www.secnews.physaphae.fr

This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. A list of sources can be found on www.secnews.physaphae.fr.

Feed generated: 2024-05-18T22:10:39+00:00
Source feed: NoticeBored - Experienced IT Security professional

The business case for security strategy and architecture

The business benefits of developing an information security strategy and accompanying security architecture/design include:

- Being proactive, taking the lead in this area - more puppeteer than puppet;
- Designing a framework or structure to support the organisation's unique situation and needs;
- Positioning and guiding the management of information risk and security within other aspects of the organisation's architecture/design, e.g. its IT and information architecture (showing information flows, networked systems, databases, services etc.), complementing and supporting various other business strategies and architectures such as cloud first, artificial intelligence, IIoT, big data, new products, new markets ...;
- Providing a blueprint, mapping out and clarifying the organisational structure, governance arrangements and accountabilities for information risk and security relative to other parts of the business such as IT, physical security, Risk, legal/compliance, HR, operations, business continuity, knowledge management ...;
- Defining a coherent sequence or matrix of strategic initiatives (projects, investments, business and technology changes ...) over the next N years, embedding information risk management ever deeper into the fabric of the organisation and strengthening the information security arrangements in various ways (e.g.
systematically phasing out and replacing aged/deprecated security technologies while researching, piloting and then adopting new ones such as blockchain and post-quantum crypto);
- Driving the development and maturity of the information risk and security management function, covering its priorities, internal structure and external working relationships, governance etc.;
- Bringing clarity and direction (focus!), reducing the complexity and uncertainty associated with the myriad 'other options' that are discounted or put on hold;
- Seizing opportunities to align with and support various departments, processes, systems, partners, projects/initiatives, budgets, plans etc., finding and exploiting points of common interest, avoiding awkward conflicts and gaps;
- Identifying key objectives for information risk and security

Published: 2022-08-09T11:26:08+00:00
Source: http://blog.noticebored.com/2022/08/the-business-case-for-security-strategy.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=6206656

CISO workshop slides

A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning. The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact, given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity specifically.
Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):

Published: 2022-08-06T10:46:21+00:00
Source: http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=6150878

Security in software development

Prompted by some valuable customer feedback earlier this week, I've been thinking about how best to update the SecAware policy template on software/systems development. The customer is apparently seeking guidance on integrating infosec into the development process, which begs the question "Which development process?". These days, we're spoilt for choice with quite a variety of methods and approaches.

Reducing the problem to its fundamentals, there is a desire to end up with software/systems that are 'adequately secure', meaning no unacceptable information risks remain. That implies having systematically identified and evaluated the information risks at some earlier point, and treated them appropriately - but how?

The traditional waterfall development method works sequentially from business analysis and requirements definition, through design and development, to testing and release - often many months later. Systems security ought to be an integral part of the requirements up-front, and I appreciate from experience just how hard it is to retro-fit security into a waterfall project that has been running for more than a few days or weeks without security involvement.

A significant issue with waterfall is that things can change substantially in the course of development: the organisation hopefully ends up with the system it originally planned, but that may no longer be the system it needs.
If the planned security controls turn out to be inadequate in practice, too bad: the next release or version may be months or years away, if ever (assuming the same waterfall approach is used for maintenance, which is not necessarily so*). The quality of the security specification and design (which drives the security design, development and testing) depends on the identification and evaluation of information risks in advance, predicting the threats, vulnerabilities and impacts likely to be of concern at the point of delivery some time hence.

In contrast, lean, agile or rapid application development methods cycle through smaller iterations more quickly, presenting more opportunities to update security ... but also more chances to break security due to the hectic pace of change. A key problem is to keep everyone focused on security throughout the process, ensuring that whatever else is going on, sufficient attention is paid to the security aspects. Rapid decision-making is part of the challenge here. It's not just the method that needs to be agile!

DevOps and scrum approaches use feedback from users on each mini-release to inform the ongoing development. Hopefully security is part of that feedback loop so that it improves incrementally at the same time, but 'hopefully' is a massive clue: if users and managers are not sufficiently security-aware to push for improvements or resist degradat

Published: 2022-07-22T17:10:27+00:00
Source: http://blog.noticebored.com/2022/07/security-in-software-development.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=5871325

Complexity, simplified

Online Safety Bill.
It is written in extreme legalese, peppered with strange terms defined in excruciating detail, and littered with internal and external cross-references, hardly any of which are hyperlinked, e.g.

Published: 2022-07-10T13:41:08+00:00
Source: http://blog.noticebored.com/2022/07/complexity-simplified.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=5638390

The discomfort zone

Compliance is a concern that pops up repeatedly on the ISO27k Forum, just this morning for instance. Intrigued by ISO 27001 Annex A control A.18.1.1 "Identification of applicable legislation and contractual requirements", members generally ask what laws are relevant to the ISMS. That's a tough one to answer for two reasons.

Firstly, I'm not a lawyer so I am unqualified and unable to offer legal advice. To be honest, I'm barely familiar with the laws and regs in the UK/EU and NZ, having lived and worked here for long enough to absorb a little knowledge. The best I can offer is a layman's perspective. I feel more confident about the underlying generic principles of risk, compliance, conformity, obligations, accountabilities, assurance and controls though, and have the breadth of work and life experience to appreciate the next point ...

Secondly, there is a huge range of laws and regs that have some relevance to information risk, security, management and the ISMS. The mind map is a brief glimpse of the landscape, as I see it ...

That's a heady mix of laws and regs that apply to the organisation, its officers and workers, its property and finances, its technologies, its contracts, agreements and relationships with employees and third parties including the authorities, owners, suppliers, partners, prospects and customers, and society at large.
There are obligations relating to how it is structured, operated, governed, managed and controlled, plus all manner of internal rules voluntarily adopted by management for business reasons (some of which concern obligations under applicable laws and regs). Noncompliance and nonconformity open the can-o-worms still wider with obligations and expectations about 'awareness', 'due process', 'proof' and more, much more.

That A.18.1.1 control is - how shall I put it - idealistic:

"All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization."

All requirements?! Oh boy! Explicit! Documented! Maintained! This is bewildering, scary stuff, especially for relatively inexperienced infosec or cybersecurity professionals who seldom set foot outside of the IT domain. We're definitely in the

Published: 2022-07-05T11:41:40+00:00
Source: http://blog.noticebored.com/2022/07/the-discomfort-zone.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=5555746

Standards development - a tough, risky business

News emerged during June of likely further delays to the publication of the third edition of ISO/IEC 27001, this time due to the need to re-align the main body clauses with ISO's revised management systems template. The planned release in October is in some doubt.

Although we already have considerable discretion over which information security controls are being managed within our ISO/IEC 27001 Information Security Management Systems today, an unfortunate side-effect of standardisation, harmonisation, adoption, accreditation and certification is substantial inertia in the system as a whole.
It's a significant issue for our field, where the threats, vulnerabilities, impacts and controls are constantly shifting and often moving rapidly ahead of us ... but to be honest it's equally problematic for other emerging and fast-moving fields. Infosec is hardly special in this regard. Just look at what's happening in microelectronics, IT, telecomms, robotics, environmental protection and globalisation generally for examples.

One possible route out of the tar-pit we've unfortunately slid into is to develop forward-thinking 'future-proof' standards and release them sooner, before things mature, but that's a risky approach given the uncertainties ahead. It would not be good for ill-conceived/premature standards to drive markets and users in inappropriate directions. It's also tough for such a large, ponderous, conservative committee as ISO/IEC JTC 1/SC 27. However, the smart city privacy standard ISO/IEC TS 27570 is a shining beacon of light, with promising signs for the developing security standards on Artificial Intelligence and big data security too. I wish I could say the same of 'cyber', cloud and IoT security but (IMNSHO) the committee is struggling to keep pace with these fields, despite some fabulous inputs and proactive support from members plus the likes of the Cloud Security Alliance and NIST. The floggings will continue until morale improves.

Another tar-pit escape plan involves speeding up the standards development process, perhaps also the promotion, accreditation and certification processes that follow each standard's publication - but again there are risks in moving ahead too fast, compromising the quality and value of the standards, damaging ISO/IEC's established brands.
Published: 2022-07-02T12:23:41+00:00
Source: http://blog.noticebored.com/2022/07/standards-development-tough-risky.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=5501958

The sadly neglected Risk Treatment Plan

For some curious reason, the Statement of Applicability steals the limelight in the ISO27k world, despite being little more than a formality. Having recently blogged about the dreaded SoA, 'nuff said on that.

Today I'm picking up on the SoA's shy little brother, the Risk Treatment Plan. There's a lot to say and think about here, so coffee-up, settle-down, sit forward and zone-in.

ISO/IEC 27001 barely even acknowledges the RTP. Here are the first two mentions, tucked discreetly under clause 6.1.3:

Published: 2022-06-24T13:40:08+00:00
Source: http://blog.noticebored.com/2022/06/the-sadly-neglected-risk-treatment-plan.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=5350915

The Matrix, policy edition

security policy templates and ISO27k ISMS materials.

The main change was to distinguish conformity from compliance - two similar terms that I admit I had been using loosely and often incorrectly for far too long. As I now understand them:

- Compliance refers to fulfilling binding (mandatory) legal, regulatory and contractual obligations;
- Conformity concerns fulfilling optional (discretionary) requirements in standards, agreements, codes of ethics etc.

It's a fine distinction with implications for the associated information risks, given differing impacts:

- Noncompliance may lead to legal enforcement action (fines/penalties), other costly sanctions (such as more intrusive monitoring by the authorities and perhaps revocation of operating licenses) and business issues (such as reputational damage and brand devaluation, plus the costs of defending legal action).
- The consequences of nonconformity may be trivial or nothing at all if nobody even cares, but can also involve business issues such as inefficiencies, excess costs and so on, particularly if customers, business partners, the authorities or other stakeholders are seriously concerned at management's apparent disregard for good security practices.

Certification of an organisation's ISMS, then, demonstrates its conformity with, not compliance to, ISO/IEC 27001 - well, in most cases anyway, where management voluntarily chooses to adopt and conform to the standard. If they are obliged by some mandatory, legally-binding requirement (an applicable law or regulation, or perhaps terms in a formal contract with a supplier or customer, or perhaps a law or regulation), I guess they must comply. Putting that another way, nonconformity is an option. Noncompliance isn't.

Anyway, having adjusted the terminology and tweaked the SecAware materials, I took the opportunity to prepare two new 'bulk deal' packages - a comprehensive suite of information security policy templates, and a full set of ISO27k ISMS materials. I'm hoping to persuade customers to spend invest a little more for greater returns. The SecAware policies, for instance, are explicitly designed to work best as a whole, an integrated and coherent suite as opposed to an eclectic collection of policies on various discrete topics.
In recent years, I have developed a spreadsheet to track the mesh of relationships between policies:

Published: 2022-06-19T09:54:39+00:00
Source: http://blog.noticebored.com/2022/06/the-matrix-policy-edition.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=5259269

The dreaded Statement of Applicability

Subclause 6.1.3 of ISO/IEC 27001:2013 requires compliant organisations to define and apply an information security risk treatment process to:

a) select appropriate information security risk treatment options, taking account of the risk assessment results;

The 'risk treatment options' (including the information security controls) must be 'appropriate' and must 'take account of' (clearly relate to) the 'risk assessment results'. The organisation cannot adopt a generic suite of information security controls simply on the basis that they have been recommended or suggested by someone - not even if they are noted in Annex A.

b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE Organizations can design controls as required, or identify them from any source.

This requirement clearly specifies the need to determine all the controls that the organisation deems necessary to mitigate unacceptable information risks. Note, however, that it doesn't actually demand they are fully implemented: see point d) below.

c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen.
The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and cont

Published: 2022-06-06T10:06:44+00:00
Source: http://blog.noticebored.com/2022/06/the-dreaded-statement-of-applicability.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=5001393

Managing professional services engagements

In relation to professional services, management responsibilities are shared between client and provider, except where their interests and concerns diverge. Identifying and exploiting common interests goes beyond the commercial/financial arrangements, involving different levels and types of management:

Strategic management: whereas some professional services may be seen as short-term point solutions to specific issues ("temping"), many have longer-term implications such as the prospect of repeat/future business if things work out so well that the engagement is clearly productive and beneficial to both parties. Establishing semi-permanent insourcing and outsourcing arrangements can involve substantial investments and risks with strategic implications, hence senior management should be involved in considering and deciding between various options, designing and instituting the appropriate governance and management arrangements, clarifying responsibilities and accountabilities etc. Organisations usually have several professional services suppliers and/or clients. Aside from managing individual relationships, the portfolio as a whole can be managed, perhaps exploiting synergistic business opportunities (e.g. existing suppliers offering additional professional services, or serving other parts of the client organisation or its business partners).
Tactical and operational management: planning, conducting, monitoring and overseeing assignments within a professional services engagement obviously involves collaboration between client and provider, but may also affect and be affected by the remainder of their business activities. A simple example is the provision and direction of the people assigned to assignments, perhaps determining their priorities relative to other work obligations. If either party's management or workforce becomes overloaded or is distracted by other business, the other may need to help out and perhaps take the lead in order to meet agreed objectives - classic teamwork.

Commercial management: negotiating and entering into binding contracts or agreements can be a risky process. Getting the best value out of the arrangements includes not just the mechanics of invoicing and settling the bills accurately and on time, but getting the most out of all the associated resources, including the information content.

Relationship management: anyone over the age of ten will surely appreciate that relationships are tough! There are just so many dimensions to this, so much complexity and so many dynamics. In respect of professional services, there are both organisational and personal relationships to manage, where 'manage' is more about guiding, monitoring and reacting than directing and controlling. Despite the formalities of laws, contracts and policies, relationships seemingly play by their o

Published: 2022-05-14T17:22:46+00:00
Source: http://blog.noticebored.com/2022/05/managing-professional-services.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=4603514

How many metrics?
Published: 2022-05-11T10:30:05+00:00
Source: http://blog.noticebored.com/2022/05/how-many-metrics.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=4575064

Data masking and redaction policy

Last evening I completed and published another SecAware infosec policy template addressing ISO/IEC 27002:2022 clause 8.11 "Data masking":

"Data masking should be used in accordance with the organization's topic-specific policy on access control and other related topic-specific, and business requirements, taking applicable legislation into consideration."

The techniques for masking or redacting highly sensitive information from electronic and physical documents may appear quite straightforward. However, experience tells us the controls are error-prone and fragile: they generally fail-insecure, meaning that sensitive information is liable to be disclosed inappropriately. That, in turn, often leads to embarrassing and costly incidents with the possibility of prosecution and penalties for the organisation at fault, along with reputational damage and brand devaluation.

The policy therefore takes a risk-based approach, outlining a range of masking and redaction controls but recommending advice from competent specialists, particularly if the risks are significant.

The $20 policy template is available here.

Being a brand new policy, it hasn't yet had the benefit of the regular reviews and updates that our more mature policies enjoy ... so, if you spot issues or improvement opportunities, please get in touch.

As usual, I have masked/redacted the remainder of the policy for this blog and on SecAware.com by making an image of just the first half page or so, about one eighth of the document by size but closer to one quarter of the policy's information value. So I'm giving you about $5's worth of information, maybe $4 since the extract is just an image rather than an editable document.
On that basis, similar partial images of the 80-odd security policy templates offered through SecAware.com are worth around $320 in total. It's an investment, though, a way to demonstrate the breadth, quality, style and utility of our products and so convince potential buyers like you to invest in them.

Published: 2022-05-11T09:24:18+00:00
Source: http://blog.noticebored.com/2022/05/data-masking-and-redaction-policy.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=4574987

Professional services - concluding phase

Having introduced this blog series and covered information risks applicable to the preliminary and operational phases of a professional services engagement, it's time to cover the third and final phase, when the engagement and business relationship come to an end.

Eventually, all relationships draw to a close. Professional services clients and providers go their separate ways, hopefully parting on good terms unless there were unresolved disagreements, issues or incidents (hinting at some information risks).

It is worth considering what will/might happen at the end of a professional services engagement as early as the preliminary pre-contract phase. Some of the controls need to be predetermined and pre-agreed in order to avoid or mitigate potentially serious risks later on. Straightforward in principle ... and yet easily neglected in the heady rush of getting the engagement going. This is not unlike a couple drawing up their "pre-nup" before a wedding, or a sensible organisation making suitable business continuity arrangements in case of severe incidents or disasters ahead.

A potentially significant information risk in the concluding phase stems from the inappropriate retention by either party of [access to] confidential information obtained or generated in the course of the engagement - whether commercially sensitive or personal information.
Imagine the implications of, say, a law firm being hit by a ransomware attack, office burglary or insider incident, giving miscreants access to its inadequately-secured client casework files and archives. Meta-information about the engagement, assignment/s and contracts may also be commercially sensitive, for instance if the supplier deliberately under-priced the contract to secure the business and gain a foothold in the market, only to find it uneconomic to deliver the contracted services - a decidedly embarrassing situation if disclosed.

Information risks in this phase are amplified if the relationship e

Published: 2022-04-24T12:23:00+00:00
Source: http://blog.noticebored.com/2022/04/professional-services-concluding-phase.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=4499057

Topic-specific policy 11/11: secure development

ISO/IEC 27002:2022 is another potential nightmare for the naïve and inexperienced policy author.

Policy scoping

Despite the context and presumed intent, the title of the standard's policy example ("secure development") doesn't explicitly refer to software or IT. Lots of things get developed - new products for instance, business relationships, people, corporate structures and so on. Yes, even security policies get developed! Most if not all developments involve information (requirements/objectives, specifications, plans, status/progress reports etc.) and hence information risks ... so the policy could cover those aspects, ballooning in scope from what was presumably intended when the standard was drafted.

Even if the scope of the policy is constrained to the IT context, the information security controls potentially required in, say, software development are many and varied, just as the development and associated methods are many and varied, and more poignantly so too are the information risks.
Policy development

Your homework challenge, today, is to consider, compare and contrast these five markedly different IT development scenarios:

1. Commercial firmware being developed for a small smart actuator/sensor device (a thing) destined to be physically embedded in the pneumatic braking system of commercial vehicles such as trucks and coaches, by a specialist OEM supplier selected on the basis of lowest price.
2. A long-overdue technical update and refresh for a German bank's mature financial management application, developed over a decade ago by a team of contractors long since dispersed or retired, based on an obsolete database, with fragmentary documentation in broken English and substantial compliance implications, being conducted by a large software house based entirely in India.
3. A cloud-based TV program scheduling system for a global broadcaster, to be delivered iteratively over the next two years by a small team of contractors under the management of a consultancy firm, for a client that freely admits it barely understands phase 1 and essentially has no idea what might be required next, or when.
4. A departmental spreadsheet for time recording by home workers, so their time can be tracked and recharged to clients, and their productivity can be monitored by management.
5. Custom hardware, firmware and autonomous software required for a scientific exploration of the Mariana Trench - to be deployed in the only two deep-sea drones in existence that are physically capable of delivering and recovering the payload at the extreme depths required.

You may have worked in or with projects/initiatives vaguely similar to one, maybe even two or three of these, but probably not all five - and th

Published: 2022-04-23T18:06:15+00:00
Source: http://blog.noticebored.com/2021/10/topic-specific-example-1111-secure.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=4497069

Professional services - operational
Following on from the preliminary phase I covered yesterday, the longest phase of most professional services engagements is the part where the services are delivered. With the contractual formalities out of the way, the supplier starts the service, providing consultancy support or specialist advice. The client receives and utilises the service. Both 'sides' are important to both parties, since a professional service that isn't delivered and used doesn't generate value for the client, and is unlikely to lead to repeat business - such as additional assignments:

Deliberately taking a simplistic view once again, I have represented 'assignments' (which may be projects, jobs, tasks or whatever) as discrete pieces of work, each with a beginning, middle and end:

Things are never so neat and tidy in practice. Some assignments may never really get off the ground, and some gradually diminish or peter out rather than coming to an abrupt end. On-again-off-again assignments are challenging to plan and resource. Assignments may blend into each other or split apart. If the same supplier resources (mostly people) are involved in multiple assignments, possibly for multiple clients, t

Published: 2022-04-23T12:40:00+00:00
Source: http://blog.noticebored.com/2022/04/professional-services-operational.html
Aggregator: www.secnews.physaphae.fr/article.php?IdArticle=4496171

EU to standardise on ISO 31000 and ISO/IEC 27005?

"Risk management procedures are fundamental processes to prepare organisations for a future cybersecurity attack, to evaluate products and services for their resistance to potential attacks before placing them on the market, and to prevent supply chain fraud" says ENISA in the report "RISK MANAGEMENT STANDARDS - Analysis of standardisation requirements in support of cybersecurity policy" published in March 2022.
Not to be left behind, ENISA - originally the European Network and Information Security Agency (an official agency of the EU) - leapt aboard the cyber bandwagon, rebranding itself "The European Union Agency for Cybersecurity" when it became a permanent EU agency under the European Cybersecurity Act, regulation (EU) 2019/881.

Despite the vague title, RISK MANAGEMENT STANDARDS in fact primarily concerns "risk management [and] security of ICT products, ICT services and ICT processes", where 'risk' means "any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems." Apparently, "The main goal of risk management is (in general) to protect ICT products (software, hardware, systems, components, services) and business assets, and minimise costs in cases of failures. Thus it represents a core duty for successful business or IT management." In other words, the ENISA document revolves primarily around IT risks, although it does casually mention 'enterprise risk management', which takes in operational, market, supply chain, project, strategic and other risks.

Unfortunately, I haven't dug deep enough yet to reveal actual definitions of key terms such as "cybersecurity" or "sector". Evidently, we are supposed to just know what they mean. It doesn't help that the cited "Methodology for Sectoral Cybersecurity Assessments 2021" official download appears to be broken, but consulting another source I see that it doesn't even define those terms anyway.
Furthermore, an embedded diagram suggests an unconventional interpretation of 'risk' and 'exposure', while 'threat' seemingly disregards unintentional and untargeted threats such as generic malware, accidents and storms:

Published 2022-04-23T11:09:24+00:00 | http://blog.noticebored.com/2022/04/eu-to-standardise-on-iso-31000-and.html | www.secnews.physaphae.fr/article.php?IdArticle=4496047

Professional services - preliminaries

a guideline on the information risk, security and privacy aspects of professional services. I introduced a simplistic 3-phase model for the business relationship through which one or more professional services assignments are delivered and consumed. Today, I'm exploring the preliminary phase.

Before professional services are delivered, client and provider form a business relationship. They determine the professional services required and offered, and of course negotiate the commercial arrangements. They also have the opportunity to decide how the services are to be provided, and how both the assignment/s and the business relationship are to be managed.

Contracting is an important control in its own right, with significant information and commercial risks associated. The contract may for instance:
- Be inappropriate for either organisation, the relationship and/or the professional service/s;
- Be informal, undocumented, invalid and hence unenforceable;
- Bypass or shortcut due process;
- Be uneconomic for either party;
- Be unfair, biased and perhaps unethical;
- Lead to problems if an assignment fails or the whole relationship turns sour, perhaps as a result of an incident.

Contracting is a chance for both organisations to think forward, discuss and agree the governance, management, compliance, security/privacy, control and assurance needed for the remainder of the professional services lifecycle (both phases!).
It may be infeasible, later on, to modify the terms or specify additional requirements and the associated arrangements for integrity, confidentiality, incident management etc., especially if relationship issues arise.

Also at this stage, client and provider conduct some form of due diligence checks on each other, exploring factors such as solvency, competence, qualifications, certifications and reputations. The manner in which both parties participate in this phase can be a valuable predictive indicator - a big clue as to how things are likely to pan out later, e.g.:

Appreciation of each party's capabilities and concerns, plus their common interests in making a commercial success of the planned assignment/s and the business relationship as a whol

Published 2022-04-22T09:26:38+00:00 | http://blog.noticebored.com/2022/04/professional-services-preliminaries.html | www.secnews.physaphae.fr/article.php?IdArticle=4490303

Information risk and security for professional services

Published 2022-04-21T17:39:36+00:00 | http://blog.noticebored.com/2022/04/information-risk-and-security-for.html | www.secnews.physaphae.fr/article.php?IdArticle=4486142

Value-based infosec

This week in an ISO27k Forum thread about selecting information security controls from ISO/IEC 27002, Ross told us "cost is always A factor, however more accurately, the "Cost-Benefit Ratio" may become a deciding factor. A general principle is that the cost of implementing a risk treatment should never exceed the value of the asset being protected. Determining the 'value' of the 'asset' might be tricky (eg.
impact to brand value when considering consequential reputational risk), however someone within an organisation often has an existing view on this value."

Clearly security controls should save more than they cost, hence in theory organisations should only invest in, operate and maintain controls that are valuable ... but in reality, value-based information risk and security management is far from straightforward.

For starters, we have no choice with some controls: even in a greenfield situation such as a high-tech startup, the very act of designing and building the company depends on a raft of governance and management controls.

Next, consider the costs. Controls have lifecycles incurring costs at every stage, starting even before we develop or procure them, since someone has to determine the requirements, then specify and search for solutions, then implement and configure them. Once operational, there are costs associated with using controls, plus generally they need to be monitored, managed and maintained, and perhaps eventually retired or replaced. Being tricky to measure, it is tempting to ignore these costs, lumping them in with all the other costs of doing business ... which may explain the failure of some kinds of control. Complex controls require significant care and attention to keep them operating efficiently and effectively.

Thirdly, consider the benefits. Information security controls rarely eliminate information risks: usually, the best we can hope for is partial mitigation - reducing the probability and/or impact of certain types of incident - and even that is uncertain without associated controls such as monitoring, compliance and assurance. What is the $ value of reducing information risks?
If a given control had not been selected and put into operation, how costly would any corresponding incidents

Published 2022-04-15T09:09:24+00:00 | http://blog.noticebored.com/2022/04/value-based-infosec.html | www.secnews.physaphae.fr/article.php?IdArticle=4451281

The nine controls ISO/IEC 27002 missed

Despite the excellent work done to restructure and update the standard, I still feel some commonplace 'good practice' information security controls are either Missing In Action or inadequately covered by ISO/IEC 27002:2022, these nine for example:

Business continuity controls, covering resilience, recovery and contingency aspects in general, not just in the IT security or IT domains. ISO 22301 is an excellent reference here, enabling organisations to identify, rationally evaluate and sensibly treat both high probability x low impact and low probability x high impact information risks (the orange zone on probability impact graphics), not just the obvious double-highs (the reds and flashing crimsons!). Therefore, '27002 could usefully introduce/summarise the approach and refer readers to '22301 and other sources for the details.

Availability and integrity controls supporting/enabling the exploitation of high-quality, up-to-date, trustworthy business information and opportunities for legitimate purposes within the constraints of applicable policies, laws, regulations etc., even when this means deliberately taking chances (accepting risks!) to secure business opportunities. Also, I'd like to see, somewhere in the ISO27k series, clearer advice on how to tackle the trade-off between control and utility: information that is too tightly secured loses its value, just as it does if inadequately secured ... and that in turn leads to the idea of at least mentioning financial and general business controls relating to information risk and security (e.g.
budgeting, project investments, resourcing, cost accounting, incident and impact costing, valuing intangible assets, directing and motivating specialists: these are all important but tricky areas, so advice would help improve the effectiveness and efficiency of information security). [Some of this is covered, albeit quite academically rather than pragmatically, in ISO/IEC 27014 and '27016, and outside the ISO27k realm.]

Health and safety controls protecting 'our most valuable assets', providing a supportive work environment that is conducive to getting the most out of our people, and ensuring the safety of our customers using our products. As with business continuity, H&S is pretty well covered by other standards plus laws and regs ... although, arguably, there's much more left to say, yet, on mental health (e.g. the long-term adverse health effects of excessive stress, both on and off the job), with significant implications for information risks

Published 2022-03-15T16:36:29+00:00 | http://blog.noticebored.com/2022/03/the-nine-controls-isoiec-27002-missed.html | www.secnews.physaphae.fr/article.php?IdArticle=4282237

Information security control attributes

Today I completed and published a 20-page white paper about 'control attributes', inspired by those used in ISO/IEC 27002:2022. The concept behind the paper has been quietly brewing for a couple of months or more, taking the past few weeks to crystallise into words in a form that I'm happy to share publicly.

In a nutshell, 'attributes' are characteristics or features that can be used to categorise, sort or rank information security controls by various criteria. That simplistic concept turns out to unlock some powerful possibilities, described pragmatically in the paper.
It's a more innovative and valuable technique than it may appear.

Along the way, I regret inadvertently upsetting the team of JTC 1/SC 27 editors working on ISO/IEC 27028 by sharing an incomplete draft with them in the hope it might become the basis of the initial draft of the new standard. During a Zoom meeting. At 3:00am, NZ time. I wasn't at my best. Ooops.

Anyway, now the paper is 'finished' and published, I'm hoping to prompt debate and insightful comments, gathering useful feedback and especially improvement suggestions from readers, leading in turn to a better document to submit (through the proper process, this time!) to the SC 27 project team. We may unfortunately have missed our opportunity to deliver a complete 'donor document' to use as the first working draft of the new standard, but all is not lost. The paper's suggestions on how to use attributes will, I hope, make a substantial contribution to the second working draft, and in time inform the issued standard.

It is published under a Creative Commons licence. Exposure, discussion and insightful comment is what I'm after so, in addition to this blog, I have notified the 4,500 members of the ISO27k Forum about the paper and released it to an unknown number of LinkeDinners.

Care to join the gang? Download the paper here. Share and discuss it with your peers and colleagues. Rip it to shred

Published 2022-03-01T20:18:41+00:00 | http://blog.noticebored.com/2022/03/infomation-security-control-attributes.html | www.secnews.physaphae.fr/article.php?IdArticle=4206047

Weaving strategies with policies

mentioned recently here on the blog that there can be strategic elements to policies, just as there are operational aspects to the supporting procedures and guidelines. With the new year fast approaching, I'd like to explore that further today.

Warning: your blinkers are coming off.
Prepare for the glare.

Take for instance the corporate responses to COVID-19. Out of necessity, organisations in lockdown shifted rapidly from on-site office work and in-person meetings to home-working, using video conferencing, email and collaborative approaches. Although that may have been a purely reactive, un-pre-planned response to the global crisis that erupted (despite prior pandemics and warnings arising from increasing international travel), it was facilitated by longer-term planned, strategic changes and investments in a resilient workforce with flexible working practices and positive attitudes, strong relationships within and without the organisation, plus appropriate tools and technologies - in particular the cloud (since about 2000) and, of course, IT (since about 1970).

Thinking about it, the very concept of 'office work', or indeed 'work', stretches back still further, along with 'business', 'commerce', 'profit' and 'money'. Gradual shifts in human society on an almost evolutionary scale have led to where we are right now ... and will continue going forward, presenting strategic challenges and opportunities to those who are awake to the possibilities ahead (both positive and negative), sufficiently resilient to cope with adversity yet resourceful, strong enough and well-positioned to surge forward when it makes sense.

In some organisations, policies and practices for home/virtual working were hastily developed and adopted during and in response to the COVID outbreak. In others, either the policies and practices were already in place, or there was no specific need for them since flexible, tech-enabled working was very much the norm already. A few laggards are still struggling to catch up even today, and failing to thrive in adversity may mean failing to survive in perpetuity.

[Aside: how on Earth can today's politicians justify holding a climate change conference as a physical, in-person event, during COVID no less, rather than virtually, on-line?
Are we even on the same planet? Shakes head in disbelief.]

The relation goes both ways: policies can prompt strategic changes, and vice versa. Thinking forward, virtual working presents opportunities for global collaboration on an unprecedented scale, with reduced costs, increased efficiencies, access to a global talent pool and of course global markets. 'Globalization' is not just about establishing a widespread physical presence and brands: it's also about harnessing a widely distributed and culturally diverse workforce, harnessing technology to link, leverage and exploit the very best of the best.

Published 2021-11-27T09:26:57+00:00 | http://blog.noticebored.com/2021/11/weaving-strategies-with-policies.html | www.secnews.physaphae.fr/article.php?IdArticle=3712965

Topic-specific example 11/11: secure development

ISO/IEC 27002:2022 is another potential nightmare for the naïve and inexperienced policy author. Despite the context, the title of the standard's policy example ("secure development") doesn't explicitly refer to software or IT. Lots of things get developed - new products for instance, business relationships, corporate structures and so on. Yes, even security policies get developed! Most if not all developments involve information (requirements/objectives, specifications, plans, status/progress reports etc.) and potentially substantial information risks ... so the policy could cover those aspects, ballooning in scope from what was presumably intended when the standard was drafted.

Even if the scope of the policy is constrained to the IT context, the information security controls potentially required in, say, software development are many and varied, just as the development and associated methods are many and varied, and more poignantly so are the information risks.
Your homework challenge, today, is to consider, compare and contrast these five markedly different IT development scenarios:
- Commercial firmware being developed for a small smart actuator/sensor device (a thing) destined to be physically embedded in the pneumatic braking system of commercial vehicles such as trucks and coaches, by a specialist OEM supplier selected on the basis of lowest price.
- A long-overdue technical update and refresh for a German bank's mature financial management application, developed over a decade ago by a team of contractors long since dispersed or retired, based on an obsolete database, with fragmentary documentation in broken English and substantial compliance implications, being conducted by a large software house based entirely in India.
- A cloud-based TV program scheduling system for a global broadcaster, to be delivered iteratively over the next two years by a small team of contractors under the management of a consultancy firm for a client that freely admits it barely understands phase 1 and essentially has no idea what might be required next, or when.
- A departmental spreadsheet for time recording by home workers, so their time can be tracked and recharged to clients, and their productivity can be monitored by management.
- Custom hardware, firmware and autonomous software required for a scientific exploration of the Mariana Trench - to be deployed in the only two deep-sea drones in existence that are physically capable of delivering and recovering the payload at the extreme depths required.

You may have worked in or with projects/initiatives vaguely similar to one, maybe even two or three of these, but probably not all five - and these are just a few random illustrative examples plucked from the millions of such activities going on right now.
The sheer number and variety of possibilities is bewildering, so how on earth can one draft a sensible policy?

As is the way with ISO27k, the trick is to focus on the information

Published 2021-10-23T16:00:00+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/9OkGaAP3f2E/topic-specific-example-1111-secure.html | www.secnews.physaphae.fr/article.php?IdArticle=3551830

Topic-specific policy 6/11: information security incident management

ISO/IEC 27002, being the only one of eleven example titles in the standard that explicitly states "information security". I ask myself why? Is there something special about the management of events classed as 'information security incidents', as opposed to other kinds? Hmmmm, yes there are some specifics but I'm not entirely convinced of a need for a distinct, unique policy. I feel there is more in common with the management of all kinds of incident than there are differences in respect of infosec incidents, hence "Incident management policy" makes more sense to me.

Here's one I prepared earlier.

Organisations deal with events and incidents all the time. Aside from the humdrum routines of business, things don't always go to plan and unexpected situations crop up. Mature organisations typically have incident management policies already, plus the accompanying procedures and indeed people primed and ready to respond to 'stuff' at the drop of a hat. Wouldn't it make sense, therefore, to ensure that "information security incidents" are handled in much the same way as others?

That's fine for mature organisations. For the rest, the SecAware information security policy template on incident management concentrates on the specifics of infosec incidents and outlines incident management in general.
A workable infosec policy can prompt the development and maturity of incident management by:
- Documenting and formalising things - particularly the process, expressing management's expectations and requirements in clear terms (e.g. striking the right balance between investigating and resolving incidents, especially where business continuity is a factor).
- Stabilising the working practices, de-cluttering things, making them more consistent and hence amenable to management control.
- Enabling reviews and audits, leading to systematic process improvement where appropriate.
- Discouraging inappropriate shortcuts (e.g. ineptly investigating serious issues, compromising important forensic evidence) while facilitating escalation and management decisions where appropriate (e.g. determining whether forensic investigation is justified).

Published 2021-10-18T20:19:51+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/U2aFEkEyMwc/topic-specific-policy-611-information.html | www.secnews.physaphae.fr/article.php?IdArticle=3526425

Topic-specific policy 4/11: information transfer

"Information transfer" is another ambiguous, potentially misleading title for a policy, even if it includes "information security". Depending on the context and the reader's understanding, it might mean or imply a security policy concerning:
- Any passage of information between any two or more end points - network datacommunications, for instance, sending someone a letter, speaking to them or drawing them a picture, body language, discussing business or personal matters, voyeurism, surveillance and spying etc.
- One-way flows or a mutual, bilateral or multilateral exchange of information.
- Formal business reporting between the organisation and some third party, such as the external auditors, stockholders, banks or authorities.
- Discrete batch-mode data transfers (e.g.
sending backup or archival tapes to a safe store, or updating secret keys in distributed hardware security modules), routine/regular/frequent transfers (e.g. strings of network packets), sporadic/exceptional/one-off transfers (e.g. subject access requests for personal information) or whatever.
- Transmission of information through broadcasting, training and awareness activities, reporting, policies, documentation, seminars, publications, blogs etc., plus its reception and comprehension.
- Internal communications within the organisation, for example between different business units, departments, teams and/or individuals, or between layers in the management hierarchy.
- "Official"/mandatory, formalised disclosures to authorities or other third parties.
- Informal/unintended or formal/intentional communications that reveal or disclose sensitive information (raising confidentiality concerns) or critical information (with integrity and availability aspects).
- Formal provision of valuable information, for instance when a client discusses a case with a lawyer, accountant, auditor or some other professional.
- Legal transfer of information ownership, copyright etc. between parties, for example when a company takes over another or licenses its intellectual property.

Again there are contextual ramifications. The nature and importance of information transfers differ between, say, hospitals and health service providers, consultants and their clients, social media companies and their customers, and battalion HQ with operating units out in the field. There is a common factor, however, namely information risk.
The in

Published 2021-10-15T12:40:00+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/MHAW1fkbrQs/topic-specific-policy-411-information.html | www.secnews.physaphae.fr/article.php?IdArticle=3516936

Topic-specific policy 3/11: asset management

This piece is different to the others in this blog series. I'm seizing the opportunity to explain the thinking behind, and the steps involved in researching and drafting, an information security policy through a worked example. This is about the policy development process, more than the asset management policy per se. One reason is that, despite having written numerous policies on other topics in the same general area, we hadn't appreciated the value of an asset management policy, as such, even allowing for the ambiguous title of the example given in the current draft of ISO/IEC 27002:2022.

The standard formally but (in my opinion) misleadingly defines asset as 'anything that has value to the organization', with an unhelpful note distinguishing primary from supporting assets. By literal substitution, 'anything that has value to the organization management' is the third example information security policy topic in section 5.1 ... but what does that actually mean?

Hmmmm. Isn't it tautologous? Does anything not of value even require management? Is the final word in 'anything that has value to the organization management' a noun or verb, i.e. does the policy concern the management of organizational assets, or is it about securing organizational assets that are valuable to its managers; or both, or something else entirely?
Well, OK then, perhaps the standard is suggesting a policy on the information security aspects involved in managing information assets, by which I mean both the intangible information content and (as applicable) the physical storage media and processing/communications systems such as hard drives and computer networks?

Seeking inspiration, Googling 'information security asset management policy' found me a policy by Sefton Council along those lines: with about 4 full pages of content, it covers security aspects of both the information content and IT systems, more specifically information ownership, valuation and acceptable use:

1.2. Policy Statement
The purpose of this policy is to achieve and maintain appropriate protection of organisational assets. It does this by ensuring that every information asset has an owner and that the nature and value of each asset is fully understood. It also ensures that the boundaries of acceptable use are clearly defined for anyone that has access to

Published 2021-10-14T17:20:00+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/RzQfkTDBmhs/topic-specific-policy-311-asset.html | www.secnews.physaphae.fr/article.php?IdArticle=3512451

Pinball management

It could be argued that 'management' of all kinds (including information risk and security management) is, or rather should be, a rational process, meaning that managers should systematically gather and evaluate information, take account of sound advice, make sensible decisions, put in place whatever is necessary to implement the decisions etc., all the time acting in the organization's best interests, furthering its business objectives, strategies, policies etc. In practice, there are all manner of issues with that approach that complicate matters, frustrate things, and lead to 'suboptimal' situations that may be - or at least appear to be - irrational, inappropriate or unnecessary.
In particular, there are numerous paradoxes. For example:
- The obvious core objective of a typical commercial company to make a substantial profit for its owners may conflict with various ethical and legal objectives to spend money on protecting and furthering the wider interests of society and individuals - including their privacy.
- There's a fine line between motivating/supporting/encouraging/directing and demotivating/micro-managing/exploiting employees.
- Efficiency in most matters comes at the cost of effectiveness, and vice versa.
- They say quality is free, but is that a lie?

Published 2021-07-29T16:36:24+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/XFApGQz-u1o/pinball-management.html | www.secnews.physaphae.fr/article.php?IdArticle=3146681

Are our infosec controls sufficient?

Although it's tempting to dismiss such questions as rhetorical, trivial or too difficult, there are reasons for taking them seriously*. Today I'm digging a little deeper into the basis for posing such tricky questions, explaining how we typically go about answering them in practice, using that specific question as an example. OK, here goes.

The accepted way of determining the sufficiency of controls is to evaluate them against the requirements. Adroitly sidestepping those requirements for now, I plan to blabber on about the evaluation aspect or, more accurately, assurance.

Reviewing, testing, auditing, monitoring etc. are assurance methods intended to increase our knowledge. We gather relevant data, facts, evidence or other information concerning a situation of concern, consider and assess/evaluate it in order to:
- Demonstrate, prove or engender confidence that things are going to plan, working well, sufficient and adequate in practice, as we hope; and
- Identify and ideally quantify any issues, i.e. aspects that are not, in reality, working quite so well, sufficiently and adequately.
Assurance activities qualify as controls to mitigate risks, such as information risks associated with information risk and security management, e.g.:
- Mistakes in our identification of other information risks (e.g. failing to appreciate critical information-related dependencies of various kinds);
- Biases and errors in our assessment/evaluation of identified information risks (e.g. today's obsessive focus on “cyber” implies down-playing, perhaps even ignoring other aspects of information security, including non-cyber threats such as physical disasters and hum

Published 2021-06-26T17:27:23+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/XARVjFUnZq8/are-our-infosec-controls-sufficient.html | www.secnews.physaphae.fr/article.php?IdArticle=2985374

Pre-shocks and after-shocks

Just a brief note today: it's a lovely sunny Saturday morning down here and I have Things To Do.

I'm currently enjoying another book by one of my favourite tech authors: Yossi Sheffi's

Published 2021-04-24T09:47:20+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/TT_yFFhUTew/pre-shocks-and-after-shocks.html | www.secnews.physaphae.fr/article.php?IdArticle=2686094

KISS or optimise your ISO27k ISMS?

the ISO27k Forum, someone naively suggests that we should Keep It Simple Stupid. After all, an ISO27k ISMS is, essentially, simply a structured, systematic approach for information risk management, isn't it? At face value, then, KISS makes sense.
In practice, however, factors that complicate matters for organizations designing, implementing and using their ISMSs include different:
- Business contexts – different organization sizes, structures, maturities, resources, experiences, resilience, adaptability, industries etc.;
- Types and significances of risks – different threats, vulnerabilities and impacts, different potential incidents of concern;
- Understandings of 'information', 'risk' and 'management' etc. – different goals/objectives, constraints and opportunities, even within a given organization/management team (and sometimes even within someone's head!);
- Perspectives: the bungee jumper, bungee supplier and onlookers have markedly different appreciations of the same risks;
- Ways of structuring things within the specifications of '27001, since individual managers and management teams have the latitude to approach things differently, making unique decisions based on their understandings,

Published 2021-04-23T15:58:38+00:00 | http://feedproxy.google.com/~r/NoticeBored/~3/z4BraQ4C6tI/kiss-or-optimise-your-iso27k-isms.html | www.secnews.physaphae.fr/article.php?IdArticle=2681635

Policy development process: phase 1

On Sunday I blogged about preparing four new 'topic-specific' information security policy templates for SecAware. Today I'm writing about the process of preparing a policy template.

First of all, the fact that I have four titles means I already have a rough idea of what the policies are going to cover (yes, there's a phase zero). 'Capacity and performance management', for instance, is one requested by a customer - and fair enough. As I said on Sunday, this is a legitimate information risk and security issue with implications for confidentiality and integrity as well as the obvious availability of information.
In my professional opinion, the issue is sufficiently significant to justify senior management's concern, engagement and consideration (at least). Formulating and drafting a policy is one way to crystallise the topic in a form that can be discussed by management, hopefully leading to decisions about what the organisation should do. It's a prompt to action.

At this phase in the drafting process, I am focused on explaining things to senior management in such a way that they understand the topic area, take an interest, think about it, and accept that it is worth determining rules in this area. The most direct way I know of gaining their understanding and interest is to describe the matter 'in business terms'. Why does 'capacity and performance management' matter to the business? What are the strategic and operational implications? More specifically, what are the associated information risks? What kinds of incident involving inadequate capacity and performance can adversely affect the organization?

Answering such questions is quite tough for generic policy templates lacking the specific business context of a given organisation or industry, so we encourage customers to customise the policy materials to suit their situations. For instance:
- An IT/cloud service company would probably emphasise the need to maintain adequate IT capacity and performance for its clients and for its own business operations, elaborating on the associated IT/cyber risks.
- A healthcare company could mention health-related risk examples where delays in furnishing critical information to the workers who need it could jeopardise treatments and critical care.
- A small business might point out the risks to availability of its key workers, and the business implications of losing its people (and their invaluable knowledge and experience, i.e. information assets) due to illness/disease, resignation or retirement. COVID is a very topical illustration.
An accountancy or law firm could focus on avoiding issues caused by late or incomplete information - perhaps even discussing the delicate balance between those two aspects (e.g. there a
2021-04-13T11:17:11+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Jut-vvWbIKA/policy-development-process-phase-1.html www.secnews.physaphae.fr/article.php?IdArticle=2628026 False Guideline None None

NoticeBored - Experienced IT Security professional
Infosec policy development
We're currently preparing some new information risk and security policies for SecAware.com. It's hard to find gaps in the suite of 81 policy templates already on sale (!) but we're working on these four additions:
Capacity and performance management: usually, an organization's capacity for information processing is managed by specialists in IT and HR. They help general management optimise and stay on top of information processing performance too. If capacity is insufficient and/or performance drops, that obviously affects the availability of information ... but it can harm the quality/integrity and may lead to changes that compromise confidentiality, making this an information security issue. The controls in this policy will include engineering, performance monitoring, analysis/projection and flexibility, with the aim of increasing the organisation's resilience. It's not quite as simple as 'moving to the cloud', although that may be part of the approach.
Information transfer: disclosing/sharing information with, and obtaining information from, third party organisations and individuals is so commonplace, so routine, that we rarely even think about it. This policy will outline the associated information risks, mitigating controls and other relevant approaches.
Vulnerability disclosure: what should the organisation do if someone notifies it of vulnerabilities or other issues in its information systems, websites, apps and processes?
Should there be mechanisms in place to facilitate, even encourage notification? How should issues be addressed? How does this relate to penetration testing, incident management and assurance? Lots of questions to get our teeth into!
Clear desks and screens: this is such a basic, self-evident information security issue that it hardly seems worth formulating a policy. However, in the absence of policy and with no 'official' guidance, some workers may not appreciate the issue or may be too lazy/careless to do the right thing. These days, with so many people working from home, the management oversight and peer pressure typical in corporate office settings are weak or non-existent, so maybe it is worth strengthening the controls by reminding workers to tidy up their workplaces and log off. It's banal, not hard!
The next release of ISO/IEC 27002 will call these "topic-specific information security policies" focusing on particular issues and/or groups of people in some detail, whereas the organisation's "information security policy" is an overarching, general,
2021-04-11T14:52:31+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/947ehLndxmU/infosec-policy-development.html www.secnews.physaphae.fr/article.php?IdArticle=2619342 False Guideline None None

NoticeBored - Experienced IT Security professional
Y2k + 20: risk, COVID and "the Internet issue"
It feels like 'just the other day' to me but do you recall "Y2k" and all that? Some of you reading this weren't even born back then, so here's a brief, biased and somewhat cynical recap.
For a long time prior to the year 2000, a significant number of software programmers had taken the same shortcut we all did back in "the 90s". Year values were often coded with just two decimal digits: 97, 98, 99 ... then 00, "coming ready or not!". "Oh Oh" you could say. "OOps".
When year counters went around the clock and reset to zero, simplistic arithmetic operations (such as calculating when something last happened, or should next occur) would fail causing ... well, potentially causing issues, in some cases far more significant than others.
Failing coke can dispensers and the appropriately-named Hornby Dublo train sets we could have coped with but, trust me, you wouldn't want your heart pacemaker, new fangled fly-by-wire plane or the global air traffic control system to decide that it had to pack up instantly because it was nearly 100 years past its certified safe lifetime. Power grids, water and sewerage systems, transportation signalling, all manner of communications, financial, commercial and governmental services could all have fallen in a heap if the Y2k problem wasn't resolved in time, and this was one IT project with a hard, immutable deadline, at a time when IT project slippage was expected, almost obligatory. Tongue-in-cheek suggestions that we might shimmy smoothly into January 1st [19]9A were geekly-amusing but totally impracticable.
In risk terms, the probability of Y2k incidents approached 100% certain and the personal or societal impacts could have been catastrophic under various credible scenarios - if (again) the Y2k monster wasn't slain before the new year's fireworks went off ... and, yes, those fancy public fireworks display automated ignition systems had Y2k failure modes too, along with the fire and emergency dispatch systems and vehicles. The combination of very high probability and catastrophic impact results in a risk up at the high end of a tall scale. So, egged-on by information security pros and IT auditors (me, for instance), management took the risk seriously and invested significant resources into solving "the Y2k issue". Did you spot the subtle shift from "Y2k" to "the Y2k issue"? I'll circle back to that in just a moment.
Individual Y2k programming updates were relatively straightforward on the whole (with some interesting exceptions, mostly due to prehistoric IT systems still in use well past their best-before dates, with insurmounta
2021-01-10T10:34:21+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/0xVDEQAmq2s/y2k-20-risk-covid-and-internet-issue.html www.secnews.physaphae.fr/article.php?IdArticle=2165023 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog Oct 8 - is Facebook an asset?
Yet another good question came up on the ISO27k Forum today*. Someone asked whether to add the company's Facebook page to their information asset register (implying that it would need to be risk-assessed and secured using the Information Security Management System processes), or whether the asset should be the Facebook account (ID and password, I guess)**.
From the marketing/corporate perspective, good customer relations are perhaps the most valuable information assets of all, along with other external relations (e.g. your suppliers, partners, prospective and former customers, regulators/authorities and owners) and internal relations (the workforce, including staff, management, contractors, consultants and temps, plus former and prospective workers). It's tempting to think of these as just categories or faceless corporations, but in reality the interactions are between individual human beings, so social relations in general are extremely important in business. There are numerous mechanisms that generate, support and maintain good customer relations, Facebook for example. Likewise for other relations (e.g. ISO27k Forum!). You might think of them as simply apps or information services, often cloud based, often commercial services provided by third parties hence limiting what is on offer and your options or influence over the infosec, privacy and other requirements.
There are also related processes and activities, some of which have infosec, privacy and other implications e.g. I have a bank pestering me right now for identification info which they need from me as part of the anti money laundering regs: it's a pain for me and for them, but they have to comply with the laws and regs. Workforce relationship management and 'industrial relations' is a huge part of 'management', with governance, compliance and other implications and risks. Overall, relationship management is, clearly, an important part of business success, or indeed failure when things go horribly wrong (e.g. look up the Ratners jewelers fiasco in the UK, and just look around at the difficulties arising from COVID-19: our people and myriad relationships are under extreme stress this year, not just our organisations).
Summing up, I encourage everyone to think big in terms of the scope of information assets, with a strong emphasis on the information that matters most to the business, the organization, and its strategic objectives. The IT systems and services are merely business tools: what matters most is the business information generated/processed by them.
* As I've said before, it's funny how often a simple, seemingly basic or naive question on ISO27k Forum leads to something more revealing when the answers and debate sta
2020-10-08T05:41:06+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/yi7jHwNMpPE/nblog-oct-8-is-facebook-asset.html www.secnews.physaphae.fr/article.php?IdArticle=2148825 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog Sept 27 - 2021 infosec budget
Are you responsible for your organisation's information security or cybersecurity budget? Are you busily putting the finishing touches to your 2021 budget request, still working on it, just thinking about it, or planning to do it, honestly, when you next come up for breath?
Budgeting is generally a dreaded, stressful management task.
Not only do we have to figure out the figures but we typically anticipate a tough battle ahead leading (probably) to a disappointing outcome and yet more problems.
On top of that, 2020 has been an exceptional year thanks to COVID. The business and information security implications of knowledge workers suddenly working from home, en masse, are still playing out now, while the economic impacts of COVID do not bode well for any of next year's budgets except perhaps for the manufacture of vaccines, masks, gloves, sanitiser and respirators.
A substantial part of information security expenditure is (whatever we may believe as professionals) discretionary. The decision to go for ISO/IEC 27001 certification, for instance, flows largely from management's appreciation of the business value of investing in information risk and security management good practices. There may be specific drivers such as incidents, compliance pressures or demands from business owners, partners and prospective customers, but even then there are numerous options and factors to consider such as:
The objectives for the Information Security Management System - what it is expected to achieve;
How broadly or narrowly to scope the ISMS;
At what pace to implement the standard, and how precisely;
What resources to assign to the implementation, not least a suitable implementation project manager/consultant and project team;
Priorities for this work relative to other business activities, objectives and requirements, making adjustments as necessary (both initially and as the project proceeds when stuff comes up - as COVID did, for instance);
Alignment with other corporate projects and initiatives e.g. exploiting strategic opportunities to update various systems, policies and processes for security and other reasons, at the same time;
Change management aspects: does the organisation have the capacity and appetite first to adopt and assimilate the ISMS, and secondly to get the most out of it;
Project risks e.g.
the possibility that things probably w
2020-09-27T17:59:17+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/ZKVsWHrDvlg/nblog-sept-27-2021-infosec-budget.html www.secnews.physaphae.fr/article.php?IdArticle=2148826 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog Aug 28 - NZ Stock Exchange DDoS continues
The New Zealand Stock Exchange is having a rough week. Under assault from a sustained DDoS attack, its web servers have crumpled and fallen in an untidy heap again today, the fourth day of embarrassing and costly disruption.
DDoS attacks are generally not sophisticated hacks but crude overloads caused by sending vast volumes of data to overwhelm the servers. The Host Error message above shows "RedShield" which appears to be a security service remarkably similar to a Web Application Firewall (although the company claims to be producing something far better) ...
If so, RedShield appears to be passing DDoS traffic to the stock exchange web servers which can't cope. Presumably, this particular DDoS attack does not fit the profile of the attacks that RedShield is designed to block, in other words RedShield is patently not preventing the DDoS.
I don't know whether RedShield is supposed to block DDoS traffic and is failing to do so, or if DDoS protection is simply not part of the RedShield service. Either way, it appears a DDoS attack is causing business impacts.
2020-08-28T15:19:43+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/DRgby8YTNjc/nblog-aug-28-nz-stock-exchange-ddos.html www.secnews.physaphae.fr/article.php?IdArticle=2148830 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog Aug 27 - creative teamwork post-lockdown
A couple of days ago I blogged about MURAL, just one of many creative tools supporting collaborative working.
If you missed it, please catch up and contemplate how you might use tools such as that right now for teamworking during the COVID19 lockdowns.
Today I've been thinking about 'the new normal' as the world emerges from the pandemic, inspired by the intersection of two threads.
Firstly, thanks to a Zoom session with participants and presenters from Queensland, I've been reading-up on "industry 4.0". I'm not totally au fait with it yet but as I see it the key distinguishing features are:
Ever-increasing automation of manufacturing, with smart devices and robotics supplementing the capabilities of both manual and knowledge workers;
Industrial IoT, coupling sensors and actuators on the production line with each other, allowing workers to interact with the machinery through screens and keyboards etc. and a growing layer of automation smarts and networking;
Ever-increasing reliance on IT, data, analytics, systems and artificial intelligence (with implications for risk, resilience, reliability and security);
New capabilities, particularly in the specification and design areas - such as virtual reality simulations and rapid prototyping of jigs, machines and products by "additive manufacturing" (industrial 3D printers);
An increasing focus on adding value through knowledge work in research and development plus product service/support, de-emphasising the manufacturing production core activities (which, I guess, started with the off-shoring of manufacturing to low-wage economies, and is now leading to both on- and off-shore automated manufacturing);
Rapid innovation and change, leading to difficulties in strategic corporate planning (with credible planning horizons falling to just a couple of years!) and personal career planning (e.g.
how can workers learn to use tools and techniques that either aren't refined enough to be taught, perhaps not even invented yet?);
Shortages of people with the requisite skills, knowledge and adaptability, able to thrive despite the challenges and seize opportunities as they arise.
2020-08-27T18:50:44+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/aNv7pK12tsE/nblog-aug-27-creative-teamwork-post.html www.secnews.physaphae.fr/article.php?IdArticle=2148831 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog Aug 20 - creative teamwork in lockdown
MURAL today. MURAL is a 'digital workspace for visual collaboration' by virtual teams. The animated demonstration on their home page caught my beady eye. Here's a static snapshot as a small group of people are busy placing/moving blobs on a graphic, presumably while discussing what they are doing on a parallel channel (e.g. Zoom):
2020-08-21T05:23:45+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/TkxYG4SEY68/nblog-aug-20-creative-teamwork-in.html www.secnews.physaphae.fr/article.php?IdArticle=2148834 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog Aug 19 - IAAC Directors' Guides
Some time back I bumped into a handy management guide on information risk - a double-sided leaflet from the Information Assurance Advisory Council.
In 2015, it inspired a security awareness briefing explaining that colourful process diagram, which has now morphed into a further 5-page briefing on Information Risk Management, soon to join the SecAware ISMS templates.
Googling for the IAAC guide led me to a cluster of FREE Directors' Guides from the IAAC offering useful, relevant guidance for senior management:
Why Information Risk is a Board Level Issue - is a backgrounder including this apt and succinct explanation: "Information Risk encompasses all the challenges that result from an organisation's need to control and protect its information."
Governance and Structures - describes directors' governance responsibilities relating to information risk: "Directors need to put in place the arrangements and processes by which responsibilities are distributed and significant information risk decisions are to be made and reviewed."
Information Risk Management Approach - encourages directors to support the remainder of the organisation in fulfilling their responsibilities for information risk, ensuring strategic alignment between risk management and business objectives.
Realising the Benefits - outlines the business benefits of good information risk management in terms of: efficiency; agility; manageability; exploitation of new opportunities (more confidently expanding into new areas of business); customer retention; brand strengthening; cost-efficient compliance; and dealing efficiently with incidents. "Good information risk mitigation supports organisational strategies and tactical agil
2020-08-19T19:48:48+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Fb9FiI1qHp0/nblog-aug-19-iaac-directors-guides.html www.secnews.physaphae.fr/article.php?IdArticle=2148835 False Studies,Guideline None None

NoticeBored - Experienced IT Security professional
NBlog Aug 8 - musing on ISO/IEC 27014 & infosec governance
This morning I've been studying the final draft of the forthcoming second edition of ISO/IEC 27014 "Governance of
information security", partly to update ISO27001security.com but mostly out of my fascination with the topic.
Section 8.2.5 of the standard specifies the governance objective to "Foster a security-positive culture":
"Governance of information security should be built upon entity culture, including the evolving needs of all the interested parties, since human behaviour is one of the fundamental elements to support the appropriate level of information security. If not adequately coordinated, the objectives, roles, responsibilities and resources can conflict with each other, resulting in the failure to meet any objectives. Therefore, harmonisation and concerted orientation between the various interested parties is very important. To establish a positive information security culture, top management should require, promote and support coordination of interested party activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs. Information security responsibilities should be integrated into the roles of staff and other parties, and they should support the success of each ISMS by taking on these responsibilities."
Not bad, that, although personally I would have mentioned senior management setting 'the tone at the top', in other words influencing the entire corporate culture through their leadership, decisions, direction and control, particularly in the way they behave.
For example, even though management may formally insist upon ethical behaviour as a policy matter, if managers in fact act unethically, push the boundaries of ethicality through their decisions and priorities, or simply tolerate (turn a blind eye to, fail to address) unethical/dubious activities, that can severely erode if not destroy the value of the policy.
Workers observant enough to spot the disconnect between theory and practice are, in effect, enabled or even encouraged to decide for themselves whether to comply with the policy. In a disciplinary situation, management's failure to enforce compliance with
2020-08-10T11:44:49+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/vcwOkXVtKNk/nblog-aug-8-musing-on-isoiec-27014.html www.secnews.physaphae.fr/article.php?IdArticle=2148837 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog July 17 - an appetite for risk
Today we've been chatting about this on the ISO27k Forum:
"Let's assume that the company is willing to accept risks with a potential financial impact less than $50k. Obviously after performing risk assessment, we need to decide which treatment option we should follow. In case when the potential impact of the risk is below $50k - (risk appetite), we should accept the risk, right? My question is: what happens if for some reason, multiple Low Risks (below risk appetite value/already accepted) occur at the same time? Should the Risk Appetite represent an aggregation of all low risks or just reflect the appetite for a single risk?"
I suggested considering 'coincident risks' as another entire category or class of risks, some of which may well be above the risk appetite/acceptance threshold even if the individual risks fall below it. It gets worse. There are many other coincidences, errors, failures, issues and exceptional circumstances that could occur - in extremis, it's an infinite set of possibilities given all the permutations and combinations.
Our collective failure to identify and take seriously the possibility of a pandemic landed us in the poo we're in now. Even those organisations that did have pandemic controls in place have found the going tougher than anticipated, some discovering that their stockpile of sanitizer and masks had not been properly stored and maintained, and hence was next to useless when called upon.
Trust me, it can be a sobering exercise to run a risk workshop focused on rare but extremely impactful events, the outliers that we tend to ignore in routine risk management because it's hard enough dealing with the commonplace extreme events, let alone the rarities. Every well-managed organisation needs to deal sensibly with the scarily vague “something else happens and lands us in serious trouble” situations, when classical scenario planning runs out of steam. There are far too many possibilities to even enumerate, let alone evaluate and treat individually: a more general-purpose approach is required.
2020-07-17T16:53:31+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/WffQMmJ56QM/nblog-july-17-appetite-for-risk.html www.secnews.physaphae.fr/article.php?IdArticle=2148843 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog July 16 - tips on preparing successful proposals
"The Winning Business Case: how to create a compelling conceptual, analytical and pitch model that your audience will love" is a free eBook from OCEG - more than 20,000 words of advice about generating and pitching a business case for investment in some sort of risk-based project or initiative.
The Open Compliance and Ethics Group identifies as: "a global nonprofit think tank that helps organizations reliably achieve objectives, address uncertainty and act with integrity ... We inform, empower, and help advance our 85,000+ members on governance, risk management, and compliance (GRC). Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model™ and Principled Performance®. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrity.
Our members include c-suite, executive, management, and other professionals from small and midsize businesses, international corporations, nonprofits, and government agencies. Founded in 2002, OCEG has locations around the globe."
The eBook lays out and explains 15 activities or steps in the process. The sequence and of course the details within each step may vary according to circumstances but it's a comprehensive, well-written document, worth studying if you need to justify investment in risk or security management projects or related areas such as compliance, assurance, cybersecurity, business continuity and ISO27k. With some adjustments, the process could also be valuable for operational budgets: securing next year's budget for a business department or function is similar to getting approval for a project, especially if management takes a longer-term, strategic view rather than being solely annual in focus. Thinking more broadly still, it could be useful for other kinds of proposal, such as when bidding for consultancy work. Maybe if prospective clients had a bet
2020-07-16T13:45:31+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/FdUnAVESxrM/nblog-july-16-tips-on-preparing.html www.secnews.physaphae.fr/article.php?IdArticle=2148844 False Guideline None 3.0000000000000000

NoticeBored - Experienced IT Security professional
NBlog July 11 - the small but perfectly formed ISMS
Consulting lately for small organisations designing and implementing their ISO/IEC 27001 Information Security Management Systems, I have often seen resourcing constraints come to light, particularly the lack of information security expertise and knowledge in-house. I have previously taken this to indicate lack of understanding, support and commitment from senior management, insufficient priority relative to all the other important stuff going on, hence my abiding interest in elaborating on the business case for investing in information risk and security management.
Currently, though, I'm gaining a new-found appreciation of the realities of running a small business where even IT may be done on a shoestring, leaving information security way out on a limb. With barely enough cash-flow to sustain the business during COVID-19 and the obvious need to focus on core business activities, it's no surprise if ISO27k implementation and certification projects take a back seat for now. That delaying tactic, however, leaves the business more exposed meanwhile, increasing the probability and impacts of incidents that should have been avoided, prevented or mitigated. It can lead to missed business opportunities and customer defections as they turn to certified competitors rather than waiting for the assurance an ISO/IEC 27001 compliance certificate would bring. It reduces trust and devalues brands. All in all, it's a risky approach.
Putting the ISMS implementation on hold is not the only option, however. With some creative thinking, it is possible to keep the project moving along, albeit at a slower pace:
A bare-bones minimalist ISMS, barely adequate to satisfy the standard's mandatory requirements, may not deliver all the business benefits of good practice information risk and security management ... but it is both certifiable and better than nothing. A small but perfectly formed ISMS demonstrates the organisation's genuine commitment to information risk and security management, gaining the assurance value of the certificate to third parties without the investment necessary for a full-blown ISMS. Furthermore it is a perfectly valid and sensible starting point, a platform or basis from which to mature the organization's information risk and security management practices as and when it proves its value. It's a pragmatic approach. Being a pragmatist, I like that.
Partnering with consultants reduces the pressure on employees, demonstrates management's support (more than just the intention to resume the ISMS project 'at some point'), and keeps up the momentum. Based on our practical experience and knowledge of the standards, we can generally help clients navigate the process by the shortest and most direct route, perhaps making small diversions only where it makes business sense. Speaking for myself, I'm happy to regulate m
2020-07-10T19:01:37+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/PPeuZVTVToM/nblog-july-11-small-but-perfectly.html www.secnews.physaphae.fr/article.php?IdArticle=2148846 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog June 17 - phishing evolution
As usual, these are relatively crude and (for most reasonably alert people) easy to spot thanks to the obvious spelling and grammatical errors, often using spurious technobabble and urgency as well as the fake branding and sender email address in an attempt to trick victims. The 'blocked emails' and 'storage limit' memes are popular in my spam box right now, suggesting that these are basic phishing-as-a-service or phishing-kit products being used by idiots to lure, hook, land and gut other idiots. They are, however, using my first name in place of “Dear subscriber” or “Hello, how are you doing?” that we used to see, implying the use of mailmerge-type content customisation with databases of email addresses and other info on potential victims*.
Moving up the scale, some current phishing attempts are more sophisticated, more convincing. Sometimes it's just a lucky coincidence e.g.
when the lure glints alluringly because it just happens to mention something I am currently doing - for example if I am dealing with American Express o
2020-06-18T07:58:14+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/hnJ1NrJMf5o/nblog-june-17-phishing-evolution.html www.secnews.physaphae.fr/article.php?IdArticle=1779374 False Ransomware,Spam,Guideline None None

NoticeBored - Experienced IT Security professional
NBlog May 25 - gap-and-fill
Aside from the conventional 'gap analysis', it is possible to do a 'fill analysis' to discover the things that the organization is doing successfully already – its strengths, foundations on which to build. The analytical processes are almost the same but a fill analysis aims to identify, learn from and expand upon the strengths - the positives - whereas a gap analysis involves hunting down and addressing the weaknesses - the negatives.
These are complementary, not alternative, approaches.
So, for instance, if the organization is poor at compliance, OK at policies and excellent at impact assessment:
A gap analysis would focus on closing the compliance gaps;
2020-05-25T08:14:25+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/zCAttVzcmfw/nblog-may-25-gap-and-fill.html www.secnews.physaphae.fr/article.php?IdArticle=1779376 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog May 3 - COVID-19 is like infosec because ...
... Despite the history and the experts' warnings that a pandemic was likely to happen again at some point, it turns out we were ill-prepared for it, not as resilient as we thought and should have been
... Experts disagree on the details, sometimes even the fundamentals, and love their models
... Commentary and advice is plentiful, but sound, reasoned, appropriate advice by competent advisors is at a premium and partly lost in the noise
... Whereas information is important, information integrity, quality and trustworthiness are vital, hence there is also value in assurance and other information controls, including the pundits' reputations and credibility
... Most of us are non-experts, hence it is tricky for us to distinguish fact from fiction and make sense of conflicting advice
... Perfect, complete information is seldom available, so there are bound to be compromises and errors - and we should be ready to spot and deal with them too
... Controls against COVID-19 are imperfect, at best; some are purely for appearance's sake; some are as much use as a bubble level in space; others are literally worse than useless (the cure really can be worse than the disease!); in most cases, we simply don't know how well they will work in practice
... Many people and organizations struggle to cope with a serious crisis, whereas some shine and thrive - but even the best may crumble at some point
... They are all about risk and risk management, not just protection, control, safety and security: we are where we are partly as a result of our prior decisions about priorities, resources etc.
... We are mutually dependent and hence collectively vulnerable since total isolation is impract
2020-05-03T13:19:31+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/EXqosjErYCs/nblog-may-3-covid-19-is-like-infosec.html www.secnews.physaphae.fr/article.php?IdArticle=1779379 False Guideline None None

NoticeBored - Experienced IT Security professional
NBlog March 31 - NZ lockdown day 6 of N
The NZ politicians and news media are updating us daily on selected COVID-19 statistics (metrics), particularly concerning NZ of course but also the global situation.
Countries with the largest numbers (regardless of which metric) are naturally media-fodder. It's fair to ask, though, what all these numbers mean, why we should care about them, and why they are being reported rather than others. As with information risk and security metrics, there are various audiences of the metrics with numerous concerns, objectives, purposes, uses for or interests in them, e.g.:
- Those actually managing the national response, day-by-day, need to know how they are doing relative to their plans and intentions, and how they might improve
- Central and local government politicians giving oversight and direction to the response ... with a keen eye on their popular standing, given that an election is in the offing (unless deferred) ... plus administrators in the civil service
- The Treasury and Inland Revenue, overseeing the financial aspects of NZ's impacts from COVID-19, not least the costs of the controls and handouts intended to keep businesses and other organizations afloat, the national debt and tax burden on those who make it through
- The stock market and financial industry generally - interested for the same reasons
- The NZ general public with a personal, familial and general interest in the situation, mostly concerned non-specialists
- The news media - specifically journalists, editors and proprietors
- The social media - specifically bloggers, Twits, Facebookers, community members and influencers, commentators and assorted 'interested parties' ...
including me
- Specialists in public health, infectious disease, virology, epidemiology, genetics, risk and incident management etc.
- Healthcare professionals - in particular those planning for, leading and administering the public health response to COVID-19
- The police and justice system, largely responsible for administering the lockdown and dealing with noncompliance
(Published 2020-03-31T19:48:03+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/3BiPoJH7-uw/nblog-march-31-nz-lockdown-day-6-of-n.html)

NoticeBored: NBlog March 25 - coping with the COVID crisis

I bumped into an insightful piece by Jeff Immelt, 'Lead through a crisis', yesterday. This paragraph really caught my eye:

I agree there are material differences between us in how we react under pressure, differences that are exaggerated during a crisis. The same applies to social groups and families as well as work teams: some of us are (or at least give the appearance of being) fully on top of things, some are 'coping', some are struggling, and some are in turmoil, overwhelmed by it all. The current situation reminds me of the Kübler-Ross grieving curve. Here's a version I've used to help explain our emotional responses to traumatic events such as information security incidents and changes:
(Published 2020-03-25T08:31:13+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/bGiJBS_oFLE/nblog-march-25-coping-with-covid-crisis.html)

NoticeBored: NBlog March 20 - COVID-19 PIG update

I've slightly shifted and revised the wording of some of the risks, but there's nothing really new (as far as I know, anyway).
Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home? Do you have contingency arrangements for physical security?

'Sanity' is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious disease etc., which is my rationale for including 'mental health issues' in the middle of the PIG. There is some genuinely good news in the medical world concerning progress on coronavirus testing, antiviral drugs and vaccines, although it's hard to spot among the large volume of dubious information and rumours sloshing around on social media (another information risk on the PIG).

There's even some good news for infosec pros. COVID-19 is a golden opportunity for those of us with an interest in security awareness and business continuity. Essentially, we are in the midst of a dramatic case study.
(Published 2020-03-23T13:19:46+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/8pYI6uW9T8c/nblog-march-20-covid-19-pig-update.html)

NoticeBored: NBlog March 13 - COVID-19 information risk analysis

Top left, the reported shortages of toilet rolls, facemasks, hand sanitiser and soap qualify as information incidents because they are the result of panic buying by people over-reacting to initial media coverage of shortages. The impacts are low because most people are just not that daft.
Fear, Uncertainty and Doubt, however, is largely what drives those panic buyers. To an extent, I blame the media (mostly social media but also the traditional news media, desperate for their next headline) for frenziedly whipping up a storm of information. There are potentially significant personal and social consequences arising from FUD that I'll cover later.

In amongst the frenzied bad news, there are a few good things coming out of this incident. The global scientific, medical and public services communities are quietly sharing information about the virus, infections, symptoms, morbidity, treatments, contributory factors, social responses etc. There is excellent work going on to characterise the virus, understand its morphology and genetics, understand the disease progression, understand the modes of transmission etc. It's a shame this isn't as widely reported as the bad news, but I think I understand why that is: scientists, generally, are reluctant to publish information they aren't reasonably sure about, and "reasonably sure" means if a reporter asks for a categorical statement of fact, most scientists will at least hesitate if not refuse. An example of this is the face mask issue: good quality face masks are designed to trap small particles but not as small as viruses.
They help by impeding airborne particles and so reducing the spread of airborne viruses, but do not total
(Published 2020-03-21T06:49:12+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/IM_L8W65sJE/nblog-march-13-covid-19-information.html)

NoticeBored: NBlog March 17 - COVID-19 BCM

From my narrow perspective as a practitioner, manager and consultant in the field, some 20-30 years ago Business Continuity Planning revolved around IT Disaster Recovery, which generally involved (at the time) either powering up an alternative data centre or hiring a few servers on the back of a truck and plugging them in to restore services taken out when the data centre was flooded/burnt. It was almost entirely IT focused, expensive, and could cope with very few disaster scenarios (there still had to be somewhere for the truck to park up and plug in, while the backups to be restored had to have survived miraculously, plus of course the rest of the organization - including the alternative data centre plus the people and associated essential services).

From that primitive origin, BCP started to get better organised, with scenario planning and tabletop exercises, and actual 'management' instead of just 'planning' - leading to Business Continuity Management. The scenarios expanded, and before long organisations realised that they couldn't reasonably plan and prepare playbooks for every possible situation, every single risk. Also, the process linkages with incident management grew stronger, including the shortcuts necessary to escalate serious incidents, authorise and initiate significant responses quickly etc. Oh, and warm-site and hot-site concepts appeared, along with Recovery Time Objective, Recovery Point Objective and a few other basic metrics.
Then, about 10 to 15 years ago, resilience popped out of the ether as a supplement to IT DR and other recovery approaches, the idea being to do whatever it takes to maintain essential services supporting essential business processes. Even today, some organisations struggle with this concept, and yet "high availability" systems and networks, dual-live/distributed systems, load-sharing, multi-sourced supplies, customer diversity etc. are reasonably straightforward and generally-accepted concepts. I guess they have trouble joining the dots - particularly in the area of workforce resilience, and the cultural aspects of "We WILL get through this: now, what can I do to help? Here, hold my beer ..."

During the past 10 years or so, true contingency approaches have appeared, in some organizations at least, partly in rec
(Published 2020-03-17T08:58:05+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/nGa8yovECII/nblog-march-17-covid-19-bcm.html)

NoticeBored: NBlog March - InfoSec 101 module released

Whereas usually our awareness and training modules focus in some depth on one of the 70 information security topics in our portfolio, Information Security 101 is a broad but shallow module. It is intended to bring workers quickly up to speed on the basics of information risk and security during security induction courses, for periodic refresher training, or when launching an awareness program.

As soon as a new worker arrives, they start absorbing and being assimilated into the corporate culture, picking up 'the way we do things here'. Sensible organizations run orientation sessions to welcome newcomers and kick-start the cultural integration.

InfoSec 101 covers common information risks (e.g. malware) and information security controls (e.g. antivirus). The materials are deliberately succinct, outlining key aspects without delving into the details.
We're not trying to tell workers everything about information risk and security all at once but to set them off on the right foot, engaging them as integral and valuable parts of the organisation's Information Security Management System. It's a gentle introduction, more splash in the paddling pool than high dive at the deep end!

First impressions matter, so the module helps Information Security, HR or training professionals deliver interesting and engaging awareness sessions accompanied by impressive, top-quality supporting materials. Establishing personal contacts throughout the organization gradually expands the Information Security team across the enterprise - more 'eyes and ears' out there. This alone would be well worth the investment!

As well as induction or orientation purposes, InfoSec
(Published 2020-02-29T16:46:00+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/iNmHz5NCc00/nblog-march-infosec-101-module-released.html)

NoticeBored: NBlog Feb 19 - Brahms and Liszt

Fueled by a lot of Brahms and a wee tot of rum, half an hour's idle brainstorming on the purpose and objectives for information security awareness generated the following little Liszt:
- Rites, rituals
- Rite of passage
- Ritual slaughter
- Religions
- Belief systems
- Cult, visionary leader, positional power, faith
- Sheep, lemmings
- Wolves, packs, threats, skills
- Group-think, conformity
- Compliance, rules, constraints, in the box
- Individuality, creativity, nonconformity, freedom, out of the box
- Hippies, communes, cliques
- Hallucinogens
- Noncompliance
- Cultural norms, expectations
- Counter-cultural, bucking trends
- Conventions, habits, preferences
- Automatic behaviours, instincts
- Socialising infosec
- Social pressure, influence, shared values
- Social acceptability
- Social structures, hierarchies, links
- Networks and relationships
- Families, organizations, departments, teams, groups, cliques
- Nations
- Interactions
(Published 2020-02-19T18:03:26+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/f6dvh1QqVW4/nblog-feb-19-brahms-and-liszt.html)

NoticeBored: NBlog Jan 30 - simplicity itself

"Simplicity is the default unless there's a good business reason to do something else. What is typically lacking are the business reasons ..."

That comment on CISSPforum set me pondering during this morning's caffeine fix. We've been chatting about some training webinar sessions recently promoted by (ISC)2. Some say they over-simplify information security to the point of trivialising and perhaps misleading people.

If you follow NBlog, you'll know that this month I have been slaving away on an awareness module covering malware, a topic we've covered many times before - particularly the avoidance or prevention of infections, but this year a customer asked us for something on publicly disclosing incidents in progress, a disarmingly simple request that turned into a fascinating foray into the post-malware-infection incident management and resolution phase for a change. I've been exploring and writing about what does, could or should happen after malware 'hits' - from that dramatic moment the ransomware demands appear on everyone's screens, for example. What follows is quite an intricate and frantic dance, in fact, involving management, IT and other staff, customers, suppliers and partners, regulators/authorities, journalists and the news + social media etc. plus the Incident Management Team, infosec and business continuity pros trying to keep everything on track, the legal team figuring out who to sue, the compliance pros wondering how not to get sued, and various hired-hands helping with forensics, disinfection and finding then retrospectively plugging whatever holes were initially exploited by the malware.
All the while, the menacing hackers and cybercrims are wielding big coshes in the shape of threats to make the disruption permanent and terminal, and/or to disclose whatever juicy tidbits of corporate and personal info they've previously stolen (the CEO's emails, or browser history perhaps?). And all the while the systems, data, business processes/activities, websites and apps are being maintained, recovered or restored. Brands and relationships are under pressure, along with all the dancers. It's an intensely stressful time for them, I'm sure.

The approach we've taken is to explore the timeline of an actual incident, in real time as it happens (as it happens), building a case study around the ongoing Travelex ransomware incident: the sequence forms a convenient thread to lead people through the story, thinking about what's going on at each stage and imagining how it would be if a similar incident happened 'here'. I've drawn up a simplified Travelex incident timeline in the same style as the one I drew for the Sony Pictures Entertainment fiasco 5 years back, pointing out some of the key events plus the phases of the overall process. The new Travelex version ('in press'!) is simpler 
(Published 2020-01-30T11:02:19+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/Y6zr23iZHO8/nblog-jan-30-simplicity-itself.html)

NoticeBored: NBlog Jan 25 - data privacy day

On Tuesday, data privacy day, privacy will be top of the agenda.

Well, OK, not top exactly, not even very high if I'm honest.

And apart from mine, I'm not sure whose agenda I'm talking about.

Evidently it's about "data privacy", not other kinds of privacy, oh no.

If I'm coming across just a little cynically, then evidently I need to try harder.

I bumped into data privacy day while searching for something privacy related - I forget exactly what, now.
Otherwise, it would surely have passed me by, and maybe you too, dear blog reader.

Anyway, data privacy day appears to date back to Jan 28th 1981 when Convention 108 was signed in conventional Europe. "The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was among the first, if not the very first, data protection regulation, predating today's privacy laws and regs.

In 2006, the Council of Europe launched Data Privacy Day as an annual event on January 28th.

Data privacy day was later taken up by some American organizations.
(Published 2020-01-29T05:23:20+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/W8E8PbYn2JI/nblog-jan-25-data-privacy-day.html)

NoticeBored: NBlog Jan 27 - MD/CISO's question time

Seems I'm not the only ravenous shark circling the Travelex ransomware incident.

Over at the Institute of Chartered Accountants in England and Wales website, Kirstin Gillon points out there are learning opportunities for senior management in this "horror story".

Specifically, Kirstin suggests posing six awkward questions of those responsible for managing incidents and risks of this nature ...

Rhetorical questions of this nature are not a bad way to get management thinking and talking about the important issues arising - a valuable activity in its own right, although it falls some way short of taking decisions leading to appropriate action. Admittedly, there's an art to framing and posing such questions.
Kirstin's questions are along the right lines, a good starting point at least.

Faced with such questions, some Boards and management teams will immediately 'get it', initiating further work to explore the issues, evaluate the risks and controls more deeply, and if appropriate propose corrective actions to a
(Published 2020-01-27T16:54:17+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/6qgXcicvfDM/nblog-jan-27-mdcisos-question-time.html)

NoticeBored: NBlog Jan 24 - information, data, knowledge And All That

On the ISO27k Forum lately we've been discussing something that comes up repeatedly, a zombie topic you could say since the discussion is never really settled to everyone's complete satisfaction. There's always more to say.

The discussion concerns the disarmingly simple phrase "information asset", used in some but no longer defined in any of the ISO27k standards. Among other things, we've discussed whether people/workers can be classed as information assets, hence information risks associated with people potentially fall within scope of an ISO27k ISMS.

Yesterday, Mat said:

"Knowledge is generally broken down into three different types - explicit, implicit, and tacit. When we are talking about classing employees as an asset or simply treating the information that they know as an asset, I think maybe this can be broken down further using these different knowledge types. Explicit knowledge is knowledge that is easily transferable, can be recorded and stored. Things like standard work instructions, guides, procedures, policies. Due to the nature of this information, it seems obvious to class the information itself as the asset here - you can mitigate the risk of information loss simply by recording the information. Implicit knowledge is the practical application of explicit knowledge.
This can include knowing your way around a particular security product, or a particular piece of equipment. This type of knowledge is difficult to record; however, things like best practices are the best attempt, although it's difficult to include the entire background knowledge of the best practice. Due to this, loss of this information is difficult to completely mitigate, and hence, I think the employee here could be classed as the information asset. The best mitigation is to keep the employee. Tacit knowledge is the practical application of implicit knowledge. Examples of this are knowing not only a particu
(Published 2020-01-24T08:37:48+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/ctVidOal-9w/nblog-jan-24-information-data-knowledge.html)

NoticeBored: NBlog Jan 22 - further lessons from Travelex

At the bottom of a Travelex update on their incident, I spotted this yesterday:

"Customer Precautions
Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us."

Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway, even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this.
We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.

At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. I'm waffling on about corporate identity theft, flowing on from the original incident.

I appreciate the scenario I'm postulating seems unlikely, but bear with me and my professional paranoia for a moment. Let's explore the hypot
(Published 2020-01-22T09:00:00+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/tIKSOS4dN4A/nblog-jan-22-further-lessons-from.html)

NoticeBored: NBlog Jan 18 - business discontinuity

As if following a cunning plan (by sheer coincidence, in fact) and leading directly on from my last two bloggings about business continuity exercises, Belgian manufacturing company Picanol suffered a ransomware infection this week, disabling its IT and halting production of high-tech weaving machines at its facilities in Ypres, Romania and China.

Fortunately, Picanol's corporate website is still up and running thanks to Webhosting.be, hence management was able to publish this matter-of-fact press release about the incident:

Unsurprisingly, just a few short days after it struck, technical details about the "massive ransomware attack" are sparse at this point. The commercial effects, though, are deemed serious enough for trading in its shares to have been suspended on the Brussels bourse.
There's already plenty of information here for a case study in February's awareness module. Through a brief scenario and a few rhetorical questions, we'll prompt workers to consider the implications both for Picanol and for their own organizations. If a similar malware incident occurred here, knocking out IT and production for at lea
(Published 2020-01-18T09:00:04+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/9PNzfvaciv4/nblog-jan-18-business-discontinuity.html)

NoticeBored: NBlog Jan 6 - post-malware-incident notification & other stuff

A couple of days ago here on NBlog I wrote: "One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents." That's not all.

Anticipating that, despite all we do to prevent them, malware infections are still likely to occur implies the need for several post-event controls. These are the kinds of controls I have in mind:
- Reliable, efficient, effective, top-quality incident response and management processes - in particular, speed is almost always of the essence in malware incidents, and the responses need to be well-practised - not just the run-of-the-mill routine infections but the more extreme/serious "outbreaks";
- Decisive action is required, with strong leadership, clear roles and responsibilities, and of course strong awareness and training both for the response team and for the wider organization;
- Clarity around priorities for action e.g. halt the spread, assess the damage, find the source/cause, recover;
- Technological controls, of course, such as network segmentation (part of network architectural design), traffic filtering and (reliable!)
isolation of segments pending their being given the all-clear;
- Clarity around priorities for reporting including rapid escalation and ongoing progress updates, in parallel with the other activities;
- Forensics, where appropriate, feasible and helpful (e.g. which preventive controls failed, why, and what if anything can be done to strengthen them);
(Published 2020-01-06T19:24:42+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/KizzfUNMsGQ/nblog-jan-6-post-malware-incident.html)

NoticeBored: NBlog Dec 27 - Pakistan supports ISO27k

Through the Pakistan Software Export Board of the Ministry of IT & Telecom, the Pakistan government is subsidising 80% of the cost of consultants and auditors to advise and certify Pakistani IT companies against ISO 20000 (ITIL) and ISO/IEC 27001 (information security). With over 5,000 companies in Pakistan offering Business Process Outsourcing and IT services, this represents a substantial investment, reflecting the government's intention to raise standards in the industry. Good on them! If only other governments would follow their lead.
(Published 2019-12-27T18:30:47+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/oR2aWtWfP8A/nblog-dec-27-pakistan-supports-iso27k.html)

NoticeBored: NBlog Dec 10 - a brutal lesson in risk management

headline news around the globe, a tragedy that sadly resulted in several deaths, currently estimated at 13. Also, yesterday in NZ there were roughly 90 other deaths (as there are every day), roughly two-thirds of which were caused by cardiovascular diseases or cancer:

So, yesterday, the proportion of deaths in NZ caused by "Natural disasters" spiked from 0% to 13%. Today, it is likely to fall back to 0%.
"Natural disasters" will have caused roughly 0.04% of the ~33,500 deaths in NZ during 2019 ... but judging by the news media coverage today, you'd have thought NZ was a disaster zone, a lethal place - which indeed it is for ~33,500 of us every year. Very, very few, though, expire under a hail of molten rock and cloud of noxious fumes, viewable in glorious Technicolor on social media.

Those 13 tourists who perished yesterday chose to see NZ's most active volcano up close, real close. You may be thinking "Ah, but if they'd known it would erupt, they wouldn't have gone" ... but they did know it was a possibility: for at least some of the 13, that was the very reason they went. It's euphemistically called "adventure tourism". The possibility of death or serious injury is, perversely, part of the attraction, the thrill of it. Recent warnings from geologists about the increased threat of eruption on White Island would, I'm sure, have been carefully considered by the tourist companies involved, plus I guess they may have noticed changes in the amount of steam and sulfur lingering in the air. Tourists are explicitly warned about the dangers and instructed on the safety aspects. I gather one of the dead was a local, an employee of the tourist company. Aside perhaps from the geologists, it's hard to think of anyone more aware of the risk.

Having weighed-up the risks and rewards, the 13 enjoyed an amazing spectacle, doing the equivalent of 'clicking the go-away button' to dismiss computer security warnings despite facing, in their case, the ultimate impact. While I suspect their final moments would have been literally petrifying, hopefully the extra-special buzz leading up to it made it worthwhile.
At that point, h
(Published 2019-12-13T13:57:03+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/Bx9exPjhr4I/nblog-dec-10-brutal-lesson-in-risk.html)

NoticeBored: NBlog Dec 11 - risk treatments

Yesterday I wrote about what the White Island eruption teaches us about risk management, in particular the way we decide how to deal with or "treat" identified risks. ISO/IEC 27005 describes 4 risk treatment options:
- Avoid the risk by deliberately not getting ourselves into risky situations - not getting too close to a known active volcano, for example;
- Modify the risk: typically we mitigate (reduce) the risk through the use of controls intended to reduce the threats or vulnerabilities and hence the probability, or to reduce the impacts;
- Retain the risk: this is the default - more on this below;
- Share the risk: previously known as "risk transfer", this involves getting the assistance of third parties to deal with our risks, through insurance for instance, or liability clauses in contracts, or consultants' advice.

Risk management standards and advisories usually state or imply that these 'options' are exclusive, in other words alternatives from which we should choose just one treatment per risk. ISO/IEC 27005 says "Controls to reduce, retain, avoid, or share the risks should be selected". In fact, they are nonexclusive options since they all involve an element of risk retention. The sentence should perhaps read "Controls to reduce, retain, avoid, and share the risks should be selected".*

Risk retention is inevitable because of the very nature of risk. We can never be totally certain of risk, up to the point that the probability reaches 1 when an incident occurs (which, arguably, means it is no longer a risk but a certainty!). We might have misunderstood it, or made mistakes in our analysis.
Our risk treatments might not work out as expected, perhaps even failing spectacularly when we least expect it, or conversely working so well that the risk never eventuates. Our insurers and partners might reneg
(Published 2019-12-11T08:00:00+00:00: http://feedproxy.google.com/~r/NoticeBored/~3/fL3qkL1iMYI/nblog-dec-11-risk-treatments.html)

NoticeBored: NBlog Dec 3 - infosec driving principles

In an interview for CIO Dive, Maersk's recently-appointed CISO Andy Powell discussed aligning the organization with these five 'key operating principles':

"The first is trust. The client has got to trust us with their data, to trust us to look at their business. So we've got to build trust through the cybersecurity solutions that we put in place. That is absolutely fundamental. So client trust, client buy-in has been fundamental to what we tried to drive as a key message. The second is resilience. Because you've got to have resilient systems because clients won't give you business if you're not resilient ... The third really is around the fact that security is everybody's responsibility. And we push that message really hard across the company … be clear about what you need to do and we train people accordingly. ... The fourth one really is accountability of security and I have pushed accountability for cyber risk to the business. ... And the final piece, and this has been one of the big call outs of my team to everybody, is that security is a benefit, not a burden. The reason I say that is people's perception is that security will slow things down, will get in the way ... the reality is that if you involve security early enough, you can build solutions that actually attract additional clients."

Fair enough, Andy. I wouldn't particularly quarrel with any of them, but as to whether they would feature in my personal top-five I'm not so sure.
Here are five others they'd be competing against, with shipping-related illustrations just for fun:

- Governance involves structuring, positioning, setting things up and guiding the organization in the right overall direction - determining then plotting the optimal route to the ship's ultimate destination, loading up with the right tools, people and provisions. Corporate governance necessarily involves putting things in place for both protecting and exploiting information, a vital and valuable yet vulnerable business asset;
- Information is subject to risks that can and probably should be managed proactively, just as a ship's captain doesn't merely accept the inclement weather and various other hazards but, where appropriate, actively mitigates or avoids them, dynamically reacting and adjusting course as things change;
- Flexibility and responsiveness, along with resilience and ro[...]

2019-12-03T17:12:11+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/8b7e865ezZk/nblog-dec-3-infosec-driving-principles.html www.secnews.physaphae.fr/article.php?IdArticle=1495742

NBlog Nov 26 - 7 ways to improve security awareness & training

Although 7 Ways to Improve Employee Development Programs by Keith Ferrazzi in the Harvard Business Review is not specifically about information security awareness and training, it's straightforward to apply it in that context. The 7 ways in bold below are quoted from Keith's paper, followed by my take.

1. Ignite managers' passion to coach their employees. I quite like this one: the idea is to incentivize managers to coach the workforce. As far as I'm concerned, this is an inherent part of management and leadership, something that can be enabled and encouraged in a general manner not just through explicit (e.g. financial) incentives.
For me, this starts right at the very top: a proactive CEO, MD and executive/leadership team is in an ideal position to set this ball rolling on down the cascade - or not. If the top table is ambiguous or even negative about this, guess what happens! So, right there is an obvious strategy worth pursuing: start at, or at the very least include, those at the very top of the organization ... which means taking their perspectives and addressing their current information needs, preferred learning styles and so forth (more below: directors and execs are - allegedly - as human as the rest of us!).

2. Deal with the short shelf-life of learning and development needs. 'Short shelf-life' is a nice way to put it. In the field of information risk and security, the emergence of novel threats that exploit previously unrecognized vulnerabilities, causing substantial business impacts, is a key and recurrent challenge. I totally agree with the need to make security awareness an ongoing, ideally continuous activity, drip-feeding workers with current, pertinent information and guidance all year long rather than attempting to dump everything on them in a once-in-a-blue-moon event, session or course. Apart from anything else, keeping the awareness materials and activities topical makes them more interesting than stale old irrelevant and distracting junk that is 'so last year' (at best!).

3. Teach employees to own their career development. An interesting suggestion, this, especially for the more involved infosec topics normally taught through intensive training courses rather than general spare-time awareness activities.
I'm not sure off-hand how this suggestion would work in practice, but it occurs to me that periodic employee appraisals and team meetings provide ample opportunities to offer training and encourage workers to take up whatever suits their career and personal development aspirations. [...]

2019-11-26T17:57:12+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/hDNag6pZp6Q/nblog-nov-26-7-ways-to-improve-security.html www.secnews.physaphae.fr/article.php?IdArticle=1495745

NBlog Nov 6 - insight into ISO27k editing

[...] ISO/IEC 27000:2018 looking for quotable snippets to use on our awareness posters in January. Although there's plenty of good content, I can't help but notice a few rough edges, such as this:

“Conducting a methodical assessment of the risks associated with the organization's information assets involves analysing threats to information assets, vulnerabilities to and the likelihood of a threat materializing to information assets, and the potential impact of any information security incident on information assets. The expenditure on relevant controls is expected to be proportionate to the perceived business impact of the risk materializing.” [part of clause 4.5.2]

First off, here and elsewhere the '27000 text uses the term “information asset” which is no longer defined in the standard since the committee couldn't reach consensus on that. Readers are left to figure out the meaning for themselves, with the possibility of differing interpretations that may affect the sense in places. The term is, or probably should be, deprecated.

Secondly, the first sentence is long and confusing – badly constructed and (perhaps) grammatically incorrect. “Vulnerabilities to” is incomplete: vulnerabilities to what? Shouldn't that be “vulnerabilities in” anyway? Threats get mentioned twice for no obvious reason, overemphasizing that aspect.
“Likelihood” is a vague and problematic word with no precise equivalent in some languages - it too should probably be deprecated. The final clause as worded could be interpreted to mean that the process is only concerned with potential impacts on information assets, whereas incidents can cause direct and/or indirect/consequential impacts on systems, organizations, business relationships, compliance status, reputations and brands, commercial prospects, profits, individuals, partners, society at large and so forth, not all of which are information assets (as commonly interpreted, anyway!).

Thirdly, do “the organization's information assets” include personal information? Some might argue that personal information belongs to the person concerned – the data subject – not the organiza[...]

2019-11-07T10:31:27+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/xP_UGEqhdio/nblog-nov-6-insight-into-iso27k-editing.html www.secnews.physaphae.fr/article.php?IdArticle=1495752

NBlog March 20 - a critique of CIS netsec metrics

Perusing a CIS paper on metrics for their newly-updated recommended network security controls (version 7), several things strike me all at once, a veritable rash of issues.

Before reading on, please at least take a quick squint at the CIS paper. See what you see. Think what you think. You'll get more out of this blog piece if you've done your homework first. You may well disagree with me, and we can talk about that.
That way, I'll get more out of this blog piece too!

[Pause while you browse the CIS paper on metrics]

[Further pause while you get your thoughts in order]

[...]

2018-03-20T10:30:42+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Lx6-vMxHIHY/nblog-march-20-critique-of-cis-netsec.html www.secnews.physaphae.fr/article.php?IdArticle=530036

NBlog March 15 - scheduling audits

One type of assurance is audit, hence auditing, and IT auditing in particular, is very much in-scope for our next security awareness module.

By coincidence, yesterday on the ISO27k Forum, the topic of 'security audit schedules' came up.

An audit schedule is a schedule of audits, in simple terms a diary sheet listing the audits you are planning to do. The usual way to prepare an audit schedule is risk-based and resource-constrained. Here's an outline (!) of the planning process to set you thinking, with a sprinkling of Hinson tips:

- Figure out all the things that might be worth auditing within your scope (the 'audit universe') and list them out. Brainstorm (individually and, if you can, with a small group of brainstormers), look at the ISMS scope, look for problem areas and concerns, look at incident records and findings from previous audits, reviews and other things. Mind map if that helps ... then write them all down into a linear list.
- Assess the associated information risks, at a high level, to rank the rough list of potential audits by risk - riskiest areas at the top (roughly at first - 'high/medium/low' risk categories would probably do - not least because until the audit work commences, it's hard to know what the risks really are).
- Guess how much time and effort each audit would take (roughly at first - 'big/medium/small' categories would probably do - again, this will change in practice but you have to start your journey of discovery with a first step).
- In conjunction with other colleagues, meddle around with the wording and purposes of the potential audits, taking account of the business value (e.g. particular audits on the list that would be fantastic 'must-do' audits vs audits that would be extraordinarily difficult or pointless with little prospect of achieving real change). If it helps, split up audits that are too big to handle, and combine or blend-in tiddlers that are hardly worth running separately.
- Make notes on any fixed constraints (e.g. parts of the business cycle when audits would be needed, or would be problematic; and dependencies such as pre/prep-work audits to be followed by in-depth audits to explore problem areas found earlier, plus audits that are linked to IT system/service implementations, mergers, compliance deadlines etc.). [...]

2018-03-15T07:43:59+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/k2bzLKb0YLg/nblog-march-15-scheduling-audits.html www.secnews.physaphae.fr/article.php?IdArticle=513793

NBlog March 9 - word cloud creativity

Yesterday I wrote about mind mapping. The tick image above is another creative technique we use to both explore and express the awareness topic.

To generate a word cloud, we start by compiling a list of words relating in some way to the area. Two key sources of inspiration are:

- The background research we've been doing over the past couple of months - lots of Googling, reading and contemplating; and
- Our extensive information risk and security glossary, a working document of 300-odd pages, systematically reviewed and updated every month and included in the NoticeBored awareness modules.
Two specific terms in that word cloud amuse me: "Man-sure" and "Lady-sure" hint at the different ways people think about things. When a lay person (man or woman!) says "I'm sure", they may be quite uncertain in fact. They are usually expressing a subjective opinion, an interpretation or belief with little substance, no objective, factual evidence. It can easily be wrong and misleading. When a male or female expert or scientist, on the other hand, says "I'm sure", their opinion typically stems from experience, and carries more weight. It is less likely to be wrong, and hence provides greater assurance. This relates to integrity, a core part of information security. It's not literally about sex.

Aside from integrity and assurance, we have defined more than 2,000 terms-of-art in the glossary, with key words in the definitions hyperlinked to the corresponding glossary entries. I use it like a thesaurus, following a train of thought that meanders through the document, sometimes spinning off at a tangent but always triggering fresh ideas. Updating the glossary is painstaking yet creative at the same time.

Getting back to the word cloud, we squeeze extra value from the list of words by generating puzzles for the modules. Our word-searches are grids of letters that spell out the words in various directions.
Finding the words 'hidden' in the grid is an interesting, fun challenge in itself, and also a learning process since the words all relate to the chosen topic.

There are other aspects to the word cloud graphic:

- All the words are relevant to the topic, to some extent; [...]

2018-03-09T13:00:43+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/YQc51TVKiFY/nblog-march-9-word-cloud-creativity.html www.secnews.physaphae.fr/article.php?IdArticle=501787

NBlog February 17 - The I part of CIA

Integrity is a universal requirement, especially if you interpret the term widely to include aspects such as:

- Completeness of information;
- Accuracy of information;
- Veracity, authenticity and assurance levels in general e.g. testing and measuring to determine how complete and accurate a data set is, or is not (an important control, often neglected);
- Timeliness (or currency or 'up-to-date-ness') of information (with the implication of controls to handle identifying and dealing appropriately with outdated info – a control missing from ISO/IEC 27001 Annex A, I think);
- Database integrity plus aspects such as contextual appropriateness plus internal and external consistency (and, again, a raft of associated controls at all levels of the system, not just Codd's rules within the DBMS);
- Honesty, justified credibility, trust, trustworthiness, 'true grit', resilience, dependability and so forth, particularly in the humans and systems performing critical activities (another wide-ranging issue with several related controls);
- Responsibility and accountability, including custodianship, delegation, expectations, obligations, commitments and all that …

… leading into ethics, professional standards of good conduct, 'rules', compliance and more.

The full breadth of meanings and the implications of “integrity” are the key rea[...]

2018-02-17T12:25:47+00:00
http://feedproxy.google.com/~r/NoticeBored/~3/Kl9ljrR4yK0/nblog-february-17-i-part-of-cia.html www.secnews.physaphae.fr/article.php?IdArticle=480926

NBlog January 11 - awareness styles

Over the past couple of months, I've written and published a suite of 'Hinson tips' on another passion of mine: amateur radio. The tips concern a cutting-edge development in digital communications, and how to get the most out of the associated software. I've had a lot of feedback on the tips, reflecting global interest in the new software and, I guess, the need for more guidance on how to use it. The reason I'm bringing it up here is that my writing style appears to have influenced the nature of the feedback I'm getting from, and my relationship with, the readers. I honestly wasn't expecting that.

There was already a reasonably comprehensive help file for the program, well-written but in a fairly formal and dry technical style typical of technical manuals (not those ineptly translated from Chinese via Double Dutch!). A constant refrain is that people don't read the help file, just as we don't RTFM (Read The Flamin' Manual!). I suspect part of the reason is that 'fairly formal and dry technical style': despite amateur radio being a technical hobby, many hams are not technically-minded. Some simply enjoy using the radio to talk to people, and why not? It takes all sorts. Digital communications adds another layer of complexity through the information theory and mathematics underpinning the protocols we use, and IT is a world of pain for some. To be frank, although I have a passing interest and some knowledge, I'm way out of my depth in some of those areas ... which means I empathise with those who are equally uncomfortable.

There is also an active online support forum, populated by a mix of experts, somewhat experienced users and complete novices.
Unfortunately, the forum is suffering a little from the recent influx of people, some of whom are very passionate (which can easily come across as opinionated, strong-willed and direct). Being a global community, a lot of hams don't understand English very well (if at all!), hence the language can be a problem for them, as well as the sometimes hostile reception anyone gets on asking a 'dumb question'. Even attempting to explain things patiently in response to a genuine question or discuss ways to respond to an issue can lead to complaints that there are 'too many messages' and we are 'going off-topic', reflecting general frustration and perhaps a lack of understanding and/or focus.

So, I deliberately chose to write the tips in an accessible, readable, informal style, drawing on, interpreting and re-writing material from the help file and the forum,[...]

2018-01-11T16:06:05+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/hxhXgX0iORs/nblog-january-11-awareness-styles.html www.secnews.physaphae.fr/article.php?IdArticle=457863

NBlog January 4 - IoT and BYOD security awareness module released

The Internet of Things and Bring Your Own Device typically involve the use of small, portable, wireless networked computer systems, big on convenience and utility but small on security. Striking the right balance between those and other factors is tricky, especially if people don't understand or willfully ignore the issues – hence education through security awareness on this topic makes a lot of sense.

From the average employee's perspective, BYOD is simply a matter of working on their favorite IT devices rather than being lumbered with the clunky corporate stuff provided by most organizations.
In practice, there are substantial implications for information risk and security, e.g.:

- Ownership and control of the BYOD device is distinct from ownership and control of the corporate data and IT services;
- The lines between business use and personal life, and data, are blurred;
- The organization and workers may have differing, perhaps even conflicting expectations and requirements concerning security and privacy (particularly the workers' private and personal information on their devices);
- Granting access to the corporate network, systems, applications and data by assorted devices, most of which are portable and often physically remote, markedly changes the organization's cyber-risk profile compared to everything being contained on the facilities and wired LANs;
- Increasing technical diversity and complexity leads to concerns over supportability, management, monitoring etc., and security of course. Complexity is the information security manager's kryptonite.

IoT is more than just allowing assorted things to be connected to [...]

2018-01-04T11:14:03+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Qu3fmeGlPRY/nblog-january-4-iot-and-byod-security.html www.secnews.physaphae.fr/article.php?IdArticle=455197

NBlog December 21 - auditor independence [LONG]

Over on the ISO27k Forum, we've been discussing one of my favourite topics: auditing, or more precisely the question of auditor independence. How independent should an auditor be? What does that even mean, in this context?
SPOILER ALERT: there's rather more to it than reporting lines.

My experienced IT auditor friend Anton posted some relevant definitions from ISACA, including this little gem:

"Independence of mind: the state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional scepticism."

While I agree this is an extremely important factor, I have a slightly different interpretation. 'Independence of mind', to me, is the auditor's mental capacity to examine a situation free of the prejudice or bias that naturally afflicts people who have been in or dealing with or managing or indeed suffering from the situation, plus all that led up to it, and all the stuff around it (the context), including all the 'constraints' or 'reasons' or 'issues' that make it 'a situation' at all. It's more about the auditor making a back-to-basics theoretical assessment, thinking through all the complexities and (hopefully!) teasing out the real underlying reasons for whatever has happened, is happening, and needs to happen next. The ability to report stuff (ISACA's "expression of a conclusion") is only part of it: figuring out how the situation ought to be in theory, then looking at it in practice, gathering objective, factual evidence, doing the analysis, probing further and focusing on the stuff that matters most (the 'root causes'), are at least as important audit activities as reporting.

Here's a little exercise to demonstrate why independence matters: next time you drive or are driven on a familiar route, make an extra special effort to spot and look carefully at EVERY road sign and potential hazard along the way. Concentrate on the task (as well as driving safely, please!).
Say out loud ever[...]

2017-12-21T15:49:45+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/0Ehzv5_5TRs/nblog-december-21-auditor-independence.html www.secnews.physaphae.fr/article.php?IdArticle=453296

NBlog December 8 - cybersecurity awareness story-telling

Despite it being more than 7 years since I drew that diagram in Visio, it immediately makes sense. It tells a story. Working clockwise from 1 o'clock, it steps through the main wireless networking technologies that were common in 2010, picking out some of the key information security concerns for each of them. It's not hard to guess what I was thinking about.

The arrows draw the reader's eye in the specified direction along each path linking together related items. Larger font, bold text and the red highlight the main elements, leading towards and emphasizing "New risks" especially. Sure enough, today we have to contend with a raft of personal, local, mesh, community and wide area networks, in addition to those shown. When the diagram was prepared, we didn't know exactly what was coming but predicted that new wireless networking technologies would present new risks. That's hardly ground-breaking insight, although pointing out that risks arise from the combination of threats, vulnerabilities and impacts hinted at the likelihood of changes in all three areas, a deliberate ploy to get the audience wondering about what might be coming, and hopefully thinking and planning ahead.

It's time, now, to update the diagram and adapt it to reflect the current situation for inclusion in January's awareness module.
The process of updating the diagram is as valuable as the product - researching and thinking about what has changed, how things have changed, what's new in this spa[...]

2017-12-08T10:10:13+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/1MSMMxCqhRQ/nblog-december-8-cybersecurity.html www.secnews.physaphae.fr/article.php?IdArticle=446680

NBlog December 7 - Santa's slaves bearing gifts

Today we went on a tiki-tour of the forest in search of a few pine saplings of just the right size, shape and density to serve as Christmas trees. Naturally, the best ones were in the brambles or on the side of a near vertical slope but, hey, that's all part of the fun.

I guess 'Web-enabled remotely-controllable LED Christmas tree lights' are The Thing this year. Ooh the sheer luxury of being able to program an amazing light show from your mobile phone!

So what are the information risks in that scenario? Let's run through a conventional risk analysis.

THREATS

- Elves meddling with the light show, causing frustration and puzzlement.
- Pixies making the lights flash at a specific frequency known to trigger epileptic attacks.
- Naughty pixies intent on infecting mobile phones with malware, taking control of them and stealing information, via the light show app.
- Hackers using yet-another-insecure-Thing as an entry point into assorted home ... and corporate networks (because, yes, BYOD doubtless extends to someone bringing in Web-enabled lights to brighten up the office Christmas tree this year).

VULNERABILITIES

- Irresistibly sexy new high-technology stuff. Resistance is futile. Christmas is coming. Santa is king.
- Inherently insecure Things (probably ... with probability levels approaching one).
- Blind-spots towards information risk and security associated with Things, especially cheap little Things in all the shops. Who gives a stuff about cybersecurity for web-enabled Christmas tree lights?
Before you read this blog, did it even occur to you as an issue? Are you still dubious about it? Read on!
- Does anyone bother security-testing them, or laying down rules about bringing them into the home [...]

2017-12-07T11:16:01+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/m69RKWJzMh8/nblog-december-7-santas-slaves-bearing.html www.secnews.physaphae.fr/article.php?IdArticle=445844

NBlog December 5 - lurid headline

[...] latest issue outlines some of the tricks used by phishers to lure their victims initially.

"It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is safe to ask why that is the case though, given how much of this email gets caught up in our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering emotional responses from targets using simple and seemingly innocuous messaging to generate any response at all. Some messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker's choosing can then be sent or the message itself can entice the target to act."

That same technique is used by advertisers over the web in the form of lurid or intriguing headlines and images, carefully crafted to get us to click the links and so dive into a rabbit warren of further items and junk, all the while being inundated with ads. You may even see the lures here or hereabouts (courtesy of Google). Once you've seen enough of them, you'll recognize the style and spot the trigger words - bizarre, trick, insane, weird, THIS and so on, essentially meaning CLICK HERE, NOW!

They are curiously attractive, almost irresistible, even though we've groped around in the rabbit warrens before and suspect or know what we're letting ourselves in for. But why is that?
'Curiously' is the key: it's our natural curiosity that leads us in. It's what led you to read this sentence. Ending the previous paragraph with a rhetorical question was my deliberate choice. Like magpies or trout chasing something shiny, I got you. You fell for it. I manipulated you. Sorry.

There are loads more examples along similar lines - random survey statistics for instance ("87% of X prone to Y") and emotive subjects ("Doctors warn Z causes cancer"). We have the newspapers to thank for the very term 'headline', not just the tabloid/gutter press ("Elvis buried on Mars") but the broadsheets and more up-market magazines and journals, even scientific papers. The vast majority of stuff we read has titles and headings, large and bold in style, both literally and figuratively. Postings on this blog all have short titles and a brief summary/description, and some of the more detailed pieces have subheadings providing structure and shortcuts for readers who lack the time or inclination to read every word ... which hints at another issue, information overload. Today's Web is so vast that we're all sipping from the fire hose.

And that [...]

2017-12-05T08:24:37+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/3LVcWWqpfYw/nblog-december-5-lurid-headline.html www.secnews.physaphae.fr/article.php?IdArticle=444167

ISO27k internal audits for small organizations

Figuring out how to organize, resource and conduct internal audits of an ISO/IEC 27001 Information Security Management System can be awkward for small organizations.

Independence is the overriding factor in auditing of all forms. For internal auditing, it's not just a question of who the auditors report to and their freedom to 'say what needs to be said' (important though that is), but more fundamentally their mindset, experience and attitude.
They need to see things with fresh eyes, pointing out and where necessary challenging management to deal with deep-seated long-term 'cultural' issues that are part of the fabric in any established organization. That's hard if they are part of the day-to-day running of the organization, fully immersed in the culture and (for managers in small organizations especially) partly responsible for the culture being the way it is. We all have our biases and blind spots, our habits and routines: a truly independent view hopefully does not - at least, not entirely the same one!

ISO/IEC 27001 requires both management reviews and internal audits. The people you have mentioned may well be technically qualified to do both but (especially without appropriate experience/training, management support and the independent, critical perspective I've mentioned) they may not do so well at auditing as, say, consultants. The decision is a business issue for you and your management: do the benefits of having a truly independent and competent audit outweigh the additional cost? Or do you think your own people would do it well enough at lower cost?

As the customer, you get to specify exactly what you want the consultants to bid for. A very tightly scoped and focused internal audit for a relatively small and simple ISMS might only take a day or two of consulting time, keeping the costs down. On the other hand, they will be able to dig deeper and put more effort into the reporting and achieving improvements if you allow them more time for the job – again, a management decision, worth discussing with potential consultants.

One strategy you might consider is to rotate the internal audit responsibility among your own people, having different individuals perform successive audits. That way, although they are not totally independent, they do at least have the chance to bring different perspectives to areas that they would not normally get involved in.
It would help to have a solid, standardized audit process though, so each of the auditors is performing and reporting the audit work in a similar way ... and to get you started and set that up, you might like to engage a consultant for the first audit, designing and documenting the audit process, providing checklist and reporting templates etc., [...]

2017-11-28T22:34:29+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/d6YaDTjTZfE/iso27k-internal-audits-for-small.html www.secnews.physaphae.fr/article.php?IdArticle=440667

NBlog November 20 - an A to Z catalog of social engineering

A productive couple of days' graft has seen what was envisaged to be a fairly short and high-level general staff awareness briefing on social engineering morph gradually into an A-to-Z list of scams, con-tricks and frauds.

It has grown to about 9 pages in the process. That may sound like a tome, over-the-top for awareness purposes ... and maybe it is, but the scams are described in an informal style in just a few lines each, making it readable and easily digestible. The A-to-Z format leads the reader naturally through a logical sequence, perhaps skim-reading in places and hopefully stopping to think in others.

For slow/struggling readers, there are visual cues and images to catch their eyes but let's be honest: this briefing is not for them. They would benefit more from seminars, case studies, chatting with their colleagues and getting involved in other interactive activities (which we also support through our other awareness content). The NoticeBored mind maps and posters, for instance, express things visually with few words.

Taking a step back from the A-Z list, the sheer variety and creativity of scams is fascinating, and I'm not just saying that because I wrote it! That's a key security awareness lesson in itself.
Social engineering is hard to pin down to a few simple characteristics, in a way that workers can be expected to recognize easily. Some social engineering methods, such as ordinary phishing, are readily explained and fairly obvious but even then there are more obscure variants (such as whaling and spear phishing) that take the technique and threat level up a gear. It's not feasible for an awareness program to explain all forms of social engineering in depth, literally impossible in fact. It's something that an intensive work or college course might attempt, perhaps, for fraud specialists who will be fully immersed in the topic, but that's fraud training, not security awareness. We can't bank on workers taking time out from their day-jobs to sit in a room, paying full attention to their lecturers and scribbling notes for hour after hour. There probably aren't 'lecturers' in practice: most of this stuff is delivered online today, pushed out impersonally through the corporate intranet and learning management systems.

Our aim is to grab workers'

Published 2017-11-20T18:14:49+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/sT7BZ8qe3dQ/nblog-november-20-a-to-z-catalog-of.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=435790)

NoticeBored - Experienced IT Security professional
NBlog November 10 - one step at a time

This colorful image popped onto my screen as I searched our stash of security awareness content for social engineering-related graphics. It's a simple but striking visual expression of the concept that security awareness is not the ultimate goal, but an important step on the way towards achieving a positive outcome for the organization. A major part of the art of raising awareness in any area is actively engaging with people in such a way that they think and behave differently as a result of the awareness activities.
For some people, providing cold, hard, factual information may be all it takes, which even the most basic awareness programs aim to do. That's not enough for the majority though: most of us need things to be explained to us in terms that resonate and motivate us to respond in some fashion. In physical terms, we need to overcome inertia. In biology, we need to break bad habits to form better ones.

Social engineering is a particular challenge for awareness since scammers, fraudsters and other social engineers actively exploit our lack of awareness or (if that fails) subvert the very security mechanisms we put in place. "Your password has expired: pick a new one now to avoid losing access to your account!" is a classic example used by many a phisher. It hinges on tricking victims into accepting the premise (password expired) at face value and taking the easy option, clicking a link that leads them to the phisher's lair while thinking they are going to a legitimate password-change function. Our raising awareness of the need to choose strong passwords may be counterproductive if employees unwittingly associate phishing messages with user authentication and security!

Part of our awareness approach in December's NoticeBored materials on social engineering will be to hook-in to our natural tendency to notice something amiss, something strange and different. Humans are strong at spotting patterns at a subconscious level. For instance, did you even notice the gradation from red to green on the ladder image? That was a deliberate choice in designing the image, a fairly crude and obvious example ... once it has been pointed out anyway! See if you can spot the other, more subtle visual cues (and by all means email me to see what you missed!).
Published 2017-11-10T16:37:41+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/qMI3qId4ol0/nblog-november-10-one-step-at-time.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=430861)

NoticeBored - Experienced IT Security professional
NBlog November 3 - audit sampling (LONG)

ISO27k Forum about ISO27k certification auditors checking information security controls, and a response about compliance audit requirements. It's a backgrounder, an essay or a rant if you like. Feel free to skip it, or wait until you have a spare 10 mins, a strong coffee and the urge to read and think on!]

“Sampling” is an important concept in both auditing and science. Sampling (i.e. selecting a sample of a set or population for review) is necessary because under most circumstances it is practically impossible to assess every single member – in fact it is often uncertain how many items belong to the set, where they are, what state they are in etc. There is often lots of uncertainty.

For example, imagine an auditor needs to check an organization's “information security policies” in connection with an internal audit or certification/compliance audit. Some organizations make that quite easy by having a policy library or manual or database, typically a single place on the intranet where all the official corporate policies exist and are maintained and controlled as a suite. In a large/diverse organization there may be hundreds of policies, thousands if you include procedures and guidelines and work instructions and forms and so forth. Some of them may be tagged or organized under an “information security” heading, so the auditor can simply work down that list … but almost straight away he/she will run into the issue that information security is part of information risk is part of risk, and information security management is part of risk management is part of management, hence there should be lots of cross-references to other kinds of policy.
A “privacy policy”, for instance, may well refer to policies on identification and authentication, access control, encryption etc. (within the information security domain) plus other policies in areas such as accountability, compliance, awareness and training, incident management etc. which may or may not fall outside the information security domain depending on how it is defined, plus applicable privacy-related laws and regulations, plus contracts and agreements (e.g. nondisclosure agreements) … hence the auditor could potentially end up attempting to audit the entire corporate policy suite and beyond! In practice, that's not going to happen.

Published 2017-11-03T09:35:50+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/qjlX8og15Qs/nblog-november-3-audit-sampling-long.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=427480)

NoticeBored - Experienced IT Security professional
NBlog October 27 - Equifax cultural issues

Motherboard reveals a catalog of issues and failings within Equifax that seem likely to have contributed to, or patently failed to prevent, May's breach of sensitive personal information on over 145 million Americans, almost half the population.

Although we'll be using the Equifax breach to illustrate November's awareness materials on privacy, we could equally have used them in this month's module on security culture since, according to BoingBoing:

"Motherboard's Lorenzo Franceschi-Bicchierai spoke to several Equifax sources who described a culture of IT negligence and neglect, in which security audits and warnings were routinely disregarded, and where IT staff were unable to believe that their employers were so cavalier with the sensitive data the company had amassed."

'A culture of IT negligence and neglect' is almost the opposite of a security culture, more of a toxic culture you could say.
Workers who simply don't give a stuff about information security or privacy are hardly likely to lift a finger if someone reports issues to them, especially if (as seems likely) senior managers are complicit, perhaps even the source of the toxin. Their lack of support, leadership, prioritization and resourcing for the activities necessary to identify and address information risks makes it hard for professionals, staff members and even management

Published 2017-10-27T15:57:11+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/99HkfmTAlqc/nblog-october-27-equifax-cultural-issues.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=424386)

NoticeBored - Experienced IT Security professional
NBlog October 2 - a 2-phase approach to bolster the security culture

We've just updated the NoticeBored website to describe the new awareness module on security culture and delivered the latest batch of security awareness materials to subscribers. Culture is a nebulous, hand-waving concept, hard to pin down and yet an important, far-reaching factor in any organization. The new module (the 63rd topic in our bulging security awareness portfolio) is essentially a recruitment drive, aimed at persuading workers to join and become integral parts of the Information Security function. The basic idea is straightforward in theory but in practice it is a challenge to get people to sit up and take notice, then to change their attitudes and behaviors. During September, we developed a two-phased approach:

Strong leadership is critically important which means first convincing management (all the way up to the exec team and Board) that they are the lynch-pins. In setting the tone at the top, the way managers treat information risk, security, privacy, compliance and related issues has a marked effect on the entire organization.
Their leverage is enormous, with the potential to enable or undermine the entire approach, as illustrated by the Enron, Sony and Equifax incidents.

With management support in the bag, the next task is to persuade workers in general to participate actively in the organization's information security arrangements. Aside from directly appealing to staff on a personal level, we enlist the help of professionals and specialists since they too are a powerful influence on the organization - including management.

October's awareness materials follow hot on the heels of the revised Information Security 101 module delivered in September. That set the scene, positioning information security as an essential part of modern business. Future modules will expand on different aspects, each one reinforcing the fundamentals ... which is part of the process of enhancing the security cu

Published 2017-10-02T10:51:19+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/yjh0ibrM7ck/nblog-october-2-2-phase-approach-to.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=413781)

NoticeBored - Experienced IT Security professional
NBlog September 24 - five-step bulletproofing?

5 ways to create a bulletproof security culture by Brian Stafford. Brian's 5 ways are, roughly:

Get Back to Basics - address human behaviors including errors. Fair enough. The NoticeBored InfoSec 101 awareness module we updated last month is precisely for a back-to-basics approach, including fundamental concepts, attitudes and behaviors.

Reinvent the Org Chart - have the CISO report to the CEO. Brian doesn't explain why but it's pretty obvious, especially if you accept that the organization's culture is like a cloak that covers everyone, and strong leadership is the primary way of influencing it.
The reporting relationship is only part of the issue though: proper governance is a bigger consideration, for example aligning the management of information risks and assets with that for other kinds of risk and asset. Also security metrics - a gaping hole in the governance of most organizations.

Invest in Education - "Any company that seeks to have a strong security culture must not only offer robust trainings to all employees-including the c-suite-but also encourage professional development opportunities tailored to their unique focus areas." Awareness, training and education go hand-in-hand: they are complementary.

Incentivize & Reward Wanted Behavior e.g. by career advancement options. Again, the InfoSec 101 module proposes a structured gold-silver-bronze approach to rewards and incentives, and I've discussed the idea here on the blog several times. Compliance reinforcement through rewards and encouragement is far more positive and motivational than the negative compliance enforcement approach through pressure, penalties and grief. Penalties may still be necessary but as a last resort rather than the default option.

Apply the Right Technology - hmm, an important consideration, for sure, although I'm not sure what this has to do with security culture. I guess I would say that technical controls need to work in concert with non-tech controls, and the selection, operation, use and management of all kinds of control is itself largely a human activity. The fact that Brian included this as one of his 5 ways betrays the widespread bias towards technology and cybersecurity.
I'd go so far as to call it myopic.

Personally, and despite

Published 2017-09-25T15:51:23+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/u0XSphLPuS4/nblog-september-24-five-step.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=411410)

NoticeBored - Experienced IT Security professional
NBlog September 22 - cultured security

Aside from concerning the attitudes and values shared within groups, or its use in microbiology (!), there's another meaning of 'culture' relating to being suave and sophisticated. In the information risk and security context, it's about both being and appearing professional, exuding competence and quality - and that can be quite important if you consider the alternative. Given the choice, would you be happy interacting and doing business with an organization that is, or appears to be, uncultured - crude, slapdash, unreliable etc.? Or would you be somewhat reluctant to trust them?

There are some obvious examples in the news headlines most weeks: any organization that suffers a major privacy breach, hack, ransomware or other incident comes across as a victim and arguably perhaps culpable for the situation. It's hardly a glowing endorsement of their information risk, security, privacy and compliance arrangements! Contrast their position against the majority of organizations, particularly the banks that exude trustworthiness. Corporate cultures, brands and reputations are bound strongly together.

The two meanings of 'culture' are linked in the sense that the overall impression an organization portrays is the combination of many individual factors or elements. Through marketing, advertising and promotions, public relations, social media etc., management naturally strives to present a polished, impressive, business-like, trustworthy external corporate image, but has limited control over all the day-to-day goings on.
Myriad interactions between workers and the outside world are largely independent, driven by the individuals, individually, and by the corporate culture as a whole.

Management may try to control the latter, espousing 'corporate values' through motivational speeches and posters, but in most organizations it's like herding cats or plaiting fog. Much like managing change, managing the corporate culture is a tough challenge in practice. Realistically, the best management can hope for is to influence things in the right direction, perhaps rounding-off the sharpest corners and presenting a more consistently positive front.

Published 2017-09-22T08:59:43+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/UIQYEOhQLbc/nblog-september-22-cultured-security.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=410792)

NoticeBored - Experienced IT Security professional
NBlog September 20 - Phishing awareness & cultural change

This plopped into my inbox last evening at about 8pm, when both ANZ customers and the ANZ fraud and security pros are mostly off-guard, relaxing at home. It's clearly a phishing attack, obvious for all sorts of reasons (e.g. the spelling and grammatical errors, the spurious justification and call to action, the non-ANZ hyperlink, oh and the fact that I don't have an ANZ account!) - obvious to me, anyway, and I hope obvious to ANZ customers, assuming they are sufficiently security-aware to spot the clues.

I guess the phishers are either hoping to trick victims into disclosing their ANZ credentials directly, or persuade them to reveal enough that they can trick the bank into accepting a change of the mobile phone number presumably being used for two-factor authentication, or for password resets.

Right now (8 am, 12 hours after the attack) I can't see this particular attack mentioned explicitly on the ANZ site, although there is some basic guidance on "hoax messages" with a few other phishing examples.
The warnings and advice are not exactly prominent, however, so you need to go digging to find the information, which means you need to be alert and concerned enough in the first place, which implies a level of awareness - a classic chicken-and-egg situation. I presume ANZ has other security awareness materials, advisories and reminders for customers. If not, perhaps we can help!

Aside from the authentication and fraud angle, I'm interested in the cultural aspects. Down here in NZ, people generally seem to be quite honest and trusting: it's a charming feature of the friendly and welcoming Pacific culture that pervades our lives. Given its size and history, things may be different in Australia - I don't know. But I do know that phishing and other forms of fraud are problematic in NZ. The Pacific culture is changing, becoming more careful as a result of these and other scams, but very slowly. Increasing distrust and cynicism seems likely to knock the corners off the charm that I mentioned, with adverse implications for tourism and commerce - in other words cultural changes can create as well as solve problems. The same issue applies within organizations: pushing security awareness will lead (eventually, if sustained) to changes in the corporate culture, only some of which are beneficial. It's possible to be too security-conscious, too risk-averse, to the point that it interferes with business.
October's awareness seminar and briefings for management will discuss a strategic approach ai

Published 2017-09-20T08:27:57+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/1v0znioAgjk/nblog-september-20-phishing-awareness.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=409839)

NoticeBored - Experienced IT Security professional
NBlog September 8 - security certification

Aside from the elevator pitch, another short awareness item in our newly-revised Information Security 101 module is a course completion certificate, simply acknowledging that someone has been through the induction or orientation course.

I say 'simply' but as usual with NoticeBored, there's more to it.

For a start, some of us (especially those who consider ourselves 'professionals') just love our certificates: our qualifications and the letters before/after our names mean something to us and hopefully other people. This is a personal thing with cultural relevance, and it's context-dependent (my 30-year-old PhD in microbial genetics has next to nothing to do with my present role!). My even older cycling proficiency certificate is meaningless now, barely a memory, but at the time I was proud of my achievement. Receiving it boosted my self-esteem, as valuable a benefit as being able to demonstrate my prowess on two wheels. I'm tempted to use Cprof on my business cards just to see if anyone reads them!

On the other hand, a certificate indicating a pass mark in some assessment or test can be misleading. The driving test, for example, is a fairly low hurdle in terms of all the situations that a driver may have to deal with over the remainder of their driving career. There is clearly a risk that a newly-certified and licensed driver might be over-confident as a result of passing the test and going solo, a time when accidents are more likely, hence some countries encourage a subsequent period of driving with special P-plates (meaning probationary, or passed or potential or ...)
in the hope that others will give new drivers more space. In risk terms, there are risk-reduction benefits in letting new drivers continue to hone their new-found skills, offsetting the increased risk of incidents.

In the same way with the InfoSec 101 course completion certificate, we're glad to acknowledge the personal achievement and boost people's self-esteem (yay - something positive associated with information risk and security!), although there is a risk they might believe themselves more competent in this area than they truly are. On balance, we'd rather deal with that issue, in part through the ongoing security awareness activities that delve deeper into areas covered quite superficially in the 101 module, across a br

Published 2017-09-08T18:35:37+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/xX_2ChS3hFk/nblog-september-8-security-certification.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=409085)

NoticeBored - Experienced IT Security professional
NBlog September 4 - InfoSec 101 elevator pitch, final part

part 1 and part 2, here's the closing paragraph:

As a manager, you play a vital governance, leadership and oversight rôle. Please make the effort to engage with and support the security awareness program, discuss information risk and security with your colleagues, and help us strengthen the corporate security culture.

In classical marketing terms, it's the call-to-action for people who have been lured and hooked. Having presented our case, what do we actually want them to do? Compared to the preceding two, the third paragraph is quite long. While we could easily have dropped the first sentence, it serves a purpose. It shows deference to the management audience, acknowledging their influential and powerful status, gently reminding them that they are expected to direct and oversee things. Essentially (in not so many words), it says "Pay attention!
This is an obligation, one of your duties as a manager."

The final sentence, including those three words in bold, was especially tricky to write for the InfoSec 101 module. What is it, exactly, that we expect senior managers to do in relation to this very broad introductory-level topic? Think about that question for a moment. There are many possible answers e.g.:

- Show leadership
- Demonstrate commitment
- Support the Information Security Management System (in an ISO27k organization)
- Get actively involved in information risk and security management activities, such as risk assessment and risk treatment decisions
- Raise the profile and priority of information risk and security matters
- Provide adequate resources to do this stuff properly for once (!)
- Encourage or enforce compliance

Published 2017-09-04T15:31:24+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/NbPNifgSwUg/nblog-september-4-infosec-101-elevator.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=409087)

NoticeBored - Experienced IT Security professional
NBlog August 25 - awareness boosters

The Information Security 101 awareness module update is going well. We might even finish slightly ahead of the deadline, provided I can resist the temptation to keep polishing and adding to the content!

One of the deliverables is a 'menu' of rewards for workers who uphold the information risk and security practices, controls and behaviors we wish to encourage. The rewards are divided into bronze, silver and gold categories.

Bronze rewards are generally free or cheap, and yet welcome - a nice way to thank workers for simply participating in awareness seminars, case study/workshop session or quiz maybe.
Here are just a few examples:

- A phone call, personal thank-you note and/or email
- Letter of participation or commendation to be placed in the employee's personnel file (whatever that means!)
- Relaxed dress code for the recipient – for a defined period such as a day or a week
- Generic certificate acknowledging a level of competence (e.g. on completion of security induction training - there's a template in the module)
- Note and/or photo on hall-of-fame, newsletter and/or the Security Zone (Information Security's intranet website - again there's a generic website design specification in the module)
- Plain (dull bronze) pin badge or sticker with awareness program logo
- Plain (dull bronze) staff pass lanyard with awareness program logo and stock message (such as how to contact the Help Desk or Site Security)

Moving up a level, silver awards are more valuable and attractive, requiring a little more money and effort:

- Polo/tee-shirt printed with corporate and/or awareness program logo and a relevant quotation or catch-phrase

Published 2017-08-25T14:13:47+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/OIVLvoiY32E/nblog-august-25-awareness-boosters.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=409094)

NoticeBored - Experienced IT Security professional
NBlog August 22 - what to ask in a gap assessment

A relatively simple and naive question on the ISO27k Forum this morning set me thinking. "RP" asked:

"Does anybody have a generic [set of] high level questions for business departments other than IT, that can be asked during gap assessment?"

As is so often the way with newcomers to the Forum, RP evidently hasn't caught up with past Forum threads (e.g. we recently chatted about various forms of gap analysis, and the markedly different ways that people [including dentists!] use and interpret the term), paid scant attention to forum etiquette (e.g.
he/she didn't tell us his/her name), and provided little to no context in which to address the question (e.g. what size and kind of organization is it? What industry/sector? Does it have a functional, certified and mature ISO27k ISMS already, is it working towards one, or is RP just idly thinking about it over coffee?).

Despite that, a couple of us responded as best we could, making assumptions about the context, the meaning and purpose of the 'gap assessment', and RP's situation. I suggested posing questions along these lines:

"What kinds of information do you use? Tell me more. Which is the most important information for your business activities, and why? What would happen if it was lost, damaged, out of date, inaccurate, incomplete, misleading, fraudulent, or disclosed e.g. on the Web?

Roughly how much of the information you handle is classified? How much is SECRET/TOP-SECRET? [You'd probably need to be security cleared, and have management support, to get a meaningful answer to that!]

What information do you generate? What happens to it? Where does it go? Who uses it, and for what? Would it matter to them if it stopped coming, or was late, or inaccurate, or incomplete, or was disclosed on the Web?

When was the last time you examined your information risks? What was the result? Show me! What changed as a result?

When was the last time you completed a business impact analysis and business continuity p

Published 2017-08-22T15:51:29+00:00. Source: http://feedproxy.google.com/~r/NoticeBored/~3/yozlS8hvyCU/nblog-august-22-what-to-ask-in-gap.html (aggregated at www.secnews.physaphae.fr/article.php?IdArticle=409097)