www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-05-18T21:11:49+00:00 www.secnews.physaphae.fr NoticeBored - Experienced IT Security professional NBlog March 6 - bloggin on bloggin Digital Guardian logo in the side bar: we're honoured to be listed among their "top 50 infosec blogs you should be reading". Cool! Thanks Digital Guardian, purveyors of "Threat Aware Data Protection to Safeguard Your Sensitive Data from ALL THREATS!" One of their topical product lines is ransomware protection that "FILTERS OUT THE NOISE SO YOU FOCUS ON REAL THREATS". Nice! We take a similar filtering approach with our security awareness subscription service but, hey, take it easy on the CAPS there, DiGiTaL GuArDiAn! Last year we made it onto Feedspot's top 100 information security blogs list to earn a nice virtual medallion. There's more to this piece than mutual grooming and product placement though. Top-N lists are handy starting points for those seeking new sources - me included. I track a fair number of information risk and security blogs and websites routinely, specifically the ones I have discovered and liked enough to add to my bookmarks and blog aggregator. Every so often I review my selections, trimming off the ones that are either no longer actively updated or have spun away on tangents. When hunting for replacements, top-N lists can be inspirational. I hope this blog inspires you, and that you find my perspective interesting. 
Thanks for stopping by.]]> 2018-03-06T20:21:56+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/fkV7uzTZAkg/nblog-march-6-bloggin-on-bloggin.html www.secnews.physaphae.fr/article.php?IdArticle=497222 False None None None NoticeBored - Experienced IT Security professional NBlog March 5 - fiftieth ISO27k standard published I've completed the revision of www.ISO27001security.com, bringing the site up to date with the status of all the ISO27k information security management standards.There are currently some 50 published ISO27k standards, by my count, with a further 12 or so in development.Way down in the weeds, there are several inconsistencies and issues within individual standards, and some gaps in the coverage. Overall, though, the standards do a pretty good job of promoting a systematic approach to information risk management (without using that specific term!).ISO/IEC standards cost about US$150 each so a full set of 50 would set you back about US$7,000 - a non-trivial amount. I've argued for years that the ISO27k standards should be free to encourage global adoption of good security practices for the benefit of society at large ... but so far only two of the set are free, and worse still it takes a determined hunter to find them since the standards bodies and commercial outlets would much rather make money.Talking of which, we will soon be hosting advertisements on the site, courtesy of Google, in order to defray our costs. It's time to stop jangling the begging bowl and look after our interests in order to keep the site going. I just hope the ads aren't too intrusive and earn us enough to pay for the hosting and administration. 
It would be great to redevelop the site to improve the design, especially for all our pixel-constrained mobile-phone-using visitors, but somehow I doubt there will be enough in the coffers for that.]]> 2018-03-05T14:42:07+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/c3DmdC6Jvfs/nblog-march-5-fiftieth-iso27k-standard.html www.secnews.physaphae.fr/article.php?IdArticle=495811 False None None None NoticeBored - Experienced IT Security professional NBlog March 1 - Invasion of the Cryptominers That's it, we're done! The 2018 malware awareness module is on its way to NoticeBored subscribers, infecting customers with ... our passion for the topic. There are 28 different types of awareness and training material, in three parallel streams as always: Stream A: security awareness materials for staff/all employees 1. Train-the-trainer guide on malware (MS Word document) ]]> 2018-02-28T21:54:40+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/lGwDU0lQ3UU/nblog-march-1-invasion-of-cryptominers.html www.secnews.physaphae.fr/article.php?IdArticle=492308 False Malware APT 15 None NoticeBored - Experienced IT Security professional NBlog February 27 - the bigger picture The NoticeBored awareness module now nearing completion discusses the cryptomining malware that has come to prominence since the materials were last updated a year ago.  It is hard to get terribly worked up about the theft of CPU cycles and joules while we're still battling ransomware, spyware and APTs ... but scratch a little deeper to discover that cryptominers are more symptom than cause, the tip of a very chilly iceberg. Q: How do systems get infected with cryptominers?  A: Through the usual malware infection mechanisms, i.e. security vulnerabilities in the IT systems and the people who use them. Q: How do the crooks benefit? A: Victims generate money for them, plainly ... but they also expose themselves and their systems to further compromise and exploitation. 
 Ahhhh.There are shades of the 'fraud recovery' frauds which trick the victims of 419 advance fee frauds into also spending out for mythical 'compensation' and 'lawyers fees'.  You'd have thought being suckered once was enough to put people on their guard but it seems not: victims have marked themselves out as vulnerable. "I'm down, kick me again".I'll leave it there for today as we need to finish the module.  Maybe tomorrow I'll have time to blog about the similarities between today's Bitcoin boom and the pyramid or Ponzi schemes of yore.]]> 2018-02-27T14:30:42+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/jGR6xLV10rM/nblog-february-27-bigger-picture.html www.secnews.physaphae.fr/article.php?IdArticle=491511 False None None None NoticeBored - Experienced IT Security professional NBlog February 25 - malware update 2019? The 2018 malware update awareness module is a Work In Progress. We've all but completed the awareness materials for the general staff audience, and today we'll crack on through the management and professional streams.Every year I wonder what we are going to say in the malware module, given that we've covered this topic so many times before. I worry that we might not find anything new to add, forcing us to re-hash the same old stuff in the hope of making it interesting enough to resonate with the audiences. Yet again I needn't have worried. The malware threat is constantly mutating, much like a biological virus in fact. As fast as we discover and get to grips with each form, novel attacks and new challenges arise. There's no shortage of new things to say.Cryptomining malware emerged from its lair in the middle of last year. As it happens, it's one of the more benign forms that merely consumes resources, reduces performance and increases costs, as opposed to devastating and in some circumstances life-threatening forms ... 
and yet it is virulent (it spreads widely and rapidly) and weakens the host (aside from running the cryptomining software, what else might be going on in the background?).Perhaps next March when we refresh the malware module yet again, we'll pick up on the biological similarities by bringing up MRSA "superbugs" that have the healthcare and pharmaceutical industries and authorities worried. What will we do if/when our antivirus controls fail us? What is the cybersecurity equivalent of 'deep cleaning the ward' using bleach, with palliative care for patients whose infections we simply cannot treat? If it came down to it, how would we fully isolate and treat an organization whose malware infection seriously threatens the rest of us? Who has the ability, and the authority, to turn off life-support or flip the kill-switch?It would be good to have kick-started the thinking and planning early, before we find ourselves wallowing around in brown stuff. Security awareness isn't purely about learning from the past, or even the present.Either way, I'm confident that in a year's time there will be something new and pressing to raise!]]> 2018-02-25T09:07:30+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/DMbHz6woiY4/nblog-february-25-malware-update-2019.html www.secnews.physaphae.fr/article.php?IdArticle=489819 False None None None NoticeBored - Experienced IT Security professional NBlog February 22 - responsible disclosure Today I've been scouring the web for news on cryptominer incidents to incorporate into next month's awareness materials on malware.As well as the usual doom-n-gloom reports from assorted antivirus companies bigging-up the cryptominer threat, I came across an interesting letter from a US hospital, formally notifying patients about an incident.The infection was identified back in September 2017, and eradicated within 4 days of detection.Although the malware infection was a relatively benign cryptominer, the hospital sent a formal notification letter to 
patients at the end of January 2018 since the infected system held their medical data. Full marks to the hospital management for 'fessing up to the incident and publicly disclosing it, and for apparently handling the incident in a professional and reasonably efficient manner (although arguably 4 months is an age in Internet time).They have offered free credit monitoring services, more appropriate in case of identity fraud ... which is a possibility if the malware gained privileged access to the system. I wonder, though, whether this letter was simply part of their pre-prepared generic response to a cyber-incident, perhaps a defensive move prompted by their lawyers just in case personal/medical information was disclosed inappropriately.]]> 2018-02-22T16:38:06+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/8Z7DBIvXb9w/nblog-february-22-responsible-disclosure.html www.secnews.physaphae.fr/article.php?IdArticle=488161 False None None None NoticeBored - Experienced IT Security professional NBlog February 20 - awareness in small doses Last month I blogged about consciously adopting a different style of awareness writing, with succinct tips-n-tricks supplementing, perhaps even replacing, conventional descriptive paragraphs.At the risk of becoming recursive, one of the tips included in March's malware awareness module will be for NoticeBored customers to solicit tips from their colleagues who have suffered malware incidents recently.  The idea is for the security awareness people to:Find out what happened, to whom, when and how;Speak, discreetly, to the people involved or implicated in the incidents;Explore the consequences, both for the business and for them personally;Tease out the tips - lessons worth sharing with others;Share them.Such an approach would work extremely well in some organizational cultures, but in others people can be reluctant to admit to and open up about their issues. 
Although it is feasible to draw out and express the key learning points anonymously, without identifying those directly involved, the process loses a lot of its awareness impact.Think about it: if someone stands up before an audience, admits to failings that caused or failed to prevent a malware incident, and is clearly affected by the whole episode, isn't that a powerful, moving message in itself, regardless of the content?So, taking my own medicine, the Hinson tip cut-to-the-chase version of this blog piece is:"Find out about malware incidents from those involved, and share the lessons as part of your awareness program." While it's not the full story, that is hopefully just enough to catch your eye and stick in your memory.]]> 2018-02-20T18:35:49+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/9ojezFtQQHw/nblog-february-20-awareness-in-small.html www.secnews.physaphae.fr/article.php?IdArticle=485960 False None None None NoticeBored - Experienced IT Security professional NBlog February 17 - The I part of CIA Integrity is a universal requirement, especially if you interpret the term widely to include aspects such as:Completeness of information;Accuracy of information;Veracity, authenticity and assurance levels in general e.g. 
testing and measuring to determine how complete and accurate a data set is, or is not (an important control, often neglected);Timeliness (or currency or 'up-to-date-ness') of information (with the implication of controls to handle identifying and dealing appropriately with outdated info – a control missing from ISO/IEC 27001 Annex A, I think);Database integrity plus aspects such as contextual appropriateness plus internal and external consistency (and, again, a raft of associated controls at all levels of the system, not just Codd's rules within the DBMS);Honesty, justified credibility, trust, trustworthiness, 'true grit', resilience, dependability and so forth, particularly in the humans and systems performing critical activities (another wide-ranging issue with several related controls);Responsibility and accountability, including custodianship, delegation, expectations, obligations, commitments and all that …… leading into ethics, professional standards of good conduct, 'rules', compliance and more.The full breadth of meanings and the implications of “integrity” are the key rea]]> 2018-02-17T12:25:47+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Kl9ljrR4yK0/nblog-february-17-i-part-of-cia.html www.secnews.physaphae.fr/article.php?IdArticle=480926 False Guideline None None NoticeBored - Experienced IT Security professional NBlog February 16 - innovative malawareness Malware has been a concern since the 1980's. It's an awareness topic we update and refresh every March, and yet we never fail to find something new to discuss.  Last year, we focused on ransomware, a 'real and present danger' at the time with several high-profile organizations (such as the UK National Health Service) suffering disruptive and very costly incidents.  
This year, surprisingly, the ransomware risk appears to have declined according to some reports, only to be replaced it seems by the next wave: cryptocurrency mining Trojans.Meanwhile, we suspect reports of the demise of ransomware are premature. Compared to slowly milking a few Bitcoins from a large botnet of cryptominers, holding organizations' or indeed individuals' data to ransom for a few hundred dollars or more per hit seems much more lucrative – but also riskier for the criminals behind the scams.  Perhaps what's really behind this is the criminals' risk-reward tradeoff.  Then again, maybe it's just that the analysis is flawed. Perhaps ransomware was not quite as bad as it seemed last March, and remains at much the same level today. One of the perennial issues we face in researching the malware topic is that the most readily available information is published by antivirus companies, with an obvious commercial agenda to make the malware issue appear worse than it really is. Sifting through the stream of "surveys" and "reports" to find the few of any note and credibility is a tedious task, making this one of those areas where our security awareness service goes beyond the bare minimum. Rather than regurgitating the same old stuff and scaremongering, we're adding value by researching information risks and challenging the conventional wisdom.  
Innovating, you could say, or being unconventionally wise.]]> 2018-02-16T14:37:13+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/gIQR4Pn3DwQ/nblog-february-16-innovative.html www.secnews.physaphae.fr/article.php?IdArticle=480927 False None None None NoticeBored - Experienced IT Security professional NBlog February 14 - IoT security & privacy standard ISO27001security.com for ISO/IEC 27030, a standard now being developed for IoT security and privacy.I've been arguing for years that it would be appropriate, since they specify a risk-based approach to security management, for the ISO27k standards to specify the information risks they address. To that end, I've published a PIG (Probability Impact Graph) graphic from the NoticeBored security awareness module on IoT and BYOD, to set the ball rolling ...There seems little chance of persuading ISO/IEC to incorporate such a colorful image in the standard, unfortunately, but hopefully the analytical approach will at least prove useful for the project team busily drafting the new standard.On the web page I've described the red and amber zone IoT risks. I'm sure we could have an excellent discussion about those and other risks in the committee, except there is never enough time at the twice-yearly SC27 meetings to get far into the nitty-gritty of stuff like this. Instead I'll see whether I can raise any interest on the ISO27k Forum, perhaps feeding relevant content and creative suggestions to SC27 via formal comments submitted by NZ Standards - the tedious, antiquated, laborious, slow and expensive approach that we are presently lumbered with. 
It hardly seems worth the effort.]]> 2018-02-14T12:59:46+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/cN0W9ODGUwk/nblog-february-14-iot-security-privacy.html www.secnews.physaphae.fr/article.php?IdArticle=480928 False None None None NoticeBored - Experienced IT Security professional NBlog February 13: ISO/IEC 27000:2018 FREE download I've caught up with a small mountain of ISO/IEC JTC1/SC27 emails, and updated www.ISO27001.com with a smattering of news. A few new and updated standards have been released in the past 4 months or so, including ISO/IEC 27000:2008, the overview and glossary of terms used throughout ISO27k. As usual, ITTF offers legitimate FREE single-user PDF versions of ISO/IEC 27000 in both English and French. Please observe the copyright notice. The free ITTF PDFs are for personal use and are not to be shared or networked. Other recent (but not free) releases include ISO/IEC 27007 (management system auditing), 27019 (securing SCADA/ICS process controls in the energy industry) and 27034-5 (application security). ISO/IEC 27021 is an interesting new one: it explains the competences (knowledge and skills) required by ISMS professionals. It's fairly straightforward, really, but nice to see it laid out in black and white, with the implication that assorted ISO27k training courses will gradually fall into line. Perhaps we should develop an ISO27021-aligned training course. Would you like to pop down to the South Pacific to learn how to do this ISO27k ISMS stuff, or invite me over to wherever you are? If so, please get in touch. It's a lot of work to put a course together, so we'd need to establish first whether there would be sufficient demand. 
😊]]> 2018-02-13T13:18:38+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/6Uhs_PLXjho/nblog-february-13-isoiec-270002018-free.html www.secnews.physaphae.fr/article.php?IdArticle=480929 False None None None NoticeBored - Experienced IT Security professional NBlog February 9 - mapping awareness memes Yesterday I came up with the suggestion of using memes to spread security awareness messages from person to person, in a similar fashion to the way that computer viruses and worms spread from IT system to IT system. Today I'm trying to come up with something that people will spread among each other by word of mouth, through email and TXT etc., something funny, shocking or useful - such as tips to avoid falling prey to malware maybe, or rumors about a serious malware infection within or close to the organization.'Too close for comfort' has potential, perhaps a malware incident and business crisis narrowly averted by sheer good fortune. Or maybe we could fool workers into believing that the auditors will soon be coming to check up on the antivirus controls?Such an approach could be unethical, risky even (e.g. if it prompted workers to meddle inappropriately with antivirus configurations or audit trails, rather than ensuring that the antivirus controls were operating correctly). It would need to be carefully considered and planned, which itself constitutes an awareness activity even if, in the end, the decision is taken not to go ahead.The 'meme map' (derived from "Meme Maps: A Tool for Configuring Memes in Time and Space" by John Paull) represents the lifecycle and spatial or geographical spread of the meme. Reading from the bottom up, both the yellow area prior to the meme's release, and then the green area, are awareness opportunities.  Mapping and demonstrating the gradual spread of a security awareness meme within the organization (e.g. 
mapping the source of clicks on a link to a fake internal memo about the fictitious antivirus audit, or tracking calls abo]]> 2018-02-09T15:09:40+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/1Wvv-Flu9Gc/nblog-february-9-mapping-awareness-memes.html www.secnews.physaphae.fr/article.php?IdArticle=466615 False None None None NoticeBored - Experienced IT Security professional NBlog February 8 - making security awareness infectious Just appearing into view along our virtual conveyor belt comes an updated module on malware, one of those perennial, almost universally-applicable security awareness topics.Aside from generally checking over and fluffing-up the content delivered in prior years, we're on the lookout for new developments, specifically any changes in the risk profile or security controls associated with malware.Something we've spotted is an alleged move away from ransomware (which was Big News this time last year, a real and present danger) towards using compromised systems for crypto currency mining. I'm not entirely convinced at this point whether that is a genuine change: maybe ransomware has indeed peaked out (I sure hope so!), maybe not, but either way mining malware could be an emerging trend, another short-lived fad, a mistaken interpretation of limited data or pure fiction invented by someone flogging antivirus software.Over a much longer timescale, commercial exploitation of malware remains evident, along with the continuing battles between black and white hats. For decades we have seen innovative and increasingly complex technologies being deployed on both sides - clever stuff, but things have more or less stalled on the human front. Despite our best efforts through awareness, education, training, phishing simulators etc., the same old social engineering tricks remain somewhat effective today at spreading malware, and there's plenty of potential there for further innovation. Novelty is a challenge for both the tech and non-tech malware defenses. 
This is cutting-edge stuff where established approaches gradually lose their power. Purely responding to changes on the offensive side is bound to set us on the back foot, especially given that most of those changes are unrecognized as such, initially anyway. Who knows, maybe the Next Big Thing in social engineering might be quietly ramping up right now.So, I'm sitting here thinking about how to encourage NoticeBored subscribers to up their game with more innovative malware defenses, including our creative efforts on security awareness of course but what else could they be doing? Hmmm, I wonder if security awareness messages could be delivered by malware-like infectious mechanisms? ]]> 2018-02-08T14:04:50+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/6jZKrUegCBA/nblog-february-8-making-security.html www.secnews.physaphae.fr/article.php?IdArticle=465913 False None None None NoticeBored - Experienced IT Security professional NBlog February 5 - protecting information awareness module 'Protecting information' is a non-specific title. Almost everything that we do is about protecting information so what does February's NoticeBored awareness module actually cover?'Protecting information' begs questions such as:What is the information that deserves or needs to be protected?What are the risks the information is protected against - the threats, vulnerabilities and impacts?How can or should the information be protected?Who is responsible for protecting it?For the answers, we drew inspiration from the fields of information risk management, intellectual property and knowledge management, as well as information security and governance. As usual, we chose to discuss all kinds or forms of information in the typical business context - not just computer data. 'Knowledge' for instance includes workers' experience and expertise, trade secrets and know-how in general. 
The corresponding information risks and controls are quite diverse.Information classification is one of the key controls patiently explained. The process of classifying and protecting information is more involved than it may appear. Awareness is particularly important for organizations handling government and defense information: it's all very well stamping SECRET on your manila folders, but what does that actually mean, in practice? What does it achieve? What's the point? How does it work?The materials promote a balanced and considered approach towards protecting information. Excessively strong information security reduces legitimate access to, and utility of, the information. The very value we seek to protect can be degraded by too much security. Many information/cyber security professionals would do well to consider this paradox! Protecting the availability of information sometimes means compromising on the controls for confidentiality and integrity.]]> 2018-02-05T20:55:47+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/xUC0fXylbiI/nblog-february-5-protecting-information.html www.secnews.physaphae.fr/article.php?IdArticle=463970 False None None None NoticeBored - Experienced IT Security professional NBlog January 31 - protecting information Today after the usual end-of-month rush, we completed and delivered February's security awareness module on protecting information.We have updated the NoticeBored website with an outline of the new module.  I'll have a bit more to say about it here on the blog, maybe tomorrow.  Right now I'm de-stressing with a glass of red wine and some time off in front of the TV.]]> 2018-01-31T19:09:58+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/a8o3qDAzftg/nblog-january-31-protecting-information.html www.secnews.physaphae.fr/article.php?IdArticle=462115 False None None None NoticeBored - Experienced IT Security professional NBlog January 24 - distracted, again The fawn was only an hour or so old. 
We didn't even know Maka was pregnant, let alone due today, so it was a very pleasant surprise. Mother and baby are doing well. We feel like proud grandparents.]]> 2018-01-24T17:40:49+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/0JHoat6nUfo/nblog-january-24-distracted-again.html www.secnews.physaphae.fr/article.php?IdArticle=459426 False None None None NoticeBored - Experienced IT Security professional NBlog January 22 - turning the tables Social engineers exploit their "knowledge" of psychology to manipulate and exploit their victims. So how about we turn the tables - use our knowledge of psychology to counter the social engineers?That thought popped unexpectedly into my head over the weekend as I was grubbing weeds in the paddock. I've been mulling it over ever since, making hardly any progress to be honest. One thing that occurs to me is that social engineers are potentially just as vulnerable to manipulation as their victims, although they have the advantage of having consciously and deliberately performed their attacks ... which could in fact be a weak point: if they believe they are in the driving seat, they may not anticipate being driven. There is some evidence of this, for example 419ers (advance fee fraudsters)  have occasionally been led along the garden path by savvy targets. Scam-baiting became A Thing about a decade ago, relatively amateurish though and risky to boot: the authorities quite rightly warn against vigilantism in general, but there were some creative schemes and hilarious trophies.A better planned, coordinated and generally more professional approach, applying proper psychology and science rather than just bitterness, retribution and belittling, has some merit as a strategy, particularly if the aim is to fire up workers' imaginations and so make them more aware of, and resistant to, the scammers. 
Whereas an individual organization or even a group may stand little chance of stamping out the 419ers and other social engineers, they can perhaps tilt the odds in their favor, becoming slightly harder, less attractive targets.I'm still not sure where I'm going with this. It's one of those little germs of an idea that might sprout and flourish, but more likely will disappear without trace. Perhaps me writing about it here has set YOU thinking about it, and together we can take it forward as a discussion thread. It will at least remind me when I'm checking through the blog posts at some future point, having totally forgotten about it!]]> 2018-01-22T18:30:50+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/BnqYopzr_BU/nblog-january-22-turning-tables.html www.secnews.physaphae.fr/article.php?IdArticle=459427 False None None None NoticeBored - Experienced IT Security professional NBlog January 17 - the compliance case for security awareness Security awareness may be something you have to do for compliance reasons (mostly to avoid penalties) or something you want to do to gain the benefits, often both.Today I'll concentrate on the compliance aspects, the most straightforward part, leaving the business case for another day's blogging.Compliance pressures come at us from all sides!Laws and regulations: many information-related laws and regs mandate adequate information security, particularly those concerning privacy and governance, plus those applicable to the healthcare, financial services, government, infrastructure/utility and defense industries. Some of them specify awareness and training explicitly, others are more circumspect, typically referring to ensuring compliance without saying precisely how to achieve that.Contracts and agreements: PCI-DSS is the classic example of a contractual obligation to secure information, specifically card holder information relating to credit and debit cards. Security awareness is a mandatory requirement of PCI-DSS. 
Another example is the typical employment or service contract, containing clauses about securing personal and proprietary information and protecting the organization's interests. Yet another is cyber insurance: the policy small-print may include requirements along the lines of 'generally accepted standards and practices of information security', or mention particular laws and standards, or may specify particular controls (such as incident management and breach notification). Many a lawyer's fee results from the nuances in this area! Claiming that an incident occurred because workers were unaware of their security obligations would be a strong case for the prosecution, not the defense. Corporate strategies, policies and standards: many organizations have formal company rules relating to information risk and security, website privacy policies for instance. If employees don't know and care about them, what is the point in even having them? Despite being an obvious requirement (obvious to us anyway, and now you too!), awareness and training is not universal although the requireme]]> 2018-01-19T15:33:48+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Z-A917n_Eg4/nblog-january-17-compliance-case-for.html www.secnews.physaphae.fr/article.php?IdArticle=459429 False None None None NoticeBored - Experienced IT Security professional NBlog January 18 - the business case for security awareness A day or so ago I wrote about organizations being pressured into security awareness for compliance reasons. With some exceptions, compliance is externally imposed and doesn't directly benefit the organization through increased profits - rather it avoids or reduces the losses and costs (including penalties) associated with noncompliance. That is still a financial benefit but with negative, oppressive connotations. 
Today I'm moving on to more positive, profitable matters: the business benefits arising from security awareness and training, of which there are several:

- Better recognition and identification of information risks
- More appreciation and understanding of information risks
- Fewer, less costly incidents
- Better governance
- Greater organizational and personal resilience
- Organizational learning and sustained improvement (maturity)
- A genuine, deep-rooted and all-encompassing corporate security culture
- Deterrence
- Getting the most out of other information security controls
- Other spin-off benefits, e.g. inventories of information assets

You may have spotted an underlying theme, in that most of the benefits of security awareness and training stem from better information risk management. In a sense, awareness is 'just another security tool', but one with a multitude of applications, more Swiss multitool than hammer.

I am fleshing out all those bullet points into a template "Business case for an infor

[Posted 2018-01-19T15:30:23+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/CKdHsXBSOvA/nblog-january-18-business-case-for.html | www.secnews.physaphae.fr/article.php?IdArticle=459428]

NoticeBored - Experienced IT Security professional
NBlog January 16 - revising a backup tip-sheet

I've been talking about simplifying our awareness content, making the materials more actionable, more direct in style, and here's an example.

Dipping into our stash of awareness content I discovered an awareness briefing on "Data backups" written six and a half years ago. It's not a massive tome, just a single A4 side of information, and the content hasn't aged significantly (although "PDA" is not an acronym we hear much these days!).
But the written style needs some adjustment.

The original started out with a summary: "IT Department makes regular backups of data on the network drives so computer users must either store all their information on the corporate network, or make alternative backup arrangements. Make sure you have good backups before it is too late."

The first sentence is passive, referring to "computer users" in the third person, rather than speaking directly to the reader. I have railed before about the term "end user" being used by IT professionals as a disparaging term with vague connotations of drug addiction, not exactly a flattering way to refer to our work colleagues! The second sentence is much more direct: it's a keeper.

Moving on, the next section headed "Why backups are so important" set the scene by outlining typical situations where computer data might be lost or corrupted, such that the only feasible response is to restore from backups: not a bad little list of incidents (malware, bugs, hackers and physical loss/damage), one we can re-use easily enough. It's a set of bullet points, quite succinct.

The next section gave advice: this took two substantial paragraphs making a big block of text. I've rewritten that as another set of succinct bullet points, more direct and action-oriented.

[Posted 2018-01-16T20:21:49+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/NRE9jLZwAVw/nblog-january-16-revising-backup-tip.html | www.secnews.physaphae.fr/article.php?IdArticle=459430]

NoticeBored - Experienced IT Security professional
NBlog January 15 - protecting information in the cloud

The graphic is about securing data in the cloud, taking us into the realm of cloud computing and Internet security.
At the end of my previous blog item, I mentioned that I'd be looking for situations where tightening security by adding additional controls is not necessarily the best approach, and sure enough here's one.

Putting corporate and personal data into the cloud involves a significant increase in some information risks, compared to keeping everything in-house. Strong encryption of data both in transit and at rest is a substantial and obvious control, necessary but not sufficient to mitigate the cloud risks entirely: encryption protects confidentiality only, and only as well as the keys are managed, especially where the cloud provider holds them. Many other information security controls can be applied to reduce the risks further, but the costs mount with every control added. Extremely risk-averse organizations may take the position that cloud computing is simply too risky, even with strong controls in place, so they partially or wholly avoid it ... which also means forgoing the benefits, including significant business and information security benefits (such as the highly resilient and flexible cloud infrastructure, supporting business continuity plus proactive capacity and performance management).

OK, so that's a situation we might explore for the "Protecting information" awareness module, but it's quite complex as described. We need to find a simpler, more straightforward way to express it: my task for today.

[Posted 2018-01-15T12:38:30+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/qpsLuFPxMec/nblog-january-15-protecting-information.html | www.secnews.physaphae.fr/article.php?IdArticle=459431]

NoticeBored - Experienced IT Security professional
NBlog January 12 - microwave ready meals

February's working title "Protecting information" is so vague as to be almost meaningless, yet it is written in an active sense, hinting at the process or practice of protecting information, the things we actually do, or should consider doing at least.
We might instead have gone for "Information protection", placing more emphasis on the principles than the practices but, in keeping with yesterday's piece about engaging our reader on an individual basis, the new materials will be relatively simple and pragmatic: I'm thinking checklists and action plans, stuff that the reader can pick up and use directly. More "microwave ready meal" than "Michelin chef's secret recipe".

Leafing through our stash of awareness content, we have previously delved into information classification schemes (what they are for, how they are designed and how they typically work): this time around we might skim or ignore the theory to focus on using classification in practice, as a workplace tool, how to do it, basically. Hmmm, I wonder if I can write a Haynes Manual-style step-by-step classification guide, with pictures?

We've also explored knowledge management and intellectual property rights before, again fairly academic or theoretical concerns. It will take a bit more head-scratching to think of practical applications that people can relate to. Straight-talking advice on 'What to look for in a license' maybe? Maybe not.

Another area we have covered repeatedly is information risk management, a structured approach that underpins the entire domain, including the ISO27k standards. The management aspects remain relevant for our customers' managers but for February I'm tempted to skirt around the conventional information risk and security perspective (identifying and characterising the risks, then applying security controls to mitigate them) to find real-world examples of risk avoidance, risk sharing and/or risk acceptance. So now I'm on the look-out for examples of real-world situations where tightening the controls is not necessarily the best approach ....
[Posted 2018-01-12T17:54:28+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/w1ulIfUa_SY/nblog-january-11-microwave-ready-meals.html | www.secnews.physaphae.fr/article.php?IdArticle=458585]

NoticeBored - Experienced IT Security professional
NBlog January 11 - awareness styles

Over the past couple of months, I've written and published a suite of 'Hinson tips' on another passion of mine: amateur radio. The tips concern a cutting-edge development in digital communications, and how to get the most out of the associated software. I've had a lot of feedback on the tips, reflecting global interest in the new software and, I guess, the need for more guidance on how to use it. The reason I'm bringing it up here is that my writing style appears to have influenced the nature of the feedback I'm getting from, and my relationship with, the readers. I honestly wasn't expecting that.

There was already a reasonably comprehensive help file for the program, well-written but in a fairly formal and dry technical style typical of technical manuals (not those ineptly translated from Chinese via Double Dutch!). A constant refrain is that people don't read the help file, just as we don't RTFM (Read The Flamin' Manual!). I suspect part of the reason is that 'fairly formal and dry technical style': despite amateur radio being a technical hobby, many hams are not technically-minded. Some simply enjoy using the radio to talk to people, and why not? It takes all sorts. Digital communications adds another layer of complexity through the information theory and mathematics underpinning the protocols we use, and IT is a world of pain for some. To be frank, although I have a passing interest and some knowledge, I'm way out of my depth in some of those areas ... which means I empathise with those who are equally uncomfortable.

There is also an active online support forum, populated by a mix of experts, somewhat experienced users and complete novices.
Unfortunately, the forum is suffering a little from the recent influx of people, some of whom are very passionate (which can easily come across as opinionated, strong-willed and direct). Being a global community, a lot of hams don't understand English very well (if at all!), hence the language can be a problem for them, as well as the sometimes hostile reception anyone gets on asking a 'dumb question'. Even attempting to explain things patiently in response to a genuine question, or to discuss ways to respond to an issue, can lead to complaints that there are 'too many messages' and we are 'going off-topic', reflecting general frustration and perhaps a lack of understanding and/or focus.

So, I deliberately chose to write the tips in an accessible, readable, informal style, drawing on, interpreting and re-writing material from the help file and the forum,

[Posted 2018-01-11T16:06:05+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/hxhXgX0iORs/nblog-january-11-awareness-styles.html | www.secnews.physaphae.fr/article.php?IdArticle=457863]

NoticeBored - Experienced IT Security professional
NBlog January 10 - archives come in pairs

The NoticeBored security awareness program moves on to the next topic for February: 'protecting information' is the working title, a deliberately vague term giving us plenty of latitude. Exactly what we will bring up, how we will raise and discuss things, the specific awareness messages we will be drawing out and so on is not determined at this point.
It will become clear during January as we complete our prep-work and develop the awareness materials.

This morning, in connection with a discussion thread on the ISO27k Forum, I've been contemplating information risk management in a general sense by thinking through a situation, coming up with a specific example that draws out a much broader learning point.

Briefly setting the scene, the thread was started by someone asking whether it is really necessary under ISO/IEC 27001 to have a policy on risk-assessing valuable documents individually. We talked about grouping related assets together (such as 'Contents of cupboard 12') and controls (such as electronic backups) but the original poster circled back to the question of whether the ISO standard itself mandates a policy:

"I understood that I need to classify our assets according to their importance and risk. But in general, would this cupboard-labeling method work according to ISO 27001 policies? For example, we have a lot of paper-form documents in three cupboards and I would sort them all in some way, and make the cupboard lockable and label the cupboard according to the sorting and put the label into my inventory list. Would that violate any ISO 27001 policy?"

So this morning, I wrote this ...

. . . o o o O O O o o o . . .

Here's an important information security control that, as far as I

[Posted 2018-01-10T10:47:49+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/qTaiLxzfQJk/nblog-january-10-archives-come-in-pairs.html | www.secnews.physaphae.fr/article.php?IdArticle=457119]

NoticeBored - Experienced IT Security professional
NBlog January 4 - IoT and BYOD security awareness module released

The Internet of Things and Bring Your Own Device typically involve the use of small, portable, wireless networked computer systems, big on convenience and utility but small on security.
Striking the right balance between those and other factors is tricky, especially if people don't understand or willfully ignore the issues, hence education through security awareness on this topic makes a lot of sense.

From the average employee's perspective, BYOD is simply a matter of working on their favorite IT devices rather than being lumbered with the clunky corporate stuff provided by most organizations. In practice, there are substantial implications for information risk and security, e.g.:

- Ownership and control of the BYOD device is distinct from ownership and control of the corporate data and IT services;
- The lines between business use and personal life, and data, are blurred;
- The organization and workers may have differing, perhaps even conflicting expectations and requirements concerning security and privacy (particularly the workers' private and personal information on their devices);
- Granting access to the corporate network, systems, applications and data by assorted devices, most of which are portable and often physically remote, markedly changes the organization's cyber-risk profile compared to everything being contained on the facilities and wired LANs;
- Increasing technical diversity and complexity leads to concerns over supportability, management, monitoring etc., and security of course. Complexity is the information security manager's kryptonite.

IoT is more than just allowing assorted things to be connected to

[Posted 2018-01-04T11:14:03+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/Qu3fmeGlPRY/nblog-january-4-iot-and-byod-security.html | www.secnews.physaphae.fr/article.php?IdArticle=455197]

NoticeBored - Experienced IT Security professional
NBlog December 30 - the start is nigh

With near-perfect timing, we're into the final stages of polishing off January's awareness module on IoT and BYOD security. I say near-perfect because this is the last weekend of 2017 with just over a day remaining until 2018.
After a week of chilly and miserable weather, an unseasonal polar blast, I'd rather be out enjoying the fine weather and getting ready for the traditional new year's eve celebrations! The last section of writing took a bit longer than planned, but I'm confident we'll hit the delivery deadline. Updates to the NoticeBored website are in hand and we'll be packaging and sending the materials to subscribers tomorrow, electronically that is.

Looking forward, we've selected awareness topics for the first few months of 2018 and written them up on our distinctly low-tech office whiteboard. We deliberately don't plan too far ahead (who knows what will crop up?) but it takes time to research and draft the materials. Having working titles and outline scopes in mind keeps us focused and on-track. If a particularly dramatic information security incident occurs, we can always drop the current work to pick up on it, pushing the original plan out a month. With 60-odd information risk and security-related topics in the portfolio, there's not a lot we haven't covered already, to some extent. The NoticeBored back catalog is as much a source of inspiration as content, though, since the field is constantly moving. On top of that, our own interests and preferences are gradually evolving too.

[Posted 2017-12-30T20:57:06+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/GTH8YT-Chzo/nblog-december-30-start-is-nigh.html | www.secnews.physaphae.fr/article.php?IdArticle=455198]

NoticeBored - Experienced IT Security professional
NBlog December 28 - slowly slowly catchee monkey

As the end-of-month deadline looms, we're close to finishing January's NoticeBored security awareness module on IoT and BYOD.
Today I'm working on the awareness seminar slide deck and accompanying briefing paper for the audience group we call 'professionals', blue-collar workers essentially, specialists in IT, risk, security, audit, facilities, control, compliance etc.

We dig a bit deeper into the topic for that audience, but not too deep. The overriding awareness objective is to inform, intrigue, motivate and set them talking to their colleagues (other professionals plus the general and management audiences) about and around the topic. Awareness is not training, although there is a grey area and the terms are often confused. Ultimately, we hope the pros will pass on some of their knowledge and enthusiasm for the topic to others, preferably with more than just a casual nod towards the information risk and security aspects.

IoT and BYOD are obviously IT-related, so the pro materials are IT-centric this month. The awareness poster image above mentions "latest hi-tech goodies" specifically to catch the eyes of geeks and technophiles, people who just love hot new gadgets: reading about them, drooling over the adverts, sometimes buying and using/playing with them, showing them off to their less fortunate playmates ... and occasionally hacking them to figure out how they really work.

An article about hacking building management systems (things!) caught my beady eye today, for several reasons. It's right on-topic, for starters, exactly the kind of intriguing tech content that appeals to the pro audience we have in mind. The author's hacker mentality rings out. He has spent countless hours exploring their capabilities and vulnerabilities for more than a decade. To most of us, that's unnaturally obsessive behaviour but to him it's a hobby, a fascination or passion, fun even. I'm sure he'd do it even if he wasn't being paid to hack (he's a professional penetration tester by day).

I'd love to inspire such intense passion among our customers' employees on the defensive side ...
but it's hard given that I'm not there in person and anyway security awareness has a broader and more realistic goal. Some workers may be fire

[Posted 2017-12-28T13:51:20+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/34BqAgz6zqQ/nblog-december-28-slowly-slowly-catchee.html | www.secnews.physaphae.fr/article.php?IdArticle=455199]

NoticeBored - Experienced IT Security professional
NBlog December 27 - inspirational security awareness

Normally in security circles, the word 'exploitation' has the distinctly negative and foreboding connotation of some evil miscreant wantonly attacking and taking advantage of us ... but we'll be using the word in a much more positive sense in the IoT and BYOD security awareness materials for January.

The topic presents a golden opportunity to point out that information security mitigates the substantial information risks associated with IoT and BYOD, risks that would otherwise reduce, negate or even reverse the business advantages.

It's not entirely plain sailing, though, since the risks are context-dependent. Someone needs to identify and evaluate the risks and the corresponding security controls, in order to determine firstly whether the risks are truly of concern to the organization (they can't be avoided or accepted), and secondly whether the security controls are necessary and justified since there are costs as well as benefits.

We've pump-primed the process by doing the risk and security analysis in a generic way, a starting point for subscribers to consider and take forward. We don't pretend to know all about all the information risks each customer faces, nor the information security control options open to them. We're definitely not attempting to do the analysis for them, rather to inspire them to do it themselves.
The awareness materials are the prompt to set them thinking and the motivation to get them going.

[Posted 2017-12-27T13:46:26+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/HC4dKWqnKdI/nblog-december-27-inspirational.html | www.secnews.physaphae.fr/article.php?IdArticle=455200]

NoticeBored - Experienced IT Security professional
NBlog December 26 - government security manual

The New Zealand Information Security Manual (NZISM), in effect the government's information security policy manual, or at least the public non-secret element, was released this month.

NZISM is painstakingly maintained and published by the Government Communications Security Bureau (GCSB), our spooks in other words. It is a substantial tome, well over six hundred A4 pages split across two volumes.

Part 1 (365 pages) covers:

- A brief introduction to the topic and the manual, in the NZ government context;
- Governance arrangements including overall controls such as accountability and responsibility, and compliance through system certification and accreditation, audits and reviews;
- Policies, plans, Standard Operating Procedures plus emergency and incident response procedures;
- Change management;
- Business continuity and Disaster Recovery management;
- Physical security;
- Personnel security (including security awareness);
- Infrastructure security (well, cabling and TEMPEST anyway);
- Communications systems and devices (e.g. cellphones and wearables);
- Product security (acquiring commercial goods and services);
- Storage media (lifecycle management).

Part 2 (another 300 pages) covers:

- Software security (e.g.
hardened Standard Operating

[Posted 2017-12-26T20:01:58+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/ma5RLNq2V1M/nblog-december-26-government-security.html | www.secnews.physaphae.fr/article.php?IdArticle=455201]

NoticeBored - Experienced IT Security professional
NBlog December 21 - auditor independence [LONG]

Over on the ISO27k Forum, we've been discussing one of my favourite topics: auditing, or more precisely the question of auditor independence. How independent should an auditor be? What does that even mean, in this context? SPOILER ALERT: there's rather more to it than reporting lines.

My experienced IT auditor friend Anton posted some relevant definitions from ISACA, including this little gem:

"Independence of mind: the state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional scepticism."

While I agree this is an extremely important factor, I have a slightly different interpretation. 'Independence of mind', to me, is the auditor's mental capacity to examine a situation free of the prejudice or bias that naturally afflicts people who have been in or dealing with or managing or indeed suffering from the situation, plus all that led up to it, and all the stuff around it (the context), including all the 'constraints' or 'reasons' or 'issues' that make it 'a situation' at all. It's more about the auditor making a back-to-basics theoretical assessment, thinking through all the complexities and (hopefully!) teasing out the real underlying reasons for whatever has happened, is happening, and needs to happen next.
The ability to report stuff (ISACA's "expression of a conclusion") is only part of it: figuring out how the situation ought to be in theory, then looking at it in practice, gathering objective, factual evidence, doing the analysis, probing further and focusing on the stuff that matters most (the 'root causes'), are at least as important audit activities as reporting.

Here's a little exercise to demonstrate why independence matters: next time you drive or are driven on a familiar route, make an extra special effort to spot and look carefully at EVERY road sign and potential hazard along the way. Concentrate on the task (as well as driving safely, please!). Say out loud ever

[Posted 2017-12-21T15:49:45+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/0Ehzv5_5TRs/nblog-december-21-auditor-independence.html | www.secnews.physaphae.fr/article.php?IdArticle=453296]

NoticeBored - Experienced IT Security professional
NBlog December 19 - sticky ends

Surveys typically show that:

- Most organizations have some form of BYOD scheme encouraging or permitting workers to use their own laptops, smartphones and tablets for work; and
- IoT is spreading fast but still has a long way to go before it peaks.

We infosec geeks may throw up our hands in horror ... but the facts remain: BYOD and IoT are popular, now. They are here to stay and almost certain to expand. It's too late now for us to bleat on about the information risks and security concerns*. The train has long since left the station.

So how should we handle this situation? An obvious approach is to retrospectively identify, assess and treat the information risks as best we can, emphasizing threats such as hackers, malware, theft or loss of information, and inappropriate disclosure, and promoting security controls such as ... well, that's where it gets tricky because we have limited options for technical controls, and (despite our best efforts!)
security awareness is never going to be a total cure for employees being incautious or careless. Being so negative and constrained, it's hardly a convincing argument. You could say it's also behind the times, fighting the last war as it were.

Instead, we're taking a more proactive and upbeat line in the NoticeBored content for January. There are business opportunities in going with the flow, embracing BYOD and IoT (where appropriate), making the best of the rapidly evolving technology and forging ahead. Maybe we can't fix everything today, but we surely can make tomorrow better. Here's a single example: if a company's widgets can be smartened-up and networked, they might just catch the wave. Innovation is a vital component of brand value for many organizations, a common strategic driver. Provided the technology, security and privacy aspects are sufficiently well addressed, smart, networked widgets may be used to gather information about how the widgets are used in practice by real customers, en masse, giving valuable insight to drive furthe

[Posted 2017-12-19T20:52:40+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/n5boUpIqPmM/nblog-december-19-sticky-ends.html | www.secnews.physaphae.fr/article.php?IdArticle=452282]

NoticeBored - Experienced IT Security professional
NBlog December 18 - the complexities of simplification

From a worker's perspective, BYOD is 'simply' about being allowed to work on his/her own ICT devices, rather than having to use those owned and provided by the organization. What difference would that make? It's straightforward, isn't it?

Good questions! There are numerous differences in fact, some of which have substantial implications for information risk, security and privacy. For example, ownership and control of the device is distinct from ownership and control of the data: so what happens when a worker leaves the organization (resigns or is 'let go'), taking their devices with them?
Aside from any corporate data on the devices, they had been permitted access to the corporate network, systems, apps and data. The corporate IT support professionals had been managing the devices, and probably had access to any personal data on them. Lines are blurred.

In a similar vein, IoT is more than just allowing assorted things to be accessed through the Internet and/or corporate networks. Securing things is distinctly challenging when the devices are diverse, often inaccessible and have limited storage, processing and other capabilities ... but if they are delivering business- or safety-critical functions, the associated risks may be serious.

The complexities beneath the surface make this a challenging topic for security awareness: we need to help workers (general staff, managers and specialists, remember) appreciate and address the underlying issues, without totally confusing them with techno-babble. That means simplifying things just enough but no more, a delicate balancing act.

In reality, dividing the awareness audience into those three groups lets us adjust the focus, nature and depth of the materials accordingly. Managers, for instance, have a particular interest in the risk management, compliance and governance aspects that are of little concern to workers in general. At the same time, the awareness materials should generate opportunities for the three audience groups to interact, which means finding common ground and shared interests, points for discussion. That's what we're working on now.

[Posted 2017-12-18T15:32:02+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/y4xRnkIDRV8/nblog-december-18-complexities-of.html | www.secnews.physaphae.fr/article.php?IdArticle=451400]

NoticeBored - Experienced IT Security professional
NBlog December 14 - distracted

I've been a bit distracted the past day or two by the arrival of a calf called Nellie.
Amelia, her mum, had been waddling dejectedly around the paddock for ages, almost as wide as she is tall, complaining about her sore back and practicing her breathing exercises.

After the heat of recent weeks, the weather has now turned a bit cooler, wet and stormy, which is probably a nice change for Amelia but a bit of a challenge for little Nellie, so we're keeping a close eye on them both.

The joys of rural NZ!

[Posted 2017-12-14T11:58:04+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/UFxfjpYpftA/nblog-december-14-distracted.html | www.secnews.physaphae.fr/article.php?IdArticle=449926]

NoticeBored - Experienced IT Security professional
NBlog December 13 - IoT & BYOD security policies

Today we've been working on model policies concerning IoT and BYOD security.

We offer two distinct types of policy:

- Formal information security policies explicitly defining the rules, obligations and requirements that must be satisfied, with a strong compliance imperative relating to management's authority. These are the internal corporate equivalent of laws ... although we go to great lengths to make them reasonably succinct (about 3 sides), readable and understandable by everyone, not just lawyers familiar with the archaic and arcane legal lexicon (such as has heretofore in the present clause been ably demonstrated, m'lud).
- Informal, or at least semi-formal, Acceptable Use Policies that are more advisory and motivational in nature. These compare pragmatic examples of acceptable (in green) against unacceptable (red) uses to illustrate the kinds of situation that workers are likely to understand. They are even more succinct: just a single side of paper.

So, we now have four security policy templates for IoT and BYOD.

Although they don't contain huge volumes of content and are relatively simple, it takes a fair bit of time and effort to research, design and prepare them.
Part of our challenge is that we don't have a particular organization in mind: these are generic templates giving customers a reasonably complete and hopefully useful starting point that they can then customize or adapt as they wish. Those customers who already have policies covering IoT and BYOD might find it helpful to compare theirs against ours, particularly in terms of keeping them up to date with ever-changing technologies and risks, while also being readable and pragmatic. Having been developing policies for close to 30 years, I've learnt a trick or two along the way!

The policies will be delivered to NoticeBored subscribers in January's security awareness module, and are available to purchase either individually or as a suite from us. Contact me (Gary@isect.com) for details.

[Posted 2017-12-13T15:58:28+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/nUmjek5XcPE/nblog-december-13-iot-byod-security.html | www.secnews.physaphae.fr/article.php?IdArticle=449115]

NoticeBored - Experienced IT Security professional
NBlog December 11 - things in Santa's sack

What's hot in toyland this Christmas?

Way back when I was a kid, shortly after the big bang, it was Meccano and Lego for me. I still value the mechanical skills I learnt way back then. Give me a box of thin metal strips full of holes, a plentiful supply of tiny nuts and bolts, and some nobbly plastic bricks, and I'll build you an extraordinary space station complete with spinning artificial gravity module. Or I might just chew them.

Today's toys supplement the child's imagination with the software developers'. There are apps for everything, running on diminutive devices more powerful than those fridge-sized beige boxes I tended for a hundred odd scientists (some very odd) in my first real job.

Writing about tech toys in the shops this Christmas, Stuart Miles says:

"For many, the days of just building a spaceship out of Lego or playing a game of Monopoly are long gone.
Today, kids want interactive tech toys that are powered by an app or that connect to the internet. They want animals that learn and grow as you play with them, or robots that will answer back."Some toys are autonomous while others are networked - they are things.  Microphones and cameras are often built-in for interaction, and we've already seen a few news reports about them being used for snooping on families.  All fairly innocuous, so far ... but what about those high-tech toys we grownups are buying each other this year?  Some will find their way into the office, the home office at least, where snooping has different implications.]]> 2017-12-12T20:31:46+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/cq8rxLCxmmQ/nblog-december-11.html www.secnews.physaphae.fr/article.php?IdArticle=448556 False None None None NoticeBored - Experienced IT Security professional NBlog December 8 - cybersecurity awareness story-telling Despite it being more than 7 years since I drew that diagram in Visio, it immediately makes sense. It tells a story. Working clockwise from 1 o'clock, it steps through the main wireless networking technologies that were common in 2010, picking out some of the key information security concerns for each of them.  It's not hard to guess what I was thinking about.The arrows draw the reader's eye in the specified direction along each path linking together related items. Larger font, bold text and the red highlight the main elements, leading towards and emphasizing "New risks" especially. Sure enough today we have to contend with a raft of personal, local, mesh, community and wide area networks, in addition to the those shown. When the diagram was prepared, we didn't know exactly what was coming but predicted that new wireless networking technologies would present new risks. 
That's hardly ground-breaking insight, although pointing out that risks arise from the combination of threats, vulnerabilities and impacts hinted at the likelihood of changes in all three areas, a deliberate ploy to get the audience wondering about what might be coming, and hopefully thinking and planning ahead.

It's time, now, to update the diagram and adapt it to reflect the current situation for inclusion in January's awareness module. The process of updating the diagram is as valuable as the product - researching and thinking about what has changed, how things have changed, what's new in this spa

2017-12-08T10:10:13+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/1MSMMxCqhRQ/nblog-december-8-cybersecurity.html

NBlog December 7 - Santa's slaves bearing gifts

Today we went on a tiki-tour of the forest in search of a few pine saplings of just the right size, shape and density to serve as Christmas trees. Naturally, the best ones were in the brambles or on the side of a near vertical slope but, hey, that's all part of the fun.

I guess 'Web-enabled remotely-controllable LED Christmas tree lights' are The Thing this year. Ooh, the sheer luxury of being able to program an amazing light show from your mobile phone!

So what are the information risks in that scenario? Let's run through a conventional risk analysis.

THREATS

- Elves meddling with the light show, causing frustration and puzzlement.
- Pixies making the lights flash at a specific frequency known to trigger epileptic attacks.
- Naughty pixies intent on infecting mobile phones with malware, taking control of them and stealing information, via the light show app.
- Hackers using yet-another-insecure-Thing as an entry point into assorted home ... and corporate networks (because, yes, BYOD doubtless extends to someone bringing in Web-enabled lights to brighten up the office Christmas tree this year).

VULNERABILITIES

- Irresistibly sexy new high-technology stuff. Resistance is futile. Christmas is coming. Santa is king.
- Inherently insecure Things (probably ... with probability levels approaching one).
- Blind-spots towards information risk and security associated with Things, especially cheap little Things in all the shops. Who gives a stuff about cybersecurity for web-enabled Christmas tree lights? Before you read this blog, did it even occur to you as an issue? Are you still dubious about it? Read on!
- Does anyone bother security-testing them, or laying down rules about bringing them into the home

2017-12-07T11:16:01+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/m69RKWJzMh8/nblog-december-7-santas-slaves-bearing.html

NBlog December 5 - lurid headline

latest issue outlines some of the tricks used by phishers to lure their victims initially.

"It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is safe to ask why that is the case though, given how much of this email gets caught up in our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering emotional responses from targets using simple and seemingly innocuous messaging to generate any response at all. Some messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker's choosing can then be sent or the message itself can entice the target to act."

That same technique is used by advertisers over the web in the form of lurid or intriguing headlines and images, carefully crafted to get us to click the links and so dive into a rabbit warren of further items and junk, all the while being inundated with ads. You may even see the lures here or hereabouts (courtesy of Google). Once you've seen enough of them, you'll recognize the style and spot the trigger words - bizarre, trick, insane, weird, THIS and so on, essentially meaning CLICK HERE, NOW!

They are curiously attractive, almost irresistible, even though we've groped around in the rabbit warrens before and suspect or know what we're letting ourselves in for. But why is that?

'Curiously' is the key: it's our natural curiosity that leads us in. It's what led you to read this sentence. Ending the previous paragraph with a rhetorical question was my deliberate choice. Like magpies or trout chasing something shiny, I got you. You fell for it. I manipulated you. Sorry.

There are loads more examples along similar lines - random survey statistics for instance ("87% of X prone to Y") and emotive subjects ("Doctors warn Z causes cancer"). We have the newspapers to thank for the very term 'headline', not just the tabloid/gutter press ("Elvis buried on Mars") but the broadsheets and more up-market magazines and journals, even scientific papers. The vast majority of stuff we read has titles and headings, large and bold in style, both literally and figuratively. Postings on this blog all have short titles and a brief summary/description, and some of the more detailed pieces have subheadings providing structure and shortcuts for readers who lack the time or inclination to read every word ... which hints at another issue, information overload.
Today's Web is so vast that we're all sipping from the fire hose. And that

2017-12-05T08:24:37+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/3LVcWWqpfYw/nblog-december-5-lurid-headline.html

NBlog December 4 - word clouds

Today I've been hunting for word-art programs or services. We've been happily using Wordle for a good while now. It has worked well, despite a few minor niggles:

- It runs in Internet Explorer, but not Chrome;
- It creates cloud shapes, blobs not distinct shapes;
- It feeds on word lists, not URLs.

There are several alternatives. The hands image above was generated quite simply in WordArt. WordClouds is another option. There are more: Google knows where to find them. I'll be trying them out during December. The combination of words and graphics amuses me, and hopefully catches a few eyes out there too. Catching eyes and imaginations is what we do.

2017-12-04T21:33:39+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/HEb94V1XYu0/nblog-december-4-word-clouds.html

NBlog December 2 - next topic

Next up on the NoticeBored conveyor belt is an awareness module on the security aspects of BYOD and IoT.

Aside from being topical IT acronyms, both (largely) involve portable ICT devices - wireless-networked self-contained portable electronic gizmos. We've covered BYOD and IoT security before, separately, but it makes sense to put them together for a change of focus.

As things steadily proliferate, workers are increasingly likely to want to wear or bring them to work, and carry on using them.
The security implications are what we'll be exploring in the next module.

2017-12-02T18:10:22+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/gKUd6xmqVqk/nblog-december-2-next-topic.html

NBlog December 1 - social engineering module released

We close off the year with a fresh look at social engineering, always a topical issue during the holiday/new-year party season when we let our hair down. Generally speaking, we are less guarded and more vulnerable than usual to some forms of social engineering. The sheer variety of social engineering is one of the key messages in this month's awareness materials. This module concerns:

- Social engineering attacks including phishing and spear-phishing, and myriad scams, con-tricks and frauds;
- The use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineers' tradecraft;
- Significant information risks involving blended or multimode attacks and insider threats.

The NoticeBored module is designed to appeal to virtually everyone in the organization, regardless of their individual preferences and perspectives. A given individual may not value everything in the module, but hopefully there will be something that catches their attention - and that something may not even be the NoticeBored awareness materials as such, but perhaps a casual comment or oblique criticism from a peer or manager relating to the topic, which in turn was prompted by the NoticeBored content. The NoticeBored posters, for instance, are deliberately thought-provoking, puzzling even. Rather than spoon-feeding people with lots of written information, we choose striking images to express various challenging and often complex concepts visually. We hope people will notice the posters, wonder what they are on about, and maybe chat about them ... which is where the learning happens.

Explore the thinking that went into these awareness materials, and by all means tag along with us as we develop next month's module, on the NoticeBored blog.

2017-12-01T08:45:23+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/ePZODAtPK0k/nblog-december-1-social-engineering.html

NBlog November 30 - social engineering module

We've been busier than ever the past week or so, particularly with the NoticeBored materials on social engineering. It is a core topic for security awareness since workers' vigilance is the primary control, hence a lot of effort goes into preparing materials that are interesting, informing, engaging and motivational. It's benign social engineering! The materials are prepared and are in the final stage now, being proofread before being delivered to subscribers later today.

This is a bumper module with a wealth of content, most of which is brand new. I blogged previously about the A-to-Z guides on social engineering scams, con-tricks and frauds, methods and techniques, and controls and countermeasures. I'll describe the remainder of the materials soon, once everything is finished and out the door. Meanwhile, I must get on: lots to do!

2017-11-30T07:25:14+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Patn4IM7lBQ/nblog-november-30-social-engineering.html

ISO27k internal audits for small organizations

Figuring out how to organize, resource and conduct internal audits of an ISO/IEC 27001 Information Security Management System can be awkward for small organizations.

Independence is the overriding factor in auditing of all forms.
For internal auditing, it's not just a question of who the auditors report to and their freedom to 'say what needs to be said' (important though that is), but more fundamentally their mindset, experience and attitude. They need to see things with fresh eyes, pointing out and where necessary challenging management to deal with deep-seated long-term 'cultural' issues that are part of the fabric in any established organization. That's hard if they are part of the day-to-day running of the organization, fully immersed in the culture and (for managers in small organizations especially) partly responsible for the culture being the way it is. We all have our biases and blind spots, our habits and routines: a truly independent view hopefully does not - at least, not entirely the same one!

ISO/IEC 27001 recommends both management reviews and internal audits. The people you have mentioned may well be technically qualified to do both but (especially without appropriate experience/training, management support and the independent, critical perspective I've mentioned) they may not do so well at auditing as, say, consultants. The decision is a business issue for you and your management: do the benefits of having a truly independent and competent audit outweigh the additional cost? Or do you think your own people would do it well enough at lower cost?

As the customer, you get to specify exactly what you want the consultants to bid for. A very tightly scoped and focused internal audit for a relatively small and simple ISMS might only take a day or two of consulting time, keeping the costs down. On the other hand, they will be able to dig deeper and put more effort into the reporting and achieving improvements if you allow them more time for the job - again, a management decision, worth discussing with potential consultants.

One strategy you might consider is to rotate the internal audit responsibility among your own people, having different individuals perform successive audits. That way, although they are not totally independent, they do at least have the chance to bring different perspectives to areas that they would not normally get involved in. It would help to have a solid, standardized audit process though, so each of the auditors is performing and reporting the audit work in a similar way ... and to get you started and set that up, you might like to engage a consultant for the first audit, designing and documenting the audit process, providing checklist and reporting templates etc.,

2017-11-28T22:34:29+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/d6YaDTjTZfE/iso27k-internal-audits-for-small.html

NBlog November 22 - A to Z of social engineering controls

I didn't quite finish the A-to-Z on social engineering methods yesterday as planned but that's OK, it's coming along nicely and we're still on track. I found myself dipping back into the A-to-Z on scams, con-tricks and frauds for inspiration or to make little changes, and moving forward to sketch rough notes on the third and final part of our hot new security awareness trilogy: an A-to-Z on the controls and countermeasures against social engineering. Writing that is my main task for today, and all three pieces are now progressing in parallel as a coherent suite.

It's no blockbuster but I have a good feeling about this, and encouraging feedback from readers who took me up on my offer of a free copy of the first part.

Along the way, a distinctive new style and format has evolved for the A-to-Zs, using big red drop caps to emphasize the first item under each letter of the alphabet.
I've created and saved a Word template to make it easier and quicker to write A-to-Zs in future - a handy tip, that, for those of you who are singing along at home, writing your own awareness and training content.

I'd like to include some graphics and examples to illustrate them and lighten them up a bit, but with the deadline fast approaching that may have to wait until they are next updated. Getting the entire awareness module across the line by December 1st comes first, which limits the amount of tweaking time I can afford - arguably a good thing as I find this topic fascinating, and I could easily prepare much more than is strictly necessary for awareness purposes.

Aside from that, the release of an updated OWASP top 10 list of application security controls prompted me to update our information security glossary with a couple of new definitions, and a Radio NZ program about a book fair in Edinburgh (!) prompted me to explain improv sessions as a creative suggestion for the train-the-trainer guide for the social engineering module.

2017-11-22T16:30:57+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/v2WM2ROYpu0/nblog-november-22-to-z-of-social.html

NBlog November 21 - A to Z of social engineering techniques

On a roll from yesterday's A-to-Z catalog of scams, con-tricks and frauds, I'm writing another A-Z today, this time focusing on social engineering techniques and methods. Yesterday's piece was about what they do. Today's is about how they do it.

Given my background and the research we've done, it's surprisingly easy to find appropriate entries for most letters of the alphabet, albeit with a bit of creativity and lateral thinking needed for some (e.g. "Xtreme social engineering"!). That's part of the challenge of writing any A to Z listing ... and part of the allure for the reader. What will the Z entry be? As of this moment, I don't actually know but I will come up with zomething!

Both awareness pieces impress upon the reader the sheer variety of social engineering, while at the same time the alphabetical sequence provides a logical order to what would otherwise be a confusing jumble of stuff. Making people aware of the breadth and diversity of social engineering is one of the key learning objectives for December's NoticeBored module. Providing structured, useful, innovative awareness content is what we do.

We hope to leave a lasting impression that almost any social interaction or communication could be social engineering - any email or text message, any phone call or conversation, any glance or frown, any blog item (am I manipulating your thoughts? Am I persuading you to subscribe to NoticeBored? Look deeply into my eyes. Concentrate on the eyes. You are starting to feel drowsy ...)

Yes, hypnosis will make an appearance in today's A-Z. It's not entirely serious!

Tomorrow, after completing the second, I'd like to complete the set with a third piece concerning the controls against social engineering. Can we come up

2017-11-21T20:39:43+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/E-h1qi-p89M/nblog-november-21-to-z-of-social.html

NBlog November 20 - an A to Z catalog of social engineering

A productive couple of days' graft has seen what was envisaged to be a fairly short and high-level general staff awareness briefing on social engineering morph gradually into an A-to-Z list of scams, con-tricks and frauds.

It has grown to about 9 pages in the process. That may sound like a tome, over-the-top for awareness purposes ... and maybe it is, but the scams are described in an informal style in just a few lines each, making it readable and easily digestible.
The A-to-Z format leads the reader naturally through a logical sequence, perhaps skim-reading in places and hopefully stopping to think in others.

For slow/struggling readers, there are visual cues and images to catch their eyes but let's be honest: this briefing is not for them. They would benefit more from seminars, case studies, chatting with their colleagues and getting involved in other interactive activities (which we also support through our other awareness content). The NoticeBored mind maps and posters, for instance, express things visually with few words.

Taking a step back from the A-Z list, the sheer variety and creativity of scams is fascinating, and I'm not just saying that because I wrote it! That's a key security awareness lesson in itself. Social engineering is hard to pin down to a few simple characteristics, in a way that workers can be expected to recognize easily. Some social engineering methods, such as ordinary phishing, are readily explained and fairly obvious but even then there are more obscure variants (such as whaling and spear phishing) that take the technique and threat level up a gear. It's not feasible for an awareness program to explain all forms of social engineering in depth, literally impossible in fact. It's something that an intensive work or college course might attempt, perhaps, for fraud specialists who will be fully immersed in the topic, but that's fraud training, not security awareness. We can't bank on workers taking time out from their day-jobs to sit in a room, paying full attention to their lecturers and scribbling notes for hour after hour. There probably aren't 'lecturers' in practice: most of this stuff is delivered online today, pushed out impersonally through the corporate intranet and learning management systems.

Our aim is to grab workers'

2017-11-20T18:14:49+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/sT7BZ8qe3dQ/nblog-november-20-a-to-z-catalog-of.html

NBlog November 19 - IoD advises members to develop "cyber security strategy"

A report for the UK Institute of Directors by Professor Richard Benham encourages IoD members to develop "a formal cyber security strategy".

As is so often the way, 'cyber' is not explicitly defined by the authors, although it is strongly implied that the report concerns the commercial use of IT, the Internet, digital systems and computer data (as opposed to cyberwar perpetrated by well-resourced nation states - a markedly different interpretation of 'cyber' involving substantially greater threats).

A 'formal cyber security strategy' would be context dependent, reflecting the organization's business situation. That broader perspective introduces other aspects of information risk, security, governance and compliance. All relevant aspects need to be considered at the strategic level, including but not just 'cyber security'. Counteracting or balancing the desire to lock down information systems and hence data so tightly that its value to the business is squeezed out, 'cyber security strategy' should be closely aligned with, if not an integral part of, information management. For instance, it should elaborate on proactively exploiting and maximising the value of information the organization already holds or can obtain or generate, working the asset harder for more productive business purposes. In some circumstances, that means deliberately relaxing the security, consciously accepting the risks in order to gain the rewards.
I find it ironic that the professor is quoted:

"This issue must stop being treated as the domain of the IT department and be the subject of boardroom policy. Businesses need to develop a cyber security policy, educate their staff, review supplier co

2017-11-19T15:03:39+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/kkJXUz9Z9R8/iod-advises-members-to-develop-cyber.html

NBlog November 16 - color-coding awareness

Looking back, I see that I've blogged quite a few times in different contexts about color.

For example, most of the security metrics I discuss are colored, and color is one of several important factors when communicating metrics, drawing the viewer's eye towards certain aspects for emphasis. We talk of white hats and black hats, red teams and so on.

Traffic light RAG coloring (Red-Amber-Green) is more or less universally understood to represent a logical sequence of speed, intensity, threat level, concern or whatever - perhaps an over-used metaphor but effective nonetheless. Bright primary colors are commonly used on warning signs and indications, sometimes glinting or flashing for extra eye-catchiness.

Red alert is a pleonasm!

Jeff Cooper, father of the "modern technique" of handgun shooting, raised the concept of Condition White, the state of mind of someone who is totally oblivious to a serious threat to their personal safety. Cooper's Color Code is readily adapted to the information risk and security context, for example in relation to a worker's state of alertness and readiness for an impending hack, malware infectio

2017-11-16T14:51:52+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/ov6frr5FO6k/nblog-november-16-color-coding-awareness.html

NBlog November 15 - ethical social engineering for awareness

Security awareness involves persuading, influencing and you could say manipulating people to behave differently ... and so does social engineering. So could social engineering techniques be used for security awareness purposes?

The answer is a resounding yes - in fact we already do, in all sorts of ways. Take the security policies and procedures, for instance: they inform and direct people to do our bidding. We even include process controls and compliance checks to make sure things go to plan. This is manipulative.

Obviously the motivations, objectives and outcomes differ, but social engineering methods can be used ethically, beneficially and productively to achieve awareness. Exploring that idea even reveals some novel approaches that might just work, and some that are probably best avoided or reversed.

Social engineering method, technique or approach | Security awareness & training equivalents
Pretexting: fabricating plausible situations |

2017-11-15T07:10:03+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/0M6KpX10hG8/nblog-november-15-ethical-social.html

NBlog November 14 - 50 best infosec blogs

50 Best Information Security Blogs. Fantastic! Thank you, top10vpn.com ... and congrats to the other top blogs on the list, many of which I read and enjoy too.
It's humbling to be among such august company.

We update this blog frequently in connection with the security awareness materials we're preparing, on security awareness techniques in general, or on hot infosec topics of the day. Blogging helps get our thoughts in order and expand on the thinking and research that goes into the NoticeBored modules. More than just an account of what's going on, updating the blog (including this very item) is an integral part of the production process.

A perennial theme is that it's harder than it appears to do security awareness properly. Anyone can scrabble together and push out a crude mishmash of awareness content (typically stealing or plagiarizing other people's intellectual property - tut tut) but if they don't really appreciate what it all means, nor how to apply the principles of awareness, training and adult education, they are unlikely to achieve much. It's all too easy to add to the clutter and noise of modern life, more junk than mail.

Simply understanding what awareness is intended to achieve is a challenge for some! As I blogged the other day, being aware is not the ultimate goal, just another step on the journey - a crucial distinction. It could be said that this lack of understanding, rather than the usual lame excuse - lack of funds - is the main reason that security awareness programs falter or fail. I'm sure there are many other reasons too:

- Lack of creativity: people gradually tune out of dull, uninspiring approaches and come to ignore the same old same old (they get Bored of the Notices). If all the awareness program ever blabbers on about is compliance, privacy and phishing, over and over like a cracked record, don't be surprised if the audience nods off or slips quietly away for something more stimulating;
- Poor quality communications:

2017-11-14T13:22:31+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/h1MP88--AOU/nblog-november-14-50-best-infosec-blogs.html

NBlog November 13 - a rich seam

So much of human interaction involves techniques that could legitimately be called social engineering that we're spoilt for choice on the awareness front for December.

December's topic exemplifies the limitations of "cybersecurity" with its myopic focus on IT and the Internet. Social engineers bypass, undermine or totally ignore the IT route with all its tech controls, and that's partly what makes them such a formidable threat. IT may be a convenient mechanism for identifying, researching and communicating with potential victims, for putting on the appearance of legitimate, trustworthy individuals and organizations, and for administering the scams, but it's incidental to the main action: fooling the people.

Maybe it's true that you can't fool all of the people all of the time, depending on precisely what is meant by 'all'. I think it's fair to say that we are all (virtually without exception) prone, predisposed or vulnerable to social engineering of one form or another. We can't help it: social interaction is genetically programmed into us and reinforced throughout our lives from the moment we're born, or even before. Some expectant mothers report their babies respond to the music and other sounds around them. A newborn baby probably recognizes its mother's and other familiar voices and sounds immediately.
To what extent it trusts or could be fooled by them is a separate issue though!The idea that we are inherently vulnerable, while powerful, is only part of the story. We're also inherently capable of social engineering. We have the capacity, the tools and capabilities to influence and manipulate others to varying extents. Again, that newborn baby is sending out an avalanche of signals to humans in the area, from the moment of its first gasp and cry. The communications may be non-verbal but they are loud and clear!]]> 2017-11-14T09:24:29+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/BIC-wBqeuEA/nblog-november-13-rich-seam.html www.secnews.physaphae.fr/article.php?IdArticle=432286 False None None None NoticeBored - Experienced IT Security professional NBlog November 10 - one step at a time This colorful image popped onto my screen as I searched our stash of security awareness content for social engineering-related graphics. It's a simple but striking visual expression of the concept that security awareness is not the ultimate goal, but an important step on the way towards achieving a positive outcome for the organization. A major part of the art of raising awareness in any area is actively engaging with people in such a way that they think and behave differently as a result of the awareness activities. For some people, providing cold, hard, factual information may be all it takes, which even the most basic awareness programs aim to do. That's not enough for the majority though: most of us need things to be explained to us in terms that resonate and motivate us to respond in some fashion. In physical terms, we need to overcome inertia. In biology, we need to break bad habits to form better ones.Social engineering is a particular challenge for awareness since scammers, fraudsters and other social engineers actively exploit our lack of awareness or (if that fails) subvert the very security mechanisms we put in place. 
"Your password has expired: pick a new one now to avoid losing access to your account!" is a classic example used by many a phisher. It hinges on tricking victims into accepting the premise (password expired) at face value and taking the easy option, clicking a link that leads them to the phisher's lair while thinking they are going to a legitimate password-change function. Our raising awareness of the need to choose strong passwords may be counterproductive if employees unwittingly associate phishing messages with user authentication and security!

Part of our awareness approach in December's NoticeBored materials on social engineering will be to hook-in to our natural tendency to notice something amiss, something strange and different. Humans are strong at spotting patterns at a subconscious level. For instance, did you even notice the gradation from red to green on the ladder image? That was a deliberate choice in designing the image, a fairly crude and obvious example ... once it has been pointed out anyway! See if you can spot the other, more subtle visual cues (and by all means email me to see what you missed!).

Published 2017-11-10T16:37:41+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/qMI3qId4ol0/nblog-november-10-one-step-at-time.html

NBlog November 7 - pipes and bikes

It has taken several days spread over several weeks to cut back the brambles to locate the pipeline as it climbs out of the gulley where the stream flows, chainsaw the fallen firs off the line, then replace the munted (broken) bits of pipe with modern high-density polythene pressure pipe and fittings. Last evening, I was elated to hear the sound of water flowing into the stock tanks above the paddocks where the now-thirsty sheep and cattle live.
Don't tell a

Published 2017-11-07T18:38:07+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/3NjCizNS4G8/nblog-november-7-pipes-and-bikes.html

NBlog November 3 - audit sampling (LONG)

ISO27k Forum about ISO27k certification auditors checking information security controls, and a response about compliance audit requirements. It's a backgrounder, an essay or a rant if you like. Feel free to skip it, or wait until you have a spare 10 mins, a strong coffee and the urge to read and think on!]

“Sampling” is an important concept in both auditing and science. Sampling (i.e. selecting a sample of a set or population for review) is necessary because under most circumstances it is practically impossible to assess every single member – in fact it is often uncertain how many items belong to the set, where they are, what state they are in etc. There is often lots of uncertainty.

For example, imagine an auditor needs to check an organization's “information security policies” in connection with an internal audit or certification/compliance audit. Some organizations make that quite easy by having a policy library or manual or database, typically a single place on the intranet where all the official corporate policies exist and are maintained and controlled as a suite. In a large/diverse organization there may be hundreds of policies, thousands if you include procedures and guidelines and work instructions and forms and so forth. Some of them may be tagged or organized under an “information security” heading, so the auditor can simply work down that list … but almost straight away he/she will run into the issue that information security is part of information risk is part of risk, and information security management is part of risk management is part of management, hence there should be lots of cross-references to other kinds of policy.
A “privacy policy”, for instance, may well refer to policies on identification and authentication, access control, encryption etc. (within the information security domain) plus other policies in areas such as accountability, compliance, awareness and training, incident management etc. which may or may not fall outside the information security domain depending on how it is defined, plus applicable privacy-related laws and regulations, plus contracts and agreements (e.g. nondisclosure agreements) … hence the auditor could potentially end up attempting to audit the entire corporate policy suite and beyond! In practice, that's not going to happen.

Published 2017-11-03T09:35:50+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/qjlX8og15Qs/nblog-november-3-audit-sampling-long.html

NBlog November 1 - privacy & GDPR update

this time around. GDPR is a major shake-up in European privacy laws with global implications. Does your organization know what's coming? Do you understand the implications? Will you (your employees, IT systems, policies, procedures and websites) plus your suppliers and business partners, be ready by May 2018?

[Image caption: One of six new high-res poster images provided in November's NoticeBored module]

Bringing workers up to speed on privacy through awareness and training is an essential part of business for all organizations. Persuading everyone to take care of the personal information they handle means more than just informing them about their compliance obligations: they need to be sufficiently motivated to change their ways.

The break-glass poster is meant to catch the eye and make people think. It's not literal, of course, but every organization should have a suitable process in place to handle reporting of privacy breaches plus other incidents and near-misses.
Encouraging people to report issues is one of the objectives of the awareness materials. The 3-day breach reporting deadline under GDPR will be challenging even for organizations that have a strong approach to privacy. For those with low awareness, it may prove impossible.

Taking that idea a step further, in addition to poster graphics, NoticeBored subscribers have the benefit of seminar slide-decks and briefings, FAQs, policy and procedure templates and the usual range of goodies designed to make it easy to raise awareness in this important area. It's basically a privacy and GDPR awareness kit.

So what about you? What are you doing in the way of awareness on privacy, GDPR and compliance? If awareness is just another thing on your lengthy to-do list, get in touch, preferably well before May 25th 2018 - urgently if your organization is blissfully unaware of what's coming. Management-level awareness is the key to making stuff happen. Let us help you with that.

Published 2017-11-02T10:01:10+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/V_TiUPvJims/nblog-november-1-privacy-gdpr-update.html

NBlog October 31 - spooky happenings in NZ

Last night as darkness draped itself across the IsecT office, an eerie silence descended. No more tippy tappy on the keyboards, the writing finished, our job almost done for another month - the end of another chapter. A fantastic horror/thriller on the movie channel delivered the perfect stress antidote, a different kind of tension entirely. More poppycock than Hitchcock but fun nevertheless.

Today we've packaged up November's privacy awareness materials, just under 100 megs of it, ready to deliver to our subscribers, and updated the website with details of the new module. My energy sapped, even strong coffee has lost its potency. It's time for a break!
I'll have a bit more to say about the module tomorrow, if I evade the demons and survive the night that is.

Published 2017-10-31T13:48:56+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/CuxNqu7fR8Y/nblog-october-31-spooky-happenings-in-nz.html

NBlog October 30 - polish til it gleams

Today we're busy finalizing the privacy awareness materials for delivery to subscribers imminently. It is always a bit fraught at this time of the month as the deadline looms but things are going well this time around - no IT hardware failures or other crises at least. The new materials are proofread and gleaming, ready to package up and upload as soon as the poster graphics come in. I even managed a few hours off yesterday to visit friends at the radio club. Luxury!

We'll have a bit of a break before starting the next awareness module on social engineering, long enough hopefully to repair a broken pipe supplying water for the animals. I've been patiently chainsawing fallen pine trees out of the way for some while now, finding three breaks in the pipe so far. The stock water tanks have nearly run dry so it's a priority to fix the breaks, pump the water and finish the job. Our contingency plans involve carting water around in portable containers or getting a tanker delivery direct to the tanks, not exactly ideal with temperatures starting to climb towards summer, and a pregnant 'house cow' due to give birth any day now.

We'll update the NoticeBored website soon too with details of the privacy module, taking the opportunity to make a few other changes while we're at it. I need to update ISO27001security.com as well, incorporating some additional materials kindly donated for the ISO27k Toolkit.
It's all systems go here!

Published 2017-10-30T15:59:25+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/0VkLexeYe50/nblog-october-30-polish-til-it-gleams.html

NBlog October 29 - peddling personal data

Earlier this month, I blogged about personal data being valuable and hence worth protecting like any asset. But what about commercial exploitation such as selling it to third parties? Is that OK too?

Some companies find it perfectly acceptable to hoover up all the personal information they can to use or sell to third parties, whereas others take a more conservative and (to my mind) ethical position, limiting personal data collection, using it for necessary internal business activities and refusing to sell or disclose it further (not even to the authorities in the case of Apple). The EU position on this is clear: personal information belongs to the people, not the corporations. Since privacy is a fundamental human right, people must retain control over their personal information, including the ability to limit its collection, accuracy, use and disclosure. The US position is ambiguous, at best. Efforts to tighten up US laws around privacy and surveillance have been lackluster so far, often being stalled or knocked back by those same tech companies that are busy profiting from personal information, or by the spooks.

With the battle lines drawn up, once GDPR comes into effect next May the charge is on. Privacy and unrestricted commercial exploitation of personal information are essentially incompatible, so something has to give. We've already witnessed the failure of a half-baked attempt at self-regulation (Safe Harbor) and it seems Privacy Shield is also faltering. What next?

One possibility is a commercial response, where organizations increasingly decline doing business with US corporations that openly exploit and fail to protect personal information.
That, coupled with the massive fines under GDPR, might finally drive home the message where it hurts them most: the bottom line. As Rana Foroohar from the Financial Times puts it "Privacy is a competitive advantage. Technology co

Published 2017-10-29T11:54:31+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/ADpSxBANDdg/nblog-october-29-peddling-personal-data.html

NBlog October 27 - Equifax cultural issues

Motherboard reveals a catalog of issues and failings within Equifax that seem likely to have contributed to, or patently failed to prevent, May's breach of sensitive personal information on over 145 million Americans, almost half the population.

Although we'll be using the Equifax breach to illustrate November's awareness materials on privacy, we could equally have used them in this month's module on security culture since, according to BoingBoing:

"Motherboard's Lorenzo Franceschi-Bicchierai spoke to several Equifax sources who described a culture of IT negligence and neglect, in which security audits and warnings were routinely disregarded, and where IT staff were unable to believe that their employers were so cavalier with the sensitive data the company had amassed."

'A culture of IT negligence and neglect' is almost the opposite of a security culture, more of a toxic culture you could say. Workers who simply don't give a stuff about information security or privacy are hardly likely to lift a finger if someone reports issues to them, especially if (as seems likely) senior managers are complicit, perhaps even the source of the toxin.
Their lack of support, leadership, prioritization and resourcing for the activities necessary to identify and address information risks makes it hard for professionals, staff members and even management

Published 2017-10-27T15:57:11+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/99HkfmTAlqc/nblog-october-27-equifax-cultural-issues.html

NBlog October 20 - privacy & personal choice

Control is at the core of privacy - not just information security controls but a person's control over personal information about themselves, and their self-control. It's fundamentally a matter of choice, whether or not to disclose our personal information, when, to whom, and how it is to be used and secured ... which presents a conundrum for those of us who choose to use social media, cellphones, email, the web and so on - the chattering classes.

Every time I update this very blog (and sometimes even when I don't!), I'm revealing a bit more about myself. As with my body language, the way I express things may be as telling as the literal content. In the midst of writing the security awareness materials on privacy, I'm especially conscious of that aspect right now so I'm being extra careful about what I say here and (to some extent) how I say it ... but I'm only human. There are limits to my ability to control myself. Those of you who have been tracking and reading this blog for a while now could probably identify my style of writing, pointing out characteristics that have caught your eye, both good points and bad. I'm talking (well writing!)
about metadata gleaned from this blog and perhaps other sources that tells you it's probably me at the keyboard - things such as:

- My choice of language, vocabulary and grammar, doubtless including spelling and grammatical errors, inconsistencies and quirks some of which I am probably not aware of, and others perhaps deliberate;
- My phrasing, sentence and paragraph structure, sentence length, word length;
- My use of punctuation, parenthesis, ellipses, bullet points, CaPiTaLs, abbreviations etc. (and, yes, italicising non-English words and abbreviations is a habit I picked up decades ago in the science labs);
- The way I quote, cite and reference sources, paying respect to those whose efforts I draw upon (the scientific approach, again);
- Idioms and turns-of-phrase, ways of expressing things that hint at my cultural background and gram

Published 2017-10-20T21:01:04+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/1fLOMiaUGnM/nblog-october-20-privacy-personal-choice.html

NBlog October 16 - is privacy a lost cause?

Today I've been thinking and writing about privacy risks, comparing the differing perspectives of individual people and organizations.

Something that stands out from the risk analysis is that, despite journalists, authorities, privacy pro's and victims being aghast when privacy breaches occur, we all gladly accept significant privacy risks as a matter of course. In a few cases (e.g. tax), we have virtually no choice in the matter, but mostly we choose to share our personal information, trusting that the recipients will protect it on our behalf.

To be honest, privacy doesn't even enter our minds most of the time.
It doesn't occur to us, because of our blasé attitudes.

Admittedly, it would take extreme measures to be reasonably assured of complete privacy, and even then there would still be risks: consider people in 'witness protection schemes' for example, or moles, spies, criminals and terrorists doing their level best to remain anonymous, below the radar. We know they don't always succeed.

Extremists aside, ordinary people like you and me mostly pay scant attention to our privacy. We use the Internet, and cellphones, and all manner of government and commercial services either under our own names, or with superficial efforts to conceal our identities. We share or post selfies online, email and text others, and wander about in public spaces under the full gaze of myriad CCTV cameras. We use our credit and debit cards to buy stuff, register for various services, and generally anticipate nothing untoward ... which in turn places even more pressure on the organizations and individuals to whom we disclose our personal information, hence the reason that privacy laws such as GDPR are so important in a societal sense.

Attitudes have changed markedly within a generation or three. Way back when I was a naive young lad, the very concept of taking, let alone sharing explicit selfies was alien to me. Porn was available, of course, but access was discreet, guilt-ridden and exceptional, despite the raging hormones.
As Victorian values have relaxed, we've been through "free love", page 3 girls, Hugh Hefner, tolerated or legalized prostitution, gay rights and other largely sexual revolutions - in most Western nations anyway: clearly there are cultural discrepancies with distinct differences of opinion o

Published 2017-10-16T18:37:18+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/A1qbD7oQd6Q/nblog-october-16-is-privacy-lost-cause.html

NBlog October 14 - a different tack

There are several good reasons for protecting personal information, of which compliance with privacy laws and regulations is just one.

For example, personal information can be extremely valuable in its own right - a business asset in fact. Consider the adverse consequences of personal information being lost or corrupted, perhaps the result of a system/hardware failure, a software bug, an inept or malicious system administrator, malware, ransomware or ... well, anything that can damage/destroy or deny legitimate access to information could of course affect personal information. In a sense, it is "just" information.

At the same time, its commercial value is strongly linked to its confidentiality. This is why we are invited to pay $thousands for various mailing lists, offers which we either ignore or robustly decline since we are strongly ethical and most certainly not spammers! It's why sales professionals jealously guard their personal contacts. They are truly concerned about identity theft, as opposed to identity fraud.

Treating personal information as a business asset worth protecting and exploiting puts an unusual slant on privacy. In particular, it emphasizes the commercial value of controls securing personal information, beyond the begrudging 'avoidance of fines' angle.
It's also, I believe, a way to increase the pressure on senior management to do what needs to be done in order to secure personal information, even if they are not that fussed about privacy laws - a carrot-and-stick approach.

We'll expand on this and other good reasons to take privacy seriously in November's awareness module.

Published 2017-10-14T09:00:24+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/_25PNt46UkM/nblog-october-14-different-tack.html

NBlog October 13 - data breach reality check

Business Continuity Institute's Horizon Scan 2017 report.

The report's headline data come from a survey of 666 business continuity and risk management professionals from Europe and North America (mostly), concerning their perceptions about threats and incidents ... and immediately a few issues spring out at me.

First of all, the survey population is naturally biased given their field of expertise: although sizable, this was clearly not a random sample. As with all professionals, they probably overemphasize the things that matter most to them, meaning serious incidents that actually or are believed to threaten to disrupt their organizations. It's no surprise at all that 88% of BC pro's are concerned or extremely concerned about "cyber attack" - if anything, I wonder what planet the remaining 12% inhabit! On the other hand, BC pro's ought to know what they are talking about, so their opinions are credible ... just not as much as hard, factual data concerning the actual incidents.

On that score, this year's report provides information on actual incidents:

"A new metric introduced in the BCI Horizon Scan Report measures actual disruption levels caused by the threats listed in figure 1 in order to provide a comparison against organizations' concerns.
Figure 2 shows a contrast between the levels of disruption caused by a particular threat and how concerned an organization is about it. The study shows the actual causes of business disruption slightly differ from the threats practitioners list as significant concerns. The top causes of business disruption according to the same respondents include unplanned IT and telecommunications outages (72%), adverse weather (43%), interruption to utility supply (40%), cyber attacks (35%) and security incidents (24%)."

The discrepancy between BC pros' perceptions and reality is quite marked. I'll come back to that in a moment.

Second, the way incidents (and/or threats - the report is somewhat ambiguous over the difference) are described puzzles me. Here are the top 7, ranked according to the proportion of respondents who claimed to be "extremely concerned":

- Cyber attack (e.g. malware, denial of service)
- Data breach (i.e. loss or theft of confidential information)
- Unplanned IT and telecom outages
- Security incident (e.g. vandalism, theft, fraud, protest)

Published 2017-10-13T10:09:20+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/_cqEfgwUXNU/nblog-october-13-data-breach-reality.html

NBlog October 7 - privacy update

This month we are updating the privacy awareness module for delivery in November, with a particular focus on GDPR just six months away. By the time it comes into force in May 2018, compliance with the EU General Data Protection Regulation will be a strategic objective for most organizations, thanks to the potential for massive fines and adverse publicity for any who are caught in contravention. Provided they are aware of it, we believe managers will welcome assurance either that everything is on track to make the organization compliant by the deadline, or that GDPR is definitely not applicable to them.
Our job is to make managers aware of GDPR, emphasizing the governance and compliance plus information risk and security management aspects - updating corporate privacy policies for example, and ensuring that suppliers and business partners are on-track as well as the organization itself. If cloud service providers were struggling to meet the compliance deadline, for instance, there would be implications for their customers - another thing for management to consider. A GDPR compliance checklist would therefore be a worthwhile and timely addition to the NoticeBored materials.

The task of achieving GDPR compliance largely falls to IT and compliance specialists. Our awareness objectives for that audience are more tactical in nature, relating to project management, technical challenges and change management. The compliance checklist may help them consider the compliance project status from management's perspective, perhaps re-prioritizing and re-energizing the remaining activities.

For the general worker awareness audience, we plan to tackle the personal angle, addressing rhetorical questions such as "What's all the fuss?", "What's GDPR?" and "What's in it for me?" ... suggesting three awareness posters similar to the one above. We'll be developing those and other ideas into a brief for the graphics team this weekend.

GD

Published 2017-10-07T07:37:18+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/mYMU9Ag_HNg/nblog-october-7-privacy-update.html

NBlog October 2 - a 2-phase approach to bolster the security culture

We've just updated the NoticeBored website to describe the new awareness module on security culture and delivered the latest batch of security awareness materials to subscribers.

Culture is a nebulous, hand-waving concept, hard to pin down and yet an important, far-reaching factor in any organization.
The new module (the 63rd topic in our bulging security awareness portfolio) is essentially a recruitment drive, aimed at persuading workers to join and become integral parts of the Information Security function. The basic idea is straightforward in theory but in practice it is a challenge to get people to sit up and take notice, then to change their attitudes and behaviors. During September, we developed a two-phased approach:

Strong leadership is critically important which means first convincing management (all the way up to the exec team and Board) that they are the lynch-pins. In setting the tone at the top, the way managers treat information risk, security, privacy, compliance and related issues has a marked effect on the entire organization. Their leverage is enormous, with the potential to enable or undermine the entire approach, as illustrated by the Enron, Sony and Equifax incidents.

With management support in the bag, the next task is to persuade workers in general to participate actively in the organization's information security arrangements. Aside from directly appealing to staff on a personal level, we enlist the help of professionals and specialists since they too are a powerful influence on the organization - including management.

October's awareness materials follow hot on the heels of the revised Information Security 101 module delivered in September. That set the scene, positioning information security as an essential part of modern business. Future modules will expand on different aspects, each one reinforcing the fundamentals ...
which is part of the process of enhancing the security cu

Published 2017-10-02T10:51:19+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/yjh0ibrM7ck/nblog-october-2-2-phase-approach-to.html

NBlog October 1 - security culture module

Well, despite Finagle's Law, we've limped home over the finishing line. Another tidy stack of NoticeBored security awareness content is packaged up and will shortly be ready for our subscribers to download, customize and deploy.

'Security culture' is the 63rd awareness topic we've covered, among the most challenging module to develop and yet also the most rewarding: it's clear, in retrospect, what an important topic this is for any organization that takes information security seriously enough to run an awareness program. In short, there is no better mechanism than an effective security awareness program with which to foster a security culture. How on Earth have we ducked the issue for so long? Perhaps it's a maturity thing. Perhaps it's cultural: we are forging new paths, heading way off the track well-beaten by more conventional security awareness programs. Just in case you missed it, there's so much more to security awareness than phishing!

I pity organizations that rely solely on their security and privacy policies. 'Laying down the law' is undoubtedly an important part of the process, necessary but not sufficient. If it were, speed limit signs coupled with the threat of prosecution would have long since curbed driving incidents: we'd be left dealing with genuine accidents, mechanical failures and so forth, but excess speed would hardly ever be an issue. Patently, it is not ... and that's despite the parallel investment in awareness, training and education.
It doesn't take much to imagine the carnage on our roads if 'laying down the law' was all that happened.

Published 2017-10-01T20:32:41+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/_6GRDuGPYlw/nblog-october-1-security-culture-module.html

NBlog September 30 - complying with Finagle's Law

Finagle's law elaborates on Sod's law: not only will anything that can go wrong, go wrong, but it will do so at the worst possible time.

With our self-imposed end of month deadline fast approaching, October's awareness module was close to being completed ... until a hardware failure caused a day's delay. A solid state disk drive gave up the ghost without warning last night. Naturally being highly security-aware we have backups, lots of backups, but rebuilding/restoring the system on a new disk inevitably takes time. Bang went my Saturday!

October's module is entirely new, being a new awareness topic for us, so it has taken longer than normal to prepare the module, leaving little slack in our schedule. Such is life. So, tomorrow I'll be slogging through what remains of the weekend, doing my level best to catch up and complete the materials for delivery on Monday, hopefully.

On the upside, our backups worked! We had enough spare hardware to survive this incident with relatively little impact except a day's lost work and elevated stress levels. An unplanned business continuity exercise.

Published 2017-09-30T22:12:42+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/xaLOUC287Aw/nblog-september-30-complying-with.html

NBlog September 29 - strategic alignment

On the ISO27k Forum this morning, a member from a financial services company asked for some advice on aligning IT and Security with overall corporate/business strategies.
He said, in part:

"Organizational level strategic plan, covering its core business, has been derived. And it includes what is expected from Technology and Security departments, i.e. to keep customers, shareholders happy and to provide safe and secure technology services. [I need] to prepare a strategic plan decoded from organization's strategy, specifically for Technology and Security department, with goals, objectives, principles etc. So for achieving this, my approach is to understand each business strategy and determine the possible ways that Technology and Security team can help it. Business strategy -> Technology strategy -> Security Strategy"

I strongly support the idea of explicitly linking 'our stuff' with corporate/business strategies (plus initiatives, projects and policies) but 'our stuff' is more than just technology security, or IT security, or cybersecurity, or data security ... I encourage everyone to refer to information risk, defined as 'risk pertaining to information', an all-encompassing term for what we are managing and doing. Especially in the strategic context, we should all be thinking beyond securing bits and bytes.

[The mere fact that they have a department, team or whatever named "Security" that he and presumably others consider a part of, if not very closely tied to, "Technology", strongly suggests a very IT-centric view in the organization. To me, there's the merest whiff of a governance issue there: treating this as 'IT's problem', with the emphasis on security (as in controls, restrictions and prohibitions, as much as protection and safety) is a common but, in my view, sadly misguided and outdated approach - a widespread cultural issue in fact.]

Identifying information risk aspects of the corporate strategies is a creative risk assessment activity.
In stark contrast to financial risks, information risks tend to be largely unstated, if not unrecognized, at that level but can generally be teased out from the assumptions (both explicit and implicit). For instance, if a business strategy talks about "Expanding into a new market", consider what that actually means and how it will be achieved, then examine each of those proposed activities f

2017-09-29T13:04:05+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/Mo0Ap-nM2G8/nblog-september-29-strategic-alignment.html
www.secnews.physaphae.fr/article.php?IdArticle=413299

NBlog September 28 - safe & secure

The Coming Software Apocalypse is a long, well-written article about the growing difficulties of coding extremely complex modern software systems. With something in the order of 30 to 100 million lines of program code controlling fly-by-wire planes and cars, these are way too large and complicated for even gifted programmers to master single-handedly, while inadequate specifications, resource constraints, tight/unrealistic delivery deadlines, laziness/corner-cutting, bloat, cloud, teamwork, compliance assessments plus airtight change controls, and integrated development environments can make matters worse.

Author James Somers spins the article around a central point. The coding part of software development is a tough intellectual challenge: programmers write programs telling computers to do stuff, leaving them divorced from the stuff - the business end of their efforts - by several intervening, dynamic and interactive layers of complexity. Since there's only so much they can do to ensure everything goes to plan, they largely rely on the integrity and function of those other layers ...
and yet despite being pieces of a bigger puzzle, they may be held to account for the end result in its entirety.

As if that's not bad enough already, the human beings who actually use, manage, hack and secure IT systems present further challenges. We're even harder to predict and control than computers, some quite deliberately so! From the information risk and security perspective, complexity is our kryptonite, our Achilles heel.

Author James Somers brings up numerous safety-related software/system incidents, many of which I have seen discussed on the excellent RISKS List. Design flaws and bugs in software controlling medical and transportation systems are recurrent topics on RISKS, due to the obvious (and not so obvious!) health and safety implications of, say, autonomous trains and cars.

All of this has set me thinking about 'safety' as a future awareness topic for NoticeBored, given the implications for all three of our target audiences:

- Workers in general increasingly rely on IT systems for safety-critical activities. It won't be hard to think up everyday examples - in fact it might be tough to focus on just a few!
- With a bit of prompting, manager

2017-09-28T13:46:22+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/BGqwfkmIlxs/nblog-september-28-safe-secure.html
www.secnews.physaphae.fr/article.php?IdArticle=412870

NBlog September 27 - compliance culture

A discussion thread on CISSPforum about the security consequences of (some) software developers taking the easy option by grabbing code snippets off the Web rather than figuring things out for themselves (making sure they are appropriate and, of course, secure) set me thinking about human nature. We're all prone to 'taking the easy option'. You could say humans, and in fact all animals, are inherently lazy.
Given the choice, we are inclined to cut corners and do the least amount possible, making this the default approach in almost all circumstances. We'd rather conserve our energy for more important things such as feeding and procreating.

Yesterday, Deborah mentioned being parked at a junction in town near a one-way side road. In the few minutes she was there, she saw at least 3 cars disregard the no-entry signs, breaking the law rather than driving around the block to enter the side road from the proper direction. Sure they saved themselves a minute or so, but at what cost? Aside from the possibility of being fined, apparently there's a school just along the side road. It's not hard to imagine kids, teachers and parents rushing out of school in a bit of a hurry to get home, looking 'up the road' for oncoming vehicles and not bothering to look 'down the road' (yes, they take the easy option too).

The same issue occurs often in information security. 'Doing the right thing' involves people minimizing risks to protect information, but there's a cost. It takes additional time and effort, compared to corner-cutting. Recognizing that there is a right and a wrong way is a starting point - easy enough when there are bloody great "No entry" signs on the road, or with assorted warning messages, bleeps, popup alerts and so forth when the computer spots something risky such as a possible phishing message. Informing people about risks and rules is part of security awareness, but it's not enough. We also need to persuade them to act appropriately, making the effort that it takes not to cut the corner.

You may think this is a purely personal matter: some people are naturally compliant law-abiding citizens, others are naturally averse to rules (sometimes on principle!), with a large swathe in the middle who are ambiguous or inconsistent, some plain ignorant or careless.
How they react depends partly on the particular circumstances, including their past experience in similar situations ... which hints at another aspect of security awareness, namely the educational value of describing situations, explaining the consequences of different courses of action, guid

2017-09-27T13:08:17+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/ARJBMBTJWqU/nblog-september-27-compliance-culture.html
www.secnews.physaphae.fr/article.php?IdArticle=412461

NBlog September 24 - five-step bulletproofing?

5 ways to create a bulletproof security culture by Brian Stafford. Brian's 5 ways are, roughly:

Get Back to Basics - address human behaviors including errors. Fair enough. The NoticeBored InfoSec 101 awareness module we updated last month is precisely for a back-to-basics approach, including fundamental concepts, attitudes and behaviors.

Reinvent the Org Chart - have the CISO report to the CEO. Brian doesn't explain why but it's pretty obvious, especially if you accept that the organization's culture is like a cloak that covers everyone, and strong leadership is the primary way of influencing it. The reporting relationship is only part of the issue though: proper governance is a bigger consideration, for example aligning the management of information risks and assets with that for other kinds of risk and asset. Also security metrics - a gaping hole in the governance of most organizations.

Invest in Education - "Any company that seeks to have a strong security culture must not only offer robust trainings to all employees - including the c-suite - but also encourage professional development opportunities tailored to their unique focus areas." Awareness, training and education go hand-in-hand: they are complementary.

Incentivize & Reward Wanted Behavior e.g. by career advancement options.
Again, the InfoSec 101 module proposes a structured gold-silver-bronze approach to rewards and incentives, and I've discussed the idea here on the blog several times. Compliance reinforcement through rewards and encouragement is far more positive and motivational than the negative compliance enforcement approach through pressure, penalties and grief. Penalties may still be necessary but as a last resort rather than the default option.

Apply the Right Technology - hmm, an important consideration, for sure, although I'm not sure what this has to do with security culture. I guess I would say that technical controls need to work in concert with non-tech controls, and the selection, operation, use and management of all kinds of control is itself largely a human activity. The fact that Brian included this as one of his 5 ways betrays the widespread bias towards technology and cybersecurity. I'd go so far as to call it myopic.

Personally, and despite

2017-09-25T15:51:23+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/u0XSphLPuS4/nblog-september-24-five-step.html
www.secnews.physaphae.fr/article.php?IdArticle=411410

NBlog September 23 - security culture sit rep

October's awareness module is gradually taking shape. The management and professionals' seminar slide decks and notes are about 80% done. They're quite intense, earnest and rather dull though, so we need something inspiring to liven things up a bit. More thinking and digging around required yet.

Meanwhile, the staff/general materials are coming along too.
The next 7 days will be busy, systematically writing, revising, aligning and polishing the content until it gleams and glints in the sun - talking of which, we set the clocks forward an hour tonight for summer time: it has been a long, wet NZ Winter this year.

2017-09-23T18:02:02+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/cgM1rHSp4nQ/nblog-september-23-security-culture-sit.html
www.secnews.physaphae.fr/article.php?IdArticle=411411

NBlog September 22 - cultured security

Aside from concerning the attitudes and values shared within groups, or its use in microbiology (!), there's another meaning of 'culture' relating to being suave and sophisticated. In the information risk and security context, it's about both being and appearing professional, exuding competence and quality - and that can be quite important if you consider the alternative. Given the choice, would you be happy interacting and doing business with an organization that is, or appears to be, uncultured - crude, slapdash, unreliable etc.? Or would you be somewhat reluctant to trust them?

There are some obvious examples in the news headlines most weeks: any organization that suffers a major privacy breach, hack, ransomware or other incident comes across as a victim and arguably perhaps culpable for the situation. It's hardly a glowing endorsement of their information risk, security, privacy and compliance arrangements! Contrast their position against the majority of organizations, particularly the banks that exude trustworthiness. Corporate cultures, brands and reputations are bound strongly together.

The two meanings of 'culture' are linked in the sense that the overall impression an organization portrays is the combination of many individual factors or elements.
Through marketing, advertising and promotions, public relations, social media etc., management naturally strives to present a polished, impressive, business-like, trustworthy external corporate image, but has limited control over all the day-to-day goings on. Myriad interactions between workers and the outside world are largely independent, driven by the individuals, individually, and by the corporate culture as a whole.

Management may try to control the latter, espousing 'corporate values' through motivational speeches and posters, but in most organizations it's like herding cats or plaiting fog. Much like managing change, managing the corporate culture is a tough challenge in practice. Realistically, the best management can hope for is to influence things in the right direction, perhaps rounding-off the sharpest corners and presenting a more consistently positive front.

2017-09-22T08:59:43+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/UIQYEOhQLbc/nblog-september-22-cultured-security.html
www.secnews.physaphae.fr/article.php?IdArticle=410792

NBlog September 20 - Phishing awareness & cultural change

This plopped into my inbox last evening at about 8pm, when both ANZ customers and the ANZ fraud and security pros are mostly off-guard, relaxing at home. It's clearly a phishing attack, obvious for all sorts of reasons (e.g. the spelling and grammatical errors, the spurious justification and call to action, the non-ANZ hyperlink, oh and the fact that I don't have an ANZ account!)
- obvious to me, anyway, and I hope obvious to ANZ customers, assuming they are sufficiently security-aware to spot the clues.

I guess the phishers are either hoping to trick victims into disclosing their ANZ credentials directly, or persuade them to reveal enough that they can trick the bank into accepting a change of the mobile phone number presumably being used for two-factor authentication, or for password resets.

Right now (8 am, 12 hours after the attack) I can't see this particular attack mentioned explicitly on the ANZ site, although there is some basic guidance on "hoax messages" with a few other phishing examples. The warnings and advice are not exactly prominent, however, so you need to go digging to find the information, which means you need to be alert and concerned enough in the first place, which implies a level of awareness - a classic chicken-and-egg situation. I presume ANZ has other security awareness materials, advisories and reminders for customers. If not, perhaps we can help!

Aside from the authentication and fraud angle, I'm interested in the cultural aspects. Down here in NZ, people generally seem to be quite honest and trusting: it's a charming feature of the friendly and welcoming Pacific culture that pervades our lives. Given its size and history, things may be different in Australia - I don't know. But I do know that phishing and other forms of fraud are problematic in NZ. The Pacific culture is changing, becoming more careful as a result of these and other scams, but very slowly. Increasing distrust and cynicism seems likely to knock the corners off the charm that I mentioned, with adverse implications for tourism and commerce - in other words cultural changes can create as well as solve problems. The same issue applies within organizations: pushing security awareness will lead (eventually, if sustained) to changes in the corporate culture, only some of which are beneficial.
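The tells listed at the top of this post (the non-ANZ hyperlink, the spurious justification and call to action, the sloppy spelling) can be checked mechanically as well as by eye. What follows is an added example written for this page, not code or data from the original post: a small Python checker run over a constructed message in the same style. The brand domain 'examplebank.co.nz', the sender address and every URL in the sample are made up stand-ins, not the bank's real addresses.

```python
"""Mechanical check for the phishing tells discussed above: links to hosts the
brand does not own, link text that names one host while the href goes to
another, look-alike hostnames that embed the brand name, and pressure language.
Added example for this page; the message, domains and URLs below are constructed."""
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAIN = "examplebank.co.nz"   # hypothetical stand-in for the bank's real domain

# Phrases typical of the "spurious justification and call to action".
URGENCY = ("suspend", "urgent", "immediately", "verify", "within 24 hours",
           "unusual activity", "your account will be")


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare 'www.' string; '' if none."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_brand_host(host, brand=BRAND_DOMAIN):
    """True only for the brand domain itself or a real subdomain of it;
    'examplebank.co.nz.evil.example' and 'notexamplebank.co.nz' both fail."""
    return host == brand or host.endswith("." + brand)


def analyse_message(raw, brand=BRAND_DOMAIN):
    """Return human-readable findings for a raw RFC 5322 message; [] if none."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    findings = []

    parser = _Anchors()
    parser.feed(html)
    for href, text in parser.links:
        host = host_of(href)
        if not is_brand_host(host, brand):
            findings.append(f"link to non-brand host: {host}")
            if brand.split(".")[0] in host:      # brand name inside a host we do not own
                findings.append(f"look-alike host contains brand name: {host}")
        # Visible text that looks like a URL but names a different host than the href.
        shown = host_of(text) if re.match(r"^(https?://|www\.)", text, re.I) else ""
        if shown and shown != host:
            findings.append(f"link text says {shown} but href goes to {host}")

    plain = re.sub(r"<[^>]+>", " ", html).lower()
    hits = [w for w in URGENCY if w in plain]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample in the style of the message described in the post.
SAMPLE = b"""From: "ExampleBank Security" <alerts@examplebank-secure.example>
To: customer@example.org
Subject: Unusual activity on you account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer, we has detected unusual activity. Your account will be
suspend unless you verify within 24 hours.</p>
<p><a href="http://examplebank.co.nz.login-check.example/verify">
www.examplebank.co.nz</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse_message(SAMPLE):
        print("-", finding)
```

The host-ownership test is the one that matters: a link is fine only if its host is the brand domain or a genuine subdomain of it, which is why 'examplebank.co.nz.login-check.example' fails even though it starts with the bank's name. The look-alike and pressure-language checks are crude keyword heuristics that will also fire on some legitimate mail, so they are best treated as supporting evidence rather than verdicts.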
It's possible to be too security-conscious, too risk-averse, to the point that it interferes with business. October's awareness seminar and briefings for management will discuss a strategic approach ai

2017-09-20T08:27:57+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/1v0znioAgjk/nblog-september-20-phishing-awareness.html
www.secnews.physaphae.fr/article.php?IdArticle=409839

NBlog September 19 - what is 'security culture'?

For some while now, I've been contemplating what security culture actually means, in practice. Thinking back to the organizations in which I have worked, they have all had it to some extent (otherwise they probably wouldn't have employed someone like me!) but there were differences in the cultures. What were they?

Weaknesses in corporate security cultures are also evident in organizations that end up on the 6 o'clock news as a result of security and privacy incidents. In the extreme, the marked absence of a security culture implies more than just casual risk-taking. There's a reckless air to them with people (including management - in fact managers in particular) deliberately doing things they know they shouldn't, not just bending the rules and pushing the boundaries of acceptable behavior but, in some cases, breaking laws and regulations. That's an insecurity culture!

The strength of the security culture is a relative rather than absolute measure: it's a matter of degree. So, with my metrics hat on, what are the measurable characteristics? How would we go about measuring them? What are the scales?
What's important to the organization in this domain?

A notable feature of organizations with relatively strong security cultures is that information security is an endemic part of the business - neither ignored nor treated as something special, an optional extra tacked-on the side (suggesting that 'information risk and security integration' might be one of those measurable characteristics). When IT systems and business processes are changed, for instance, the information risk, security and related aspects are naturally taken into account almost without being pushed by management. On a broader front, there's a general expectation that things will be done properly. By default, workers generally act in the organization's best interests, doing the right thing normally without even being asked. Information security is integral to the organization's approach, alongside other considerations and approaches such as quality, efficiency, ethics, compliance and ... well ... maturity.

Maturity hints at a journey, a sequence of stages that organizations go through as their security culture emerges and grows stronger. That's what October's

2017-09-19T07:01:06+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/NPF1nW0vA20/nblog-september-19-what-is-security.html
www.secnews.physaphae.fr/article.php?IdArticle=409415

NBlog September 15 - symbolic security

An article bemoaning the lack of an iconic image for the field of "risk management" (e.g. the insurance industry) applies to information risk and security as well. We don't really have one either. Well maybe we do: there are padlocks, chains and keys, hackers in hoodies and those Anonymous facemasks a-plenty (a minute's image-Googling easily demonstrates that). Trouble is that the common images tend to emphasize threats and controls, constraints and costs. All very negative. A big downer.

Information risk and security may never be soft and cuddly ...
but I'm sure we can do more to distance ourselves from the usual negative imagery and perceptions. I really like the idea of information security being an enabler, allowing the organization to do stuff (business!) that would otherwise be too risky. So I'll be spending idle moments at the weekend thinking how to sum that concept up in an iconic image. Preferably something pink and fluffy, with no threatening overtones.

2017-09-15T14:13:45+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/N4dfrXZwoZo/nblog-september-15-symbolic-security.html
www.secnews.physaphae.fr/article.php?IdArticle=409081

NBlog September 13 - surveying the corporate security culture

Inspired perhaps by yesterday's blog about the Security Culture Framework, today we have been busy on a security culture survey, metrics being the first stage of the SCF. We've designed a disarmingly straightforward single-sided form posing just a few simple but carefully-crafted questions around the corporate security culture. Despite its apparent simplicity, the survey form is quite complex with several distinct but related purposes or objectives:

Although the form is being prepared as an MS Word document with the intention of being self-completed on paper by respondents (primarily general staff), the form could just as easily be used for an online survey on the corporate intranet, a survey app, or a facilitated survey (like shoppers being stopped in the shopping mall by friendly people with clipboards ... and free product samples to give away).

The survey form is of course part of our security awareness product, linking-in with and supporting the other awareness content in October's module on 'security culture', and more broadly with the ongoing awareness program. The style and format of the form should be instantly familiar to anyone who has seen our awareness materials.
A short introduction on the form succinctly explains what 'security culture' means and why it is of concern and value to the organization, hence why the survey is being carried out. I'm intrigued by the idea of positioning the entire organization as a 'safe pair of hands' that protects and looks after information: a reasonable objective given the effort involved in influencing the corporate security culture.

Even the survey form is intended to raise awareness, in this case making the subtle point that management cares enough about the topic to survey workers' security-related perceptions and behaviors including their attitudes towards management. Conducting the survey naturally implies that management will consider and act appropriately on the results. We take that implied obligation seriously, and will have more to say about it in the module's train-the-trainer guide. The survey is more than just a paper exercise or an awareness item: respondents will have perfectly reasonable expectations merely as a result of participating.

The survey questions themselves are designed to gather measurable responses i.e. data on a few key criteria or aspects of 'security culture'. We have more work to do on the questions, and even when we're done we hope our customers will adapt them to suit their specific needs (e.g.

2017-09-13T20:07:44+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/lE9e-J45pds/nblog-september-13-surveying-corporate.html
www.secnews.physaphae.fr/article.php?IdArticle=409082

NBlog September 12 - Security Culture Framework

In preparing for our forthcoming awareness module on security culture, I've been re-reading and contemplating Kai Roer's Security Culture Framework (SCF) - a structured management approach with 4 phases.

1. Metrics: set goals and measure

Speaking as an advocate of security metrics, this sounds a good place to start - or at least it would be if SCF explored the goals in some depth first, rather than leaping directly into SMART metrics: there's not much point evaluating or designing possible metrics until you know what needs to be measured. In this context, understanding the organization's strategic objectives would be a useful setting-off point. SCF talks about 'result goals' (are there any other kind?) and 'learning outcomes' (which implies that learning is a goal - but why? What is the value or purpose of learning?): what about business objectives for safely exploiting and protecting valuable information?

SCF seems to have sidestepped more fundamental issues. What is the organization trying to achieve? How would what we are thinking of doing support or enable achievement of those organizational objectives? Security awareness, and information security as a whole, is not in itself a goal but a means to an end. I would start there: what is or are the ends? What is information security awareness meant to achieve? Having discussed that issue many times before, I'm not going to elaborate further here today, except to say that if the Goals are clear, the Questions arising are fairly obvious, which in turn makes it straightforward to come up with a whole bunch of possible Metrics (the GQM method). From there, SMART is not such a smart way to filter out the few metrics with a positive value to the organization, whereas the PRAGMATIC metametrics method was expressly designed for the purpose.

SCF further muddies the waters by mentioning a conventional Lewin-style approach to change management (figure out where you are, identify where you want to be, then systematically close the gap) plus Deming's Plan-Do-Check-Act approach to quality assurance. I'm not entirely convinced these are helpful in setting goals and identifying measures.
I would have preferred to elaborate on the process of analyzing the organization's core business, teasing ou

2017-09-12T16:58:10+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/GzFb9imonVw/nblog-september-12-security-culture.html
www.secnews.physaphae.fr/article.php?IdArticle=409083

NBlog September 11 - Security culture

Last night we watched a documentary on the History Channel about 9-11 - a mix of amateur and professional footage that took me back to a Belgian hotel room in 2001, watching incredulously as the nightmare unfolded on TV. Tonight there are more 9-11 documentaries, one of which concerns The War On Terror. As with The War On Drugs and The War On Poverty, we're never going to celebrate victory as such: as fast as we approach the target, it morphs and recedes from view. It's an endless journey.

The idea of waging war on something is a rallying cry, meant to sound inspirational and positive. In some (but not all) cultures it is ... and yet, in a literal sense, it's hard to imagine any sane, level-headed person truly relishing the thought of going to war. According to Margaret Atwood, "War is what happens when language fails", in other words when negotiations fail to the point that violent action is perceived as the best, or last remaining, option.

In truth, The War On Whatever involves more than just violent action: the negotiations don't stop, they just change. In public, they evolve into rhetoric and propaganda, fake news and extremism intended to elicit deeply emotional responses. In private, there's the whole issue of reaching agreement, defining the bottom line, stopping the untenable costs, saving face and redefining the boundaries.

National cultures and attitudes towards war and safety go way beyond the remit of our awareness service, and yet the corporate security culture has its roots in human perceptions, beliefs, ethics and moral values.
We're unlikely to make much headway in changing those, although that alone needn't stop us trying! Hopefully we can influence some attitudes and hence some behaviors, perhaps drawing on cultural cues as part of the process.

There's plenty more to say on security culture as we work our way through the month: I promise future episodes will be less jingoistic and more upbeat.

2017-09-11T18:11:13+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/GDgePzyR4G0/nblog-september-11-security-culture.html
www.secnews.physaphae.fr/article.php?IdArticle=409084

NBlog September 8 - security certification

Aside from the elevator pitch, another short awareness item in our newly-revised Information Security 101 module is a course completion certificate, simply acknowledging that someone has been through the induction or orientation course.

I say 'simply' but as usual with NoticeBored, there's more to it.

For a start, some of us (especially those who consider ourselves 'professionals') just love our certificates: our qualifications and the letters before/after our names mean something to us and hopefully other people. This is a personal thing with cultural relevance, and it's context-dependent (my 30-year-old PhD in microbial genetics has next to nothing to do with my present role!). My even older cycling proficiency certificate is meaningless now, barely a memory, but at the time I was proud of my achievement. Receiving it boosted my self-esteem, as valuable a benefit as being able to demonstrate my prowess on two wheels. I'm tempted to use Cprof on my business cards just to see if anyone reads them!

On the other hand, a certificate indicating a pass mark in some assessment or test can be misleading. The driving test, for example, is a fairly low hurdle in terms of all the situations that a driver may have to deal with over the remainder of their driving career.
There is clearly a risk that a newly-certified and licensed driver might be over-confident as a result of passing the test and going solo, a time when accidents are more likely, hence some countries encourage a subsequent period of driving with special P-plates (meaning probationary, or passed or potential or ...) in the hope that others will give new drivers more space. In risk terms, there are risk-reduction benefits in letting new drivers continue to hone their new-found skills, offsetting the increased risk of incidents.

In the same way with the InfoSec 101 course completion certificate, we're glad to acknowledge the personal achievement and boost people's self-esteem (yay - something positive associated with information risk and security!), although there is a risk they might believe themselves more competent in this area than they truly are. On balance, we'd rather deal with that issue, in part through the ongoing security awareness activities that delve deeper into areas covered quite superficially in the 101 module, across a br

2017-09-08T18:35:37+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/xX_2ChS3hFk/nblog-september-8-security-certification.html
www.secnews.physaphae.fr/article.php?IdArticle=409085

NBlog September 6 - passwords are dead

I've blogged about passwords several times. It's a zombie topic, one that refuses to go away or just lie down and die quietly.

On CISSPforum, we've been idly chatting about user authentication for a week or so. The consensus is that passwords are a lousy way to authenticate, for several reasons.

First the obvious. Passwords are:

- Hard to remember, at least good ones are, especially if we are forced to think up new ones periodically for no particular reason;
- Generally weak and easily guessed, due to the previous point;
- Sometimes generated and issued, not chosen or changeable by the user;
- Readily shared or disclosed (e.g. by watching us type), or written down;
- Readily obtained by force, coercion, deception and other forms of social engineering such as phishing or password reset tricks, or interception, or hacking, or brute force attacks, or spyware or ... well clearly there are lots of attacks;
- Often re-used (for different sites/apps etc., and over time).

Next comes some less obvious, more pernicious lousiness:

- Badly-designed sites/systems sometimes prevent us using strong passwords (e.g. they must be less than 20 characters with no spaces nor special characters ...; must be typed or clicked manually - no automation allowed);
- Poor guidance on choosing passwords encourages poor choices;
- Passwords are sometimes weakened covertly by even lousier sites/systems (e.g. we can enter complex 50 character passwords but they only actually use 6, or store them in plaintext, or use a pathetically weak or broken hashing algorithm, often without a salt ...).

In short, passwords are not a reliable way to authenticate people. As a security control, they are weak to mediocre at best, not strong ... which is obviously

2017-09-06T16:33:56+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/6Qa41xgqTA4/nblog-september-6-passwords-are-dead.html
www.secnews.physaphae.fr/article.php?IdArticle=409086

NBlog September 4 - InfoSec 101 elevator pitch, final part

part 1 and part 2, here's the closing paragraph:

As a manager, you play a vital governance, leadership and oversight rôle. Please make the effort to engage with and support the security awareness program, discuss information risk and security with your colleagues, and help us strengthen the corporate security culture.

In classical marketing terms, it's the call-to-action for people who have been lured and hooked. Having presented our case, what do we actually want them to do? Compared to the preceding two, the third paragraph is quite long.
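Before going on with the pitch, a worked illustration of the last bullet in the September 6 post above, where sites covertly weaken passwords by silently truncating them, storing them in plaintext, or hashing them with a fast unsalted algorithm. This is an added example written for this page, not code from the original post: a legacy-style store that truncates and runs an unsalted MD5, beside a salted PBKDF2-HMAC-SHA256 store with constant-time verification. The truncation length, iteration count, size cap and sample passphrases are illustrative choices, not taken from any real system.

```python
"""Two password stores side by side: the covert-weakening pattern the post
warns about (silent truncation, unsalted fast hash) and a hardened replacement
(per-user random salt, slow key derivation, constant-time compare).
Added example for this page; constants below are illustrative choices."""
import hashlib
import hmac
import os

TRUNCATE_AT = 8               # hypothetical legacy limit; everything after it is ignored
PBKDF2_ITERATIONS = 600_000   # work factor; raise as hardware gets faster
MAX_PASSWORD_BYTES = 1024     # bound the cost of pathological input without truncating


def weak_store(password):
    """Legacy pattern: truncate, then unsalted MD5 of what is left.
    Every user with this password gets the same hash (one crack fits all), and
    unrelated passwords that share the first TRUNCATE_AT characters collide."""
    return hashlib.md5(password[:TRUNCATE_AT].encode()).hexdigest()


def weak_verify(password, stored):
    return weak_store(password) == stored


def strong_store(password, salt=None):
    """Per-user random salt + PBKDF2-HMAC-SHA256 over the whole password.
    Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' so the
    parameters travel with the hash and can be upgraded later."""
    pw = password.encode()
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")   # reject explicitly, never cut silently
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), dk.hex()])


def strong_verify(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    pw = password.encode()
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def collision_demo():
    """Show the truncation flaw: the guess agrees with the real passphrase only
    in its first 8 characters, yet the legacy scheme accepts it."""
    real = "correct horse battery staple"
    guess = "correct h"
    weak = weak_store(real)
    strong = strong_store(real)
    return {
        "weak_accepts_wrong_password": weak_verify(guess, weak),
        "strong_accepts_wrong_password": strong_verify(guess, strong),
        "strong_accepts_right_password": strong_verify(real, strong),
        # Two users choosing the same password: identical under the legacy
        # scheme, distinct under the salted one.
        "weak_hashes_identical": weak_store(real) == weak_store(real),
        "strong_hashes_identical": strong_store(real) == strong_store(real),
    }


if __name__ == "__main__":
    for name, outcome in collision_demo().items():
        print(f"{name}: {outcome}")
```

The demo returns its results rather than printing them so they can be checked: the legacy scheme accepts 'correct h' for a user whose password is 'correct horse battery staple', because only the first eight characters are ever hashed, and it gives every user with that password the same hash; the salted scheme does neither. Capping input length with an explicit rejection keeps the derivation cost bounded without reintroducing the truncation flaw, and carrying the iteration count inside the stored string lets the work factor be raised per user at next login.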
While we could easily have dropped the first sentence, it serves a purpose. It shows deference to the management audience, acknowledging their influential and powerful status, gently reminding them that they are expected to direct and oversee things. Essentially (in not so many words), it says "Pay attention! This is an obligation, one of your duties as a manager."

The final sentence, including those three words in bold, was especially tricky to write for the InfoSec 101 module. What is it, exactly, that we expect senior managers to do in relation to this very broad introductory-level topic? Think about that question for a moment. There are many possible answers e.g.:

- Show leadership
- Demonstrate commitment
- Support the Information Security Management System (in an ISO27k organization)
- Get actively involved in information risk and security management activities, such as risk assessment and risk treatment decisions
- Raise the profile and priority of information risk and security matters
- Provide adequate resources to do this stuff properly for once (!)
- Encourage or enforce compliance

2017-09-04T15:31:24+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/NbPNifgSwUg/nblog-september-4-infosec-101-elevator.html
www.secnews.physaphae.fr/article.php?IdArticle=409087

NBlog September 3 - InfoSec 101 elevator pitch, part 2 of 3

Yesterday, I started telling you about one of the smallest deliverables in our awareness portfolio, the elevator pitch aimed at senior executive management. Despite its diminutive size, a lot of effort goes into selecting and fine-tuning those 100-odd words.

[Sorry if this detailed deconstruction of the pitch one paragraph at a time is tedious but I think it's useful to understand the design, the purpose of the page and the thinking that goes into it. As far as I know, we are the only security awareness provider specifically targeting senior management in this way.
I've made disparaging comments in the past about awareness programs aimed at "end-users": neglecting other employees - especially managers and professionals - seems incredibly short-sighted to me, a bit like trying to teach the passengers how to drive a car, ignoring the driver and the mechanics.] OK, pressing swiftly ahead, the elevator pitch can be interrupted at any point. If someone is presenting or talking it through with an exec, they may well need to break off to answer questions or respond to comments. If a busy exec is quickly skimming the piece online or on paper, they might get distracted by a phone call or email. We may only have their attention fleetingly, if at all. If we're lucky, the exec will swallow the bait and be hooked ... so the second paragraph has the essential barb:Cybersecurity is important but there's more to it than IT. Information security enables the business to exploit information in ways that would otherwise be too risky.'Cybersecurity' is all the rage, of course. It's a term we see frequently in the media.  Although it's rarely defined, it is generally interpreted as IT and network security, specifically around Internet-related tech incidents such as hacking and malware. That's all very well, but what about all the rest of information risk and security? What about social engineering scams and frauds, piracy, industrial espionage and so forth? What about the whole insider-threat thing: where does that fit in relation to 'cyber'? Oh, hang on a moment: explain]]> 2017-09-03T12:28:08+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/PQ1pxSXsKlo/nblog-september-3-infosec-101-elevator.html www.secnews.physaphae.fr/article.php?IdArticle=409088 False None None None NoticeBored - Experienced IT Security professional NBlog September 2 - InfoSec 101 elevator pitch, part 1 of 3 The elevator pitch is an awareness format we developed specifically for busy senior executives and other senior managers. 
Its main aim is to tell them just enough so they know what the awareness topic concerns. We'd like to intrigue them, prompting them to ask questions and seek more information, ideally influencing their decisions and actions as they go about their business in a more secure fashion.The 'elevator pitch' name and button panel image alludes to the idea of condensing a complex subject down to a short statement that could literally be expressed during a short elevator ride. We don't actually envisage someone standing there in the elevator car reading out a prepared script to the captive audience, so much as being primed and ready to respond off-the-cuff to an informal opener from an exec along the lines of "So, how are things with you?".We limit ourselves to about 100 words per topic. As you'll see from the example above, that works out to just 3 paragraphs or so, of 2 or 3 sentences each. It takes a surprising amount of effort to put things across so succinctly: the real art is in figuring out what's appropriate to leave out, and how to express the essentials in a way likely to resonate with senior managers.Imagine being a fisherman selecting some juicy morsel to bait the hook. Ideally the pitch needs to catch the target's eye, intriguing them and sparking their imagination so they gulp it down ... but being realistic, very few execs are going to have the time and interest to drop everything and focus on information security, at least not on the strength of a snatched conversation in the elevator or a casual corridor chat.  Let's look at the InfoSec 101 elevator pitch in more detail, breaking it down a paragraph at a time:Information is a valuable but vulnerable business asset that requires protection against risks. Responding to the risks through suitable controls involves all those who create, use and handle information.  
Yes, that's everyone.Those first few words are crucial, explicitly positioning information risk and security as a busine]]> 2017-09-02T14:17:13+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/OP-YjOnGB8Q/nblog-september-2-infosec-101-elevator.html www.secnews.physaphae.fr/article.php?IdArticle=409089 False None None None NoticeBored - Experienced IT Security professional NBlog September 1 - back to basics: InfoSec 101 When someone initially joins an organization, they immediately start absorbing the corporate culture – 'the way we do things here' – gradually becoming a part of it. Most organizations run security orientation or induction sessions to welcome newcomers and kick-start the cultural integration process, with individual sessions lasting between a few minutes and a few hours depending on the topics to be covered, local practice, and of course the audience (e.g. there may be a quick-start process for managers, and more in-depth training for technical specialists).Let's be honest: orientation tends to be as dull as a lecture on the dangers of teenage pregnancy. It's trial-by-fire, something to be endured rather than enjoyed. The new NoticeBored Information Security 101 module covers common information risks (e.g. malware) and controls that are more-or-less universal (e.g. antivirus). The awareness materials are deliberately succinct and quite superficial: they outline key things without delving into the details.  Given the context of a continuous NoticeBored-style security awareness program delivering a stream of fresh materials, there's no need to cover everything about information risk and security in one hit. The pressure's off. Relax! All we really need in the induction session do is help newcomers set off on the right foot, engaging them as integral and valuable parts of the organization's Information Security Management System. That leaves room to focus on an even more important objective, one that we will expand upon in next month's module. 
Building relationships between Information Security professionals and business people in general, makes a huge difference to the corporate security culture. Think about it: would you rather pick up the phone to the friendly professional who took time to meet you when you joined the organization, or a total stranger?]]> 2017-09-01T10:00:07+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/4ugaYmPEX3c/nblog-september-1-back-to-basics.html www.secnews.physaphae.fr/article.php?IdArticle=409090 False None None None NoticeBored - Experienced IT Security professional NBlog August 31 - strengthening Information Security\'s social network Some security awareness programs simply broadcast messages at the organization. Messages flow from the Information Security function to the audience - specifically an audience dubbed "end users" in many cases, a disparaging term implying low-level staff who use computers (neglecting all others). A more effective approach, however, is to emphasize social networking and socialization of security as a primary driver of cultural change, with bidirectional communications increasing the chances that the awareness program reflects and responds to the business.Establishing a strong social network of friends and supporters of information security throughout the organization takes commitment and sustained effort on the part of the entire Information Security function. The payback over the medium to long-term, however, makes it an approach well worth considering. An actively engaged and supportive social network will keep the awareness program, and in fact the information security program as a whole, business-aligned and relevant to current security issues in the organization, broadening and deepening the department's influence. 
On top of that, you can achieve far more through a distributed network of supportive contacts than you can possibly manage alone.Support from senior management is great but, in our experience, many of the most well-connected and influential workers are low-ranking individuals. They are 'people people' with the common touch, a natural flair for social interaction. This is why we're providing a template rôle description for the Information Security Awareness Contact in September's Information Security 101 module to get you started if you decide to structure and formalize the rôle to this extent. That may not be appropriate or necessary, depending on how your organization handles such issues. Speak to your management and HR about the concept before going too far down that line, including aspects such as recruiting, guiding/coordinating, motivating and rewarding people who accept the rôle. Colleagues in HR, Security Administration, IT/PC Support, Business Continuity, Risk Management, Compliance and Health & Safety may have similar social networks already in place (e.g. departmental reps, fire marshals and first responders). Invest some time in meeting both those colleagues and their best contacts to find out how the arrangements work on both sides, pick up useful tips ... and hopefully make a few solid-gold contacts of your own.]]> 2017-08-31T17:01:53+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/G2zkrdTJ1aI/nblog-august-31-strengthening.html www.secnews.physaphae.fr/article.php?IdArticle=409091 False None None None NoticeBored - Experienced IT Security professional NBlog August 30 - information risk assessment (reprise) On ISO27k Forum this morning, an FAQ made yet another appearance. SR asked:"I am planning to do risk assessment based on Process/Business based. 
Kindly share if you have any templates and also suggest me how it can be done."Bhushan Kaluvakolan responded first by proposing a risk assessment method based on threats and vulnerabilities (and impacts, I guess), a classical information-security-centric approach that I've used many times. Fair enough.I followed up by proposing an alternative (and perhaps complementary) business-centric approach that I've brought up previously both on the Forum and here on NBlog:Consider the kinds of incidents and scenarios that might affect the process, both directly and indirectly. Especially if the process is already operating, check for any incident reports, review/audit comments, known issues, management concerns, expert opinions etc., and/or run a risk workshop with a range of business people and specialists to come up with a bunch of things – I call them 'information risks'. This is a creative, lateral thinking process – brainstorming. Focus on the information, as much as possible, especially information that is plainly valuable/essential for the business. If necessary, remind the experts that this is a business situation, a genuine organizational concern that needs pragmatic answers, not some academic exercise in precision.Review each of those information risks in turn and try to relate/group them where applicable. Some of them will be more or less severe variants on a common theme (e.g. an upstream supply chain incident can range from mild e.g. minor delays and quality issues on non-critical supplies, to severe e.g. sudden/unanticipated total failure of one or more key suppliers due to some catastrophe, such as the Japanese tsunami). Others will be quite different in nature (e.g. various problems with individual employees, IT systems etc.). 
A neat way to do this is to write each risk on a separate sticky note, then stick them on a white board and briefly explain them, then move them into related/different groups of various sizes and shapes.]]> 2017-08-30T09:19:09+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/PNQ9jviA7QA/nblog-august-30-information-risk.html www.secnews.physaphae.fr/article.php?IdArticle=409092 False None Wannacry None NoticeBored - Experienced IT Security professional NBlog August 27 - thanks a million According to Google's Blogger stats, over the weekend this blog topped 1 million page views so I guess we must be doing something right! It would be hard to come up with something new to say every day, if it weren't for the fact that we are all bombarded by stuff from other blogs and groups, from advisories and committees, and from several billion Websites. There's lots of stuff going on in the world of infosec which keeps me interested and hopefully you too.My main concern is the human as opposed to technological aspects, hence my overriding interest in promoting good practices in information risk and security governance and management (especially ISO27k and security metrics), security awareness, policies, procedures etc. to keep a lid on social engineering scams, frauds, hacks and malware attacks, ineptitude, thievery, spying, piracy and so forth. Having said that, managing technology requires understanding it (IT especially) so I try my best to keep an eye on that too. And the physical side. And compliance. And risk management.  And business ...I interpret and react to the news rather than simply passing things on, an approach I hope rubs off on you. I'm expressing personal opinions here, hopefully adding value based on my experience and knowledge. I encourage you all to think about what you read, reinterpret it in your context, be critical and by all means disagree with me. I don't hold all the answers. I know I am outspoken, cranky and off-base sometimes. I'm human too. 
This blog is my captcha!OK, must press on. We have sick animals to tend plus an awareness module to complete. Back soon.]]> 2017-08-28T08:34:54+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/bZhDixfLvwo/nblog-august-27-thanks-million.html www.secnews.physaphae.fr/article.php?IdArticle=409093 False None None None NoticeBored - Experienced IT Security professional NBlog August 25 - awareness boosters The Information Security 101 awareness module update is going well. We might even finish slightly ahead of the deadline, provided I can resist the temptation to keep polishing and adding to the content!One of the deliverables is a 'menu' of rewards for workers who uphold the information risk and security practices, controls and behaviors we wish to encourage. The rewards are divided into bronze, silver and gold categories.Bronze rewards are generally free or cheap, and yet welcome - a nice way to thank workers for simply participating in awareness seminars, case study/workshop session or quiz maybe. Here are just a few examples:A phone call, personal thank-you note and/or emailLetter of participation or commendation to be placed in the employee's personnel file (whatever that means!)Relaxed dress code for the recipient – for a defined period such as a day or a week Generic certificate acknowledging a level of competence (e.g. 
on completion of security induction training - there's a template in the module)Note and/or photo on hall-of-fame, newsletter and/or the Security Zone (Information Security's intranet website - again there's a generic website design specification in the module)Plain (dull bronze) pin badge or sticker with awareness program logoPlain (dull bronze) staff pass lanyard with awareness program logo and stock message (such as how to contact the Help Desk or Site Security)Moving up a level, silver awards are more valuable and attractive, requiring a little more money and effort:Polo/tee-shirt printed with corporate and/or awareness program logo and a relevant quotation or catch-phrase]]> 2017-08-25T14:13:47+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/OIVLvoiY32E/nblog-august-25-awareness-boosters.html www.secnews.physaphae.fr/article.php?IdArticle=409094 False Guideline None None NoticeBored - Experienced IT Security professional NBlog August 24 - hot potato or mash? I'm currently working on a couple of interrelated matters concerning ISO/IEC JTC 1/SC 27 business. One is the possibility of renaming and perhaps re-scoping the committee's work. The other is a study period exploring cybersecurity.They are related because cyber is a hot potato - a bandwagon no less. Some on the committee are raring to disable the brakes and jump aboard.When asked to describe what cybersecurity is, one expert replied "Budget!". That's more than just a cynical retort. Cyber risk, cyber security, cyber threats, cyber attacks, cyber incidents and cyberinsurance are all over the headlines. Several countries have invested in cyber strategies and units. 
There is money in cyber, so that's a good thing, right?As I've said before, the focus on cyber is problematic for several reasons, not least distinctly different interpretations of the very term, a gaping chasm separating two distinct domains of understanding:In informal use (including most journalists and commentators in the blogosphere), cyber means almost anything to do with IT, the Internet in particular. The primary concerns here are everyday hackers and malware (or rather "viruses").In (some?) government and defense circles, cyber alludes to cyberwar, meaning state-sponsored extreme threats exploiting all means possible to compromise an enemy's critical infrastructures, IT systems, comms, economy and society. Compared to the other interpretation, this off-the-scale nastiness requires a fundamentally different approach. Firewalls and antivirus just won't cut it, not by a long chalk. If anything, those everyday hackers and malware are a source of chaff, handy to conceal much more insidious compromises such as APT (Advanced Persistent Threats) and malicious processor hardware/firmware. Authorities stockpiling rather than disclosing vulnerabilities, and building red teams like there's no tomorrow, hint at what's going on right now.As if that's not enough, every man and his dog is either coming up with his own unique definition or ducking the issue by remaining (deliberately?) vague and imprecise. 
There's little consensus, hence lots of confusion and talking at cross purposes.It is entirely possible that SC 27 might find itself lumbered with the cyber moniker because it's sexy, in which case those diffe]]> 2017-08-24T18:20:50+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/cDU_ewMmo3U/nblog-august-24-hot-potato-or-mash.html www.secnews.physaphae.fr/article.php?IdArticle=409095 False None None None NoticeBored - Experienced IT Security professional NBlog August 23 - Information Security outreach Further to yesterday's ISO27k Forum thread and blog piece, I've been contemplating the idea of extending the security awareness program into an "outreach" initiative for Information Security, or at least viewing it in that way. I have in mind a planned, systematic, proactive approach not just to spread the information risk and security gospel, but to forge stronger more productive working relationships throughout the organization, perhaps even beyond.  Virtually every interaction between anyone from Information Security and The Business is a relationship-enhancing opportunity, a chance to inform, communicate/exchange information in both directions, assist, guide, and generally build the credibility and information Security's brand. 
Doing so has the potential to:Drive or enhance the corporate security culture through Information Security becoming increasingly respected, trusted, approachable, consulted, informed and most of all used, rather than being ignored, feared and shunned (the "No Department");Improve understanding on all sides, such as identifying business initiatives, issues, concerns and demands for Information Security involvement, at an early enough stage to be able to specify, plan, resource and deliver the work at a sensible pace rather than at the last possible moment with next to no available resources; also knowing when to back-off, leaving the business to its own devices if there are other more pressing demands, including situations where accepting information risks is necessary or appropriate for various business reasons;Encourage and facilitate collaboration, cooperation and alignment around common goals;Improve the productivity and effectiveness of Information Security by being more customer-oriented - always a concern with ivory-tower expert functions staffed by professionals who think they (OK, we!) know best;Improve the management and treatment of information risks as a whole through better information security, supporting key business objectives such as being able to exploit business opportunities that would otherwise be too risky, while complying with applicable laws and regulations.]]> 2017-08-23T13:14:19+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/r3CdR4cAALs/nblog-august-23-information-security.html www.secnews.physaphae.fr/article.php?IdArticle=409096 False Cloud APT 37 None NoticeBored - Experienced IT Security professional NBlog August 22 - what to ask in a gap assessment A relatively simple and naive question on the ISO27k Forum this morning set me thinking. 
"RP" asked:"Does anybody have a generic [set of] high level questions for business departments other than IT, that can be asked during gap assessment?"As is so often the way with newcomers to the Forum, RP evidently hasn't caught up with past Forum threads (e.g. we recently chatted about various forms of gap analysis, and the markedly different ways that people [including dentists!] use and interpret the term), paid scant attention to forum etiquette (e.g. he/she didn't tell us his/her name), and provided little to no context in which to address the question (e.g. what size and kind of organization is it? What industry/sector? Does it have a functional, certified and mature ISO27k ISMS already, is it working towards one, or is RP just idly thinking about it over coffee?).Despite that, a couple of us responded as best we could, making assumptions about the context, the meaning and purpose of the 'gap assessment', and RP's situation. I suggesting posing questions along these lines:"What kinds of information do you use? Tell me more. Which is the most important information for your business activities, and why? What would happen if it was lost, damaged, out of date, inaccurate, incomplete, misleading, fraudulent, or disclosed e.g. on the Web?Roughly how much of the information you handle is classified? How much is SECRET/TOP-SECRET? [You'd probably need to be security cleared, and have management support, to get a meaningful answer to that!]What information do you generate? What happens to it? Where does it go? Who uses it, and for what? Would it matter to them if it stopped coming, or was late, or inaccurate, or incomplete, or was disclosed on the Web?When was the last time you examined your information risks? What was the result? Show me! 
What changed as a result?When was the last time you completed a business impact analysis and business continuity p]]> 2017-08-22T15:51:29+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/yozlS8hvyCU/nblog-august-22-what-to-ask-in-gap.html www.secnews.physaphae.fr/article.php?IdArticle=409097 False Guideline None None NoticeBored - Experienced IT Security professional NBlog August 21 - Internal Control Questionnaires Further to yesterday's piece about a free ISMS audit guideline, I normally prepare Internal Controls Questionnaires to structure and record my audit fieldwork.  As the illustrative extract above shows, these work nicely as landscape tables in MS Word with the following 4 columns:Check: these are the audit tests, written before the audit fieldwork starts. As well as the classic audit 'show me' and 'tell me about ...', I much prefer open-ended questions and general prompts such as 'check', 'review' and 'evaluate'. ICQs are intended to be used by reasonably competent and experienced  auditors, not spouted verbatim by novices.   [The ISMS audit guideline includes an extensive but generic set of audit checks ready to cut-n-paste into this column, then trim and modify according to your specific audit requirements and situation.]SWOT: these record the auditor's first impressions - an initial evaluation of the findings. Is this area a Strength (the findings are good, risks well under control), a Weakness (there are some issues but nothing too desperate), an Opportunity (generally meaning an 'opportunity for improvement' i.e. a change that will benefit the business) or a Threat (a significant risk or concern that ought to be addressed in order to avoid a serious incident)?Notes: briefly state the audit findings. Factual evidence is crucially important to the audit process, and needs to be recorded carefully. 
For example, I sometimes quote the precise words spoken by auditees in audit interviews, and incorporate or cite relevant extracts from policies, procedures, logs, reports etc. The auditor's comments and interpretation are a valuable output too (e.g. explaining the context and possible consequences), but strong facts speak for t]]> 2017-08-21T11:38:34+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/XpQ1ErcyqBU/nblog-august-21-internal-control.html www.secnews.physaphae.fr/article.php?IdArticle=409098 False None None None NoticeBored - Experienced IT Security professional NBlog August 20 - FREE ISO27k audit guideline Over the last few weeks, I've been busy with a virtual team of volunteers updating an ISMS audit guideline written prior to the 2011 release of the ISO/IEC standards 27007 (Guidelines for information security management systems auditing) and 27008 (Guidelines for auditors on information security controls). One of our goals at the time was to contribute to the development of the standards.Meantime, not only have those two standards been published, but ISO/IEC 27001 and 27002 have also been updated ... so there was a lot of updating to do.Our guideline is aimed at internal auditors, specifically IT auditors tasked with auditing either:the management system parts of an Information Security Management System; orthe information security controls being managed by the ISMS.In ISO27k, the management system is a combined governance and management framework - a structured approach similar to those for managing quality assurance, environmental protection and more. Auditing it is fairly straightforward because 27001 is quite explicit about what it should be. The guideline goes beyond certification auditing, though. Even if the ISMS fulfills the requirements of the standard, it may not satisfy the organization's needs. 
]]> 2017-08-20T08:05:50+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/uGziPkFciPg/nblog-august-20-free-iso27k-audit.html www.secnews.physaphae.fr/article.php?IdArticle=409099 False None None None NoticeBored - Experienced IT Security professional NBlog August 18 - security culture through awareness That sums-up our approach to using security awareness as a mechanism to foster a 'culture of security'.  In the spirit of yesterday's blog, rather than wax lyrical, I'll let the diagram speak for itself.  'Nuff said.]]> 2017-08-18T18:09:14+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/i_hD63bFydw/nblog-august-18-security-culture.html www.secnews.physaphae.fr/article.php?IdArticle=409100 False None None None NoticeBored - Experienced IT Security professional NBlog August 17 - InfoSec 101 for management Today I've revised the management seminar for Information Security 101. Given our deliberately wide brief, there's quite a lot to say even at the relatively superficial 101/introductory level, so we're using thought-provoking pictures (mind maps, process diagrams and conceptual imagery) in place of reams of text and tedious bullet points. The whole seminar works out at just 12 slides ... at least that's the management seminar slide deck we'll be providing to subscribers. They can adapt the content, perhaps incorporating extras or indeed cutting back on the supplied content - and that's fine by us.In fact, more than that, we actively recommend it! Much as we would like to offer awareness materials tailored for each customer, we simply don't have the resources. For starters, we would need to spend time getting to know and then keeping abreast of each customer's specific circumstances and needs ... and being information security related, there are confidentiality implications in that. 
Instead, we prefer to invest in research and development of high-quality cutting-edge awareness content, delivering editable materials that our valued customers can customize as they wish.Keeping up with the field is quite a challenge, a fun one for us. In the 3 years or so since the InfoSec 101 module was last revised, we've witnessed the rise of BYOD, ransomware and cybersecurity. Current issues include IoT security and, looking forward, GDPR is set to make big waves in privacy in less than a year's time.Most months we encourage customers to check and update their induction and other training course materials, picking and choosing from each new batch of NB content as appropriate. On a more subtle level, we're gently hinting that they should be proactively maintaining and refreshing their awareness and training content as a whole because outdated material can literally be worse than useless. If you work for a mid- to large-sized fairly mature organization, chances are your security awareness content includes stuff that is no longer relevant and misses out on emerging issues, even if you have someone dedicated to running the awareness and training program. 
If you are in a small organization with very limited resources, or one that depends on course materials updated 'whenever, if-ever', is it any surprise if newcomers get the impression that information security is unimportant, not a priority?]]> 2017-08-17T14:41:54+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/9WUPJwFwnBM/nblog-august-17-infosec-101-for.html www.secnews.physaphae.fr/article.php?IdArticle=409101 False None None None NoticeBored - Experienced IT Security professional NBlog August 16 - NIST SP800-53 draft v5 A public draft of NIST SP800-53 revision 5 is worth checking out.Major changes in this draft:"Making the security and privacy controls more outcome-based by changing the structure of the controls;Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;]]> 2017-08-16T10:45:46+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/27BlRUMT4b4/nblog-august-16-nist-sp800-53-draft-v5.html www.secnews.physaphae.fr/article.php?IdArticle=409102 False None None None NoticeBored - Experienced IT Security professional NBlog August 15 - work goes on We've updated more stuff for the Infosec 101 module today:8 two-page case studies based on commonplace incidents; 13 one-page scam alerts on common scams (yes, 13); Generic job descriptions for an Information Security Awareness Manager, plus an Awareness Officer, and Awareness Contacts (part timers, distributed throughout 
the organization). Ticks are appearing and darkening on the contents listing at a reasonable rate.Meanwhile, over on the ISO27k Forum, we've been discussing terminology and the pros and cons of various information security frameworks, and CISSP Forum has been yakkin' about quantum crypto key exchange and fake news.  Oh and we've arranged for the tractor repair man to come over tomorrow to fix a broken valve and solenoid, and I popped down to the vet for antibiotics for 3 sick animals.Quite a varied and productive day, all in all.]]> 2017-08-15T16:10:26+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/EKePJUptUcg/nblog-august-15-work-goes-on.html www.secnews.physaphae.fr/article.php?IdArticle=409103 False None None None NoticeBored - Experienced IT Security professional NBlog August 14 - why infosec? Today I'm revising the InfoSec 101 presentation for general employees, starting with a brief introductory slide addressing questions along the lines of "What's the point of information security?" and "Why are you even telling me about it?".It's not as easy as you might think to answer such fundamental questions, simply, for someone who may have no background or interest in the topic. So I went Googling for inspiration, and came across this neat list of infosec benefits from a company called Global Strategic:Demonstrates a clear commitment to data security - including confidentiality and strict accessibility rules;Provides procedures to manage risk;Keeps confidential information secure;Provides a significant competitive advantage;Ensures a secure exchange of information;Creates consistency in the delivery of our services;Allows for inter-operability between organizations or groups within an organization;Builds a culture of security;Protects the company, assets, shareholders, employees and clients;Gives assurance that a third party provider takes your data security (and your business) as seriously as you do. Some of those are not terribly helpful for our awareness purposes. 
A benefit of information security is security or protection [of information], yes, but that's obvious from the phrase! It doesn't move us forward.Risk management is definitely a core purpose of infosec. I'm not keen on the idea that infosec 'provides procedures' though. Infosec is an overall approach, rather than simply a set of procedures or processes. "Infosec lets us manage risks" is closer to the mark, I think, or maybe "We use infosec to manage information risks". Hmmm.Competitive advantage is another good one, although I think I would prefer talk about 'enabling the business'. Whereas managers are presumably familiar with the concept of competitive advantage, I'm not sure about general employees. 'Enabling' is a fairly complex concept too, so "Infosec is good for business" would be an even better way to express it.Re the notions of securely exchanging information and inter-operability: those seem quite narrow and specific to me - parts of infosec, for sure, but arguably too obscure for a relatively naive audience. They are technocentric, too, whereas we are keen to position infosec more broadly than just IT or cybersecurity. ]]> 2017-08-14T15:29:01+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/GDvGJk7R8PM/nblog-august-14-why-infosec.html www.secnews.physaphae.fr/article.php?IdArticle=409104 False None None None NoticeBored - Experienced IT Security professional NBlog August 13 - updating Another basic information security practice is updating e.g.:Patch promptly (update software)Lock-n-load (physical security)Counter cons (social engineering)Nuke nasties (update antivirus) Read rules (security policies)Those short alliterative phrases are memory-joggers to catch people's imagination and remind them about the things they ought to be doing regularly.Conspicuously missing from the list is changing passwords: once upon a time, it was generally accepted practice to force people to change their passwords every few weeks or months. 
I have never quite understood the rationale for this. It takes effort to think up and commit to memory yet another strong password, and there are security costs when people forget their passwords, so what's the benefit? I suppose it might frustrate someone who has been surreptitiously watching a colleague enter their password every day, trying to figure out what they are typing ... but really? Arguably it would reduce the success rate of repeated brute-force password guesses - that ought to be triggering alarms anyway. I just don't get it and nor, now, does NIST:"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."That comes from NIST Special Publication 800-63B - Digital Identity Guidelines: Authentication and Lifecycle Management, published in June and recently picked up by the security press.The list of things to include in the InfoSec 101 awareness module is becoming clearer by the day.]]> 2017-08-13T18:00:58+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/QJcvaMAsfoU/nblog-august-13-updating.html www.secnews.physaphae.fr/article.php?IdArticle=409105 False None None None
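To make the quoted NIST SP 800-63B rules concrete, here is an added worked example (it is not code from the post, from NoticeBored or from NIST): a small Python memorized-secret policy that applies only a minimum length and a compromised-value blocklist, imposes no composition rules and no periodic expiry, and forces a change only once evidence of compromise has been recorded. The older 90-day rotation rule the post questions is included for contrast. The account structure, the function names, the constructed blocklist and the sample dates are assumptions of this example.

```python
"""
Memorized-secret lifecycle following the NIST SP 800-63B rules quoted above.
Everything here (names, blocklist, dates) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import hashlib
import hmac
import os

# Constructed sample of commonly used / compromised secrets. A real verifier
# would compare against a much larger corpus (SP 800-63B requires such a check).
COMPROMISED_SECRETS = {"password", "123456", "letmein", "qwerty123"}

MIN_LENGTH = 8   # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # verifiers must accept secrets of at least this length
PBKDF2_ROUNDS = 100_000

# Constructed reference date so the example runs deterministically offline.
EXAMPLE_NOW = datetime(2017, 8, 13, tzinfo=timezone.utc)


def days_after(n: int) -> datetime:
    """Return the constructed reference date shifted by n days."""
    return EXAMPLE_NOW + timedelta(days=n)


@dataclass
class Account:
    username: str
    salt: bytes
    secret_hash: bytes
    last_changed: datetime
    compromise_evidence: Optional[str] = None  # e.g. "seen in breach dump"


def evaluate_candidate(secret: str) -> Tuple[bool, str]:
    """Accept or reject a proposed secret. Only length and a compromised-value
    check apply: no character-class or repeated-character rules."""
    if len(secret) < MIN_LENGTH:
        return False, "too short"
    if len(secret) > MAX_LENGTH:
        return False, "too long"
    if secret.lower() in COMPROMISED_SECRETS:
        return False, "known compromised or commonly used value"
    return True, "ok"


def _derive(secret: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored verifier is not directly reversible.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def set_secret(account: Account, secret: str, now: datetime) -> bool:
    """Store a new secret if policy accepts it; a fresh secret clears any
    compromise flag because the compromised value is no longer in use."""
    ok, _ = evaluate_candidate(secret)
    if not ok:
        return False
    account.salt = os.urandom(16)
    account.secret_hash = _derive(secret, account.salt)
    account.last_changed = now
    account.compromise_evidence = None
    return True


def verify(account: Account, secret: str) -> bool:
    """Constant-time comparison of the derived hash against the stored one."""
    return hmac.compare_digest(_derive(secret, account.salt), account.secret_hash)


def must_change_nist(account: Account, now: datetime) -> bool:
    """SP 800-63B: a change is forced only on evidence of compromise;
    the age of the secret plays no part."""
    return account.compromise_evidence is not None


def must_change_legacy(account: Account, now: datetime, max_age_days: int = 90) -> bool:
    """The periodic-rotation rule the post questions, kept for contrast."""
    return now - account.last_changed > timedelta(days=max_age_days)


def flag_compromise(account: Account, reason: str) -> None:
    """Record evidence of compromise, e.g. the credential appearing in a
    published breach list or a confirmed phishing capture."""
    account.compromise_evidence = reason


def new_account(username: str, secret: str, now: datetime) -> Account:
    acct = Account(username, b"", b"", now)
    if not set_secret(acct, secret, now):
        raise ValueError("secret rejected by policy")
    return acct


if __name__ == "__main__":
    acct = new_account("alice", "correct horse battery", EXAMPLE_NOW)
    later = days_after(400)
    print("legacy rule forces change after 400 days:", must_change_legacy(acct, later))
    print("NIST rule forces change after 400 days:  ", must_change_nist(acct, later))
    flag_compromise(acct, "credential seen in breach dump")
    print("NIST rule after compromise evidence:     ", must_change_nist(acct, later))
```

Under the NIST rule a 400-day-old secret stays valid, while the legacy rule would have expired it three times over; the only event that forces a change is the recorded compromise, and setting a new secret clears that flag. The blocklist check at set-time is what replaces composition rules as the defence against weak choices.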
