Sunday, January 04, 2009

Is hacking a governance failure?

The president of a company that develops software for oil and gas exploration was sentenced to 12 months' supervised probation and fined $2,500 for hacking a competitor using an airport's wireless network connection, according to eWeek. The company is also facing charges that it sold restricted software products to Cuba, potentially implying a wider governance failure if proven rather than simply a rogue employee, albeit a very senior one.

Governance concerns are also raised by the alleged hacking of the World Bank's systems by an IT outsourcing supplier although the supplier denies the accusations. The supplier's website proudly announces that it won "the coveted Golden Peacock Global Award for Excellence in Corporate Governance for 2008" [an award that I personally hadn't heard of, but what do I know?], so it is possible that, if true, the hacker was a lone Black Hat that the company's award-winning governance processes failed to identify and/or stop.

Tuesday, December 30, 2008

New awareness module on hacking

What makes hackers tick? Who are they? What is the difference between hacking and cracking? Are phreaks and social engineers hackers too? And most of all what can we do to avoid being hacked? We can't promise to answer these questions fully but our latest NoticeBored security awareness module does at least address them.

Please sign up here to receive the free monthly awareness newsletter. We will be using Google Groups in future rather than Topica to circulate the newsletters but unfortunately this means everyone on the current mailing list must make the effort to join the Google Group to continue getting them [we'd have migrated all your email addresses ourselves except that some might consider that a privacy violation!].

Sunday, December 28, 2008

capitally Challenged 419er

Anti-Terrorist and Monitory Crimes Division.
Federal Bureau Of Investigation.
J. Edgar. Hoover Building, Washington D.C
Telephone Number : (206) 984 - 0470

ATTN: BENEFICIARY

This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigated with the help of our Intelligence Monitoring Network System that you are having an illegal transaction with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Patrick Aziza, Mr Frank Nweke, none officials of Oceanic Bank, none officials of Zenith Bank and some impostors claiming to be the Federal Bureau Of Investigation agents.

Oh, OK, so I'm supposed to suspend disbelief for a moment and accept that the FBI is writing to me out of the blue, with a grammatically incorrect and anonymous email, warning me about impostors from Nigeria? Right. Let's see what they want ...

During our Investigation, it came to our notice that the reason why you have not received your payment is because you have not fulfilled your Financial Obligation given to you in respect of your Contract/Inheritance Payment.

So therefore, we have contacted the Federal Ministry Of Finance on your behalf and they have brought a solution to your problem by coordinating your payment in the total amount of $800,000.00 USD which will be deposited into an ATM CARD which you will use to withdraw funds anywhere of the world. You now have the lawful right to claim your funds which have been deposited into the ATM CARD.

I haven't fulfilled my Financial Obligation, eh? And you want to send me an ATM CARD which, by some curious method I don't understand, will contain $800 grand? Why the Spurious Capitals, SUNSHINE?

Since the Federal Bureau of Investigation has been involved in this transaction, you are now to be rest assured that this transaction is legitimate and completely risk-free as it is our duty to Protect and Serve citizens of the United States Of America. All you have to do is immediately contact the ATM CARD CENTER via E-mail for instructions on how to procure your Approval Slip which contains details on how to receive and activate your ATM CARD for immediate use to withdraw funds being paid to you. We have confirmed that the amount required to procure the Approval Slip will cost you a total of $150 USD which will be paid directly to the ATM CARD CENTER agent via Western Union Money Transfer / MoneyGram Money Transfer. Below, you shall find contact details of the Agent whom will process your transaction:

I guess I should expect the ATM CARD to be processed by an ATM CARD CENTER, but I'm a bit puzzled about the need to procure an Approval Slip. Surely the mighty FBI can just make a deposit straight into my bank account? I don't have $ 150 USD to fritter away on this kind of nonsense, especially via Western Union or MoneyGram. Last time I checked, I was not criminally insane.

CONTACT INFORMATION

NAME: MR. Paul Bryant

EMAIL: atmworldcenter991@gmail.com

Immediately contact Mr. Paul Bryant of the ATM Card Centre with the following information:

Full Name:
Address:
City:
State:
Zip Code:
Direct Phone Number:
Current Occupation:
Bank Name:

Oh, but I thought I was dealing with the ATM CARD CENTER. Is this a different place? Or have they just discovered that marvellous invention called CAPS LOCK? Surely the mighty FBI already knows my address, phone number, current occupation and the name of the bank that, apparently, has been scamming me? After all, it was they who supposedly discovered the scam.

Once you have sent the required information to Mr. Uzoma Dominic he will contact you with instructions on how to make the payment of $150 USD for the Approval Slip after which he will proceed towards delivery of the ATM CARD without any further delay. You have hereby been authorized/guaranteed by the Federal Bureau Of Investigation to commence towards completing this transaction, as there shall be NO delay once payment for the Approval Slip has been made to the authorized agent.

Oh oh, I see Mr Paul Bryant has taken a leave of absence half way through this email. Poor Mr Bryant. I guess he's gone to spend all the advance fees he's been making lately.

Once you have completed payment of $150 to the agent in charge of this transaction, immediately contact me back so as to ensure your ATM CARD gets to you rapidly.

FBI Director
Robert Mueller.

NOTE: To ensure you have been AUTHORIZED to pay the required fee's stated above, kindly find below an Authorized Signature and also our Federal Bureau Of Investigation NSB ( National Security Branch ) Seal to accurately guarantee your safety towards completing this transaction.

Phew, what a relief! A seal to accurately guarantee my safety! I'll put it in my wallet in place of the $150 USD shall I?

Friday, December 26, 2008

Will your cellphone spill your secrets

As the title suggests, Will your cellphone spill your secrets focuses on privacy exposures from lost cellphones but the same considerations apply to other gizmos of course.

The loss of a gizmo is more than just a privacy issue: we become very attached to, if not dependent on, them. Speaking personally, I'm terrible at remembering names, let alone phone numbers, email addresses, passwords and so forth, so I rely heavily on the technology to do the remembering for me. Naturally, being a security freak, I use encryption and other controls to protect such sensitive information, so the privacy side is less of a concern than me simply losing access to all that valuable information ... so don't forget backups. Decent backups. Off-line backups with the backup media stored securely. It's a bit of a pain to take them but it's far worse to lose a gizmo (whether by leaving it on the back seat of a cab or on the roof of a car, having it stolen, dropping it in a puddle, or some other accident or hardware failure ... actually, thinking about it, there are quite a few ways!) and not be able to recover the data.

Here are some simple tips to reduce the risk:
- Transfer new phone numbers from your cellphone to a diary/contacts database such as Outlook every so often, and while you're at it, look through the contacts for any that should be put on your phone. Try to make this a routine activity, perhaps once a month or two;
- Make a separate database of important contacts, for example to feed a form letter notifying them of change-of-address details. Keep a copy of this with you when you travel;
- Use encryption and other available access controls such as a PIN code to unlock your phone/SIM card, PDA etc.;
- Avoid taking all your gizmos with you when traveling - just the ones you need - and try to keep them physically about your person (e.g. not in checked-in hold baggage);
- Make an inventory of your gizmos with models, serial numbers, distinguishing marks etc. so that if you lose any, you can at least describe them properly to the Police or the Lost And Found office;
- Use those 'distinguishing marks' proactively to identify your gizmos e.g. mark the case with your name, phone number, email address or whatever, trying not to make the privacy exposure even worse but making it easier for finders to return them to you;
- Don't forget to erase personal data properly from gizmos when disposing of them. A simple 'delete' is unlikely to be sufficient. See NIST's SP800-88 for the full nine yards.

Wednesday, December 24, 2008

Ultraportables - are they really "special"?

"Ultraportable" lightweight slimline laptops are all the rage, apparently (I've been using them for years already - ahead of my time maybe, or just wary of the old luggable portables?). A Computerworld piece "Small laptops pose a big security threat" claims that because they run with "a stripped down" Linux or Windows XP operating system instead of, presumably, Vista, they are inherently insecure. Well maybe there are drawbacks but I'm not entirely convinced that they are significant - properly configured, I would rate XP and Linux at least as if not more secure than Vista.

On the physical security front, there are arguments both ways. Ultraportables may have less physical protection making them more vulnerable to knocks (less so the ones with solid state hard drives) and they are perhaps more likely to be lost or stolen due to their portability. On the other hand, I carry mine in a standard briefcase or portfolio rather than an obvious "laptop bag", making theft less likely I hope.

The article's comments on WiFi and USB connectivity are irrelevant since the same applies to standard laptops, and I really don't agree with the author's comments to the effect that ultraportables are treated carelessly like toys, except perhaps in the case of the very cheap ones. The truth is that, for many years now, the value of personal and corporate data on the average PC has far outstripped its hardware replacement value. The equipment is, in corporate terms, disposable with near zero book value, though the data on it or accessible from it may well be the most valuable asset [not] on the company's books.

The article's final points about the need for user security awareness ring true at least.
"Employee education in acceptable-usage practices is a must, regardless of the IT security systems used, Enderle says. Leja agrees. "You have to count on continual security awareness," she says. "Make sure that [students or employees are] being conscientious, and then use the few tools that do exist to help."
Hear hear!

Friday, December 19, 2008

HMG loses two gizmos a week

In the past year, the British Government admits to having lost:
  • 53 computers
  • 36 BlackBerrys
  • 30 mobile phones
  • 4 memory sticks; and
  • 4 disc drives.
If we assume that the devices had just 1 Gb of data storage each (a low estimate for some I'm sure), that's 127 Gb of data gone walkies. Some of them were hopefully strongly encrypted - let's be generous and say half, bringing the exposure down to 63.5 Gb of unencrypted data. By my calculation, that's equivalent to a pile of printed papers more than 50 feet high.

The reported number of lost devices is certainly an underestimate, since (a) it is self-reported by government officials; (b) it excludes the Ministry of Defence and the Home Office, which did not respond to the request for information; (c) government employees probably use, and lose, personal devices for official work; and (d) it excludes other formats, e.g. lost CD/DVD ROMs and actual papers.

As to whether it is acceptable for Her Majesty's Government to lose at least 50 feet of printed papers per year, that depends on whether your privacy was compromised I guess.

Tuesday, December 16, 2008

Gizmo security cluelessness

Looks like McCain's team need to read the latest NoticeBored module on security for gizmos ... oh wait, it's too late. They sold at least one information-packed Blackberry to a reporter ...

Friday, December 12, 2008

How to create a security policy for social networks

The security risks associated with social networking sites such as Facebook and LinkedIn are pointed out by a well-balanced piece on Search Security by David Sherry, CISO of Brown University. Unusually for this kind of article, the author describes a reasonably comprehensive range of security controls that organizations might adopt to minimize the risks. I'm pleased to note that security policies and awareness are among the recommendations, and in fact the security issues arising from social networking can be used as an awareness-raising topic:
"Social networking risks are also a great way to enhance security awareness throughout an organization and build convergence with key decision makers and leaders. Social networking is a familiar term, but one that may not conjure up risks to the enterprise. Many other areas of the corporation, while focusing on risk and some aspects of security, may need to be educated and consulted when creating a policy or modifying your appropriate use policy. Include senior representatives from human resources, risk management, privacy, physical security, audit and legal in your preparations and response to social networking risks. A stronger partnership, and ultimately a stronger policy and process, will surely result from reaching out to them."
Our recent NoticeBored security awareness module on social engineering used example scenarios based on LinkedIn and other social networking sites for exactly this purpose. We suspect few managers think of LinkedIn as a social networking site, let alone consider the security implications of publishing all sorts of personal information about themselves. It's a useful topic to get their attention.

"I like to learn something new, to travel, walk on a nature"

I can't resist re-posting this hilarious 419 scam fresh from my inbox, allegedly from innocent Natalya pictured above from the JPG attached to "her" email - I say "her" because the sender was listed as Frederick somebody, hardly a common ladies' name where I come from!

Hi! I ask you to read this letter, it will not borrow a lot of your time. This letter not
advertising, but this letter from usual Russian woman which wishes to meet the man of she dream...
My name is Natalya. I'm 28 years old. My friends speak, that I - very cheerful and sociable woman
and I have good sense of humour. I like to learn something new, to travel, walk on a nature. But
unfortunately, I did not manage to meet the man to which I could trust, be very close with him and love
him.
At my age it is time to me to reflect on family, children. But all men whom I met, did not concern
to this seriously. Therefore I have decided to try to find the man in other country. I have addressed in
agency of acquaintances and to me have offered to dispatch my letter, I have agreed... If there is even
one chance from thousand, I am ready... I believe... I so would like to give my heart, the love my
favourite person.


If you have read my letter and wish to continue dialogue, write on mine e-mail: natalyakorobkova@googlemail.com


If you will write to me only for game or to receive my photos, I ask you to stop it.
If you have decided to answer my letter, I ask you tell about yourself. It will be interesting to
me to know about you more.
What is your name?
How old are you? Your city.
Would you like to meet the woman for love?
So, I finish the letter, thanks, that you have read it. I hope, that I shall receive the answer
from you. And this hope allows me to look at the world in another way...
Please be in earnest to my letter very much. Also be fair.

I wish you good day.
Natalya.
Good day to you. Go forth and multiply, Natalya.

Thursday, December 04, 2008

Security awareness for less than $1,000 per year

Despite our standard subscription charges being probably the lowest in the marketplace, some prospective customers struggle to find any money for security awareness. We are very conscious of the global credit crunch and financial turmoil out there so, for a trial period, we are offering a special SME version of NoticeBored for less than US$1,000 per year. Read more about NoticeBored Lite.

Wednesday, December 03, 2008

Gizmo security awareness

December's NoticeBored module covers security issues associated with gizmos. Please visit the website or read the newsletter to discover what gizmos are and find out about the security issues.

Wednesday, November 05, 2008

PwC 2008 infosec survey

A key finding from the 2008 information security survey by PwC is that organizations are spending more on security technologies but need to achieve a better balance:
"One of the best ways of improving enterprise-wide visibility into the crucial details of actual security incidents is to match technology investments with an equally robust commitment to the other principal drivers of security’s value: the critical business and security processes that support technology, and the people that administer them."
Technology is a bottomless pit for security investment: one can always spend more on security hardware and software but after the basics (such as antivirus and firewalls) are covered, the returns diminish. Organizations should be complementing their technological investments with security awareness and training.
"What matters, of course, is improving an organization’s ability to defend and prevent attacks on an ongoing basis—without distracting people from the every-day operational needs of the business or incurring the exorbitantly high price tags associated with a reactive response to an unexpected (but foreseeable) crisis. And that requires getting key information about the risks to an organization’s data and systems very quickly from the front row to everyone else in the house. Expanding security awareness at every level of the enterprise is essential."

Tuesday, November 04, 2008

Social engineering - exploiting the weakest links

Surveys and news items suggest that social engineering attacks are on the rise in terms of scale and sophistication, as well as number. A new 40-page white paper from ENISA:
  • outlines social engineering methods such as pretexting, phishing, spear phishing and vishing;
  • presents an interview with acknowledged social engineer Kevin Mitnick;
  • discusses three studies portraying how easily naive/untrained users are manipulated;
  • identifies five defence measures; and
  • offers a checklist to fight social engineering based on the mnemonic LIST (Legitimacy, Importance, Source, Timing).
While technical controls can help to some extent, for example by identifying emails that might be phishing attempts, research on undergraduates (described in the paper) demonstrates the effectiveness of repeated security awareness/training.

Wednesday, October 29, 2008

New awareness module on social engineering

The proverbial man in the street may think information security primarily involves technical security controls but in fact other types of control are equally important in protecting information assets. For example, physical controls (locks, gates, fire/intruder/water alarms etc.), legal and regulatory controls (data protection/privacy laws, PCI DSS, HIPAA etc.) and procedural controls (policies, procedures, guidelines, management reviews, audits etc.). Most security risks are countered by a combination of controls from these different categories. Social engineering is fairly unusual in that technical controls are more or less irrelevant: social engineers aim to bypass the technology completely, either by physically penetrating the organization or by fooling employees into giving them unauthorized access to information assets. We have covered awareness of physical security controls and compliance obligations in other NoticeBored modules but November’s module concentrates on pretexting, phishing and other techniques used by social engineers to fool employees.

Policies, procedures and guidelines are essential controls against social engineering, but these are useless unless employees both know about them and follow them in practice. Social engineering is therefore a particularly important security awareness topic, one of our “core topics” in fact that merits being covered annually in all awareness programs. Employees need to be taught about how social engineers work in order to spot them and stop them. It’s a tricky task since social engineers are adept at finding ways to build and exploit trust, slipping quietly beneath the corporate radar. The best social engineering attacks are never detected. Our aim is not to completely prevent social engineering attacks from succeeding but to create significant barriers that block simple attacks and frustrate more advanced ones, such that social engineers hopefully move along to softer targets.

One of the issues we cover, for instance, concerns the publication of personal details by employees on social networking sites. Names, addresses and birthdates are fabulous starting points for enterprising identity thieves and social engineers to pretend to be someone. Being cautious about what you publish is a simple control but is only valuable if you appreciate the risk sufficiently to be careful, hence the value of awareness.

Find out what's in the awareness module and read all about the NoticeBored service.

Friday, October 10, 2008

Malicious 'M$ update' attachment

Here's a crude attempt to get me to install malware, fresh from my inbox:
Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.


Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.
Doh!

I wonder how many non-infosec professionals would fall for it though.

Wednesday, October 08, 2008

The ethics of entrapment

Police are using technology to capture criminals, for example by fitting out vehicles with CCTV and leaving them in vulnerable locations to lure car thieves. The CCTV images are so good that it's easy to make out the criminal's facial features and sometimes even his name and birth date tattooed on his neck (doh!).

But consider the question about whether such activity is ethical. From most perspectives (other than the criminals'!), it seems acceptable since the recording devices are within someone's property space which is clearly being violated by the criminals. One might argue that leaving such an attractive lure in a vulnerable place is entrapment, encouraging an otherwise law-abiding person to step over the line and break in, but what do you think? This is a good topic for a tea-time discussion in the average office.

UPDATE Oct 17th: Here's another situation with similar ethical issues. The FBI has allegedly been running DarkMarket, a carders' web exchange for stolen credit card numbers. What a great way to capture details about the criminals, the cards and the culture, but is it ethical? To make it work, they had to let a significant number of carders' transactions go ahead without interference, leading to millions of pounds worth of fraudulent purchases and costs for the card holders and/or credit card companies, banks and retailers concerned, in the same way that undercover drugs cops let and in fact help drug deals proceed until they have the opportunity to spring the trap.

Friday, October 03, 2008

Another ethics book recommendation

My colleague Rob Slade, renowned for his book reviews, has just circulated a glowing review of the book Computer Ethics by Deborah Johnson. I say "glowing" deliberately: Rob has published many harsh reviews and, in my experience, they are generally well deserved. The relatively few books that Rob likes stand out as somewhat exceptional and, again, in my experience are well worth reading. Rob knows his stuff. I find him hard but fair. In short, I trust Rob's judgement on computer security books.

Ethically I should point out that I have not actually read Johnson's book myself - I am merely passing on a recommendation. If you have read it and would like to put me straight, please comment below!

Thursday, October 02, 2008

Dual use IT

A fellow inmate of CISSPforum sent us a link today to an interesting piece in the Boston Globe regarding the victim of a laptop theft using remote access software to log on to his machine and, in due course, identify the suspected thief's name and address as he typed it into a website. At last, an ethical use for a Remote Access Trojan (RAT)!

The Web is awash with organizations offering to license their RATs and keylogging Trojans but, so far as I can see, they are mostly aiming at the "Spy on your spouse" market. Some of them claim to be aiming at "Spy on your employees" or "Spy on your children", as if that legitimises their activities, but speaking personally, I find these uses unethical too. Spouses, employees and children ALL have legitimate expectations of privacy, whether online or off. To me, spying on them as they use the computers is essentially the same as spying on them in the Real World. It's underhand and unfair. Putting yourself in their shoes, how would you like to be spied upon?

[Aside: presumably there is a market for counter-espionage techniques, software that identifies RATs etc. and responds in some appropriate fashion, perhaps feeding the spies false information or simply cutting the link, the IT equivalent of firing a poison pellet into the spy's calf!].

That said, an incident close to home has made me reconsider my ethical position when a close family member discovered that her child was being 'groomed' through online chatrooms. The discovery came not through spy software but good ol' fashioned parenting - keeping a close eye on the little ones and protecting their interests. In this case, the parents' concern was justified and the groomer was stopped in his tracks, but I'm not saying that "the end justifies the means". If my relative had used spy software, I would still have found it distasteful. I think. But that's my personal perspective: you may see things differently.

Anyway, the use of spy software to recover a stolen computer seems perfectly reasonable and indeed entirely legitimate to me. The thief has no reasonable expectation of privacy while using stolen equipment. Maybe I wouldn't go so far as to say the thief has no rights at all (he is still a human being after all) but privacy is not one of them. The Globe mentions similar cases where owners have turned on built-in cameras to photograph those who are using their stolen systems - again, that's not unreasonable to me, just a creative use of technology.

Of course, thieves will see things differently.

Wednesday, October 01, 2008

Bootstrapping for software developers

Why is it that so many organizations expect their software developers and other IT people to “do” information security, yet they don’t bother to train them in the art?

A new security awareness briefing pack contains a set of notelets (short briefings) to help those involved in managing and delivering IT system developments fulfill their information security obligations.

The notelets fall into two groups:
  1. Technical notelets introduce common information security controls, explain generic control requirements and outline the options available to satisfy those requirements.
  2. Development process notelets outline information security issues that ought to be taken into account during most software developments (including ‘end user computing’ projects such as spreadsheet programs).
Although all the notelets are succinct double-sided items, the briefing pack contains 33 of them and hence, with introduction and copyright notice, is some 70 pages in total.
Download the complete pack here (1Mb PDF file).

The editable MS Word version of the pack is available free of charge on request by NoticeBored customers. An earlier version of the pack was delivered in the module on ‘SDLC integration’ in 2006.

Tuesday, September 30, 2008

New awareness module on ethics

Whereas most months we revise and reissue NoticeBored security awareness modules on topics we've covered before, this month we've written a completely new one on ethics and morality in information security. To be fair, it's something we have touched on several times but it seemed appropriate to go into a bit more depth for once.

Ethical people and indeed organizations act in accordance with principles of conduct that are generally considered correct, appropriate or proper. In respect of information security, ethical behavior reinforces procedural controls. Unethical people who disregard the principles and ignore procedures weaken security, just as a rusty door bolt can jeopardize physical security. However, there is more to ethics than mere compliance. We all face ethical decisions and dilemmas from time to time, situations in which our internal values and beliefs guide our actions as much as external pressures.

The NoticeBored newsletter explores the risks around ethics and sets the scene for the remainder of the awareness module. The module covers aspects such as:
  • Responsible disclosure of security vulnerabilities
  • Cheating and hacking
  • Management responsibilities to set the right ethical tone at the top
  • Employee responsibilities to uphold ethical principles
  • Whistleblowing on unethical practices
  • The slippery slope from entirely ethical to entirely unethical behaviors.
As always, the newsletter is freely available to all as a PDF file but you'll need to subscribe to the NoticeBored awareness service for the MS Word version, plus around 36Mb of other awareness materials (including 6 posters, 3 seminar presentations, 4 screensavers, several briefings and guidelines, a crossword, an awareness test and a survey, a discussion paper on ethics metrics, a board agenda, awareness activities and an internal controls questionnaire to review your organization's ethical security controls).

Friday, September 19, 2008

Institute of Information Security Professionals

A blog entry by Gerry O’Neill, CEO of the Institute of Information Security Professionals, gives us an update on the IISP's progress towards defining and implementing a certification process for its members. 

Gerry acknowledges a handful of existing certifications (such as CISSP, CISM, CISA and MSc) from which the IISP appears to have borrowed a few ideas (e.g. referring to a "common body of knowledge", presumably similar to the CISSP CBK?). He identifies certain characteristics of a profession, including "a ‘licence to practice’, based around a core of specialist knowledge, skills and disciplines, regulated by a professional body and, crucially, with business recognition of its value." The ‘licence to practice’ idea works well for professions such as medicine, accountancy and law but these professions are clearly much older than information security. Whether the IISP can first establish itself as a recognised professional body, secondly impose regulations and standards on its members, and thirdly achieve broad acceptance by the general public and the authorities is an open question at this point. They have set themselves a worthwhile but extremely difficult task, attempting to shortcut the thousands of years that other professions have had to develop their professional practices.

While there will be a Disciplinary Committee to ensure compliance with the IISP Code of Conduct, I wonder whether they will also establish a professional practices and ethics board to assess claims from the public or authorities that its members are incompetent, incapable, unethical or otherwise unsuitable to be called information security professionals? Policing the members and upholding the highest professional standards is another important though difficult role for a professional body - it's an integrity issue for the individuals concerned, the professional body and indeed the profession as a whole.

The Institute has defined a list of 33 skills as a basis for both developing and assessing information security professionals.  Three items in the list caught my eye: I1 Research, I2 Academic Research and I3 Applied Research.  Most security certifications (other than MSc and similar academic qualifications) emphasise practical expertise and implementation skills rather than research.  As a former research scientist myself, I welcome the emphasis on original research which will both help advance the profession and provide an entry route for students.

All in all, I'm interested to see this initiative develop and welcome the IISP extending its remit from the UK to the rest of the world, in due course. 
