices (e.g. cellphones and wearables); Product security (acquiring commercial goods and services); Storage media (lifecycle management). Part 2 (another 300 pages) covers: Software security (e.g. hardened Standard Operating
NoticeBored.webp 2017-12-21 15:49:45 NBlog December 21 - auditor independence [LONG] (direct link) Over on the ISO27k Forum, we've been discussing one of my favourite topics: auditing, or more precisely the question of auditor independence. How independent should an auditor be? What does that even mean, in this context? SPOILER ALERT: there's rather more to it than reporting lines. My experienced IT auditor friend Anton posted some relevant definitions from ISACA, including this little gem: "Independence of mind: the state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional scepticism." While I agree this is an extremely important factor, I have a slightly different interpretation. 'Independence of mind', to me, is the auditor's mental capacity to examine a situation free of the prejudice or bias that naturally afflicts people who have been in or dealing with or managing or indeed suffering from the situation, plus all that led up to it, and all the stuff around it (the context), including all the 'constraints' or 'reasons' or 'issues' that make it 'a situation' at all. It's more about the auditor making a back-to-basics theoretical assessment, thinking through all the complexities and (hopefully!) teasing out the real underlying reasons for whatever has happened, is happening, and needs to happen next. The ability to report stuff (ISACA's "expression of a conclusion") is only part of it: figuring out how the situation ought to be in theory, then looking at it in practice, gathering objective, factual evidence, doing the analysis, probing further and focusing on the stuff that matters most (the 'root causes'), are at least as important audit activities as reporting. Here's a little exercise to demonstrate why independence matters: next time you drive or are driven on a familiar route, make an extra special effort to spot and look carefully at EVERY road sign and potential hazard along the way. Concentrate on the task (as well as driving safely, please!). Say out loud ever Guideline
NoticeBored.webp 2017-12-19 20:52:40 NBlog December 19 - sticky ends (direct link) Surveys typically show that: Most organizations have some form of BYOD scheme encouraging or permitting workers to use their own laptops, smartphones and tablets for work; and IoT is spreading fast but still has a long way to go before it peaks. We infosec geeks may throw up our hands in horror ... but the facts remain: BYOD and IoT are popular, now. They are here to stay and almost certain to expand. It's too late now for us to bleat on about the information risks and security concerns*. The train has long since left the station. So how should we handle this situation? An obvious approach is to retrospectively identify, assess and treat the information risks as best we can, emphasizing threats such as hackers, malware, theft or loss of information, and inappropriate disclosure, and promoting security controls such as - well, that's where it gets tricky because we have limited options for technical controls, and (despite our best efforts!) security awareness is never going to be a total cure for employees being incautious or careless. Being so negative and constrained, it's hardly a convincing argument. You could say it's also behind the times, fighting the last war as it were. Instead, we're taking a more proactive and upbeat line in the NoticeBored content for January. There are business opportunities in going with the flow, embracing BYOD and IoT (where appropriate), making the best of the rapidly evolving technology and forging ahead. Maybe we can't fix everything today, but we surely can make tomorrow better. Here's a single example: if a company's widgets can be smartened-up and networked, they might just catch the wave. Innovation is a vital component of brand value for many organizations, a common strategic driver. Provided the technology, security and privacy aspects are sufficiently well addressed, smart, networked widgets may be used to gather information about how the widgets are used in practice by real customers, en masse, giving valuable insight to drive furthe
NoticeBored.webp 2017-12-18 15:32:02 NBlog December 18 - the complexities of simplification (direct link) From a worker's perspective, BYOD is 'simply' about being allowed to work on his/her own ICT devices, rather than having to use those owned and provided by the organization. What difference would that make? It's straightforward, isn't it? Good questions! There are numerous differences in fact, some of which have substantial implications for information risk, security and privacy. For example, ownership and control of the device is distinct from ownership and control of the data: so what happens when a worker leaves the organization (resigns or is 'let go'), taking their devices with them? Aside from any corporate data on the devices, they had been permitted access to the corporate network, systems, apps and data. The corporate IT support professionals had been managing the devices, and probably had access to any personal data on them. Lines are blurred. In a similar vein, IoT is more than just allowing assorted things to be accessed through the Internet and/or corporate networks. Securing things is distinctly challenging when the devices are diverse, often inaccessible and have limited storage, processing and other capabilities ... but if they are delivering business- or safety-critical functions, the associated risks may be serious. The complexities beneath the surface make this a challenging topic for security awareness: we need to help workers (general staff, managers and specialists, remember) appreciate and address the underlying issues, without totally confusing them with techno-babble. That means simplifying things just enough but no more, a delicate balancing act. In reality, dividing the awareness audience into those three groups lets us adjust the focus, nature and depth of the materials accordingly. Managers, for instance, have a particular interest in the risk management, compliance and governance aspects that are of little concern to workers in general. At the same time, the awareness materials should generate opportunities for the three audience groups to interact, which means finding common ground and shared interests, points for discussion. That's what we're working on now.
NoticeBored.webp 2017-12-14 11:58:04 NBlog December 14 - distracted (direct link) I've been a bit distracted the past day or two by the arrival of a calf called Nellie. Amelia, her mum, had been waddling dejectedly around the paddock for ages, almost as wide as she is tall, complaining about her sore back and practicing her breathing exercises. After the heat of recent weeks, the weather has now turned a bit cooler, wet and stormy which is probably a nice change for Amelia but a bit of a challenge for little Nellie, so we're keeping a close eye on them both. The joys of rural NZ!
NoticeBored.webp 2017-12-13 15:58:28 NBlog December 13 - IoT & BYOD security policies (direct link) Today we've been working on model policies concerning IoT and BYOD security. We offer two distinct types of policy: Formal information security policies explicitly defining the rules, obligations and requirements that must be satisfied, with a strong compliance imperative relating to management's authority. These are the internal corporate equivalent of laws ... although we go to great lengths to make them reasonably succinct (about 3 sides), readable and understandable by everyone, not just lawyers familiar with the archaic and arcane legal lexicon (such as has heretofore in the present clause been ably demonstrated, m'lud). Informal - or at least semi-formal - Acceptable Use Policies that are more advisory and motivational in nature. These compare pragmatic examples of acceptable (in green) against unacceptable (red) uses to illustrate the kinds of situation that workers are likely to understand. They are even more succinct - just a single side of paper. So, we now have four security policy templates for IoT and BYOD. Although they don't contain huge volumes of content and are relatively simple, it takes a fair bit of time and effort to research, design and prepare them. Part of our challenge is that we don't have a particular organization in mind - these are generic templates giving customers a reasonably complete and hopefully useful starting point that they can then customize or adapt as they wish. Those customers who already have policies covering IoT and BYOD might find it helpful to compare theirs against ours, particularly in terms of keeping them up to date with ever-changing technologies and risks, while also being readable and pragmatic. Having been developing policies for close to 30 years, I've learnt a trick or two along the way! The policies will be delivered to NoticeBored subscribers in January's security awareness module, and are available to purchase either individually or as a suite from us. Contact me (Gary@isect.com) for details.
NoticeBored.webp 2017-12-12 20:31:46 NBlog December 11 - things in Santa's sack (direct link) What's hot in toyland this Christmas? Way back when I was a kid, shortly after the big bang, it was Meccano and Lego for me. I still value the mechanical skills I learnt way back then. Give me a box of thin metal strips full of holes, a plentiful supply of tiny nuts and bolts, and some nobbly plastic bricks, and I'll build you an extraordinary space station complete with spinning artificial gravity module. Or I might just chew them. Today's toys supplement the child's imagination with the software developers'. There are apps for everything, running on diminutive devices more powerful than those fridge-sized beige boxes I tended for a hundred odd scientists (some very odd) in my first real job. Writing about tech toys in the shops this Christmas, Stuart Miles says: "For many, the days of just building a spaceship out of Lego or playing a game of Monopoly are long gone. Today, kids want interactive tech toys that are powered by an app or that connect to the internet. They want animals that learn and grow as you play with them, or robots that will answer back." Some toys are autonomous while others are networked - they are things. Microphones and cameras are often built-in for interaction, and we've already seen a few news reports about them being used for snooping on families. All fairly innocuous, so far ... but what about those high-tech toys we grownups are buying each other this year? Some will find their way into the office, the home office at least, where snooping has different implications.
NoticeBored.webp 2017-12-08 10:10:13 NBlog December 8 - cybersecurity awareness story-telling (direct link) Conceptual diagrams ('mind maps') are extremely useful for awareness purposes. This one, for instance, only has about 50 words but expresses a lot more than could be said with ~50 words of conventional prose: Despite it being more than 7 years since I drew that diagram in Visio, it immediately makes sense. It tells a story. Working clockwise from 1 o'clock, it steps through the main wireless networking technologies that were common in 2010, picking out some of the key information security concerns for each of them. It's not hard to guess what I was thinking about. The arrows draw the reader's eye in the specified direction along each path linking together related items. Larger font, bold text and the red highlight the main elements, leading towards and emphasizing "New risks" especially. Sure enough today we have to contend with a raft of personal, local, mesh, community and wide area networks, in addition to those shown. When the diagram was prepared, we didn't know exactly what was coming but predicted that new wireless networking technologies would present new risks. That's hardly ground-breaking insight, although pointing out that risks arise from the combination of threats, vulnerabilities and impacts hinted at the likelihood of changes in all three areas, a deliberate ploy to get the audience wondering about what might be coming, and hopefully thinking and planning ahead. It's time, now, to update the diagram and adapt it to reflect the current situation for inclusion in January's awareness module. The process of updating the diagram is as valuable as the product - researching and thinking about what has changed, how things have changed, what's new in this spa Guideline
NoticeBored.webp 2017-12-07 11:16:01 NBlog December 7 - Santa's slaves bearing gifts (direct link) Today we went on a tiki-tour of the forest in search of a few pine saplings of just the right size, shape and density to serve as Christmas trees. Naturally, the best ones were in the brambles or on the side of a near vertical slope but, hey, that's all part of the fun. I guess 'Web-enabled remotely-controllable LED Christmas tree lights' are The Thing this year. Ooh the sheer luxury of being able to program an amazing light show from your mobile phone! So what are the information risks in that scenario? Let's run through a conventional risk analysis. THREATS: Elves meddling with the light show, causing frustration and puzzlement. Pixies making the lights flash at a specific frequency known to trigger epileptic attacks. Naughty pixies intent on infecting mobile phones with malware, taking control of them and stealing information, via the light show app. Hackers using yet-another-insecure-Thing as an entry point into assorted home ... and corporate networks (because, yes, BYOD doubtless extends to someone bringing in Web-enabled lights to brighten up the office Christmas tree this year). VULNERABILITIES: Irresistibly sexy new high-technology stuff. Resistance is futile. Christmas is coming. Santa is king. Inherently insecure Things (probably ... with probability levels approaching one). Blind-spots towards information risk and security associated with Things, especially cheap little Things in all the shops. Who gives a stuff about cybersecurity for web-enabled Christmas tree lights? Before you read this blog, did it even occur to you as an issue? Are you still dubious about it? Read on! Does anyone bother security-testing them, or laying down rules about bringing them into the home Guideline
NoticeBored.webp 2017-12-05 08:24:37 NBlog December 5 - lurid headline (direct link) Social-Engineer.com's newsletter is a useful source of information about social engineering methods. The latest issue outlines some of the tricks used by phishers to lure their victims initially. "It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is safe to ask why that is the case though, given how much of this email gets caught up in our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering emotional responses from targets using simple and seemingly innocuous messaging to generate any response at all. Some messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker's choosing can then be sent or the message itself can entice the target to act." That same technique is used by advertisers over the web in the form of lurid or intriguing headlines and images, carefully crafted to get us to click the links and so dive into a rabbit warren of further items and junk, all the while being inundated with ads. You may even see the lures here or hereabouts (courtesy of Google). Once you've seen enough of them, you'll recognize the style and spot the trigger words - bizarre, trick, insane, weird, THIS and so on, essentially meaning CLICK HERE, NOW! They are curiously attractive, almost irresistible, even though we've groped around in the rabbit warrens before and suspect or know what we're letting ourselves in for. But why is that? 'Curiously' is the key: it's our natural curiosity that leads us in. It's what led you to read this sentence. Ending the previous paragraph with a rhetorical question was my deliberate choice. Like magpies or trout chasing something shiny, I got you. You fell for it. I manipulated you. Sorry. There are loads more examples along similar lines - random survey statistics for instance ("87% of X prone to Y") and emotive subjects ("Doctors warn Z causes cancer"). We have the newspapers to thank for the very term 'headline', not just the tabloid/gutter press ("Elvis buried on Mars") but the broadsheets and more up-market magazines and journals, even scientific papers. The vast majority of stuff we read has titles and headings, large and bold in style, both literally and figuratively. Postings on this blog all have short titles and a brief summary/description, and some of the more detailed pieces have subheadings providing structure and shortcuts for readers who lack the time or inclination to read every word ... which hints at another issue, information overload. Today's Web is so vast that we're all sipping from the fire hose. And that Guideline APT 15
NoticeBored.webp 2017-12-04 21:33:39 NBlog December 4 - word clouds (direct link) Today I've been hunting for word-art programs or services. We've been happily using Wordle for a good while now. It has worked well, despite a few minor niggles:

It runs in Internet Explorer, but not Chrome;
It creates cloud shapes - blobs, not distinct shapes;
It feeds on word lists, not URLs.

There are several alternatives. The hands image above was generated quite simply in WordArt. WordClouds is another option. There are more: Google knows where to find them. I'll be trying them out during December.

The combination of words and graphics amuses me, and hopefully catches a few eyes out there too. Catching eyes and imaginations is what we do.
NoticeBored.webp 2017-12-02 18:10:22 NBlog December 2 - next topic (direct link) Next up on the NoticeBored conveyor belt is an awareness module on the security aspects of BYOD and IoT.

Aside from being topical IT acronyms, both (largely) involve portable ICT devices - wireless-networked, self-contained, portable electronic gizmos. We've covered BYOD and IoT security before, separately, but it makes sense to put them together for a change of focus.

As things steadily proliferate, workers are increasingly likely to want to wear or bring them to work, and carry on using them. The security implications are what we'll be exploring in the next module.
NoticeBored.webp 2017-12-01 08:45:23 NBlog December 1 - social engineering module released (direct link) We close off the year with a fresh look at social engineering, always a topical issue during the holiday/new-year party season when we let our hair down. Generally speaking, we are less guarded and more vulnerable than usual to some forms of social engineering.

The sheer variety of social engineering is one of the key messages in this month's awareness materials. This module concerns:

Social engineering attacks including phishing and spear-phishing, and myriad scams, con-tricks and frauds;
The use of pretexts, spoofs, masquerading, psychological manipulation and coercion - the social engineers' tradecraft;
Significant information risks involving blended or multimode attacks and insider threats.

The NoticeBored module is designed to appeal to virtually everyone in the organization, regardless of their individual preferences and perspectives. A given individual may not value everything in the module, but hopefully there will be something that catches their attention – and that something may not even be the NoticeBored awareness materials as such, but perhaps a casual comment or oblique criticism from a peer or manager relating to the topic, which in turn was prompted by the NoticeBored content.

The NoticeBored posters, for instance, are deliberately thought-provoking, puzzling even. Rather than spoon-feeding people with lots of written information, we choose striking images to express various challenging and often complex concepts visually. We hope people will notice the posters, wonder what they are on about, and maybe chat about them … which is where the learning happens.

Explore the thinking that went into these awareness materials, and by all means tag along with us as we develop next month's module, on the NoticeBored blog.
NoticeBored.webp 2017-11-30 07:25:14 NBlog November 30 - social engineering module (direct link) We've been busier than ever the past week or so, particularly with the NoticeBored materials on social engineering. It is a core topic for security awareness since workers' vigilance is the primary control, hence a lot of effort goes into preparing materials that are interesting, informative, engaging and motivational. It's benign social engineering!

The materials are prepared and are in the final stage now, being proofread before being delivered to subscribers later today.

This is a bumper module with a wealth of content, most of which is brand new. I blogged previously about the A-to-Z guides on social engineering scams, con-tricks and frauds, methods and techniques, and controls and countermeasures. I'll describe the remainder of the materials soon, once everything is finished and out the door. Meanwhile, I must get on: lots to do!
NoticeBored.webp 2017-11-28 22:34:29 ISO27k internal audits for small organizations (direct link) Figuring out how to organize, resource and conduct internal audits of an ISO/IEC 27001 Information Security Management System can be awkward for small organizations.

Independence is the overriding factor in auditing of all forms. For internal auditing, it's not just a question of who the auditors report to and their freedom to 'say what needs to be said' (important though that is), but more fundamentally their mindset, experience and attitude. They need to see things with fresh eyes, pointing out and where necessary challenging management to deal with deep-seated long-term 'cultural' issues that are part of the fabric in any established organization. That's hard if they are part of the day-to-day running of the organization, fully immersed in the culture and (for managers in small organizations especially) partly responsible for the culture being the way it is. We all have our biases and blind spots, our habits and routines: a truly independent view hopefully does not - at least, not entirely the same ones!

ISO/IEC 27001 requires both internal audits (clause 9.2) and management reviews (clause 9.3) of the ISMS. The people you have mentioned may well be technically qualified to do both but (especially without appropriate experience/training, management support and the independent, critical perspective I've mentioned) they may not do so well at auditing as, say, consultants. The decision is a business issue for you and your management: do the benefits of having a truly independent and competent audit outweigh the additional cost? Or do you think your own people would do it well enough at lower cost?

As the customer, you get to specify exactly what you want the consultants to bid for. A very tightly scoped and focused internal audit for a relatively small and simple ISMS might only take a day or two of consulting time, keeping the costs down. On the other hand, they will be able to dig deeper and put more effort into the reporting and achieving improvements if you allow them more time for the job – again, a management decision, worth discussing with potential consultants.

One strategy you might consider is to rotate the internal audit responsibility among your own people, having different individuals perform successive audits. That way, although they are not totally independent, they do at least have the chance to bring different perspectives to areas that they would not normally get involved in. It would help to have a solid, standardized audit process though, so each of the auditors is performing and reporting the audit work in a similar way … and to get you started and set that up, you might like to engage a consultant for the first audit, designing and documenting the audit process, providing checklist and reporting templates etc.,

[Tags: Guideline]
NoticeBored.webp 2017-11-22 16:30:57 NBlog November 22 - A to Z of social engineering controls (direct link) I didn't quite finish the A-to-Z on social engineering methods yesterday as planned but that's OK, it's coming along nicely and we're still on track. I found myself dipping back into the A-to-Z on scams, con-tricks and frauds for inspiration or to make little changes, and moving forward to sketch rough notes on the third and final part of our hot new security awareness trilogy: an A-to-Z on the controls and countermeasures against social engineering. Writing that is my main task for today, and all three pieces are now progressing in parallel as a coherent suite.

It's no blockbuster but I have a good feeling about this, and encouraging feedback from readers who took me up on my offer of a free copy of the first part.

Along the way, a distinctive new style and format has evolved for the A-to-Zs, using big red drop caps to emphasize the first item under each letter of the alphabet. I've created and saved a Word template to make it easier and quicker to write A-to-Zs in future - a handy tip, that, for those of you who are singing along at home, writing your own awareness and training content.

I'd like to include some graphics and examples to illustrate them and lighten them up a bit, but with the deadline fast approaching that may have to wait until they are next updated. Getting the entire awareness module across the line by December 1st comes first, which limits the amount of tweaking time I can afford - arguably a good thing as I find this topic fascinating, and I could easily prepare much more than is strictly necessary for awareness purposes.

Aside from that, the release of an updated OWASP Top 10 list of web application security risks prompted me to update our information security glossary with a couple of new definitions, and a Radio NZ program about a book fair in Edinburgh (!) prompted me to explain improv sessions as a creative suggestion for the train-the-trainer guide for the social engineering module.

[Stories: Uber]
NoticeBored.webp 2017-11-21 20:39:43 NBlog November 21 - A to Z of social engineering techniques (direct link) On a roll from yesterday's A-to-Z catalog of scams, con-tricks and frauds, I'm writing another A-Z today, this time focusing on social engineering techniques and methods. Yesterday's piece was about what they do. Today's is about how they do it.

Given my background and the research we've done, it's surprisingly easy to find appropriate entries for most letters of the alphabet, albeit with a bit of creativity and lateral thinking needed for some (e.g. "Xtreme social engineering"!). That's part of the challenge of writing any A to Z listing ... and part of the allure for the reader. What will the Z entry be? As of this moment, I don't actually know but I will come up with zomething!

Both awareness pieces impress upon the reader the sheer variety of social engineering, while at the same time the alphabetical sequence provides a logical order to what would otherwise be a confusing jumble of stuff. Making people aware of the breadth and diversity of social engineering is one of the key learning objectives for December's NoticeBored module. Providing structured, useful, innovative awareness content is what we do.

We hope to leave a lasting impression that almost any social interaction or communication could be social engineering - any email or text message, any phone call or conversation, any glance or frown, any blog item (am I manipulating your thoughts? Am I persuading you to subscribe to NoticeBored? Look deeply into my eyes. Concentrate on the eyes. You are starting to feel drowsy ...)

Yes, hypnosis will make an appearance in today's A-Z. It's not entirely serious!

Tomorrow, after completing the second, I'd like to complete the set with a third piece concerning the controls against social engineering. Can we come up
NoticeBored.webp 2017-11-20 18:14:49 NBlog November 20 - an A to Z catalog of social engineering (direct link) A productive couple of days' graft has seen what was envisaged to be a fairly short and high-level general staff awareness briefing on social engineering morph gradually into an A-to-Z list of scams, con-tricks and frauds.

It has grown to about 9 pages in the process. That may sound like a tome, over-the-top for awareness purposes ... and maybe it is, but the scams are described in an informal style in just a few lines each, making it readable and easily digestible. The A-to-Z format leads the reader naturally through a logical sequence, perhaps skim-reading in places and hopefully stopping to think in others.

For slow/struggling readers, there are visual cues and images to catch their eyes but let's be honest: this briefing is not for them. They would benefit more from seminars, case studies, chatting with their colleagues and getting involved in other interactive activities (which we also support through our other awareness content). The NoticeBored mind maps and posters, for instance, express things visually with few words.

Taking a step back from the A-Z list, the sheer variety and creativity of scams is fascinating, and I'm not just saying that because I wrote it! That's a key security awareness lesson in itself. Social engineering is hard to pin down to a few simple characteristics, in a way that workers can be expected to recognize easily. Some social engineering methods, such as ordinary phishing, are readily explained and fairly obvious but even then there are more obscure variants (such as whaling and spear phishing) that take the technique and threat level up a gear. It's not feasible for an awareness program to explain all forms of social engineering in depth, literally impossible in fact. It's something that an intensive work or college course might attempt, perhaps, for fraud specialists who will be fully immersed in the topic, but that's fraud training, not security awareness. We can't bank on workers taking time out from their day-jobs to sit in a room, paying full attention to their lecturers and scribbling notes for hour after hour. There probably aren't 'lecturers' in practice: most of this stuff is delivered online today, pushed out impersonally through the corporate intranet and learning management systems.

Our aim is to grab workers'

[Tags: Guideline]
NoticeBored.webp 2017-11-19 15:03:39 NBlog November 19 - IoD advises members to develop "cyber security strategy" (direct link) A report for the UK Institute of Directors by Professor Richard Benham encourages IoD members to develop “a formal cyber security strategy”.

As is so often the way, 'cyber' is not explicitly defined by the authors, although it is strongly implied that the report concerns the commercial use of IT, the Internet, digital systems and computer data (as opposed to cyberwar perpetrated by well-resourced nation states - a markedly different interpretation of 'cyber' involving substantially greater threats).

A 'formal cyber security strategy' would be context dependent, reflecting the organization's business situation. That broader perspective introduces other aspects of information risk, security, governance and compliance. All relevant aspects need to be considered at the strategic level, including but not just 'cyber security'. Counteracting or balancing the desire to lock down information systems and hence data so tightly that its value to the business is squeezed out, 'cyber security strategy' should be closely aligned with, if not an integral part of, information management. For instance it should elaborate on proactively exploiting and maximising the value of information the organization already holds or can obtain or generate, working the asset harder for more productive business purposes. In some circumstances, that means deliberately relaxing the security, consciously accepting the risks in order to gain the rewards.

I find it ironic that the professor is quoted: “This issue must stop being treated as the domain of the IT department and be the subject of boardroom policy. Businesses need to develop a cyber security policy, educate their staff, review supplier co
NoticeBored.webp 2017-11-16 14:51:52 NBlog November 16 - color-coding awareness (direct link) Looking back, I see that I've blogged quite a few times in different contexts about color.

For example, most of the security metrics I discuss are colored, and color is one of several important factors when communicating metrics, drawing the viewer's eye towards certain aspects for emphasis. We talk of white hats and black hats, red teams and so on.

Traffic light RAG coloring (Red-Amber-Green) is more or less universally understood to represent a logical sequence of speed, intensity, threat level, concern or whatever - perhaps an over-used metaphor but effective nonetheless. Bright primary colors are commonly used on warning signs and indications, sometimes glinting or flashing for extra eye-catchiness.

Red alert is a pleonasm!

Jeff Cooper, father of the "modern technique" of handgun shooting, raised the concept of Condition White, the state of mind of someone who is totally oblivious to a serious threat to their personal safety. Cooper's Color Code is readily adapted to the information risk and security context, for example in relation to a worker's state of alertness and readiness for an impending hack, malware infectio
NoticeBored.webp 2017-11-15 07:10:03 NBlog November 15 - ethical social engineering for awareness (direct link) Security awareness involves persuading, influencing and, you could say, manipulating people to behave differently ... and so does social engineering. So could social engineering techniques be used for security awareness purposes?

The answer is a resounding yes - in fact we already do, in all sorts of ways. Take the security policies and procedures, for instance: they inform and direct people to do our bidding. We even include process controls and compliance checks to make sure things go to plan. This is manipulative.

Obviously the motivations, objectives and outcomes differ, but social engineering methods can be used ethically, beneficially and productively to achieve awareness. Exploring that idea even reveals some novel approaches that might just work, and some that are probably best avoided or reversed.

Social engineering method, technique or approach | Security awareness & training equivalents
Pretexting: fabricating plausible situations
NoticeBored.webp 2017-11-14 13:22:31 NBlog November 14 - 50 best infosec blogs (direct link) I'm delighted that this blog has been featured among the 50 Best Information Security Blogs. Fantastic! Thank you, top10vpn.com ... and congrats to the other top blogs on the list, many of which I read and enjoy too. It's humbling to be among such august company.

We update this blog frequently in connection with the security awareness materials we're preparing, on security awareness techniques in general, or on hot infosec topics of the day. Blogging helps get our thoughts in order and expand on the thinking and research that goes into the NoticeBored modules. More than just an account of what's going on, updating the blog (including this very item) is an integral part of the production process.

A perennial theme is that it's harder than it appears to do security awareness properly. Anyone can scrabble together and push out a crude mishmash of awareness content (typically stealing or plagiarizing other people's intellectual property - tut tut) but if they don't really appreciate what it all means, nor how to apply the principles of awareness, training and adult education, they are unlikely to achieve much. It's all too easy to add to the clutter and noise of modern life, more junk than mail.

Simply understanding what awareness is intended to achieve is a challenge for some! As I blogged the other day, being aware is not the ultimate goal, just another step on the journey - a crucial distinction. It could be said that this lack of understanding, rather than the usual lame excuse - lack of funds - is the main reason that security awareness programs falter or fail. I'm sure there are many other reasons too:

Lack of creativity: people gradually tune out of dull, uninspiring approaches and come to ignore the same old same old (they get Bored of the Notices). If all the awareness program ever blabbers on about is compliance, privacy and phishing, over and over like a cracked record, don't be surprised if the audience nods off or slips quietly away for something more stimulating;
Poor quality communications:
Last update at: 2024-05-05 19:08:06