www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-05-18T21:45:15+00:00 www.secnews.physaphae.fr

NoticeBored - Experienced IT Security professional
NBlog July 17 - an appetite for risk

Today we've been chatting about this on the ISO27k Forum:

"Let's assume that the company is willing to accept risks with a potential financial impact less than $50k. Obviously after performing risk assessment, we need to decide which treatment option we should follow. In the case where the potential impact of the risk is below $50k (risk appetite), we should accept the risk, right? My question is: what happens if for some reason, multiple Low Risks (below risk appetite value/already accepted) occur at the same time? Should the Risk Appetite represent an aggregation of all low risks or just reflect the appetite for a single risk?"

I suggested considering 'coincident risks' as another entire category or class of risks, some of which may well be above the risk appetite/acceptance threshold even if the individual risks fall below it.

It gets worse. There are many other coincidences, errors, failures, issues and exceptional circumstances that could occur - in extremis, it's an infinite set of possibilities given all the permutations and combinations.

Our collective failure to identify and take seriously the possibility of a pandemic landed us in the poo we're in now. Even those organisations that did have pandemic controls in place have found the going tougher than anticipated, some discovering that their stockpile of sanitizer and masks had not been properly stored and maintained, and hence was next to useless when called upon.
Trust me, it can be a sobering exercise to run a risk workshop focused on rare but extremely impactful events, the outliers that we tend to ignore in routine risk management because it's hard enough dealing with the commonplace extreme events, let alone the rarities. Every well-managed organisation needs to deal sensibly with the scarily vague “something else happens and lands us in serious trouble” situations, when classical scenario planning runs out of steam. There are far too many possibilities to even enumerate, let alone evaluate and treat individually: a more general-purpose approach is required.

2020-07-17T16:53:31+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/WffQMmJ56QM/nblog-july-17-appetite-for-risk.html www.secnews.physaphae.fr/article.php?IdArticle=2148843 Tags: Guideline

NBlog July 16 - tips on preparing successful proposals

"The Winning Business Case: how to create a compelling conceptual, analytical and pitch model that your audience will love" is a free eBook from OCEG - more than 20,000 words of advice about generating and pitching a business case for investment in some sort of risk-based project or initiative.

The Open Compliance and Ethics Group identifies as: "a global nonprofit think tank that helps organizations reliably achieve objectives, address uncertainty and act with integrity ... We inform, empower, and help advance our 85,000+ members on governance, risk management, and compliance (GRC). Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model™ and Principled Performance®. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrity.
Our members include c-suite, executive, management, and other professionals from small and midsize businesses, international corporations, nonprofits, and government agencies. Founded in 2002, OCEG has locations around the globe."

The eBook lays out and explains 15 activities or steps in the process. The sequence and of course the details within each step may vary according to circumstances but it's a comprehensive, well-written document, worth studying if you need to justify investment in risk or security management projects or related areas such as compliance, assurance, cybersecurity, business continuity and ISO27k. With some adjustments, the process could also be valuable for operational budgets: securing next year's budget for a business department or function is similar to getting approval for a project, especially if management takes a longer-term, strategic view rather than being solely annual in focus. Thinking more broadly still, it could be useful for other kinds of proposal, such as when bidding for consultancy work. Maybe if prospective clients had a bet

2020-07-16T13:45:31+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/FdUnAVESxrM/nblog-july-16-tips-on-preparing.html www.secnews.physaphae.fr/article.php?IdArticle=2148844 Tags: Guideline

NBlog July 11 - the small but perfectly formed ISMS

Consulting lately for small organisations designing and implementing their ISO/IEC 27001 Information Security Management Systems, I have often seen resourcing constraints come to light, particularly the lack of information security expertise and knowledge in-house. I have previously taken this to indicate lack of understanding, support and commitment from senior management, and insufficient priority relative to all the other important stuff going on, hence my abiding interest in elaborating on the business case for investing in information risk and security management.
Currently, though, I'm gaining a new-found appreciation of the realities of running a small business where even IT may be done on a shoestring, leaving information security way out on a limb. With barely enough cash-flow to sustain the business during COVID-19 and the obvious need to focus on core business activities, it's no surprise if ISO27k implementation and certification projects take a back seat for now. That delaying tactic, however, leaves the business more exposed meanwhile, increasing the probability and impacts of incidents that should have been avoided, prevented or mitigated. It can lead to missed business opportunities and customer defections as they turn to certified competitors rather than waiting for the assurance an ISO/IEC 27001 compliance certificate would bring. It reduces trust and devalues brands. All in all, it's a risky approach.

Putting the ISMS implementation on hold is not the only option, however. With some creative thinking, it is possible to keep the project moving along, albeit at a slower pace:

A bare-bones minimalist ISMS, barely adequate to satisfy the standard's mandatory requirements, may not deliver all the business benefits of good practice information risk and security management ... but it is both certifiable and better than nothing. A small but perfectly formed ISMS demonstrates the organisation's genuine commitment to information risk and security management, gaining the assurance value of the certificate to third parties without the investment necessary for a full-blown ISMS. Furthermore it is a perfectly valid and sensible starting point, a platform or basis from which to mature the organization's information risk and security management practices as and when it proves its value. It's a pragmatic approach. Being a pragmatist, I like that.
Partnering with consultants reduces the pressure on employees, demonstrates management's support (more than just the intention to resume the ISMS project 'at some point'), and keeps up the momentum. Based on our practical experience and knowledge of the standards, we can generally help clients navigate the process by the shortest and most direct route, perhaps making small diversions only where it makes business sense. Speaking for myself, I'm happy to regulate m

2020-07-10T19:01:37+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/PPeuZVTVToM/nblog-july-11-small-but-perfectly.html www.secnews.physaphae.fr/article.php?IdArticle=2148846 Tags: Guideline

NBlog July 9 - the day the Earth stopped spinning

Today was different. Today the message was there long enough for me to grab that little screen shot.

Meanwhile, I had to wait s e v e r a l   l o n g   m i n u t e s for the Google search results to appear. Minutes I tell you, minutes! Several of them! Shock! Horror! My little world stood still for a moment, my online life on hold.

In an instant, I realised that not only have we grown accustomed to near instantaneous access to Google's gigantic Web catalogue, but that I am actually quite dependent on it. I do sometimes use other search engines but I always scurry back to Google because it works well, almost always. The only reason I am bloggering on about it here is that a Google service failing is so unusual, exceptional in fact. Almost unheard of. The technology to achieve that outstanding level of service in terms of capacity, performance and reliability is awesome in both scale and cost, and yet most Google services appear free to use (well OK, they're not really free: we provide our search terms and a fair amount of personal information in return, plus Google's commercial services are charged at commercial rates. But at least we can opt out if we choose).
2020-07-09T12:53:22+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/aEwrsw3DXIY/nblog-july-9-day-earth-stopped-spinning.html www.secnews.physaphae.fr/article.php?IdArticle=2148847

NBlog July 6 - of APTs and RPTs

Do you recall when APTs were A Thing? Advanced Persistent Threats were exemplified by Stuxnet, a species of malware that was stealthy enough to penetrate the defences of an Iranian nuclear fuel processing plant ten years ago, persistent enough to undermine numerous layers of control, and sophisticated enough to over-speed and wreck the centrifuges without alerting the plant operators until the damage was done. We seldom hear of weapons-grade APTs these days, suggesting they are no longer newsworthy or effective. Maybe they have gone the way of the trebuchet or musket ... but I believe it's much more likely that APTs have become even more sophisticated, stealthier and more damaging now than ever before, especially given the ascendance of IoT, IIoT and 'cyber-physical systems'. Now, Things are A Thing.

Meanwhile, we are constantly assaulted by ordinary, conventional, old-school malware - Retarded Persistent Threats as it were.

In contrast to APTs, RPTs are relatively crude and commonplace - more blunderbuss than sniper's rifle but every bit as devastating at close range. Despite becoming increasingly sophisticated and capable, they are presumably well behind APTs, especially given governmental investments in cyber capabilities as part of national defence spending.

RPTs 'persist' in the sense that they steadfastly refuse to go away. Bog-standard malware has dogged computer systems, networks and users since the 1980s. It has grown in prevalence at least as fast as IT, and in some ways it has driven advances in IT.
The few percent of system resources needed to run today's antivirus packages and firewalls would surely have brought systems from previous decades to their little silicon knees.

Whereas most RPT incidents are, well, incidental in relation to our global society, they threaten the very large number of vulnerable systems, individuals and organisations out there. It has become painfully obvious during COVID-19 that vanishingly few organisations stand alone, immune to the global repercussions. We are all entangled in, and highly dependent upon, a global mesh of information, goods and services. Just as a single COVID case causes knock-on effects, an RPT incident creates ripples.

We're lucky that, so far, neither real-world nor

2020-07-06T17:45:47+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/c2c0J8r9q5E/nblog-july-6-of-apts-and-rpts.html www.secnews.physaphae.fr/article.php?IdArticle=2148848 Tags: Malware

NBlog June 26 - things an ISO27k SoA doesn't say

Under ISO/IEC 27001:2013, organisations are supposed to consider all the information security controls outlined in Annex A, confirming that they have done so by preparing a Statement of Applicability "that contains the necessary controls .... and justification for inclusions, [states] whether they are implemented or not, and [gives] the justification for exclusions of controls from Annex A".

That ineptly-worded requirement in a poorly-constructed and in fact self-contradictory clause of the standard is generally interpreted, in practice, in the form of an SoA table with a row for every Annex A control* and columns for applicability, justifications and implementation status of each control*.

Three exclusive states are generally used. Each control* is either:
Applicable and implemented; or
Applicable but not implemented; or
Not applicable ...
... implying a simple decision tree with just two binary questions:
First, is the control* applicable (yes or no)?
If the control* is applicable, is it implemented (yes or no)?

Hmmmm, that's all very well in theory but here are some of the options I've heard as an auditor, or thought if not expressed as an auditee:
Applicable under some circumstances – the control applies in specific situations only and is not generally applicable
Partially applicable – the control is not enough to mitigate the risk and needs to be modified and/or complemented by other controls; as described, it's not really what we want to do
Applicable and partially implemented – we did this at least once
Applicable and allegedly implemented – someone claims to have done this at least once
Applicable and apparently implemented – someone genuinely but naively and perhaps inadvisedly believes they have truly nailed this one
Implemented but inapplicable – to pacify our auditors, we “just did it” ... even th

2020-06-27T09:50:37+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/bDW440wM_Xw/nblog-june-26-things-iso27k-soa-doesnt.html www.secnews.physaphae.fr/article.php?IdArticle=1779372

NBlog April 30 - blursday metrics

The past 6 weeks or so have been quite surreal for us, and I guess for you too. Yesterday we went shopping, leaving our property for the first time since our shopping expedition a week before NZ went into "level 4" lockdown. As of a couple of days ago, we're now at "level 3". Don't ask me what the differences are between the levels, nor what levels 2, 1 and 0 might look like. All I know is that it was a relief to see other people out and about, most of us making obvious efforts to keep our distance. The new normal isn't so bad as I imagined, certainly nothing like a zombie apocalypse or police state.

Those 6 weeks blurred into one. At some point I stopped counting up and blogging about the passing days ...
and eventually started counting down to the end of "level 4", or more importantly the impending exhaustion of some of our most essential supplies: coffee, wine and chocolate. Some valuable lessons there for when we replenish our "earthquake kit"!

Meanwhile, NZ's COVID-19 numbers have apparently peaked and fallen. I say "apparently" because the metrics are dubious - again, that's not just our situation in NZ, but a global issue. Differences in the way the metrics are defined, collected and interpreted are layered on top of cultural/national differences in the populations, health systems, economies and more. In particular, there are substantial differences in the amount and quality (reliability, utility) of COVID-19 testing, which is important because COVID-19 infections are cryptic: some of us are infected but have little to no symptoms and hence we don't know it, at least not right now (during the incubation period, the virus multiplies and the symptoms may - or may not - show). Some aren't so lucky and a few are seriously, even gravely ill, at which point the infection is obvious and hard (but not impossible) to ignore or discount. There's still the issue that it appears the most vulnerable patients have other "underlying medical conditions", which is the phrase of the moment and points to yet another issue with the metrics.

Two valuable metrics in infectious disease are:
The rate of spread of the infection throughout the population. This is akin to the 'probability' factor in classical risk management. Essentially, it's a gross measure of the chances of anyone becoming infected.
For the reasons just stated, it is tricky to measure in practice.
The proportion of infected people who become sick - more specifically, sick enough to show symptoms, affect their lives, require treatment and hospitalisation, a

2020-06-20T18:13:14+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/W1jY-JhklhQ/nblog-april-30-blursday-metrics.html www.secnews.physaphae.fr/article.php?IdArticle=1779380

NBlog June 17 - phishing evolution

As usual, these are relatively crude and (for most reasonably alert people) easy to spot thanks to the obvious spelling and grammatical errors, often using spurious technobabble and urgency as well as the fake branding and sender email address in an attempt to trick victims. The 'blocked emails' and 'storage limit' memes are popular in my spam box right now, suggesting that these are basic phishing-as-a-service or phishing-kit products being used by idiots to lure, hook, land and gut other idiots. They are, however, using my first name in place of “Dear subscriber” or “Hello, how are you doing?” that we used to see, implying the use of mailmerge-type content customisation with databases of email addresses and other info on potential victims*.

Moving up the scale, some current phishing attempts are more sophisticated, more convincing. Sometimes it's just a lucky coincidence e.g.
when the lure glints alluringly because it just happens to mention something I am currently doing - for example if I am dealing with American Express o

2020-06-18T07:58:14+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/hnJ1NrJMf5o/nblog-june-17-phishing-evolution.html www.secnews.physaphae.fr/article.php?IdArticle=1779374 Tags: Ransomware, Spam, Guideline

NBlog May 25 - gap-and-fill

Aside from the conventional 'gap analysis', it is possible to do a 'fill analysis' to discover the things that the organization is doing successfully already – its strengths, foundations on which to build. The analytical processes are almost the same but a fill analysis aims to identify, learn from and expand upon the strengths - the positives - whereas a gap analysis involves hunting down and addressing the weaknesses - the negatives.

These are complementary, not alternative, approaches.

So, for instance, if the organization is poor at compliance, OK at policies and excellent at impact assessment:
A gap analysis would focus on closing the compliance gaps;

2020-05-25T08:14:25+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/zCAttVzcmfw/nblog-may-25-gap-and-fill.html www.secnews.physaphae.fr/article.php?IdArticle=1779376 Tags: Guideline

NBlog May 16 - adjusting to the new normal

According to alert AA20-133A from US-CERT:

"The U.S. Government has reported that the following vulnerabilities are being routinely exploited by sophisticated foreign cyber actors in 2020:
Malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities.
An arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781, has been detected in exploits in the wild.
An arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510, continues to be an attractive target for malicious actors.
March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365 (O365). Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack.
Cybersecurity weaknesses - such as poor employee education on social engineering attacks and a lack of system recovery and contingency plans - have continued to make organizations susceptible to ransomware attacks in 2020."

Well whadyaknow?

The US government blames "sophisticated foreign cyber actors" - the usual xenophobic, somewhat paranoid and conspiratorial stance towards those filthy rotten foreigners, desperately attacking little old US of A (today's version of reds under beds I guess);
"Unpatched" VPNs and insecurely configured Office 365 services are being targeted, implicitly blaming customers for failing to patch and configure the software correctly, blithely ignoring the fact that it was US-based software vendors behind the systems that required patching and configuring to address exploitable vulnerabilities;

2020-05-16T17:38:09+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/rbNX9B0Dz6c/nblog-may-16-adjusting-to-new-normal.html www.secnews.physaphae.fr/article.php?IdArticle=1779378 Tags: Ransomware, Vulnerability, Patching

NBlog May 3 - COVID-19 is like infosec because ...
Despite the history and the experts' warnings that a pandemic was likely to happen again at some point, it turns out we were ill-prepared for it, not as resilient as we thought and should have been ...
Experts disagree on the details, sometimes even the fundamentals, and love their models ...
Commentary and advice is plentiful, but sound, reasoned, appropriate advice by competent advisors is at a premium and partly lost in the noise ...
Whereas information is important, information integrity, quality and trustworthiness are vital, hence there is also value in assurance and other information controls, including the pundits' reputations and credibility ...
Most of us are non-experts, hence it is tricky for us to distinguish fact from fiction and make sense of conflicting advice ...
Perfect, complete information is seldom available, so there are bound to be compromises and errors - and we should be ready to spot and deal with them too ...
Controls against COVID-19 are imperfect, at best; some are purely for appearance sake; some are as much use as a bubble level in space; others are literally worse than useless (the cure really can be worse than the disease!); in most cases, we simply don't know how well they will work in practice ...
Many people and organizations struggle to cope with a serious crisis, whereas some shine and thrive - but even the best may crumble at some point ...
They are all about risk and risk management, not just protection, control, safety and security: we are where we are partly as a result of our prior decisions about priorities, resources etc. ...
We are mutually dependent and hence collectively vulnerable since total isolation is impract

2020-05-03T13:19:31+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/EXqosjErYCs/nblog-may-3-covid-19-is-like-infosec.html www.secnews.physaphae.fr/article.php?IdArticle=1779379 Tags: Guideline

NBlog April 11 - NZ lockdown day X of N

There's a slew of social media posts promoting business continuity management, resilience, ISO 22301 and the like, right now, during COVID-19. That's like promoting birth control to a family of twenty. It's 20-20 hindsight.

Now is the time to promote the planning and preparations needed to cope with the aftermath of COVID-19, taking account of things such as:
Lingering uncertainties/doubts about business, the economy, life, health, management and workforce capabilities/competence, supply chains ... whatever
Inertia - the additional effort needed to spin-up to normal speeds after the go-slow
Low morale resulting from isolation depression, sickness, stress, over-work etc.
Lack of motivation to 'get back into the swing of things' as if nothing happened
Various adjustments to the new working, home and social life
Coping with losses of all sorts (money, people, jobs, opportunities ...)
Realisation (for some) that working from home beats working from work
Familial, cultural and social factors
Long term effects such as paying back the loans needed to get through
Learning hard lessons from the incident, making genuine efforts to improve business continuity arrangements for the next one e.g.
investing in risk management, resilience, contingency, security, change management
Introspection (busily getting our own house in order) diverting attention from the (changed) outside world - new challenges, new opportunities
The practicalities of getting back into the nine-to-five routine and dealing with a backlog of problems, deferred work, various mini-crises and shortages etc.

Things will eventually settle down into the (new) normal. Organizations that make the transition

2020-04-11T13:51:06+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/9d3Tq8QqXkY/nblog-april-11-nz-lockdown-day-x-of-n.html www.secnews.physaphae.fr/article.php?IdArticle=1779381

NBlog April 2 - NZ lockdown day 8 of N

Here are the headline metrics noted by the NZ Ministry of Health:
Confirmed and probable cases of COVID-19
The number of people who have recovered
How many people are (and have been) in hospital
Cases by District Health Board, and by age and gender.

The metrics are updated daily and reported dutifully by the NZ news media, but what use are they, in fact? What information and knowledge can we glean from the data? Here is the current summary (snapshot at 7am on April 2nd):

There are no detailed definiti

2020-04-02T12:16:40+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/lJpVsdc8-lc/nblog-april-2-nz-lockdown-day-8-of-n.html www.secnews.physaphae.fr/article.php?IdArticle=1779382

NBlog March 31 - NZ lockdown day 6 of N

The NZ politicians and news media are updating us daily on selected COVID-19 statistics (metrics), particularly concerning NZ of course but also the global situation.
Countries with the largest numbers (regardless of which metric) are naturally media-fodder.

It's fair to ask, though, what all these numbers mean, why we should care about them, and why they are being reported rather than others.

As with information risk and security metrics, there are various audiences of the metrics with numerous concerns, objectives, purposes, uses for or interests in them e.g.:
Those actually managing the national response, day-by-day, need to know how they are doing relative to their plans and intentions, and how they might improve
Central and local government politicians giving oversight and direction to the response ... with a keen eye on their popular standing, given that an election is in the offing (unless deferred) ... plus administrators in the civil service
The Treasury and Inland Revenue, overseeing the financial aspects of NZ's impacts from COVID-19, not least the costs of the controls and handouts intended to keep businesses and other organizations afloat, the national debt and tax burden on those who make it through
The stock market and financial industry generally - interested for the same reasons
The NZ general public with a personal, familial and general interest in the situation, mostly concerned non-specialists
The news media - specifically journalists, editors and proprietors
The social media - specifically bloggers, Twits, Facebookers, community members and influencers, commentators and assorted 'interested parties' ...
including me
Specialists in public health, infectious disease, virology, epidemiology, genetics, risk and incident management etc.
Healthcare professionals - in particular those planning for, leading and administering the public health response to COVID-19
The police and justice system, largely responsible for administering the lockdown and dealing with noncompliance

2020-03-31T19:48:03+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/3BiPoJH7-uw/nblog-march-31-nz-lockdown-day-6-of-n.html www.secnews.physaphae.fr/article.php?IdArticle=1779383 Tags: Guideline

NBlog March 30 - NZ lockdown day 5 of N

Our "broadband" is gradually becoming narrower by the day as an increasing number of Kiwis on staycation are working from home, downloading/watching videos, playing online games or whatever.

Normally I listen to online music stations while working and I still can: thanks to buffering and the relatively little bandwidth required, streaming audio still works OK ... but instead I'm listening to my music CDs for a change, figuring there are those out there who need the Interweb bandwidth more than me.

Besides which, I like my CDs and it's easy to skip the duff tracks.

2020-03-30T16:47:35+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/8CI0-540NTU/nblog-march-30-nz-lockdown-day-5-of-n.html www.secnews.physaphae.fr/article.php?IdArticle=1779384

NBlog March 29 - NZ lockdown day 4 of N

Yesterday I wrote about exploiting/making the most of opportunities that arise in a crisis. Here's an example - using COVID-19 as an analogy to help explain a concept.

A question came up on the ISO27k Forum about how to handle 'primary and secondary assets' in the risk assessment processes described by ISO/IEC 27005.
This is my response ...

“Primary assets (business processes and activities, information) … usually the core processes and information of the activity in the scope” [ISO/IEC 27005:2018 section B.1.2] are the focal point: that's what we need to protect. However, in order to do that, we also need to take care of other matters, including the supporting/enabling information systems, networks etc. Those have some intrinsic value (e.g. used but now redundant servers can be upgraded, redeployed, sold or scrapped) but their main value relates to their roles in relation to the primary assets.

A topical analogy is “health” – an asset we all need to protect. For virtually everyone, it's clearly primary - #1, The Most Important Thing Of All. There are many threats to our health (not just coronavirus!) and we have many vulnerabilities (e.g. we need to breathe, we have mucosa, we need to interact with the world around us to gather essential supplies …), while the impacts of health incidents are many and varied (from 'feeling a bit off colour' to death). We can't directly protect “health” (which is intangible and cloudy), but we can work on various related aspects that, in turn, support good health – like for instance staying out of range of coronavirus and flu sufferers coughing and sneezing; staying well nourished; exercising to maintain physical fitness; thinking about hard stuff like this to maintain mental agility; being vigilant for the symptoms of poor or deteriorating health; having the health services, docs, drugs, respirators etc. to increase our ability to survive disease etc.
In infosec terms, that's a blend of preventive, detective and corrective controls designed to protect our continued integrity and availability

2020-03-29T22:03:55+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/jfFVHe4ji0A/nblog-march-29-nz-lockdown-day-4-of-n.html www.secnews.physaphae.fr/article.php?IdArticle=1779385

NBlog March 28 - NZ lockdown day 3 of N

With a bit of lateral thinking, there are ways to hook-in to and even exploit the COVID-19 brouhaha. More time for reflection is one of the advantages of the lockdown, for some of us at least. Many organizations, for instance, have sent out customer comms about what they are doing to maintain services during/despite the pandemic. Although most are matter-of-fact and boring (maybe not even branded), some are more creative and engaging, even acknowledging that COVID is not going to blow over in a couple of weeks. Most are generic, superficial and bland, often supplier-focused, whereas some are personalised, unique, detailed and customer-focused. Most appear to be one-off broadcasts, hurriedly cobbled together by teams immersed in the chaos and confusion, then slowly refined and authorized. Not many that I've seen so far even hint that there might be more to come. The odd tinge of humour is welcome.

Unlike the vast majority of incidents and crises, a global incident such as COVID-19 or world war extends way beyond the individual organization, even its primary supply chain. The conventional incident and crisis management comms, often pre-canned as templated press releases, may not therefore be appropriate, relevant and helpful. The context, and hence the messages, are materially different.
Even the anticipated modes of delivery are not guaranteed if, say, a cyberwar takes down the Internet.

I'm exploring some of the many lessons here for those of us vigilant enough to notice and think about what's going on around us, rather than being totally introspective and absorbed by dealing with the crisis. We're lucky in that we don't feel as if we are in immediate danger, we were well prepared for this and we're resilient ... which frees us from the grief and torment that others are experiencing and allows us to think clearly, but our situation could easily change if someone close to us (whether literally or figuratively) gets sick, or if the global or national crisis deepens.

2020-03-28T10:50:40+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/fws8lpVfI1Q/nblog-march-28-nz-lockdown-day-3-of-n.html www.secnews.physaphae.fr/article.php?IdArticle=1779386

NBlog March 27 - NZ lockdown day 2 of N

I said yesterday that we've identified our home essentials - things such as food, fuel, booze, the web etc. - and stocked up accordingly, like any sensible family would do. Those are the things we all need. Pretty obvious really and not particularly interesting.

But what about the things we don't need? What would we rather not have during this pandemic, or in general? While painstakingly giving my chisels a long-overdue regrind and manual sharpen in the man-shed, I came up with the following A-to-Z list.
These are the things I can do without:
- Accidents
- Aches & pains
- Alzheimer's
- Armed forces
- Authorities
- Bad backs
- Bad breath
- Bad debts
- Bad decisions
- Bad design
- Bad dreams
- Bad engineering
- Bad habits
- Bad health
- Bad memories
- Badges & thumbs-up
- Badness generally
- Bias
- Bramble
- Breakages
- Briscoes sales
- Broken promises
- Cancer
- Cheating
- Classrooms
- Climate change
- Coffins
- Compliance enforcement
- Concerts
- Constraints
- Crappy software & patching

2020-03-27T10:00:15+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/xcXV8iex4eg/nblog-march-27-nz-lockdown-day-2-of-n.html www.secnews.physaphae.fr/article.php?IdArticle=1779387

NBlog March 26 - NZ lockdown day 1 of N

The official NZ government list of essential services appears to have been finalised and published hastily. Naturally, 'the authorities' consider themselves essential as overnight we've become a police state: police and courts are working through the lockdown, albeit providing limited services, health and immigration/customs services too. What will happen as their workers are or suspect themselves to be infected with coronavirus is unclear at this point. Presumably they have contingency plans, plus controls to limit the spread of infection within police stations, court houses, hospitals, customs halls, mail sorting offices etc. ... but staffing and service problems are entirely possible as the lockdown continues.

Since they aren't entirely self-contained, there's also a second tier of organizations supporting the essential services and here the lines get blurry. For example, police cars need tyres, fuel and servicing. Today we will be revising our personal list of essential home services in light of the lockdown. More tomorrow.
2020-03-26T09:27:21+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/521uSkXkqrE/nblog-march-26-nz-lockdown-day-1-of-n.html www.secnews.physaphae.fr/article.php?IdArticle=1779388

NBlog March 25 - coping with the COVID crisis

I bumped into an insightful piece by Jeff Immelt 'Lead through a crisis' yesterday. This paragraph really caught my eye:

I agree there are material differences between us in how we react under pressure, differences that are exaggerated during a crisis. The same applies to social groups and families as well as work teams: some of us are (or at least give the appearance of being) fully on top of things, some are 'coping', some are struggling, and some are in turmoil, overwhelmed by it all.

The current situation reminds me of the Kübler-Ross grieving curve. Here's a version I've used to help explain our emotional responses to traumatic events such as information security incidents and changes:

2020-03-25T08:31:13+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/bGiJBS_oFLE/nblog-march-25-coping-with-covid-crisis.html www.secnews.physaphae.fr/article.php?IdArticle=1779389

NBlog March 20 - COVID-19 PIG update

I've slightly shifted and revised the wording of some of the risks but there's nothing really new (as far as I know anyway). Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home?
Do you have contingency arrangements for physical security?

'Sanity' is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious disease etc., which is my rationale for including 'mental health issues' in the middle of the PIG. There is some genuinely good news in the medical world concerning progress on coronavirus testing, antiviral drugs and vaccines, although it's hard to spot among the large volume of dubious information and rumours sloshing around on social media (another information risk on the PIG).

There's even some good news for infosec pros. COVID-19 is a golden opportunity for those of us with an interest in security awareness and business continuity. Essentially, we are in the midst of a dramatic case study.

2020-03-23T13:19:46+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/8pYI6uW9T8c/nblog-march-20-covid-19-pig-update.html www.secnews.physaphae.fr/article.php?IdArticle=1779391

NBlog March 13 - COVID-19 information risk analysis

Top left, the reported shortages of toilet rolls, facemasks, hand sanitiser and soap qualify as information incidents because they are the result of panic buying by people over-reacting to initial media coverage of shortages. The impacts are low because most people are just not that daft. Fear, Uncertainty and Doubt, however, is largely what drives those panic buyers. To an extent, I blame the media (mostly social media but also the traditional news media, desperate for their next headline) for frenziedly whipping up a storm of information. There are potentially significant personal and social consequences arising from FUD that I'll cover later.

In amongst the frenzied bad news, there are a few good things coming out of this incident.
The global scientific, medical and public services communities are quietly sharing information about the virus, infections, symptoms, morbidity, treatments, contributory factors, social responses etc. There is excellent work going on to characterise the virus, understand its morphology and genetics, understand the disease progression, understand the modes of transmission etc. It's a shame this isn't as widely reported as the bad news but I think I understand why that is: scientists, generally, are reluctant to publish information they aren't reasonably sure about, and "reasonably sure" means if a reporter asks for a categorical statement of fact, most scientists will at least hesitate if not refuse. An example of this is the face mask issue: good quality face masks are designed to trap small particles but not as small as viruses. They help by impeding airborne particles and so reducing the spread of airborne viruses, but do not total

2020-03-21T06:49:12+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/IM_L8W65sJE/nblog-march-13-covid-19-information.html www.secnews.physaphae.fr/article.php?IdArticle=1779395

NBlog March 20 - COVID-19 infosec awareness special

Today I trawled through our back catalog of information security awareness content for anything pertinent to COVID-19. The "Off-site working" security awareness module published less than a year ago is right on the button. "Off-site working" complements the "on-site working" awareness module, about the information risk and security aspects of working on corporate premises in conventional offices and similar workplaces. Off-site concerns the information risk and security aspects of working from home or on-the-road (e.g. from hotels or customer premises), often using portable IT equipment and working independently ...
which is exactly the situation many of us are in right now.

Off-site working changes the information risks compared to working in purpose-built corporate offices. Mostly, the risks increase in line with the complexities of remote access, portability and physical dispersion … but offsetting that, off-site working can be convenient, productive and popular, and patently there are business continuity advantages in working through incidents such as COVID-19. Implementing appropriate security controls makes it work, on the whole, with security awareness being an essential part of the mix. People need to know about and follow the rules.

To assist organizations through the crisis and showcase our awareness materials, we're currently offering the off-site working security awareness module at just under $400 - that's half price. Several other awareness modules may also be pertinent, delving into related topics such as:
- Business continuity
- BYOD and IoT security
- Cybersecurity
- Incidents and disasters
- Internet security
- Phishing

2020-03-20T16:30:54+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/tuPFJX2EhtI/nblog-march-20-covid-19-infosec.html www.secnews.physaphae.fr/article.php?IdArticle=1779390

NBlog March 18 - COVID-19 PIG update

information risks relating to COVID-19, originally published here five days ago:

Two additional information risks now feature in the middle:
- Mental health issues arising from the sudden widespread introduction of work-from-home, social distancing, cancellation of many leisure activities etc., on top of the stress of potentially being infected and becoming sick.
- Laid-off workers are basically cast adrift, placing them under immense personal stress at this difficult time because of the scale of COVID-19: they are unlikely to walk directly into their next contract or permanent role with some other organisation if everyone is in crisis.
Remaining workers may have 'survivor guilt', and fear also being laid off - hardly conducive to productive working. It may increase 'insider threats'. Also, this risk may increase over time once we get beyond the honeymoon period as workers settle in to their more isolated workspaces, and face up to the realities of being largely self-directed.

I brought up the increased information risks associated with working-from-home four days ago. Scrambling to get workers set up for home working probably means corner-cutting here and there, for example making do with whatever comms and IT technology people already have, rather than the organization providing suitable new equipment pre-configured for security and perhaps dedicated for work purposes.

Another tech risk here relates to our suddenly increased reliance on comms and collaborative working tools: the Internet and cloud service providers so far seem to be coping quite well but things could change quickly - for example if they are hit by ransomware ... which in turn begs questions about their customers' readiness to cope with service issues and incidents.

I'll stress once again that IANAV and my assessment is focused on risks pertaining to information.

I'll have more to say about treating these information risks soon (still contemplating!). Meanwhile, there is quite a lot of advice already circulating on social media such as LinkedIn. We've seen outpourings of sympathy before following natural disasters, but the global real-time sharing of pragmatic advice on dealing with a health crisis in progress is unprecedented.
See, it's not all bad news!

2020-03-18T11:50:47+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/LxhSQ3mG1WI/nblog-march-18-covid-19-pig-update.html www.secnews.physaphae.fr/article.php?IdArticle=1779392

NBlog March 17 - COVID-19 BCM

From my narrow perspective as a practitioner, manager and consultant in the field, some 20-30 years ago, Business Continuity Planning revolved around IT Disaster Recovery which generally involved (at the time) either powering up an alternative data centre or hiring a few servers on the back of a truck and plugging them in to restore services taken out when the data centre was flooded/burnt. It was almost entirely IT focused, expensive, and could cope with very few disaster scenarios (there still had to be somewhere for the truck to park up and plug in, while the backups to be restored had to have survived miraculously, plus of course the rest of the organization - including the alternative data centre plus the people and associated essential services).

From that primitive origin, BCP started to get better organised, with scenario planning and tabletop exercises, and actual 'management' instead of just 'planning' - leading to Business Continuity Management. The scenarios expanded, and before long organisations realised that they couldn't reasonably plan and prepare playbooks for every possible situation, every single risk. Also, the process linkages with incident management grew stronger, including the shortcuts necessary to escalate serious incidents, authorise and initiate significant responses quickly etc. Oh, and warm-site and hot-site concepts appeared, along with Recovery Time Objective, Recovery Point Objective and a few other basic metrics.
Then, about 10 to 15 years ago, resilience popped out of the ether as a supplement for IT DR and other recovery approaches, the idea being to do whatever it takes to maintain essential services supporting essential business processes. Even today, some organisations struggle with this concept, and yet "high availability" systems and networks, dual-live/distributed systems, load-sharing, multi-sourced supplies, customer diversity etc. are reasonably straightforward and generally-accepted concepts. I guess they have trouble joining the dots - particularly in the area of workforce resilience, and the cultural aspects of "We WILL get through this: now, what can I do to help? Here, hold my beer ..."

During the past 10 years or so, true contingency approaches have appeared, in some organizations at least, partly in rec

2020-03-17T08:58:05+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/nGa8yovECII/nblog-march-17-covid-19-bcm.html www.secnews.physaphae.fr/article.php?IdArticle=1779393

NBlog March 14 - COVID-19 information risk update

yesterday's assessment of the information risks associated with the coronavirus pandemic and the discussion arising, here are a few more aspects.

An increased number of knowledge workers are now working from home, some of them for the first time. What equipment and services are they using? What are the information risks and security arrangements? Who knows? Larger organizations tend to have in place suitable policies plus structured, systematic approaches towards home and other off-site working, with controls such as management authorization, remote security management of end user devices (corporate or BYOD), VPNs, network security monitoring, network backups, automated patching, antivirus etc. Hopefully they have all scaled easily to cope with the changing proportions of off-siters.
Medium and especially small organizations, however, may be less well prepared ... and all of them are likely to be feeling the strain of changed working practices and social interaction. The managers, supervisors, network security pros and others who are meant to be keeping an eye on all this are also more likely to be working off-site, relying more on automation and information through the systems. That smells like a green or borderline amber information risk to me, redder for those ill-prepared SMEs maybe, or for larger organizations that for some reason were not on top of this already. Given that managers and execs generally have been working off-site for years, they really have no excuse for failing to identify, evaluate and treat the associated information risks. If they now deserve to be called to account, so be it.

Which reminds me, another bit of good news is that organizations are running and hopefully proving the adequacy of their business continuity arrangements, including the resilience aspects of keeping the information flowing more or less normally. This is better than the normal business continuity exercise in that everyone is participating (like it or not!) ... but as to whether everyone is coping well, we shall see. Some supply chains/networks are clearly under stress (toilet rolls, for instance!), and others probably too. If they fail due to inadequate resilience, the consequences may ripple outwards, meaning that some organizations will also get to use and prove their contingency arrangements. There are some more green/amber information risks in there, judging largely by what we see today, i.e. nothing significantly amiss so far, no dramatic failures or industry collapses (except perhaps for the financial industry - a red risk already on the chart).

Oh, and there's more good news: most of the population now knows the basics of personal hygiene such as covering their sneezes and washing their hands.
These aren't totally effective co

2020-03-14T09:25:28+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/cWGB8J93d74/nblog-march-14-covid-19-information.html www.secnews.physaphae.fr/article.php?IdArticle=1779394

NBlog March 8 - meshy policies [UPDATED]

I'm reviewing and revising our information security policy templates, again. At the moment I'm systematically compiling a cross-reference matrix in Excel showing how each of the 65 policies relates to others in the set - quite a laborious job but it will result in greater consistency. The objective is to make the policies knit together coherently, without significant overlaps or gaps in coverage - less mess, more mesh.

All our policies include a reference section noting other relevant policies, procedures, guidelines etc. but only the main ones: the information risk management policy, for instance, is relevant to all the others but there's no point listing it as a reference in all of them, nor listing all of them in it.

I have shortened the titles of a few policies for readability, and need to check/update the formatting then generate new screenshots for the website. Once that is all done, I will be checking coverage: a couple of policies are similar enough that they might perhaps be combined, and I'm always on the lookout for gaps that need plugging.

In all of this, it helps enormously that I wrote them all in the first place, and have maintained them all through the NoticeBored monthly updates. Organisational policies usually accumulate over time from a variety of sources and authors, with different writing styles and mind-sets. Conflicts and holes are not uncommon, creating problems for awareness and compliance. Hot issues tend to have current, up-to-date policies, whereas policies covering longstanding aspects tend to go stale, unless someone takes the time to review and update the entire suite as I am doing now.
Even something as simple as using a common MS Word template with styles for headings and text makes a huge difference to the readability and consistency, but the template itself has evolved over the years I've been doing this, and is changing again now. It takes concentration to work systematically through the whole suite, updating them to the same standard.

The end result is worth it though. The policy suite is already a polished, professional product at a good price (a fraction of the cost of developing this much content from scratch). It sells well and I'm proud of it! We are using it to develop custom, branded policies for clients and would love to do the same for you, so if your infosec policies are looking a bit shabby, messy, the worse for wear,

2020-03-12T15:17:34+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/ZVXf_proDWc/nblog-march-8-meshy-policies.html www.secnews.physaphae.fr/article.php?IdArticle=1779398

NBlog March 12 - reflecting on privacy

Anyone who read Orwell's masterpiece or saw the film "1984" appreciates the threat of mass surveillance by the state a.k.a. Big Brother. Anyone who has followed Ed Snowden's revelations knows that mass surveillance is no longer fanciful fiction. There are clearly privacy impacts from surveillance with implications for personal freedoms, assurance and compliance. At the same time, surveillance offers significant social benefits too, in other words, pros and cons which vary with one's perspective. Big Brother sees overwhelming benefits from mass surveillance and has the power, capability and (these days) the technology to conduct both overt and covert mass or targeted surveillance more or less at will.
The same thing applies to other forms of surveillance and other contexts: many of us gleefully carry surveillance devices with us wherever we go, continuously transmitting information about our activities, conversations, locations, contacts and more. We may call them 'smartphones' but is that really a smart thing to do? Drug dealers and other criminals appreciate the value of burner phones, essentially buying a modicum of privacy. What about the rest of us? Are we wise to rely on the technologies, the phone companies and the authorities not to invade our privacy? Some of us are introducing IoT things into our homes, seduced by the convenience of being able to tell our smart TV to order a pizza without even getting up from the sofa. Evidently people either don't even consider the privacy implications, or accept them presumably on the basis that they own and chose to introduce the surveillance devices, and could just as easily stop and remove them (fine in theory, doesn't happen in practice).

Then there are the surveillance devices we use to monitor, track or snoop on various others: baby monitors, nanny-cams, commercial and home CCTV systems, webcams, dashcams, audio bugs, covert cameras, spyware, keyloggers and more. Surveillance tech is big business: retail, commercial and governmental/military. Need to know where a recent arrival from China has been? Simply collect the surveillance jigsaw pieces into a credible sequence and despatch the hazmat teams.

Overt surveillance in the form of obvious CCTV camera installations is just the tip of the iceberg.
Covert cams and bugs are already snooping on us in changing rooms, toilets, video-conference facilities, courts and mor

2020-03-12T09:41:18+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/c_5LUN7g-EU/nblog-march-12-reflecting-on-privacy.html www.secnews.physaphae.fr/article.php?IdArticle=1779397

NBlog March 6 - cry-ber-security

◄ This amuses me - part of an advertisement by NZ farm supplies company FFM for their quad bike safety helmets ... but the principle applies equally to knowledge workers in any industry.

We used a similar concept for one of our social engineering awareness posters, emphasising the manipulation rather than protection ►

Earlier this week, Gelo asked on the ISO

2020-03-06T10:00:03+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/sAabMC2M8z0/nblog-march-6-cry-ber-security.html www.secnews.physaphae.fr/article.php?IdArticle=1779399

NBlog March 5 - SIM swap fraud

I've heard rumours about the possibility of SIM-swap "identity theft" (fraud) but wasn't aware of the details ... until reading a couple of recent articles pointing to an academic paper from a team at Princeton University.

The fraud involves socially-engineering the cellphone companies into migrating a victim's cellphone number onto a new SIM card, one in the fraudster's possession. That gives the fraudster control of a factor used in several multifactor authentication schemes ... and in some cases, that's enough to take full control (e.g. resetting the victim's password - another factor). Otherwise, it might take them a bit more effort to guess, steal or brute-force the victim's password or PIN code first.

Authentication is usually a key control, yet authentication schemes often turn out to have vulnerabilities due to:
- Fundamental design flaws (e.g.
saving passwords unencrypted or weakly encrypted)
- Bugs in the software and firmware (e.g. cheat codes - bypasses and backdoors in production, and broken crypto in CPU microcode)
- Physical hardware limitations (e.g. the tolerances needed for biometrics, allowing fakes and forgeries)
- Issues in their implementation, configuration and administration (e.g. giving new users the same well-known default passwords or weak password reset mechanisms)
- Operational "user" issues (e.g. naively falling for phishing attacks)

Multifactor is stronger than single factor authentication but still not perfect ... hence aside from addressing the vulnerabilities, we should also anticipate control failures and put in place further, supplementary controls to detect and respond to incidents.

The risks are there for authentication to networks, systems, apps and online services in general, but the greater potential impacts in the case of, say, banking, law enforcement and defence imply greater risks, justifying the investment in stronger controls.

2020-03-05T09:44:29+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/K2QMYdX2Pes/nblog-march-5-sim-swap-fraud.html www.secnews.physaphae.fr/article.php?IdArticle=1779400

NBlog March - InfoSec 101 module released

Whereas usually our awareness and training modules focus in some depth on one of the 70 information security topics in our portfolio, Information Security 101 is a broad but shallow module. It is intended to bring workers quickly up to speed on the basics of information risk and security during security induction courses, for periodic refresher training, or when launching an awareness program.

As soon as a new worker arrives, they start absorbing and being assimilated into the corporate culture, picking up 'the way we do things here'.
Sensible organizations run orientation sessions to welcome newcomers and kick-start the cultural integration.

InfoSec 101 covers common information risks (e.g. malware) and information security controls (e.g. antivirus). The materials are deliberately succinct, outlining key aspects without delving into the details. We're not trying to tell workers everything about information risk and security all at once but to set them off on the right foot, engaging them as integral and valuable parts of the organisation's Information Security Management System. It's a gentle introduction, more splash in the paddling pool than high dive at the deep end!

First impressions matter, so the module helps Information Security, HR or training professionals deliver interesting and engaging awareness sessions accompanied by impressive, top-quality supporting materials. Establishing personal contacts throughout the organization gradually expands the Information Security team across the enterprise - more 'eyes and ears' out there. This alone would be well worth the investment!

As well as induction or orientation purposes, InfoSec

2020-02-29T16:46:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/iNmHz5NCc00/nblog-march-infosec-101-module-released.html www.secnews.physaphae.fr/article.php?IdArticle=1570351

NBlog Feb 26 - a good day down the salt mine

The remaining items for the recycled InfoSec 101 module are falling rapidly into place. It will be a bumper delivery with fifty (yes, 50) files already in the bag.

One of the regular end-of-month jobs involves matching up the awareness items - the files - with the contents listing and their descriptions in the train-the-trainer guide. Years back I came up with a simple numeric naming scheme to make it easier to get the files in order and link them with the listings.
Good thing too: this afternoon I came across one listed item that I've decided to drop from the module, and about three additions that need to be listed and described. There's still a little time left before delivery to change things further and renumber, again, if we need to ... which emphasises the value of these final quality checks before packaging and despatch.

Another part of the quality assurance process is to open and review the content of all the files. This is our last chance to spot speling mishtakes, errror, omissons and half-finished

I've already made a couple of passes through the materials: the first pass often reminds me of things I've brought up in one item that ought to be repeated or reflected in others, so there's a bit of back-and-forth refinement ... but the looming deadline means eventually I have to call a halt to the spit-n-polish phase. It's tough for me to stop when the materials are 'good enough' rather than 'perfect' but I console (or is it delude?) myself by thinking that nobody but me will spot most of what I consider to be the remaining errors, while it's unlikely I will ever spot some further tranche of errors due to my inherent blind spots.

So I keep calm and carry on.

In risk terms, I'm consciously making a trade-off. I could carry on checking and refining the content indefinitely but I'd blow the delivery deadline. Alternatively I could stop right now and deliver the module as-is, but I'd be distraught to discover significant problems later on ... which does happen sometimes when I re-read stuff I have written, checked and published some months or years earlier. Some of the problems that catch my beady eye now are genuine boo-boos that I should really have spotted and corrected at the time.
Some are things I would put differently now because I've changed and the infosec world has mov

2020-02-26T20:23:36+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/o2tl_whIgMw/nblog-feb-26-good-day-down-salt-mine.html www.secnews.physaphae.fr/article.php?IdArticle=1570352

NBlog Feb 24 - InfoSec 101 for pro's

The diagram above represents the nature of risk i.e. 'uncertain outcome'. That's a seminar slide's worth, with a few words from the presenter briefly explaining each of the red-amber-green spectra as they appear on the screen.

The next slide contrasts two complementary forms of control: either we stop harmful things from occurring by avoiding, preventing or mitigating incidents, or we ensure that good things occur - and that's an intriguing thought. What does that actually mean in this context? 'Prevent bad stuff' is what most people think security is all about ... but wait, there's more. 'Protect good stuff' refers to maintaining the confidentiality, integrity and availability of information, thereby supporting and enabling business activities which use and depend on information.

Looking again at those two images, the simpler, cleaner style of the 'control' one seems more elegant and better suited to InfoSec 101, so I will redraw the 'risk' one in the same style. We could stop right there with a 2-slide InfoSec 101 pro seminar but,

2020-02-24T12:37:21+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/HgCJBbu6huM/nblog-feb-24-infosec-101-for-pros.html www.secnews.physaphae.fr/article.php?IdArticle=1570353

NBlog Feb 22 - the educator virus

From time to time, people get all excited about micro-learning, the educational equivalent of eating a chocolate elephant - one bite or byte at a time.

"It's easy", the line goes.
"Simply break down large indigestible topics into lots of smaller edible chunks, spreading them out enticingly for people to snack on whenever they feel peckish."

I've tried that with our digital awareness content. For some strange reason, nobody was hungry enough to consume the random assortment of ones and zeroes, hundreds and thousands of bits all over the disk.

Evidently it's not quite that easy. Education is never easy, if you want it to work well that is. Micro-, milli- and macro-learning, online learning, traditional classroom-based courses, webinars and seminars, conferences, educational events, rote and experiential learning, on-the-job training and demonstration classes, mentoring and so on are neither simple nor universal solutions. They each have their pros and cons. For one thing, they are all just tools in the box. For an educator who happens to be a master craftsman, almost any tool will do, but he has preferences and a range of experience. Likewise for the students: some of us like reading and thinking things through in private, or debating the ins-and-outs at length with colleagues. Others need to be shown stuff, just briefly, or put through an intensive boot camp complete with sadistic 'instructors', hard beds and nasty food. Some appear stubbornly resistant to all known edumacational techniques and do their level best to skip class, and we all have our cognitive issues occasionally.

The fact that there is such a variety of techniques suggests that none of them is ideal for all learning situations. The advice to use, say, micro-learning could be taken to mean "use ONLY micro-learning" but that would be a mistake, in just the same way as "send them to college" or "gamify it"! It's well-meaning but naive silver bullet advice.

Consider how we learn stuff in general. We take classes, go to night school, take driving or diving or cookery lessons, read-up on stuff, watch You Tube vids, read/listen to/watch/contemplate sage advisors, ask someone ...
and generally muddle through by ourselves, learning as we go from our successes and failures.

Published 2020-02-22T15:11:12+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/2OtFZveex4w/nblog-feb-22-educator-virus.html | www.secnews.physaphae.fr/article.php?IdArticle=1570354

NBlog Feb 20 - proceed with caution

Using the InfoSec 101 theme I mentioned on Feb 14th, I'm close to finishing the first set of presentation slides with a preponderance of yellow and black. Through a carefully chosen sequence of bright, clear images, no bullet points and very few written words, the slides tell a visual story based around risk. The core message is that information security is less a case of stopping the business from doing things, than of being vigilant. 'Proceed with caution' sums it up nicely.

Given the elegance, simplicity and power of those 3 words, I'm not sure whether to elaborate on information risk and information security at all, in fact. I guess we'll mention a few current threats, some recent incidents and typical controls in the speaker notes but I rather like the idea of leaving it up to the presenter/trainer to decide how to play things at run-time - during the induction courses and awareness program launch sessions for which the 101 module is destined. Some audiences will get it, effortlessly, while others might need a bit more of a steer, more of a clue about the point we're expressing here.

I've blogged before about my strong preference for images over written words on training course and seminar slides. The audience should focus their energies on understanding what the presenter/trainer is putting across, rather than reading the words on the screen, and is there anything more sleep-inducing than an inept and often nervous presenter literally reading aloud his own slides, often great blocks of text in a dreadful monotone?

It's not exactly death by PowerPoint, but close. "Take it easy, relax.
Your eyelids feel heavy ..." The answer is glaringly obvious: swap the written words for diagrams and images. Visual impact is doubly important for induction courses since inductees are often assaulted by an avalanche of new information. There's a lot to take in - not just from the slides and maybe handouts but from the speakers/trainers too, plus their new colleagues. If our InfoSec 101 materials add to rather than slicing through the information fog, we

Published 2020-02-20T16:41:25+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/lXA-kUcLZyA/nblog-feb-20-proceed-with-caution.html | www.secnews.physaphae.fr/article.php?IdArticle=1570355

NBlog Feb 19 - Brahms and Liszt

Fueled by a lot of Brahms and a wee tot of rum, half an hour's idle brainstorming on the purpose and objectives for information security awareness generated the following little Liszt:

- Rites, rituals
- Rite of passage
- Ritual slaughter
- Religions
- Belief systems
- Cult, visionary leader, positional power, faith
- Sheep, lemmings
- Wolves, packs, threats, skills
- Group-think, conformity
- Compliance, rules, constraints, in the box
- Individuality, creativity, nonconformity, freedom, out of the box
- Hippies, communes, cliques
- Hallucinogens
- Noncompliance
- Cultural norms, expectations
- Counter-cultural, bucking trends
- Conventions, habits, preferences
- Automatic behaviours, instincts
- Socialising infosec
- Social pressure, influence, shared values
- Social acceptability
- Social structures, hierarchies, links
- Networks and relationships
- Families, organizations, departments, teams, groups, cliques
- Nations
- Interactions

Published 2020-02-19T18:03:26+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/f6dvh1QqVW4/nblog-feb-19-brahms-and-liszt.html | www.secnews.physaphae.fr/article.php?IdArticle=1570356

NBlog Feb 18 - neat and tidy

My perfectionist streak flared up with a vengeance today.

First I spent a productive couple of
hours checking and revising the content of our generic/model Acceptable Use Policies, intending to include them in the updated InfoSec 101 module for March. Aside from reviewing and tinkering with the information content, this also involved standardising the formatting of the AUPs by using the same MS Word template with specific styles for all of them. The AUPs have been updated at various times in various NoticeBored modules and I noticed that, somewhere along the way, I must have changed the bullets and colouring for the 'acceptable use' and 'unacceptable use' points. Evidently I have also meddled with the boilerplate text that tops and tails each AUP, making them slightly inconsistent. To my beady eye, this will not do!

Unsure how to name the model AUP files, I toyed with the idea of making a single multi-page document containing them all but customers may not want them all. Instead I settled on a numeric naming scheme.

As I was doing that, I noticed the document properties also needed standardising. The properties are stored with each document and affect the directory listings. To get to this picture of neatness ...

... I had to fiddle with the Tags and Authors for each of the 8 AUPs. The Tags are easy enough to update but changing the Author property is a little awkward: originally, the Author for all the files was "Gary" which, although technically

Published 2020-02-17T19:25:21+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/93P-SUvAQ4o/nblog-feb-17-neat-and-tidy.html | www.secnews.physaphae.fr/article.php?IdArticle=1570357

NBlog Feb 17 - tips on security induction sessions

The InfoSec 101 management presentation is coming along ... but I'll need to rein in my enthusiasm for all things yellow to refocus on the information security essentials: one of the challenges with induction training is keeping it within a tight timescale. 'Speak fast!'
is not the answer because the audience probably won't take it all in, given that information security is just one of several important induction topics. It's trial by fire for them.

Some of our customers will have more time for induction training than others, so my cunning plan is to make the 101 presentations flexible. Customers who have the luxury of more time can elaborate on pertinent details and interact more extensively with the inductees. Those short of time may want to skim through or skip some of the slides ... but I hope to encourage them all to make the time to introduce inductees to the information security team. Making that personal link starts the long process of getting to know each other, with benefits on both sides as time goes on. For example, it's easier for workers to email, pick up the phone or drop in on someone they have already met, whether to ask a question, raise an issue or simply say "Hi!". 'Putting faces to names' is, to me, part of 'socialising information security', making it an integral part of the corporate culture.

On that point, I will be encouraging NB customers to allocate suitable information risk and security pro's to conduct the induction courses, in person. Information Security's 'customer services' or 'help desk' people and experienced trainers are the obvious choices for this job. Furthermore, if the Information Security Manager or CISO or CEO turns up, in person, to say hello and reinforce some point or other (implying a little preparation), that sends a more subtle message about the importance of information security for new workers.
It's a powerful technique to cut through the avalanche of information assaulting inductees.

If it is simply not practicable for the relevant InfoSec people to make the time to attend induction courses, other approaches include:

- Playing a brief 'talking heads' video statement by the ISM, CISO or CEO;
- A quick live phone call or videoconference appearance by the ISM, CISO or CEO during the session;
- Showing 'meet the team' biographies - mugshots and a few choice words about the pro's in the InfoSec team (which, in fact, means everyone in the organization, including those currently in the induction session!).

Another cool idea is to invite inductees to come along to Information Security eve

Published 2020-02-17T07:40:03+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/PhFnhWCdcqc/nblog-feb-17-tips-on-security-induction.html | www.secnews.physaphae.fr/article.php?IdArticle=1570358

NBlog Feb 14 - this year's InfoSec 101 theme

I've come up with a new theme for the InfoSec 101 presentations this year, driven by a visual metaphor. As I was picking out general-purpose security-related graphics from our stock for the slide decks, I noticed a preponderance of yellow ... which led me to think about warnings in nature (such as the yellow and black stripes of this wasp) and on the roads (driving hazards), plus the classic Red-Amber-Green traffic lights.

RAG colours are a simple visual cue, well suited to a basic induction or awareness refresher module. The concept gradually forming in my head is that we would like to get to green (as in "Go ahead, get on with the business ... safely") and, wherever possible, avoid the reds ("STOP! Dangerous!"), so amber ("Caution: hazards") is the path trodden by the security awareness and training program. I have in mind using a few reds and greens to illustrate the range but mostly I think we'll focus on those ambers in the middle ground.
The core message concerns vigilance, caution and situational awareness. We can't be there all the time, pointing out dangers to our colleagues, so they need to take responsibility for their own well-being - for example, hesitating and thinking twice about clicking those too-good-to-be-true offers sitting in their email inboxes and social media messaging.

We can even have a bit of fun with the roadsigns while we're at it, raise the odd laugh or wry smile maybe. Who says warning notices and awareness sessions should be dull and boring?

Published 2020-02-14T11:01:59+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/ybAETpFIkIw/nblog-feb-14-this-years-infosec-101.html | www.secnews.physaphae.fr/article.php?IdArticle=1570359

NBlog Feb 12 - terms of art

There's a nice bonus to all this: the terms that made it into the 101 glossary will go into a word-grid and possibly also a crossword if there's time. If people find unfamiliar words in the puzzles, they can look them up in the glossary to find out what they mean ... and it doesn't stop there: the glossary is designed to intrigue as well as inform. Any specialist terms in the explanations are hyperlinked to the corresponding entries, encouraging readers to click and read-on, hopefully browsing the whole thing. We want it to be as sticky as a tar-pit for newbies. In millennia to come, paleontologists will be digging out the bones of Novi operatur, a long-forgotten but remarkably vigilant humanoid species from the 21st Century.

But wait, there's more! We also use word lists to generate word clouds, visual depictions of the topic that again intrigue and inform - this sort of thing:

That's one I created for the 'surveillance' awareness module, an unusual topic that led us through corporate oversight and security monitoring into the realm of spooks and spies.
The words on the graphic remind me of our coverage when the module was prepared three years ago - things such as Ed Snowden's revelations about t

Published 2020-02-14T07:40:06+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/aMNxRM8tVtU/nblog-feb-12-terms-of-art.html | www.secnews.physaphae.fr/article.php?IdArticle=1570360

NBlog Feb 11 - InfoSec 101 terms

Our information risk and security glossary has grown steadily over the years to a document of 100,000 words over 346 pages defining about 3,000 terms. That's easily a book's worth (maybe we should publish it!), and way too much information for the InfoSec 101 module, so I spent yesterday paring it down to a more sensible size. The easiest approach was to chop out obscure/specialist terms and their definitions, then go through again to catch the ones I missed. Next I set to work trimming down the definitions for the remaining terms, simplifying the wording and removing the quoted extracts from the ISO27k and other standards and references. Some terms are context-dependent - they normally mean one thing but can mean something else. For the purposes of the 101 module, I've chopped off the 'something else' explanations.

So now we're down to 11,000 words and 40 pages, defining about 400 terms. Still more than I'd like. The most recent 2017 revision of the 101 module included a glossary of 2,000 words and 10 pages defining about 100 terms. Hmmm, it will be a struggle to get it down that far, but I'll give it a go. Time for another few cycles of chopping and trimming ...

Published 2020-02-11T14:01:46+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/RLxgcFIeqj8/nblog-feb-11-infosec-101-terms.html | www.secnews.physaphae.fr/article.php?IdArticle=1570361

NBlog Feb 8 - InfoSec 101

For March, we're working on our final NoticeBored security awareness module, an update to "InfoSec 101".
Unlike the other NoticeBored modules, this covers several information risk and security topics at a basic level. Its main purpose is to provide a gentle introduction, for example in new employee induction or orientation training, or as a launch module for organizations just starting or re-starting their awareness and training programs, bringing everybody quickly up to speed.

So what should it cover? For the general staff audience, I'm thinking:

- Information risk and security fundamentals, including common terms
- Policies and procedures, with a touch of compliance
- User IDs and passwords ... and why they matter
- Backups
- Patching
- Phishing and other social engineering scams
- Apps and mobile security
- Ransomware and antivirus
- Physical security in the office
- Physical security when on the road or working from home
- Cloud, Internet, network and system security basics
- Vigilance: spotting, reacting to and reporting concerns
- Who's who - putting faces to the names behind information security

For the management audience:

- Information risk and security management basics e.g. net value of incidents avoided/reduced less the costs of control
- A little more on compliance e.g. privacy
- Roles, responsibilities and accountability, with a little on governance
- Strategies, architecture, plans and big-picture-stuff
- Insider/outsider threats includ

Published 2020-02-11T13:36:19+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/Tm7GBVIcwNM/nblog-feb-8-infosec-101.html | www.secnews.physaphae.fr/article.php?IdArticle=1570362

NBlog Feb 5 - YMMV

Once more today I find myself drawn into an interminable discussion over on the ISO27k Forum.

This time around, it's with a member who (as I see it) steadfastly refuses to remove his IT blinkers and acknowledge that - perhaps - there's more to information risk and security management than IT security, that he can't simply ignore the rest or claim/pretend that it's someone else's problem.

His little IT world defines his horizon, and everything beyond the edge is (to him) at once both unseen and scary.

And to be fair to him, I'm just the same. OK, so my blinkers don't say "IT" all over them but it's true I perceive the world in terms of information risks. I can't help it. It's how my brain works. I have something of an idea of what lies beyond that horizon, but nevertheless it's scary because that's not my domain of knowledge, experience and expertise. It's not my home turf. It makes me uncomfortable.

Take 'financial risk' for example. I know a tiny bit about return on investment, exchange rates, stock markets, money markets and so on ... but I'm well out of my depth when it comes to, say, futures and options. I thoroughly enjoyed reading Nick Leeson's book about his shenanigans that brought down the veritable British financial institution of Barings Bank but I freely admit that, despite his patient and eloquent description in the book, I didn't entirely understand the ins-and-outs of his fraud (nor indeed did the bank's managers and auditors, until it was too late!).
Although the story sort of made sense at the time, I was struggling to understand and, now, I'd fall in a heap if I tried to recall and explain it.

Arguably there's a difference, though, between me and my rather naive, blinkered colleague on the ISO27k Forum. Specifically, I'm sufficiently self-aware to know my limits. If I wanted/needed to get into, say, financial risk, I'd seek out and rely on someone who's good at that stuff, someone with experience and reputati

Published 2020-02-05T20:01:16+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/mj5NWAez1us/nblog-feb-5-ymmv.html | www.secnews.physaphae.fr/article.php?IdArticle=1570363

NBlog February - just-in-time security awareness

This afternoon, we completed, proofread and published February's security awareness module on malware, a few short hours before our (self imposed!) end-of-month deadline. The atmosphere in the office has grown increasingly tense this week as the deadline loomed. Early in January we took the decision to use the Travelex ransomware incident as a very topical (live!) case study for the module, and as such we were hostage to their timeline. By sheer chance, the main Travelex websites were up and running again this very morning, neatly tying off the month's events.

Comparing and contrasting the Sony and Travelex ransomware incidents has been fascinating: they each handled the situations in their own way, and yet there are common themes - for instance they were both forced to fend off an inquisitive (hostile!) pack of journalists.
Travelex also made effective use of social media, and completed the main part of their recovery roughly twice as fast as Sony, so things have moved on in the five years since Sony Pictures Entertainment were all over the headlines with salacious gossip about film stars and wild speculation about North Korean cybertage.

Meanwhile, down here in rural NZ, our 4G wireless broadband Internet connection has been playing up something rotten. It's not good at the best of times but has been notably unreliable this week until, with perfect timing, the connection dropped out entirely as I was uploading the completed awareness module to our server. You probably know that we're a micro-company. I am the network technician, the IT Department in fact. Also the Procurement, Finance, Production, Marketing and Customer Services Departments, and yes I even make the tea. I'm not doing this totally alone, quite, but we rely on third party suppliers for various essential services, such as our comms. This week I could really have done with some technical help to get the broadband connection fixed while finishing the awareness materials, but as it was I found myself lashing-up a temporary Internet connection just to deliver the module at the most stressful time of the month.

On top of that, strong winds brought down trees across the track ... and guess who is the Chainsaw Operative part of the Grounds Maintenance Department!

Such is life. Business continuity is a challenge even for a microbusiness in sleepy NZ. But, like Travelex, we made it through and live to fight another day.

Published 2020-01-31T18:57:10+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/I7tSpG_gFk0/nblog-february-just-in-time-security.html | www.secnews.physaphae.fr/article.php?IdArticle=1570364

NBlog Jan 30 - simplicity itself

"Simplicity is the default unless there's a good business reason to do something else.
What is typically lacking are the business reasons ..."

That comment on CISSPforum set me pondering during this morning's caffeine fix. We've been chatting about some training webinar sessions recently promoted by (ISC)2. Some say they over-simplify information security to the point of trivialising and perhaps misleading people.

If you follow NBlog, you'll know that this month I have been slaving away on an awareness module covering malware, a topic we've covered many times before - particularly the avoidance or prevention of infections but this year a customer asked us for something on publicly disclosing incidents in progress, a disarmingly simple request that turned into a fascinating foray into the post-malware-infection incident management and resolution phase for a change. I've been exploring and writing about what does, could or should happen after malware 'hits' - from that dramatic moment the ransomware demands appear on everyone's screens, for example. What follows is quite an intricate and frantic dance, in fact, involving management, IT and other staff, customers, suppliers and partners, regulators/authorities, journalists and the news + social media etc. plus the Incident Management Team, infosec and business continuity pros trying to keep everything on track, the legal team figuring out who to sue, the compliance pros wondering how not to get sued, and various hired-hands helping with forensics, disinfection and finding then retrospectively plugging whatever holes were initially exploited by the malware. All the while, the menacing hackers and cybercrims are wielding big coshes in the shape of threats to make the disruption permanent and terminal, and/or to disclose whatever juicy tidbits of corporate and personal info they've previously stolen (the CEO's emails, or browser history perhaps?). And all the while the systems, data, business processes/activities, websites and apps are being maintained, recovered or restored.
Brands and relationships are under pressure, along with all the dancers. It's an intensely stressful time for them, I'm sure.

The approach we've taken is to explore the timeline of an actual incident, in real time as it happens (as it happens), building a case study around the ongoing Travelex ransomware incident: the sequence forms a convenient thread to lead people through the story, thinking about what's going on at each stage and imagining how it would be if a similar incident happened 'here'. I've drawn up a simplified Travelex incident timeline in the same style as the one I drew for the Sony Pictures Entertainment fiasco 5 years back, pointing out some of the key events plus the phases of the overall process. The new Travelex version ('in press'!) is simpler

Published 2020-01-30T11:02:19+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/Y6zr23iZHO8/nblog-jan-30-simplicity-itself.html | www.secnews.physaphae.fr/article.php?IdArticle=1570365

NBlog Jan 29 - taking it to the wire

Today since before 5am I've been slaving away over a hot keyboard in a steamy hot office on a flaming hot topic: malware awareness. As you may have noticed here on the blog, all month long I've been systematically tracking the ongoing Travelex incident, observing from a safe distance the unsightly aftermath of another ugly malware - and business continuity - incident unfolding before our very eyes.

With our end-of-month delivery deadline looming large, it's time to draw out the lessons from the case study and weave the whole episode into a compelling tale for February's awareness module - well, three closely-related tales in fact since as always we're catering for the differing perspectives, concerns and information needs of our customers' staff, management and professional audiences.

What have we learnt this month? What has happened, and why?
What do we think might/should have been going on behind the scenes, out of the glare of the media spotlight? What were the dilemmas facing Travelex's management and IT people?

How might things have played out if the incident had been handled differently?

And, most importantly of all, what are our carry-outs, our take-home learning points and the Things We Ought to be Doing? Taking the whole sorry episode into account, what does it mean for us, our organization, right now?

You'll find a few clues to the answers in the blog ... but for the full nine yards you'll need to hang on just a few short days until the awareness module is completed and published. Or of course

Published 2020-01-29T18:59:32+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/y8tMwU4Pmh8/nblog-jan-29-taking-it-to-wire.html | www.secnews.physaphae.fr/article.php?IdArticle=1516887

NBlog Jan 28 - woe betide ...

... any organization unfortunate enough to suffer a privacy breach today, of all days, being "Data Privacy Day". In the unlikely event that there are no new ones today, recent newsworthy breaches are liable to be trawled up and paraded across the media, again.

I've been writing about preparing to deal with malware incidents all this month. Managing or controlling the publicity aspects is trickier than it may appear. Sony pulled a master stroke in getting its legal team to threaten action against journalists who continued to exploit the tittle-tattle disclosed in the Sony Pictures Entertainment breach five years ago - but that's not a universally applicable approach. Travelex did well to get basic, static web pages published quickly, plus a talking-heads video explanation/apology by the CEO ...
but ask their retail customers whether they feel 'informed', while the promised restoration of services is patently taking longer than anyone (except perhaps the cybercrims behind the attack) wants.

Blend in the compliance aspects as well for good measure. I suspect British Airways and Marriott International, for instance, would have much preferred to take their corporal punishment under GDPR in private, rather than baring their bottoms on News At Ten.

There's a fine line between their being directly blamed for causing the incidents, and being blamed for failing to prevent them - a line which Public Relations teams might do well to consider. The real culprits here are the cunning VXers, hackers and cybercrims, rather than their targets. Defending all points at once is undoubtedly much tougher than exploiting one or more vulnerabilities. It's not a fair fight! Too bad: that's how it is ... but maybe it wouldn't hurt to explain that.

By the way, the issues multiply when you take into account the wide range of people and organizations who want to know and/or should be kept informed. Take employees, for instance:

Published 2020-01-29T05:30:36+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/byeAcm2inX8/nblog-jan-28-woe-betide.html | www.secnews.physaphae.fr/article.php?IdArticle=1516888

NBlog Jan 25 - data privacy day

On Tuesday, data privacy day, privacy will be top of the agenda.

Well, OK, not top exactly, not even very high if I'm honest.

And apart from mine, I'm not sure whose agenda I'm talking about.

Evidently it's about "data privacy", not other kinds of privacy, oh no.

If I'm coming across just a little cynically, then evidently I need to try harder.

I bumped into data privacy day while searching for something privacy related - I forget exactly what, now.
Otherwise, it would surely have passed me by, and maybe you too, dear blog reader.

Anyway, data privacy day appears to date back to Jan 28th 1981 when Convention 108 was signed in conventional Europe. "The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was among the first, if not the very first, data protection regulation, predating today's privacy laws and regs.

In 2006, the Council of Europe launched Data Privacy Day as an annual event on January 28th.

Data privacy day was later taken up by some American organizations.

Published 2020-01-29T05:23:20+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/W8E8PbYn2JI/nblog-jan-25-data-privacy-day.html | www.secnews.physaphae.fr/article.php?IdArticle=1516890

NBlog Jan 27 - MD/CISO's question time

Seems I'm not the only ravenous shark circling the Travelex ransomware incident.

Over at the Institute of Chartered Accountants in England and Wales website, Kirstin Gillon points out there are learning opportunities for senior management in this "horror story".

Specifically, Kirstin suggests posing six awkward questions of those responsible for managing incidents and risks of this nature ...

Rhetorical questions of this nature are not a bad way to get management thinking and talking about the important issues arising - a valuable activity in its own right although it falls some way short of taking decisions leading to appropriate action. Admittedly, there's an art to framing and posing such questions.
Kirstin's questions are along the right lines, a good starting point at least.

Faced with such questions, some Boards and management teams will immediately 'get it', initiating further work to explore the issues, evaluate the risks and controls more deeply, and if appropriate propose corrective actions to a

Published 2020-01-27T16:54:17+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/6qgXcicvfDM/nblog-jan-27-mdcisos-question-time.html | www.secnews.physaphae.fr/article.php?IdArticle=1516889

NBlog Jan 24 - information, data, knowledge And All That

On the ISO27k Forum lately we've been discussing something that comes up repeatedly, a zombie topic you could say since the discussion is never really settled to everyone's complete satisfaction. There's always more to say.

The discussion concerns the disarmingly simple phrase "information asset", used in some but no longer defined in any of the ISO27k standards. Among other things, we've discussed whether people/workers can be classed as information assets, hence information risks associated with people potentially fall within scope of an ISO27k ISMS.

Yesterday, Mat said:

"Knowledge is generally broken down into three different types - explicit, implicit, and tacit. When we are talking about classing employees as an asset or simply treating the information that they know as an asset, I think maybe this can be broken down further using these different knowledge types. Explicit knowledge is knowledge that is easily transferable, can be recorded and stored. Things like standard work instructions, guides, procedures, policies. Due to the nature of this information, it seems obvious to class the information itself as the asset here - you can mitigate the risk of information loss simply by recording the information. Implicit knowledge is the practical application of explicit knowledge.
This can include knowing your way around a particular security product, or a particular piece of equipment. This type of knowledge is difficult to record; however, things like best practices are the best attempt, although it's difficult to include the entire background knowledge of the best practice. Due to this, loss of this information is difficult to completely mitigate, and hence, I think the employee here could be classed as the information asset. The best mitigation is to keep the employee. Tacit knowledge is the practical application of implicit knowledge. Examples of this are knowing not only a particu

2020-01-24T08:37:48+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/ctVidOal-9w/nblog-jan-24-information-data-knowledge.html

NoticeBored - Experienced IT Security professional: NBlog Jan 23 - awareness quiz on malware

Trawling through our back catalogue for content worth recycling into next month's awareness module, I came across a quiz we set in 2017. The challenge we set the group was this:

Aside from malware (malicious software), what other kinds of “wares” are there?

The idea was to prompt the group to come up with a few obvious ones (such as software), then start digging deeper for more obscure ones. Eventually they would inevitably start to improvise, making up 'ware' terms but, if not, here are our tongue-in-cheek suggested answers, provided for the quiz master in case the group needed prompting towards more creative, lateral thinking:

Abandonware – software long since given up on by its author/support krew and left to rot
Adware – software that pops up unwelcome advertisements at the least appropriate and most annoying possible moment
Anyware – web-based apps that can be used while in the office, on the road, in the bath, wherever ... provided the Internet is accessible
Beggarware – smelly, homeless software that periodically rattles its virtual cup, begging loose change "for a cup of tea"
Bloatware – software that has grown fatter than a week-old beached whale with 'features'
Botware – software to stop the bots becoming bored and naughty
Brochureware – over-hyped marketing, promotional or advertising copy ab

2020-01-23T09:00:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/UEmlfqzv88w/nblog-jan-23-awareness-quiz-on-malware.html

NoticeBored - Experienced IT Security professional: NBlog Jan 22 - further lessons from Travelex

At the bottom of a Travelex update on their incident, I spotted this yesterday:

Customer Precautions
Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us.

Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway, even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.

At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate.
It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. I'm waffling on about corporate identity theft, flowing on from the original incident.

I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypot

2020-01-22T09:00:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/tIKSOS4dN4A/nblog-jan-22-further-lessons-from.html

NoticeBored - Experienced IT Security professional: NBlog Jan 21 - exceptions vs exemptions

In the context of information risk and security management, I define and use the terms "exemption" and "exception" quite deliberately.

“Exceptions” are unauthorized non-conformance or non-compliance situations. For example, if the organization has a policy to use multi-factor authentication for all privileged system accounts, a privileged account that only has single-factor auth for some reason (maybe an oversight or a practical issue) would constitute an exception, something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management. Depending on the circumstances and the nature of the information risks, identified exceptions may be classed as issues or events, perhaps even incidents worth reporting and managing as such.

“Exemptions” are where management has formally considered and risk-assessed non-conformance or non-compliance situations and explicitly authorized or agreed that they should continue – perhaps with compensating controls, for a defined limited period, and with clear accountability for the associated risks.
So, for instance, the information risks associated with only having single-factor auth on a test system may be acceptable to management if the control costs are deemed excessive in that situation … but the exemption might be only for the duration of the testing, and on the condition that the test system only has access to test data, not live/production data, with the Test Manager accepting personal accountability for the associated information risks.

Exemptions do not constitute issues, events or incidents unless:

The situation at hand varies substantially from that authorized, e.g. if the compensating controls are not actually in operation, or if the authorized exemption period has expired (yes, even exemptions have to be complied with ... perhaps implying the need for compliance checks and other control measures if the information risks are significant);
The information risks are materially different from those accepted, e.g. if

2020-01-21T08:49:54+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Cow3EyYbJCE/nblog-jan-21-exceptions-vs-exemptions.html

NoticeBored - Experienced IT Security professional: NBlog Jan 20 - Travelex vs Sony shootout

The Travelex ransomware case study is coming along nicely. Over the dull grey NZ weekend, I prepared a timeline of the ongoing incident to compare and contrast against the Sony Pictures Entertainment ransomware incident at the end of 2014. Already, Travelex is well ahead on points, restoring UK customer services within 3 weeks of the attack with more on the way. The incident timeline is substantially compressed relative to Sony's: they are getting through whatever needs to be done more quickly.

Travelex has done well to keep its retail customers updated throughout, from the initial rapid disclosure on Twitter through to brief informational pages on the web, an FAQ, plus a statement and talking-head videoblog by its CEO on Friday just gone.
Full marks from me!

As far as I'm concerned, Travelex has managed the disclosures and public comms well, releasing professionally-crafted, informative briefings about the evolving situation, reassuring customers and not trying to cover things up or hide away. The CEO fronting-up is notable, confirming beyond doubt that senior management is on top of things, facing up rather than shying away. As with the city's most senior policeman fielding a press briefing very shortly after the London bombings of July 2005, impeccably dressed, confident and impressive, the reassurance is very valuable, damping down rather than fanning the flames.

Although admittedly I have not hunted for them specifically, I haven't yet come across any informal/unauthorized disclosures by Travelex workers, such as those mobile phone photos of the scary skeleton threats plastered over Sony's screens. Despite what must surely be a tense atmosphere in the offices, the Travelex workforce is evidently pressing on with the job, all hands to the pumps.
Good on them too!

In parallel, Travelex management must have been busy liaising with and reassuring its commercial customers/partners, industry regulators and the global news media too, while the fairly rapid restoration of services hints at a huge amount of work under way down in the IT engine room (presumably a disaster recovery approach, rebuilding servers from backups?).

2020-01-20T09:00:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/qnWiKuVDW9s/nblog-jan-20-travelex-vs-sony-shootout.html

NoticeBored - Experienced IT Security professional: NBlog Jan 14 - a live case study

As we slave away on next month's security awareness module on malware, the Travelex ransomware incident rumbles on - a gift of a case study for us, our customers and for other security awareness pros out there.

A quick glance at Travelex dotcom tells us that (as of this blogging) the incident is ongoing, unresolved, still a public embarrassment to Travelex that is presumably harming their business and their brand ... although, having said that, I've already mentioned their name three times in this piece. If you believe 'there's no such thing as bad publicity', then headline stories about the incident are all good, right?

Hmmm, leave that thought with me. Meanwhile, for the remainder of this piece, I'll call them "Tx" for short.

Technically speaking, the Tx dotcom website is up and running, serving a simple information page 'apologising for any inconvenience' [such as retail customers being unable to use the site to access Tx financial services in the normal fashion] and blaming 'a software virus':

It refers to another Tx website which appears to be a legitimate Tx customer authentication page ... but, if it were me, given the incident I would be very dubious about submitting my credentials without first ascertaining that the site is legitimate, not simply part of the scam.

Anyway, the point is that they are at least

2020-01-19T13:14:12+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/DeQ77qEMiJg/nblog-jan-14-live-case-study.html

NoticeBored - Experienced IT Security professional: NBlog Jan 19 - exercising in private

Continuing this mini-series of bloggings inspired by business continuity exercises, today I'm talking about other sources of creative inspiration for security awareness purposes - specifically, information from within and around the organization concerning incidents, near-misses, information risks and other issues that are known internally but haven't (yet!) been picked up by the news media. There's a wealth of information there, behind closed doors.

Most organizations care enough about various kinds of risks to manage them explicitly. All organizations seeking certification against ISO/IEC 27001 are required to manage information risks (by which I mean "risks pertaining to information"), a process that starts by identifying the risks to be managed.

How do they do that?

One approach involves considering the organization's risks in general: what threatens achievement of corporate/business objectives? And which of those risks has an information element? Large, mature organizations typically have some sort of 'corporate risk register', perhaps even a dedicated team or department of risk experts primarily responsible for risk management, especially (if not exclusively) for the "significant", "substantial", "strategic" or "bet-the-farm" risks. Other organizations have more diffuse arrangements for managing risks, perhaps just an implicit, integral or informal part of 'governing', 'managing' or 'doing business'.
Either way, the risks typically identified at that high level may not be labelled or even considered to be "information risks" but many are, or have an information aspect. Fluctuating exchange and interest rates, for instance, can have significant implications for corporate financial management, and so need to be managed carefully: the rates, plus the factors influencing them, plus the details around how the rates affect corporate finances, plus the financial management systems and processes themselves, all revolve around information ... hence there are information risks. Pick any other significant corporate risk and you can almost certainly find significant information risks.

Another approach explores business processes, systems etc. For business continuity purposes, a classical Business Impa

2020-01-19T09:00:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/rkFMjjrGQBc/nblog-jan-19-exercising-in-private.html

NoticeBored - Experienced IT Security professional: NBlog Jan 18 - business discontinuity

As if following a cunning plan (by sheer coincidence, in fact) and leading directly on from my last two bloggings about business continuity exercises, Belgian manufacturing company Picanol suffered a ransomware infection this week, disabling its IT and halting production of high-tech weaving machines at its facilities in Ypres, Romania and China.

Fortunately, Picanol's corporate website is still up and running thanks to Webhosting.be, hence management was able to publish this matter-of-fact press release about the incident:

Unsurprisingly, just a few short days after it struck, technical details about the "massive ransomware attack" are sparse at this point. The commercial effects, though, are deemed serious enough for trading in its shares to have been suspended on the Brussels bourse. There's already plenty of information here for a case study in February's awareness module.
Through a brief scenario and a few rhetorical questions, we'll prompt workers to consider the implications both for Picanol and for their own organizations. If a similar malware incident occurred here, knocking out IT and production for at lea

2020-01-18T09:00:04+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/9PNzfvaciv4/nblog-jan-18-business-discontinuity.html

NoticeBored - Experienced IT Security professional: NBlog Jan 17 - live-fire continuity exercises

Yesterday I blogged about the advantages and disadvantages of business continuity exercises. Today's topic concerns the alternative approaches, in particular the idea of 'live-fire' exercises in the business continuity context.

Vast tracts of prime agricultural land are set aside as military training grounds, allowing the armed forces to practice their maneuvers and, sometimes, fire actual bullets, mortars, missiles and bombs. Real ones, not dummies. There are, of course, certain health and safety risks associated with weapons (!), so why take the risks? What are the benefits of not using blanks and simulations?

Two obvious reasons are:

To test, prove and improve the weapons, for example confirming the accuracy, range and effectiveness of a field gun firing live rounds towards a tank, building or bunker, with gusting cross winds, challenging terrain, engineering and operational variables.
To practice, test, prove and improve the soldiers' capabilities, including dealing with the very real safety concerns when their weapons are locked and loaded.

These are still exercises, though, somewhat removed from genuine action on the battle grounds of, say, the Middle East ... and it could be argued that even those are merely limited-scope live-fire exercises in preparation for all-out global warfare.

So do we have the equivalent of live-fire exercises in the business continuity context?
Yes, there are at least two types:

Actual incidents that occur routinely within the organization, ranging from frequent minor events up to the occasional more serious incidents, if somewhat removed from genuine disasters thanks, in part, to the incident management and disaster mitigation activities. Hopefully all that preparation and exercising pays off! It's straightforward for a responsible manager to "declare an emergency", initiating the disaster management activities even though that may not be strictly justified by the exact circumstances. From that point, turning the incident into an exercise may simply be a matter of going through the motions, perhaps simulating various facets that haven't been tested a

2020-01-17T12:57:01+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/t4xfUIeYzk8/nblog-jan-17-live-fire-continuity.html

NoticeBored - Experienced IT Security professional: NBlog Jan 16 - pros and cons of continuity exercises

Usually, business continuity-related exercises are very carefully planned in advance. Those directly involved are generally well aware of the impending events, often having a good idea if not explicit information about the timescale as well as the situation to be simulated. The more involved the exercise, and the longer the planning, the greater the leakage of information about it.
The rumour mill grinds it out.

There are several good reasons for all that exercise pre-planning:

Preparing for exercises is also [at least partly] preparing for genuine incidents - a convenient [partial] alignment of objectives
Planning improves the chances of 'success' - an important factor for those personally charged with overseeing, managing and conducting the exercises
People and organizations confronted with an exercise scenario are less likely to panic, thinking and reacting as if it is a genuine incident, if they know about it in advance

On the other hand, the pre-planning has its drawbacks too:

People and organizations naturally focus on and prepare for the specific scenario/s planned, perhaps diverting resources from other aspects of preparedness that might be even more important/urgent
A pre-planned and anticipated exercise removes a substantial element of uncertainty that occurs in real incidents, begging questions such as "Is this an incident?", "What's going on?", "How serious is this?" and "Am I the only person who knows about this?"
"Success" in an exercise is not quite the same as "success" in a genuine incident - generally speaking, the stakes and hence the stresses are much higher, pushing systems, processes, individuals, organizations and communities to and in some cases beyond their breaking points, something that most exercises studiously avoid. It is conceivable for organizations to become highly accomplished at exercises, yet hopeless in actual incidents.
There may be adverse effects on operations if exercises go wrong, despite all the efforts to minimise the risks, whereas there certainly will be adverse effects in the case of actual incidents, especially those severe enough to warrant all this preparation, planning, exercising and so on. One consequence of this is that exercises tend to last a few hours or days at most, maybe a further few weeks for the wash-up meetings, reporting and note-taking for the next run.
Genuine incidents typically last for weeks or months

2020-01-16T13:45:01+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/FlAU3a7s6v0/nblog-jan-16-pros-and-cons-of.html

NoticeBored - Experienced IT Security professional: NBlog Jan 6 - post-malware-incident notification & other stuff

A couple of days ago here on NBlog I wrote: "One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents." That's not all.

Anticipating that, despite all we do to prevent them, malware infections are still likely to occur implies the need for several post-event controls. These are the kinds of controls I have in mind:

Reliable, efficient, effective, top-quality incident response and management processes - in particular, speed is almost always of the essence in malware incidents, and the responses need to be well-practiced - not just for the run-of-the-mill routine infections but for the more extreme/serious "outbreaks";
Decisive action is required, with strong leadership, clear roles and responsibilities, and of course strong awareness and training both for the response team and for the wider organization;
Clarity around priorities for action, e.g. halt the spread, assess the damage, find the source/cause, recover;
Technological controls, of course, such as network segmentation (part of network architectural design), traffic filtering and (reliable!) isolation of segments pending their being given the all-clear;
Clarity around priorities for reporting, including rapid escalation and ongoing progress updates, in parallel with the other activities;
Forensics, where appropriate, feasible and helpful (e.g. which preventive controls failed, why, and what if anything can be done to strengthen them);

2020-01-06T19:24:42+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/KizzfUNMsGQ/nblog-jan-6-post-malware-incident.html

NoticeBored - Experienced IT Security professional: NBlog Jan 5 - plus ça change, plus c'est la même chose

Malware has clearly been an issue for a long time. It was prevalent enough to be the topic of our second NoticeBored security awareness module way back in July 2003. I've just dug the old NB newsletter out of the archive to see what's changed.

In 2003, I wrote about viruses (macro, boot sector and parasitic types), Trojans, worms and logic bombs. Although other forms of malware were around back then, we elected to stick with the basics for awareness purposes. Getting on for 18 years later, we're taking a broader perspective. Today's workers need to know about spyware, BEC & VEC (Business/Vendor Email Compromise), phishing, infectious mobile apps and more. Actual computer viruses are practically unheard of now, although the term remains.

We're still concerned about preventive, detective and corrective controls, and malware risks that include data corruption - only now it's mostly deliberate in the form of ransomware rather than cybertage or bugs in the malware code.

The 2020 and 2003 newsletters have a very similar style with minor differences that only catch my eye because I wrote them, and I've been responsible for using and updating the format throughout. We've changed from Arial to Calibri font. Shouty "EMAIL" became calmer "email" at some point. The Hinson Tips on awareness migrated from the newsletter to the train-the-trainer guide, and the NoticeBored banner logo was smartened up. We have reverted from 'American English' to English spelling.
The two-column newsletter format remains, though, despite the layout problems that has caused me over the years, particularly when I wanted to include full-page-width diagrams. I've learnt to overcome most of the limitations of MS Word but not always without grief! We have more actual news now, too, finding short but relevant news items on the web to push the point home that the information risks are not merely theoretical: actual incidents are occurring all the time. Finding quotable news clips is becoming harder, however, due to the spread of paywalls: it's simply not economic for us to subscribe to all the commercial sources we'd need to maintain a broad-based newsletter, so we're increasingly using soundbytes from blogs and

2020-01-06T10:25:54+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/TLIOKJpA_tM/nblog-jan-5-plus-ca-change-plus-cest-la.html

NoticeBored - Experienced IT Security professional: NBlog Jan 4 - malware awareness update 2020

Our security awareness topic for February will be malware, malicious software - viruses, Trojans, worms, cryptominers, APTs, ransomware, spyware and Tupperware. Well OK, maybe not all of them: viruses are vanishingly rare these days.

An increasingly important part of the malware problem is the wetware: we humans evidently find it hard to sense and react appropriately to the dangers presented by infected messages, web pages and apps. Addressing that is a key objective of the awareness module, and quite a challenge it is given that the bad guys are forever coming up with new ways to conceal their intentions or trick us into doing something inappropriate. Digging a little deeper, I feel we also need to explain why we can't rely on antivirus software etc. to save the day, because the baddies are also finding novel ways to evade the technological controls, despite the best efforts of the good guys in IT.

One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents. Another less-obvious lesson from incidents such as cryptominers, spyware, Vendor Email Compromises and Advanced Persistent Threats is that detecting infections in progress is harder than it appears ... and, again, it makes sense not to over-depend on detection. Taking that to its logical conclusion, what could/should we do if we presume the organization is currently infected by some sneaky malware? I'm talking about the malware element of counter-espionage, for example deliberately seeding false information, or creating situations designed to reveal 'moles in the camp'.

There we are then: malware issues to discuss with general employees, tech/specialists and management, respectively. Now all I need to do is prepare the content for those three streams and Bob's yer uncle!

2020-01-04T09:16:03+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/6RcWcMrZhsQ/nblog-jan-4-malware-awareness-update.html

NoticeBored - Experienced IT Security professional: NBlog Dec 15 - the business case for ISO27k

As part of January's awareness module, I'm compiling a generic business case laying out the costs and benefits of implementing the ISO27k standards and seeking an ISO/IEC 27001 certificate.

Well, that was the cunning plan anyway.
So far, I have a long list of benefits and a small handful of costs - just the obvious ones to do with managing an implementation project, reviewing information risks, improving governance arrangements, writing and updating the documentation such as policies, and contracting with an accredited certification body. There may be additional costs to implement information security controls ... but not necessarily: it all depends on the information risks and decisions arising. Patently I'm a big fan of ISO27k but I honestly didn't expect the business case to be so overwhelmingly positive. It's quite a surprise.

If management is willing to accept the organization's current information risk status, there's no need to splash out on additional security, at least not yet, not purely for certification anyway. The situation may change, later, once the ISMS is running sweetly and shortcomings with the risk treatments come to light, perhaps through incidents or a growing appreciation of the evolving information risks ... but that's a way down the track, post-certification. Possible future costs are not part of the business case, nor are possible future benefits.

It's not entirely plain sailing though, as the implementation process involves systematically reviewing the infosec controls catalogued in ISO/IEC 27001 Annex A to be sure that nothing important has been neglected. An organization that is lacking in near-universal controls such as identification and authentication, access controls, backups, antivirus and firewalls would be hard-pressed to justify to the certification auditors that they are inapplicable.
It can be done, but it's not easy.

2020-01-03T14:24:22+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/LWMA2HH8sr0/nblog-dec-15-business-case-for-iso27k.html

NoticeBored - Experienced IT Security professional: NBlog Jan 3 - ISO27k business case published

I've just published the ISO27k business paper I wrote for the latest security awareness module. It elaborates on the typical business benefits and drawbacks of the ISO/IEC 27000 “ISO27k” information security management standards. It is the fourth revision, a complete re-write in fact of a generic business case paper I started roughly two decades ago. Since then, I've gained experience working with clients, chatting with participants in the ISO27k Forum, plus colleagues on the ISO/IEC committee writing and maintaining the ISO27k standards.

The new version deliberately takes a very broad perspective: ISO27k is not just about securing IT systems, networks and data ('cybersecurity') nor even 'information security'. It's really a governance structure for managing an organization's information risks systematically, in support of its business objectives. It's as much about exploiting as protecting information. ISO27k is a business-enabler.

Use it to construct your business case, budget request or project proposal to adopt ISO27k or, if you already have an Information Security Management System in operation, find ways to squeeze even more business value from it.
Download the paper here. Comments welcome.

2020-01-03T13:55:50+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/E2zTmuMpwMU/nblog-jan-3-iso27k-business-case.html

NoticeBored - Experienced IT Security professional: NBlog January - ISO27k awareness & training materials

January's security awareness and training materials concern a topic I've been itching to cover for years, literally (the years part, not the itching ... thanks to the magic ointment).

I've been a user and fan of the ISO/IEC 27000 series standards since forever, before they were even conceived, even before BS 7799 was published.

From the original corporate security policy and 'code of practice' on information security (essentially a catalogue of information security controls), ISO27k has grown into a family of related standards, along the way assimilating a couple of other standards and, lately, expanding into privacy, eDiscovery, IoT, smart cities, big data and more.

Making sense of the bewildering scope of today's ISO27k was a particular challenge for this awareness module ...

... and of course ISO27k is not the only source of guidance out there ...

The module came together and turned out nicely ...

2019-12-31T10:36:58+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/PyyhCcv29xg/nblog-january-iso27k-awareness-training.html

NoticeBored - Experienced IT Security professional: NBlog Dec 23 - how many ISO MSSs are there?
ISO 9001 Quality management systemISO 13485 Medical devices quality management systemISO 14001 Environmental management systemISO 18788 Private security ops management systemISO/IEC 20000-1 IT service management systemISO 22000 Food safety management systemISO 22301 Business continuity management systemISO/IEC 27001 Information security management systemISO 28000 Supply chain security management systemISO 37001 Anti-bribery management systemISO 39001 ]]> 2019-12-31T10:25:33+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/GJJ3g0tddKA/nblog-dec-23-how-many-iso-msss-are-there.html www.secnews.physaphae.fr/article.php?IdArticle=1495732 False None None None NoticeBored - Experienced IT Security professional NBlog Dec 27 - Pakistan supports ISO27k Through the Pakistan Software Export Board of the Ministry of IT & Telecom, the Pakistan government is subsidising 80% of the cost of consultants and auditors to advise and certify Pakistani IT companies against ISO 20000 (ITIL) and ISO/IEC 27001 (information security). With over 5,000 companies in Pakistan offering Business Process Outsourcing and IT services, this represent a substantial investment, reflecting the government's intention to raise standards in the industry. Good on them! If only other governments would follow their lead.]]> 2019-12-27T18:30:47+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/oR2aWtWfP8A/nblog-dec-27-pakistan-supports-iso27k.html www.secnews.physaphae.fr/article.php?IdArticle=1495731 False Guideline None None NoticeBored - Experienced IT Security professional NBlog Dec 22 - zero-based risk assessment In a thread on the ISO27k Forum, Ed Hodgson said:"There are many security controls we have already implemented that already manage risk to an acceptable level e.g. my building has a roof which helps ensure my papers don't get wet, soggy  and illegible.  
But I don't tend to include the risk of papers getting damaged by rain in my risk assessment".Should we consider or ignore our existing information security controls when assessing information risks for an ISO27k ISMS? That question took me back to the origins of ISO27k, pre-BS7799 even. As I recall, Donn Parker originally suggested a standard laying out typical or commonplace controls providing a security baseline, a generally-applicable foundation or bedrock of basic or fundamental controls. The idea was to bypass the trivial justification for baseline controls: simply get on with implementing them, saving thinking-time and brain-power to consider the need for additional controls where the baseline controls are insufficient to mitigate the risks.  [I'm hazy on the details now: that was ~30 years ago after all.]I have previous used and still have a soft-spot for the baseline concept … and yet it's no easier to define a generic baseline today than it was way back then.  In deciding how to go about information risk analysis, should we:Go right back to basics and assume there are no controls at]]> 2019-12-22T13:14:31+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/xM2mY8xgkq0/nblog-dec-22-zero-based-risk-assessment.html www.secnews.physaphae.fr/article.php?IdArticle=1495733 False None APT 17 None NoticeBored - Experienced IT Security professional NBlog Dec 20 - ISO27k maturity metric "universal KPI" metrics paper for January's ISO27k awareness module. The finished article uses the management system requirements from the main body of ISO/IEC 27001, followed by the security controls in Annex A or ISO/IEC 27002 (mostly), as the basis for measuring an organization's ISMS. Here's a little taster (click to enlarge):I have added a few supplementary controls and scoring criteria in areas where I feel '27002 falls short of current good practice e.g. policy management, business continuity and compliance. 
At some future point, I will add IoT, cloud security and perhaps other controls for the same reason. One of the advantages of this style of metric is that it's straightforward to maintain, such as updating or adding new scoring criteria, ideally in such a way that prior scores remain valid.As it is, it's already a lengthy, detailed paper - a 37-page Word document with two tables in landscape format containing ~13,000 words plus a page of instructions. I'm itching to try this out in earnest, so if you know of anyone looking for an ISMS internal audit, ISO27k gap analysis, benchmark or review, or simply looking for a pragmatic infosec maturity metric, please get in touch.PS  This metric scores well on the PRAGMATIC metametric scale, naturally, since it is predictive, relevant, actionable, cost-effective, independently verifiable etc.PPS  The metric has value for:Reviewing and evaluating an organization's information risk and security management practicesReviewing and evalua]]> 2019-12-20T12:49:52+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/d9z2Wu90j_o/nblog-dec-20-iso27k-maturity-metric.html www.secnews.physaphae.fr/article.php?IdArticle=1495734 False None None None NoticeBored - Experienced IT Security professional NBlog Dec 18 - c. 32,000 ISO/IEC 27001 certificates ISO Survey gives the certification figures for 2018 on ISO's management systems standards. Yes, evidently it takes that long to compile and publish the data.  No, I don't know why it is so slow, except that it involves gathering information from busy certification bodies dotted around the globe. By donkey, maybe.Anyway, here are some of the stats:So, by now there are probably more than 32,000 ISO/IEC 27001:2013 certified organizations globally, each cert covering two physical sites on average. 
A further unknown number are currently in the process of being certified, or have chosen to adopt the standards without being certified compliant.Compared to ISO9k (quality management) and ISO14k (environmental management), ISO27k (information risk & security management) is way behind, meaning a lot of growth potential - more than 27 times the current uptake to match ISO9k.Yes, I'm an optimist. ISO's other management system standards are: ISO22k (food safety), ISO45k (health & safety), ISO13k485 (medical devices), ISO50k (energy)]]> 2019-12-18T11:35:06+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/i3tvmqhNoMc/nblog-dec-18-c-32000-isoiec-27001.html www.secnews.physaphae.fr/article.php?IdArticle=1495735 False None None None NoticeBored - Experienced IT Security professional NBlog Dec 10 - a brutal lesson in risk management headline news around the globe, a tragedy that sadly resulted in several deaths, currently estimated at 13.  Also, yesterday in NZ there were roughly 90 other deaths (as there are every day), roughly two thirds of which were caused by cardiovascular diseases or cancer:So, yesterday, the proportion of deaths in NZ caused by "Natural disasters" spiked from 0% to 13%. Today, it is likely to fall back to 0%. "Natural disasters" will have caused roughly 0.04% of the ~33,500 deaths in NZ during 2019 ... but judging by the news media coverage today, you'd have thought NZ was a disaster zone, a lethal place - which indeed it is for ~33,500 of us every year. Very very few, though, expire under a hail of molten rock and cloud of noxious fumes, viewable in glorious Technicolor on social media.Those 13 tourists who perished yesterday chose to see NZ's most active volcano up close, real close. You may be thinking "Ah but if they'd known it would erupt, they wouldn't have gone" ... but they did know it was a possibility: for at least some of the 13, that was the very reason they went. It's euphemistically called "adventure tourism". 
The possibility of death or serious injury is, perversely, part of the attraction, the thrill of it. Recent warnings from geologists about the increased threat of eruption on White Island would, I'm sure, have been carefully considered by the tourist companies involved, plus I guess they may have noticed changes in the amount of steam and sulfur lingering in the air. Tourists are explicitly warned about the dangers and instructed on the safety aspects. I gather one of the dead was a local, an employee of the tourist company. Aside perhaps from the geologists, it's hard to think of anyone more aware of the risk.Having weighed-up the risks and rewards, the 13 enjoyed an amazing spectacle, doing the equivalent of 'clicking the go-away button' to dismiss computer security warnings despite facing, in their case, the ultimate impact. While I suspect their final moments would have been literally petrifying, hopefully the extra-special buzz leading up to it made it worthwhile. At that point, h]]> 2019-12-13T13:57:03+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Bx9exPjhr4I/nblog-dec-10-brutal-lesson-in-risk.html www.secnews.physaphae.fr/article.php?IdArticle=1495740 False Threat,Guideline None None NoticeBored - Experienced IT Security professional NBlog Dec 13 - what is an "information asset"? ISO/IEC JTC 1/SC 27 tied itself in knots for years trying to answer that disarmingly simple and straightforward question, failing to reach consensus and eventually admitting defeat.Back in 2014, ISO/IEC 27000 defined "Asset" very broadly as "anything that has value to the organization ... 
including: information; software, such as a computer program; physical, such as computer; services; people, and their qualifications, skills and experience; and intangibles, such as reputation and image."To narrow it down a bit in the context of ISO27k, "Information asset" had also been explicitly defined in ISO/IEC 27000:2009 as "Knowledge or data that has value to the organization".That definition still works quite well for me. "Information asset" refers to the intangible content - the meaning of information - rather than the vessels, media, equipment, facilities and human beings that house, process, communicate and use it.The content is both valuable and vulnerable and hence needs to be protected or secured. That's what ISO27k does.I appreciate that the tangible vessels, media, equipment, facilities and people are also assets that also require adequate protection, security and safety, but that's largely the domain of conventional physical risk and security measures such as vaults, locks and guards, plus health and safety. Other standards apply there.At some point after the release of ISO/IEC 27000:2009 (I forget exactly when), SC 27 had become exhausted by the interminable arguments over the definition and called a halt to it. The definitions of "information asset" and then "asset" were summaril]]> 2019-12-13T08:00:01+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Q1TLdvx0hfs/nblog-dec-13-what-is-information-asset.html www.secnews.physaphae.fr/article.php?IdArticle=1495737 False None None None NoticeBored - Experienced IT Security professional NBlog Dec 12 - a universal KPI For January's security awareness module on ISO27k, I'm developing a detailed checklist with which to assess, evaluate and score each of the information security controls recommended by ISO/IEC 27002 (as summarized in Annex A of ISO/IEC 27001)*.The checklist/scoring format is one I invented years ago and have been using and refining ever since. 
It is a kind of maturity metric that has proven very valuable in practice, giving surprisingly consistent and useful results despite the subjective nature of the checks.I am laying out 4 'indicators' for each control from '27002, specifying the kinds of things that would typically correspond to scores of 0% (exceptionally weak or missing controls) through 33% and 67% to 100% (exceptionally strong or cutting-edge controls). The 50% centre point on the scale divides 'inadequate' from 'adequate' controls, although that only really applies in the context of a mythical generic mid-sized organization with minimal information risks and hence security requirements. For many commercial organizations, 60% may be a more appropriate target, varying between organizations and controls - e.g. a financial services organization is likely to have more substantial information risks and hence needs stronger controls to ensure confidentiality, integrity and availability of information, than a typical manufacturing or retail business; an engineering design firm may value data integrity above all else, given the health and safety implications and liabilities if its output is inaccurate.   Looking back over the draft checklist, I've noticed that the scores for most controls correlate with 'assurance' activities. At the top end, 100% scores often involve strong assurance measures such as thorough, independent audits by competent auditors. At the bottom end, assurance measures are conspicuously absent: if it's not painfully obvious already, even a cursory check would no doubt reveal that the controls are either completely absent or totally inadequate, but checking simply isn't performed at the 0% level - in fact, it probably doesn't even occur to those involved. 
In the middle ground, assurance activities either drive systematic improvements where necessary, or increase confidence that the controls in place are sufficient - fit for purpose, of decent quality, doing a good job.Therefore, assurance appears to be a universal KP]]> 2019-12-12T08:00:11+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/-q6syeJ66Q8/nblog-dec-12-universal-kpi.html www.secnews.physaphae.fr/article.php?IdArticle=1495738 False None None None NoticeBored - Experienced IT Security professional NBlog Dec 11 - risk treatments Yesterday I wrote about what the White Island eruption teaches us about risk management, in particular the way we decide how to deal with or "treat" identified risks. ISO/IEC 27005 describes 4 risk treatment options:Avoid the risk by deliberately not getting ourselves into risky situations - not getting too close to a known active volcano for example;Modify the risk: typically we mitigate (reduce) the risk through the use of controls intended to reduce the threats or vulnerabilities and hence the probability, or to reduce the impacts;Retain the risk: this is the default - more on this below;Share the risk: previously known as "risk transfer", this involves getting the assistance of third parties to deal with our risks, through insurance for instance, or liability clauses in contracts, or consultants' advice.Risk management standards and advisories usually state or imply that these 'options' are exclusive, in other words alternatives from which we should choose just one treatment per risk. ISO/IEC 27005 says "Controls to reduce, retain, avoid, or share the risks should be selected". In fact, they are nonexclusive options since they all involve an element of risk retention. The sentence should perhaps read "Controls to reduce, retain, avoid, and share the risks should be selected".*Risk retention is inevitable because of the very nature of risk. 
We can never be totally certain of risk, up to the point that the probability reaches 1 when an incident occurs (which, arguably, means it is no longer a risk but a certainty!). We might have misunderstood it, or made mistakes in our analysis. Our risk treatments might not work out as expected, perhaps even failing spectacularly when we least expect it, or conversely working so well that the risk never eventuates. Our insurers and partners might reneg]]> 2019-12-11T08:00:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/fL3qkL1iMYI/nblog-dec-11-risk-treatments.html www.secnews.physaphae.fr/article.php?IdArticle=1495739 False Guideline None None NoticeBored - Experienced IT Security professional NBlog Dec 9 - ISO27k security awareness Our two-hundred-and-first security awareness module concerns the ISO27k standards.◄ The quotation from ISO/IEC 27000 is right on the button: information is worth securing because it's valuable, essential in fact. Inadequately protected organizations hit by ransomware incidents know that only too well, with hindsight ... which is of course 20/20 ...... And that reminds me: as the NoticeBored service draws to a close, I'd like to think we'll be leaving the world in a better state in 2020, but to be honest we've made little impression. Pundits have long advised that security awareness is important. An increasing proportion now recommend regular awareness activities. A few even suggest a continuous or ongoing approach. Perhaps they've been listening. I've been banging that drum for 20 years.As we hand over the reins, I hope the information security management and awareness pros will finally come to recognize the value of not treating their awareness audience as one amorphous blob, disparagingly called "users". As far as I know, NoticeBored remains unique in addressing two discrete audiences within "users" (we much prefer the term "workers") with distinct information needs: managers and professionals. 
Given their markedly different concerns and responsibilities, its hardly surprising (to me!) that they find little of value in conventional security awareness content and fail to participate in the usual awareness activities. They are largely disinterested and disengaged, substantially weakening the organization's security culture, like a three-legged milking stool missing two of its legs. ISO/IEC 27002:2013 section 7.2.2 takes a page to say not very much about security awareness: I must take a close look at the awareness section in the draft update to '27002, currently extruding its way through the ISO/IEC sausage machine towards publication at the end of 2021. ]]> 2019-12-09T19:47:45+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/j4YAoI7P8j4/nblog-dec-9-iso27k-security-awareness.html www.secnews.physaphae.fr/article.php?IdArticle=1495741 False Ransomware None None NoticeBored - Experienced IT Security professional NBlog Dec 3 - infosec driving principles an interview for CIO Dive, Maersk's recently-appointed CISO Andy Powell discussed aligning the organization with these five 'key operating principles':"The first is trust. The client has got to trust us with their data, to trust us to look at their business. So we've got to build trust through the cybersecurity solutions that we put in place. That is absolutely fundamental. So client trust, client buy-in has been fundamental to what we tried to drive as a key message. The second is resilience. Because you've got to have resilient systems because clients won't give you business if you're not resilient ... The third really is around the fact that security is everybody's responsibility. And we push that message really hard across the company … be clear about what you need to do and we train people accordingly. ...The fourth one really is accountability of security and I have pushed accountability for cyber risk to the business. ... 
And the final piece, and this has been one of the big call outs of my team to everybody, is that security is a benefit, not a burden. The reason I say that is people's perception is that security will slow things down, will get in the way ... the reality is that if you involve security early enough, you can build solutions that actually attract additional clients."Fair enough Andy. I wouldn't particularly quarrel with any of them, but as to whether they would feature in my personal top-five I'm not so sure. Here are five others they'd be competing against, with shipping-related illustrations just for fun:Governance involves structuring, positioning, setting things up and guiding the organization in the right overall direction - determining then plotting the optimal route to the ship's ultimate destination, loading up with the right tools, people and provisions. Corporate governance necessarily involves putting things in place for both protecting and exploiting information, a vital and valuable yet vulnerable business asset;Information is subject to risks that can and probably should be managed proactively, just as a ship's captain doesn't merely accept the inclement weather and various other hazards but, where appropriate, actively mitigates or avoids them, dynamically reacting and adjusting course as things change;Flexibility and responsiveness, along with resilience and ro]]> 2019-12-03T17:12:11+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/8b7e865ezZk/nblog-dec-3-infosec-driving-principles.html www.secnews.physaphae.fr/article.php?IdArticle=1495742 False Tool,Guideline NotPetya None NoticeBored - Experienced IT Security professional NBlog December - social engineering awareness module December 2019 sees the release of our 200th security awareness and training module, this one covering social engineering. 
The topic was planned to coincide with the end of year holiday period - peak hunting season for social engineers on the prowl, including those portly, bearded gentlemen in red suits, allegedly carrying sacks full of presents down chimneys. Yeah right!I'm fascinated by the paradox at the heart of social engineering. Certain humans threaten our interests by exploiting or harming our information. They are the tricksters, scammers, con-artists and fraudsters who evade our beautiful technological and physical security controls, exploiting the vulnerable underbelly of information security: the people. At the same time, humans are intimately involved in protecting and legitimately exploiting information for beneficial purposes. We depend on our good people to protect us against the bad people.Vigilance is often the only remaining hurdle to be overcome, making security awareness and training crucial to our defense. It's do or die, quite literally in some cases! The module concerns information risks, controls and incidents involving and affecting people:Various types of social engineering attacks, scams, cons and frauds – phishing being just one of many topical examples;Exploitation of information and people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.;The social engineer's tradecraft i.e. 
pretexts, spoofs, masquerading, psychological manipulation and coercion.]]> 2019-12-01T17:44:15+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/v9HTbLDA1ss/nblog-december-social-engineering.html www.secnews.physaphae.fr/article.php?IdArticle=1495743 False Malware,Hack None None NoticeBored - Experienced IT Security professional NBlog Nov 28 - risks, dynamics and strategies Of information risk management, "It's dynamic" said my greybeard friend Anton Aylward - a good point that set me thinking as Anton so often does.Whereas normally we address information risks as if they are static situations using our crude risk models and simplistic analysis, we know many things are changing ... sometimes unpredictably, although often there are discernible trends.On Probability-Impact Graphs (PIGs), it is possible to represent changing risks with arrows or trajectories, or even time-sequences. I generated an animated GIF PIG once showing how my assessment of malware risks had changed over recent years, with certain risks ascending (and projected to increase further) whereas others declined (partly because our controls were reasonably effective).It's tricky though, and highly subjective ... and the added complexity/whizz-factor tends to distract attention from the very pressing current risks, plus the uncertainties that make evaluating and treating the risks so, errrr, risky (e.g. I didn't foresee the rise of cryptomining malware, and who knows what novel malware might suddenly appear at any time?).A simpler approach is to project or imagine what will be the most significant information risks for, say, the year or two or three ahead. You don't need many, perhaps as few as the "top 5" or "top 10", since treating them involves a lot of work, while other risks are often also reduced coincidentally as controls are introduced or improved. 
It's possible to imagine/project risks even further out, which may suit a security architec]]> 2019-11-29T06:59:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/4nuD8pUPDas/nblog-nov-28-risks-dynamics-and.html www.secnews.physaphae.fr/article.php?IdArticle=1495744 False Malware None None NoticeBored - Experienced IT Security professional NBlog Nov 26 - 7 ways to improve security awareness & training Although 7 Ways to Improve Employee Development Programs by Keith Ferrazzi in the Harvard Business Review is not specifically about information security awareness and training, it's straightforward to apply it in that context. The 7 ways in bold below are quoted from Keith's paper, followed by my take.1. Ignite managers' passion to coach their employees.  I quite like this one: the idea is to incentivize managers to coach the workforce. As far as I'm concerned, this is an inherent part of management and leadership, something that can be enabled and encouraged in a general manner not just through explicit (e.g. financial) incentives. For me, this starts right at the very top: a proactive CEO, MD and executive/leadership team is in an ideal position to set this ball rolling on down the cascade - or not. If the top table is ambiguous or even negative about this, guess what happens! So, right there is an obvious strategy worth pursuing: start at, or at the very least, include those at the very top of the organization ... which means taking their perspectives and addressing their current information needs, preferred learning styles and so forth (more below: directors and execs are - allegedly - as human as the rest of us!).2. Deal with the short-shelf life of learning and development needs. 'Short shelf-life' is a nice way to put it. In the field of information risk and security, the emergence of novel threats that exploit previously unrecognized vulnerabilities causing substantial business impacts, is a key and recurrent challenge. 
I totally agree with the need to make security awareness an ongoing, ideally continuous activity, drip-feeding workers with current, pertinent information and guidance all year long rather than attempting to dump everything on them in a once-in-a-blue-moon event, session or course. Apart from anything else, keeping the awareness materials and activities topical makes them more interesting than stale old irrelevant and distracting junk that is 'so last year' (at best!).3. Teach employees to own their career development. An interesting suggestion, this, especially for the more involved infosec topics normally taught through intensive training courses rather than general spare-time awareness activities. I'm not sure off-hand how this suggestion would work in practice, but it occurs to me that periodic employee appraisals and team meetings provide ample opportunities to offer training and encourage workers to take up whatever suits their career and personal development aspirations.]]> 2019-11-26T17:57:12+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/hDNag6pZp6Q/nblog-nov-26-7-ways-to-improve-security.html www.secnews.physaphae.fr/article.php?IdArticle=1495745 False Guideline None None NoticeBored - Experienced IT Security professional NBlog Nov 22 - who owns compliance? For some weeks now on the ISO27k Forum we've been vigorously and passionately debating whether an Information Security Management System should, or should not, include the organization's compliance with "information security-related" laws, regulations and other obligations such as contractual clauses specifying compliance with PCI-DSS.The issue arises because:The relevant infosec compliance section is tucked away at the end of ISO/IEC 27001 Annex A, which has an ambiguous status with respect to '27001 certification. 
Although Annex A is discretionary rather than mandatory, certifiable organizations must use Annex A as a checklist to confirm that their ISMS incorporates all the information security controls necessary to address the information risks within scope of the ISMS. Interpret that paradox as you will ... and hope that the certification auditors take the same line;It could be argued that, in a very broad sense, all the laws, regs, contracts, standards, ethical codes etc. which apply to the organization are "information security-related". The requirements are all forms of information with associated information risks. Therefore, they fall at least partially within the remit of an ISMS;Likewise, "compliance", as a whole, could be seen as an information security control, a suite of organizational activities and measures to both satisfy and be able to demonstrate conformance with requirements, plus the associated assurance, reinforcement (awareness, acceptance) and enforcement aspects. In philosophical terms, compliance is an integrity issue, and integrity is part of information security, therefore compliance is part of infosec; ]]> 2019-11-22T11:56:29+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/2qHE5fXYd2E/nblog-nov-22-who-owns-compliance.html www.secnews.physaphae.fr/article.php?IdArticle=1495746 False None None None NoticeBored - Experienced IT Security professional NBlog Nov 18 - enough is enough Keeping ISO27k Information Security Management Systems tight, constrained within narrow scopes, avoiding unnecessary elaboration, seems an admirable objective. The advantages of ISMS simplicity include having less to design, implement, monitor, manage, maintain, review and audit. There's less to go wrong. The ISMS is more focused, a valuable business tool with a specific purpose rather than a costly overhead. All good. However, that doesn't necessarily mean that it is better to have fewer ISMS documents. 
In practice, simplifying ISMS documentation generally means combining docs or dispensing with any that are deemed irrelevant. That may not be the best approach for every organization, especially if it goes a step too far.Take information security policies for example. Separate, smaller policy docs are easier to generate and maintain, {re}authorize and {re}circulate individually than a thick monolithic “policy manual”. It's easier for authors, authorisers and recipients to focus on the specific issue/s at hand. That's important from the governance, awareness and compliance perspective. At a basic level, what are the chances of people actually bothering to read the change management/version control/document history info then check out all the individual changes (many of which are relatively insignificant) when yet another updated policy manual update drops into their inbox? In practice, it aint gonna happen, much to the chagrin of QA experts!On the other hand, individual policies are necessarily interlinked, forming a governance mesh: substantial changes in one part can have a ripple effect across the rest, which means someone has the unenviable task of updating and maintaining the entire suite, keeping everything reasonably consistent. Having all the policies in one big document makes maintenance easier for the author/maintainer, but harder for change managers, authorisers and the intended audiences/users. ]]> 2019-11-19T20:20:14+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/zRyaGUrNHCQ/nblog-nov-18-enough-is-enough.html www.secnews.physaphae.fr/article.php?IdArticle=1495747 False Tool None None NoticeBored - Experienced IT Security professional NBlog Nov 15 - risky business Physical penetration testing is a worthwhile extension to classical IT network pentests, since most technological controls can be negated by physical access to the IT equipment and storage media. 
In Iowa, a pentest incident that led to two professional pentesters being jailed and taken to court illustrates the importance of the legalities for such work. A badly-drafted pentest contract and 'get out of jail free' authorization letter led to genuine differences of opinion about whether the pentesters were or were not acting with due authority when they broke into a court building and were arrested. With the court case now pending against the pentesters, little errors and omissions, conflicts and doubts in the contract have taken on greater significance than either the pentest firm or its client appreciated, despite both parties appreciating the need for the contract. They thought they were doing the right thing by completing the formalities. Turns out maybe they hadn't.I hope common sense will prevail and all parties will learn the lessons here, and so should other pentesters and clients. The contract must be air-tight (which includes, by the way, being certain that the client has the legal authority to authorize the testing as stated), and the pentesters must act entirely within the scope and terms as agreed (in doubt, stay out!).  Communications around the contract, the scope and nature of work, and the tests themselves, are all crucial, and I will just mention the little matter of ethics, trust and competence.PS  An article about the alleged shortage of pentesters casually mentions:"The ideal pen tester also exhibits a healthy dose of deviancy. Some people are so bound by the rules of a system that they can't think beyond it. They can't fathom the failure modes of a system. Future penetration testers should have a natural inclination toward pushing the boundaries – especially when they are told, in no uncertain terms, not to do so."Hmm. 
So pentesters are supposed to go beyond the boundaries in their testing, but remain strictly within the formally contracted scope, terms and condi

Posted 2019-11-15T16:47:06+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/ZMjXhOtrYVE/nblog-nov-15-risky-business.html | www.secnews.physaphae.fr/article.php?IdArticle=1495748

NoticeBored - Experienced IT Security professional: NBlog Nov 12 - on being a professional

While Googling for something else entirely, I chanced across this statement from Darren on a ten year old SceptikLawer forum thread:

"The essence of my job as an information security architect is to understand the balance between risk (legal, practical, and otherwise) and the need for an organization to conduct business efficiently. I think a lot of what I do really does boil down to seeing the other side of things; I know what the “most secure” way is, but I also have to understand that implementing it might mean debilitating restrictions on the way my employer does business. So what I have to do is see their point of view, clearly articulate mine, and propose a compromise that works. There's a reason a lot of IT security folks become lawyers."

Nicely put, Darren! While personally I'd be reluctant to claim that I 'know what the most secure way is', the point remains that an information security professional's job - or indeed any professional's job - revolves around achieving workable compromises. For us, it's about helping or persuading clients and employers to identify and reduce their information risks to 'reasonable' levels, then maintaining the status quo through ongoing risk management.

Some of our professional peers struggle with this, particularly inexperienced ones with IT backgrounds. They (well OK, we) can come across as assertive, sometimes to the point of being arrogant and pig-headed, obstinate or even rude. Things 'must' be done in a certain way - their way.
They are trained professionals who have been taught the 'most secure way' and are unwilling to countenance any other/lesser approach. Situations appear black or white to them, with no shades of grey.

Along with Darren, presumably, I view most situations as greys, sometimes multicoloured or even multidimensional due to inherent complexities and differing perspectives. There is almost always more to a situation than it first appears, and often more to it than I appreciate even after studying it hard. I embrace ambiguity. I value flexibility and open-mindedness, and strive to be flexible and open-minded in my work: for me, it's an integral part of 'being professional'. Such pragmatism is fine ... up to a point. However, there are situations where it gets harder to back down and eventually I may stand my ground, refusing to compromise any further on my core values (particularly personal inte

Posted 2019-11-12T09:43:44+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/S2d5kiR0Wk8/nblog-nov-12-on-being-professional.html | www.secnews.physaphae.fr/article.php?IdArticle=1495749

NoticeBored - Experienced IT Security professional: NBlog Nov 10 - strategic risk management

There's an old old joke about a passing stranger asking for directions to Limerick. "Well," says the farmer, "If oi was you, oi wouldn't start from here".

So it is with infosec strategies. Regardless of where your organization may be headed, by definition you set out from a less than ideal starting point. If it was ideal, you wouldn't be heading somewhere else, would you? That naive perspective immediately suggests two alternatives:

- Bear in mind where you are today, planning your route accordingly.
- Regardless of where you are today, focus exclusively on the destination and how to get there.

Actually, those are just two of many possibilities.
It's even possible to do both: strategic thinking generally includes a good measure of blue-sky idealist thinking, tempered by at least a modicum of reality and pragmatism. 'We are where we are'. We have a history and finite resources at our disposal ... including limited knowledge about our history, current situation and future direction. What's more, the world is a dynamic place and we don't exist in a vacuum, hence any sensible infosec strategy needs to take account of factors such as competitors, compliance and other challenges ahead - situational awareness plus conjecture about how the situation might conceivably change as we put our cunning strategy into practice (as in chess). That's risk, information risk in fact, amenable to information risk management in the conventional, straightforward, systematic manner:

1. Identify and characterise the risk/s, both negative and positive (opportunities, the possibility that things might turn out even better than planned);
2. Quantify and evaluate the risk/s;
3. Decide what to do about them;
4. Do it! Finalise the strategy, negotiate its approval (with all that entails) and make it so;
5. Manage and monitor things as the strategy unfolds and changes inevitably happen;

Posted 2019-11-10T11:20:08+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/MjZbEKVeyFk/nblog-nov-10-strategic-risk-management.html | www.secnews.physaphae.fr/article.php?IdArticle=1495750

NoticeBored - Experienced IT Security professional: NBlog Nov 7 - super management systems

ISO 22301, already an excellent standard on business continuity, has just been revised and republished. Advisera has a useful page of info about ISO 22301 here.

There's quite a bit of common ground between business continuity and information risk and security, especially as most organizations are highly dependent on their information, IT systems and processes. The most significant risks are often the same, hence it makes sense to manage both aspects competently and consistently.
The ISO 'management system' structured approach is effective from the governance and management perspective. Aligning/coordinating the infosec and business continuity management systems has several valuable benefits since they are complementary. Extending that thought, it occurs to me that most if not all other areas of management also have information risk and security implications:

- Physical site security and facilities management (e.g. reliable power and cooling for the servers);
- IT and information management (dataflows, information architecture, information systems and networks and processes, intellectual property, innovation, creativity);
- Change management (ranging from version control through projects and initiatives up to strategic changes);
- Incident management (see below);
- Risk management (as a whole, not just information risks);
- Privacy management;

Posted 2019-11-07T17:41:58+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/Ab_6GEHY1Js/nblog-nov-7-super-management-systems.html | www.secnews.physaphae.fr/article.php?IdArticle=1495751

NoticeBored - Experienced IT Security professional: NBlog Nov 6 - insight into ISO27k editing

ISO/IEC 27000:2018 looking for quotable snippets to use on our awareness posters in January. Although there's plenty of good content, I can't help but notice a few rough edges, such as this:

“Conducting a methodical assessment of the risks associated with the organization's information assets involves analysing threats to information assets, vulnerabilities to and the likelihood of a threat materializing to information assets, and the potential impact of any information security incident on information assets. The expenditure on relevant controls is expected to be proportionate to the perceived business impact of the risk materializing.” [part of clause 4.5.2]
First off, here and elsewhere the '27000 text uses the term “information asset” which is no longer defined in the standard since the committee couldn't reach consensus on that. Readers are left to figure out the meaning for themselves, with the possibility of differing interpretations that may affect the sense in places. The term is, or probably should be, deprecated.

Secondly, the first sentence is long and confusing – badly constructed and (perhaps) grammatically incorrect. “Vulnerabilities to” is incomplete: vulnerabilities to what? Shouldn't that be “vulnerabilities in” anyway? Threats get mentioned twice for no obvious reason, overemphasizing that aspect. “Likelihood” is a vague and problematic word with no precise equivalent in some languages - it too should probably be deprecated. The final clause as worded could be interpreted to mean that the process is only concerned with potential impacts on information assets, whereas incidents can cause direct and/or indirect/consequential impacts on systems, organizations, business relationships, compliance status, reputations and brands, commercial prospects, profits, individuals, partners, society at large and so forth, not all of which are information assets (as commonly interpreted, anyway!).

Thirdly, do “the organization's information assets” include personal information? Some might argue that personal information belongs to the person concerned – the data subject – not the organiza

Posted 2019-11-07T10:31:27+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/xP_UGEqhdio/nblog-nov-6-insight-into-iso27k-editing.html | www.secnews.physaphae.fr/article.php?IdArticle=1495752

NoticeBored - Experienced IT Security professional: NBlog Nov 4 - social engineering awareness

December's awareness topic is one of our regular annual topics.
Social engineering has been around for millennia - literally, in the sense that deliberate deception is a survival strategy adopted by many living beings, right back to primordial times.

So, what shall we cover this time around? In 2018, the NoticeBored awareness module took a deep dive into phishing, a modern-day scourge ... but definitely not the only form of social engineering, despite what those companies pushing their 'phishing solutions' would have us believe. We picked up on 'business email compromise' as well, another name for spear-phishing. In 2017, we explored 'frauds and scams' in the broad, producing a set of 'scam buster' leaflets explaining common attacks in straightforward terms, illustrated with genuine examples and offering pragmatic advice to avoid falling victim to similar tricks.

Back in 2016, the 'protecting people' module covered: social engineering attacks, scams and frauds, such as phishing, spear-phishing and whaling; exploitation of information and people via social media, social networks, social apps and social proofing, e.g.
fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.; the use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineer's tradecraft; and significant information risks involving blended or multimode attacks and insider threats.

Although we already have lots of content to draw upon and update, we always aim to cover current threats, which means this week our research phase draws to a close with a clearer idea of the scope of December's module, plus a bunch of recent incidents to illustrate the materials.

As to precisely what aspects

Posted 2019-11-04T11:28:45+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/u3QhCZGFf7Y/nblog-nov-4-social-engineering-awareness.html | www.secnews.physaphae.fr/article.php?IdArticle=1495753

NoticeBored - Experienced IT Security professional: NBlog March 26 - repetitititition

It is often said (repeatedly in fact) that repetition is the key to learning. Well, is that true? Is that a fact? It must be true if it is said often enough, surely? This blog piece is about using and misusing repetition as an awareness technique, repeatedly.

You may have come across the classic 3-step tell-em technique for classes, lectures and seminars:

1. Tell them what you're about to tell them about.
2. Tell them it.
3. Tell them about what you told them about.

It's a simple, or rather simplistic approach, a crude technique based on simple repetition. You have probably sat through repetitive classes, lectures and seminars by teachers or speakers that follow the advice slavishly, every time, some of them even pointing out what they are doing as if that helps. It's obvious, without being pointed out. You don't need to tell us that you're using the tell-em technique!
In my experience, the tell-em technique is most often used by teachers and presenters who are not comfortable teaching and presenting: they are still practicing, repeating the same basic, tedious approach until/unless someone points out that it's not the most effective technique, if we're lucky.

Repetition is one way to teach and learn, certainly, but not the only way. There are other forms of teaching and learning apart from repetition. Learning and teaching, teaching and learning, can take place without repetition, however repetition can be a useful technique for learning. And teaching. Repeating things is the essence of practicing, gradually becoming familiar with whatever it is - especially by repeating physical activities such as yoga, skateboarding, teeth-cleaning, yoga or escaping a burning building. Repeating activities such as yoga makes them familiar, well-practiced. Eventually with sufficient repetition they become subconscious, autonomous or 'natural' as we master them.

Posted 2018-03-26T15:35:27+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/ibewSGXYvu0/nblog-march-26-repetitititition.html | www.secnews.physaphae.fr/article.php?IdArticle=541710

NoticeBored - Experienced IT Security professional: NBlog March 23 - assurance metrics

Today I'm writing about 'security assurance metrics' for April's NoticeBored module. One aspect that interests me is measuring and confirming (being assured of) the correct operation of security controls. Such metrics are seldom discussed and, I suspect, fairly uncommon in practice.

Generally speaking, we infosec pros just love measuring and reporting on incidents and stuff that doesn't work because that helps us focus our efforts and justify investment in the controls we believe are necessary. It also fits our natural risk-aversion.
We can't help but focus on the downside of risk.

Most of us blithely assume that, once operational, the security controls are doing their thing: that may be a dangerous assumption, especially in the case of safety-, business- or mission-critical controls plus the foundational controls on which they depend (e.g. reliable authentication is a prerequisite for access control, and physical security underpins almost all other forms of control). So, on the security metrics dashboard, what's our equivalent of the "bulb test" when well-designed electro-mechanical equipment is powered up? How many of us have even considered building-in self-test functions and alarms for the failure of critical controls?

I could be wrong but I feel this may be an industry-wide blind spot, with the exception of safety-critical controls, perhaps, and situations where security is designed and built in from scratch as an integral part of the architecture (implying a mature, professional approach to security engineering rather than the usual bolt-on security).

Posted 2018-03-23T11:45:12+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/gZfJ8MIftYQ/nblog-march-23-assurance-metrics.html | www.secnews.physaphae.fr/article.php?IdArticle=535830

NoticeBored - Experienced IT Security professional: NBlog March 21 - down to Earth

Since "assurance" is a fairly obscure concept, April's awareness materials inevitably have to explain it in simple enough terms that people can grasp it, without glossing over things to such an extent that nothing matters, nothing registers.

Tricky that!

Harder still, our purpose for raising this at all is to emphasize the relevance of assurance to information security - another conceptual area that we're trying hard to make less obscure!

The approach we've come up with is to draw parallels between assurance for information security, and assurance for safety. Safety is clearly something that matters.
People 'get it' without the need to spell it out in words of one syllabub. With just a little help, they understand why safety testing, for instance, is necessary, and why safety tags and certificates mean something worthwhile - valuable in fact ... and that gives us a link between assurance and business.

For awareness purposes, we'll be using bungy-jumping as a safety-, business- and assurance-related situation that catches attention and sparks imaginations. It's something risky that people can relate to, regardless of whether they have personally done it or not. You could say it is well-grounded. Aside from the emotional connection, it has the added bonus of striking images - great for seminar slides and to break up the written briefings.

We still face the challenge of linking from there across to information security, and that's what the bulk of the awareness materials address, covering assurance in the context of information risk, security, integrity, testing, auditing, trust and more - quite a swathe of relevant issues to discuss in fact.

Posted 2018-03-21T13:58:38+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/bdxqbYuGnDU/nblog-march-21-down-to-earth.html | www.secnews.physaphae.fr/article.php?IdArticle=532592

NoticeBored - Experienced IT Security professional: NBlog March 20½ - Facebook assures

Facebook is facing a crisis of confidence on stockmarkets already jittery about interest rates and over-priced tech stocks, thanks to a privacy breach with overtones of political interference:

"Facebook fell as much as 8.1 percent to $170.06 on Monday in New York, wiping out all of the year's gains so far. That marked the biggest intraday drop since August 2015. Facebook said Friday that the data mining company Cambridge Analytica improperly obtained data on some of its users, and that it had suspended Cambridge while it investigates.
Facebook said the company obtained data from 270,000 people who downloaded a purported research app that was described as a personality test. The New York Times and the Guardian reported that Cambridge was able to tap the profiles of more than 50 million Facebook users without their permission. Facebook first learned of the breach more than two years ago but hadn't disclosed it. A British legislator said Facebook had misled officials while Senator Amy Klobuchar of Minnesota said Facebook CEO Mark Zuckerberg should testify before the Senate Judiciary Committee ... Daniel Ives, chief strategy officer and head of technology research for GBH Insights, said this is a crisis for Facebook, and it will have to work hard to reassure users, investors and governments."

[NZ Herald, 20th March 2018, emphasis added]

Attempting to halt and ideally reverse the decline in the extent to which third-parties trust the organization following a major incident is tough, and expensive. Can anyone believe its claims and assurances in future? Will they inspire the same level of confidence that they might once have done? What additional hoops will they be expected to clear in future to reassure others? Will they ever rebuild their credibility and reputation, or is this incident going to haunt them in perpetuity? A lot depends on how the incident is handled.

Facebook and its management will, I guess, spend large to scrape through the crisis with the usual flurry of denials, excuses, explanations/justifications and apologies. Lawyers will profit. Heads may roll, and the suspended relationship with Cambridge Analytica will be 'strained', perhaps to breaking point.

But what of the ongoing relationship with "users, investors and governments"? I wonder if Facebook had a strategy in place to 'reassure' them following a privacy breach or some other major incident? Does it have a business continuity plan for this eventuality?
We will see how it plays out over the next few days and weeks, perhaps months given the political and regulatory ramifications.

I'm looking forward to findi

Posted 2018-03-20T15:18:15+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/9kLYQ_w1Ujw/nblog-march-20-facebook-assures.html | www.secnews.physaphae.fr/article.php?IdArticle=530636

NoticeBored - Experienced IT Security professional: NBlog March 20 - a critique of CIS netsec metrics

Perusing a CIS paper on metrics for their newly-updated recommended network security controls (version 7), several things strike me all at once, a veritable rash of issues.

Before reading on, please at least take a quick squint at the CIS paper. See what you see. Think what you think. You'll get more out of this blog piece if you've done your homework first. You may well disagree with me, and we can talk about that. That way, I'll get more out of this blog piece too!

[Pause while you browse the CIS paper on metrics]

[Further pause while you get your thoughts in order]

Posted 2018-03-20T10:30:42+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/Lx6-vMxHIHY/nblog-march-20-critique-of-cis-netsec.html | www.secnews.physaphae.fr/article.php?IdArticle=530036

NoticeBored - Experienced IT Security professional: NBlog March 19 - a thinking day

I say 'gem' because that single (albeit convoluted) statement helps us explain and focus the awareness module. We will explain assurance in terms of confidence, integrity, trust, proof etc. and discuss the activities that get us to that happy place, or not as the case may be. Discovering any problems that need to be addressed is an important and obvious part of various forms of testing, but so too is giving the all-clear.
Gaining assurance, either way, is the real goal, supporting information risk management: if you discover, later, that the testing was inept, inadequate, biased, skipped or otherwise lame, the whole thing is devalued, and worse still the practice of testing is undermined as an assurance measure. Take for example dieselgate - the diesel emissions-testing scandal involving Volkswagen vehicles: in essence, some bright spark at VW allegedly came up with a cunning scheme to defeat the emissions testing lab by switching the vehicle's computer control unit to a special mode when it detected the conditions indicating a test in progress, reverting to a less environmentally-friendly mode for normal driving. Ethics and legality aside, the scandal brought a measure of doubt onto the testing regime, and yet the trick was (eventually) discovered and the perpetrators uncloaked, bringing greater disrepute to VW.

Hmmm, that little story might make an interesting case study scenario for the module. If it makes people think and talk animatedly about the information risk aspects arising (assurance in particular but there are other relevant issues too), that's a big awareness win right there. Job's a good 'un. Thank you and good night.

Posted 2018-03-19T18:40:12+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/8JwiaIhdqFs/nblog-march-19-thinking-day.html | www.secnews.physaphae.fr/article.php?IdArticle=527505

NoticeBored - Experienced IT Security professional: NBlog March 18 - building a sausage machine

We've been engaged to write a series of awareness materials on a variety of information security topics - a specific type of awareness product that we haven't produced before. So the initial part of the assignment is to clarify what the client wants, come up with and talk through our options, and draft the first one.
That's my weekend spoken for!

Once the first one is discussed, revised and agreed, stage two will be to refine the production process so future products will be easier and quicker to generate, better for the client and better for us.

Like sausages. We're building a sausage machine. We'll plug in a topic, turn the handle and extrude a perfectly-formed sausage every time.

Sounds fine in theory but on past experience that's not quite how it will work out, for two key reasons:

- Since the topics vary, the content of the awareness product will vary, naturally ... but so too may the structure and perhaps the writing style. Awareness content on, say, viruses or passwords is conceptually and practically a bit different to that on, say, privacy or cybersecurity. The breadth and depth of cover affects how we write, so the machine needs some 'give'. It can't be too rigid.
- As the string of sausages gets ever longer, we will continually refine the machine and think up new wrinkles ... which may even mean going back and reforming some of the early products. It's possible an entirely new approach may emerge as we progress, but more likely it will evolve and mature gradually. What starts out producing a string of plain beef sausages may end up churning out Moroccan lamb and mint - still definitely sausages but different flavours. Knowing that, now, the sausage machine has to be capable of being modified to some extent in the future, within certain constraints since the customer expects a reasonably consistent product. Some features being designed into the process today will remain in a month or three, while others will evaporate to be replaced by others and we're cool with that.
Hopefully the client will be too!

In more practical terms, the sausage machine itself consists of

Posted 2018-03-18T22:26:09+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/cijuhA-1Oj4/nblog-march-18-building-sausage-machine.html | www.secnews.physaphae.fr/article.php?IdArticle=524921

NoticeBored - Experienced IT Security professional: NBlog March 17 - assurance functions

Of all the typical corporate departments or functions or teams, which have an assurance role?

- Internal Audit - audits are all about gaining and providing assurance;
- Quality Assurance plus related functions such as Product Assurance, Quality Control, Testing and Final Inspection, Statistical Process Control and others;
- Risk Management - because assurance reduces uncertainty and hence risk;
- IT, Information Management, Information Risk and Security Management etc. - for example, ensuring the integrity of information increases assurance, and software quality assurance is a big issue;
- Information Security Management - which is of course why this is an information security awareness topic;
- Business Continuity Management - who need assurance on everything business-critical;
- Health and Safety - who need assurance on everything safety-critical;
- Production/Operations - who use QA, SPC and many other techniques to ensure the quality and reliability of production methods, processes and products;
- Sales and Marketing - who seek to assure and reassure prospects and customers that the organization is a quality outfit producing reliable, high-quality products, building trust in the brands and maintaining a strong reputation;
- Procurement - who need assurance about the raw materials, goods and services offered and provided to the organization, and about the suppliers in a more general way (e.g. will they deliver orders within specification, on time, reliably? Will the relationship and transactions be worry-free?);
- Finance - who absolutely need to ensure the integrity of financial information, and who perform numerous assurance measures to achieve and guarantee that;
- Human Resources - who seek to reassure management that the organization is finding and recruiting the best candidates and making the best of its people;
- Legal/Compliance - who need to be sure that the organization complies sufficiently with external obligations to avoid penalties, and that internal obligations are sufficiently fulfilled to achieve business advantage;

Posted 2018-03-17T08:23:37+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/lSmlTmIjEdo/nblog-march-17-assurance-functions.html | www.secnews.physaphae.fr/article.php?IdArticle=520235

NoticeBored - Experienced IT Security professional: NBlog March 16 - word games

The assurance word-art tick (or boot?) that we created and blogged about a few days ago is still inspiring us. In particular, some assurance-related words hint at slightly different aspects of the same core concept:

- Assure
- Assurance
- Assured
- Assuredly
- Ensure
- Ensured
- Insure
- Insurance
- Reassure

Along with the tongue-in-cheek terms 'man-sure' and 'lady-sure', they are all based on 'sure', being a statement of certainty and confidence.

Insure is interesting: in American English, I believe it means the same as ensure in the Queen's English (i.e. being certain of something), but in the Queen's English, insure only relates to the practice of insurance, when some third-party offers indemnity against particular risks.

Assured, ensured and insured are not merely the past tenses of the respective verbs, but have slightly different implications or meanings:

- If someone is assured of something, they have somehow been convinced and accept it as true. They internalize and no longer question or doubt their belief to the same extent as if they were not assured of it. They rest assured, generally as a result of a third-party providing them the assurance if they don't convince themselves;
- Someone who ensured something made certain it was so or at least made the effort to do so (they don't always succeed!). This often means passing responsibility to a third-party who they believe will do as required;
- In the Queen's English, a company that insured something provided the indemnity (insurance cover) to whoever had it insured. In American English, the previous bullet applies, presumably.

Reassure is diff

Posted 2018-03-16T16:59:15+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/llI6rxvt7aU/nblog-march-16-word-games.html | www.secnews.physaphae.fr/article.php?IdArticle=518145

NoticeBored - Experienced IT Security professional: NBlog March 15 - scheduling audits

One type of assurance is audit, hence auditing, and IT auditing in particular, is very much in-scope for our next security awareness module.

By coincidence, yesterday on the ISO27k Forum, the topic of 'security audit schedules' came up.

An audit schedule is a schedule of audits, in simple terms a diary sheet listing the audits you are planning to do. The usual way to prepare an audit schedule is risk-based and resource-constrained. Here's an outline (!) of the planning process to set you thinking, with a sprinkling of Hinson tips:

1. Figure out all the things that might be worth auditing within your scope (the 'audit universe') and list them out. Brainstorm (individually and, if you can, with a small group of brainstormers), look at the ISMS scope, look for problem areas and concerns, look at incident records and findings from previous audits, reviews and other things. Mind map if that helps ... then write them all down into a linear list.
2. Assess the associated information risks, at a high level, to rank the rough list of potential audits by risk - riskiest areas at the top (roughly at first - 'high/medium/low' risk categories would probably do - not least because until the audit work commences, it's hard to know what the risks really are).
3. Guess how much time and effort each audit would take (roughly at first - 'big/medium/small' categories would probably do - again, this will change in practice but you have to start your journey of discovery with a first step).
4. In conjunction with other colleagues, meddle around with the wording and purposes of the potential audits, taking account of the business value (e.g. particular audits on the list that would be fantastic 'must-do' audits vs audits that would be extraordinarily difficult or pointless with little prospect of achieving real change). If it helps, split up audits that are too big to handle, and combine or blend-in tiddlers that are hardly worth running separately. Make notes on any fixed constraints (e.g. parts of the business cycle when audits would be needed, or would be problematic; and dependencies such as pre/prep-work audits to be followed by in-depth audits to explore problem areas found earlier, plus audits that are linked to IT system/service implementations, mergers, compliance deadlines etc.).

Posted 2018-03-15T07:43:59+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/k2bzLKb0YLg/nblog-march-15-scheduling-audits.html | www.secnews.physaphae.fr/article.php?IdArticle=513793

NoticeBored - Experienced IT Security professional: NBlog March 13 - normal service ...

... will be resumed, soon. We've been slaving away on a side project, putting things in place, setting things up, trying things out.
It's not quite ready to release yet - more tweaking required, more polishing, lots more standing back and admiring from a distance - but it's close.]]> 2018-03-13T21:27:39+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/YMnU286ShvU/nblog-march-13-normal-service.html www.secnews.physaphae.fr/article.php?IdArticle=509908 False General Information None None NoticeBored - Experienced IT Security professional NBlog March 9 - word cloud creativity Yesterday I wrote about mind mapping. The tick image above is another creative technique we use to both explore and express the awareness topic.To generate a word cloud, we start by compiling a list of words relating in some way to the area. Two key sources of inspiration are: The background research we've been doing over the past couple of months - lots of Googling, reading and contemplating; and Our extensive information risk and security glossary, a working document of 300-odd pages, systematically reviewed and updated every month and included in the NoticeBored awareness modules. Two specific terms in that word cloud amuse me: "Man-sure" and "Lady-sure" hint about the different ways people think about things. When a lay person (man or woman!) says "I'm sure", they may be quite uncertain in fact. They are usually expressing a subjective opinion, an interpretation or belief with little substance, no objective, factual evidence. It can easily be wrong and misleading. When a male or female expert or scientist, on the other hand, says "I'm sure", their opinion typically stems from experience, and carries more weight. It is less likely to be wrong, and hence provides greater assurance. This relates to integrity, a core part of information security. It's not literally about sex.Aside from integrity and assurance, we have defined more than 2,000 terms-of-art in the glossary, with key words in the definitions hyperlinked to the corresponding glossary entries. 
I use it like a thesaurus, following a train of thought that meanders through the document, sometimes spinning off at a tangent but always triggering fresh ideas. Updating the glossary is painstaking yet creative at the same time.Getting back to the word cloud, we squeeze extra value from the list of words by generating puzzles for the modules. Our word-searches are grids of letters that spell out the words in various directions. Finding the words 'hidden' in the grid is an interesting, fun challenge in itself, and also a learning process since the words all relate to the chosen topic.There are other aspects to the word cloud graphic:All the words are relevant to the topic, to some extent;]]> 2018-03-09T13:00:43+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/YQc51TVKiFY/nblog-march-9-word-cloud-creativity.html www.secnews.physaphae.fr/article.php?IdArticle=501787 False Guideline None None NoticeBored - Experienced IT Security professional NBlog March 8 - brainstorming awareness ideas At this early stage of the month, although we have some ideas in mind for the content of the next awareness module, they are unstructured. We need to clarify the scope and purpose of the module, developing themes to pull things together and 'tell the story'.Mind mapping is our favourite technique for that: we sketch out the topic area on a single sheet starting from a central topic word ("Assurance" this month) and arranging a few major themes around it, connecting the words to show their relationships. On paper, it starts out simply like this with 3 key themes:Then we expand on those initial themes with further details ...... and keep going until we run short of inspiration and decide to move ahead to the next stage ...]]> 2018-03-08T10:37:08+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/8w_L0GTSWm0/nblog-march-8-brainstorming-awareness.html www.secnews.physaphae.fr/article.php?IdArticle=499662 False General Information None 2.0000000000000000
