Tuesday, April 20, 2010

Australian govt security awareness criticized

A newly published report from the Australian National Audit Office into information security awareness and training for Australian government agencies is somewhat ambiguous in tone. The ANAO has previously recommended that agencies "develop and schedule periodic education and awareness programs for non-security personnel addressing agency security standards", "develop a structured and proactive security awareness education and training strategy" or "promote security aftercare arrangements in security education and training activities" - in other words, they have clearly been advised to sharpen up their act in this area. The latest report says:
"Overall, the audit concluded that the security awareness and training arrangements at the audited organisations were generally adequate and operating as intended. Nevertheless, there is considerable scope to enhance the effectiveness of the organisations’ security awareness and training programs. The main areas for improvement relate to more thoughtful planning, including tailoring the approaches used in light of the organisations’ security risk profiles, and better monitoring to help identify security awareness techniques that are not effective or working well. In addition, the audited organisations would benefit from improved record keeping to assist them manage the timely delivery of, and attendance at, security awareness training."
So although they are 'generally adequate', the security awareness and training arrangements evidently need better planning, monitoring and record-keeping. Only one of the four agencies audited had an actual awareness and training plan - the rest presumably make it up as they go along.

The report continues: "none of the organisations had any training or briefings targeted at the roles and responsibilities of security cleared staff". I find this somewhat hard to believe. Security cleared staff presumably handle protectively marked information, systems etc., but despite the clearances, their obligations towards protecting those information assets are not spelled out to them? Seems odd. It's not as if the requirements are undefined - the government's Protective Security Manual surely lays out the most important aspects in black and white.

"None of the audited organisations had regular and structured processes in place to assess the impact and success (or otherwise) of their security awareness and training activities." So the agencies are investing an unknown but presumably significant amount in security awareness and training but not bothering to see whether all this public money is well spent?

This is hardly rocket science. Awareness and training strategies, plans and metrics are straightforward enough, aren't they?

Oh well, perhaps we can anticipate sales enquiries from our Australian colleagues. We'd love to help them with planning, delivering and measuring best practice awareness and training programs ...

Tuesday, March 23, 2010

Novel money mule scam

Here's a scam I've not seen before, received by email:

Hello, My name is Raphael Scott I would be in your country for a seven days business meeting with 10 people. Do you have any vehicle or vehicles we could use during the period of our stay. The vehicle(s) would needed during on the following dates: ARRIVAL DATE: 23TH APRIL 2010 DEPARTURE DATE: 30TH APRIL 2010 Remember our movement basically from airport to hotel and venue conference, about 20 miles within the vicinity. Your duty is only to arrange vehicles and drivers that will contain 10 people for seven days. We would be happy if you could provide us with any of the following 2 mini buses , 2 sedans, 8 to 16 cheater bus or a Limousine. Let know a quote or estimate for the seven days. We would need the car with a driver. I would send a deposit via credit card details as soon as this booking is confirmed. I hope you do accept credit cards? Kindly email me if you have availability on those dates, also tell me the area you operate in your country. Kindly confirm this booking with the vehicle details and total cost for the 7 days. Best Regards Raphael Scott 28 Montague Street London WC2B 5BP +447011196388

I presume the intention is to get victims to launder credit card payments, as money mules, in much the same way as those lame requests along the lines of "I want to buy your products. Do you take credit cards? Please send me your prices ...".

I feel a bit sorry for those who fall for this kind of nonsense, but on the other hand some of them are just greedy and must surely know this is not legit.

Steer well clear.

Saturday, March 20, 2010

Malawareness

Malware, an old favorite, is the security awareness topic for this month's NoticeBored module. One of the issues noted in the awareness materials is that of user PCs picking up infections simply by visiting infected websites, such as a 'bargain shopping' site in Australia that had evidently been compromised by hackers. According to the news report, certain browsers warned users when they visited the site. If the users were aware enough to take note of the warnings and not override the technical controls, that would have significantly reduced the risk of being infected; on top of that, the malware was probably recognized by normal antivirus software, further reducing the risk. However, unaware users without these controls may well have drawn the short straw, and to make matters worse they may still be blissfully ignorant of the infection.

Saturday, February 27, 2010

Awareness value of a US data center incident

Consonus, a US data-center/co-location facility provider that prides itself on its "highly secure and reliable data centers", suffered a rather embarrassing physical security incident at one of its data centers on Saturday February 20th. An email from the Consonus data center manager to his customers indicates that an Inergen automated fire suppression system was accidentally triggered during a routine 6-monthly inspection of the fire system. This incident somehow damaged a large number of disks in the facility (the email does not say how; the mechanism documented in similar incidents is the acoustic shock of the high-pressure discharge nozzles, which vibrates disk heads enough to cause write failures and, in the worst cases, physical damage) - I understand from other less reliable sources that as many as five hundred disks may have bitten the dust. Oops.

The point of this blog posting is not to poke fun at Consonus, who have clearly invested heavily in state-of-the-art controls and appear to have a comprehensive approach to information security, but rather to indicate that control failure remains a risk that we should all consider, no matter how strong we believe our controls may be.

In this incident, disk damage was evidently not the anticipated result of triggering the fire suppression system. It was an unforeseen risk, exactly the kind of thing that contingency planning is designed to mitigate. I wonder how many of Consonus' customers either buy its optional disaster recovery and data protection (evidently meaning backup and archival) services, or have their own contingency controls in place, or didn't but now wish they did ...

At the same time, this incident is probably not generating the kind of publicity that Consonus would welcome (although there's truth in the saying that there's no such thing as bad publicity!). I wonder if their customer services team has its own contingency plan for this kind of event?

This unfortunate incident would form the basis of an excellent case study for security awareness purposes, but it's far from isolated. The truth is that unpredictable and costly information security incidents happen more often than most people realize [and here I'm talking in general terms, explicitly not referring to Consonus!]. In the course of my career, I have seen many and, I'm ashamed to admit, been personally involved in a few.

Investing in high availability technologies and strong security measures still cannot guarantee that essential IT services will be 100% available under all circumstances. Testing the fire system 'outside normal office hours' reduces but does not eliminate the risks. Siting IT facilities above the anticipated '100-year flood level' is merely gazing into a weather forecaster's crystal ball. 'Uninterruptible power supply' is an oxymoron.

Even if information security is truly taken to heart by an enlightened senior management, as IT technologies and services get ever more complex, some types of coincident or catastrophic failure (including those caused by the very security controls we are implementing) become more, not less, likely.

Contingency planning depends on contingency thinking, which starts with someone posing the inevitable "What if ...?". There's a fine art to getting managers to suspend their rather charming but somewhat dubious trust in technology just long enough to consider what might happen if things don't in fact work perfectly, while at the same time not going so far as to be accused of just spreading FUD or constantly crying wolf (which is where classic "worst case scenarios" can easily lead). This is exactly the area where security awareness really helps in that it aligns information security and business thinking, focusing everyone on the risks and controls with the benefit of knowledge of what can, and indeed does, go wrong in similar situations elsewhere.

And that's why case studies make such good awareness tools. Better to learn from other people's misfortunes than to suffer them yourself.

Sunday, January 31, 2010

Cryptography in the dock

As if to mark the release of our latest security awareness module on cryptography*, Stephen Murdoch and Ross Anderson of Cambridge University have released a highly critical report into the security of the Verified by Visa and MasterCard SecureCode authentication systems. True to one of the central messages in the awareness materials, their main complaints revolve not around the cryptography, per se, but rather the implementation. It seems the banks, credit card companies, merchants and service providers have failed to pay sufficient attention to the poor human beings who use the system. Human factors significantly weaken a design that probably looks great on paper.

* Not so, of course, it was purely a coincidence.

Sunday, January 17, 2010

Making money from the Haitian quake

I can barely believe the cheek of this email that plopped into my inbox today:
HELP HAITI LONDON
13 Liverpool Road,
Islington, London,
N1 0RW

Dear.Friend

On Tuesday, a catastrophic earthquake struck near Port-au-Prince almost the whole of Haiti. The full extent of the damage is still being assessed, but the death toll -- already in the thousands -- is climbing fast.

This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.

Haiti is racing to confront the enormous devastation -- and the OFA community can help.
Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.

we have directed this means of contact individuals to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They're providing food, water, and sanitation supplies, saving lives and helping Haitians,please your help is also needed

Despite the fact that we are experiencing tough financial times now we encourage those who can to reach out and help. It's in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.

PLEASE FOR NOW YOU CAN SEND YOUR DONATIONS BY WESTERN UNION TO OUR HELP HAITI LONDON CORDINATIOR ANN BROWN WITH THE BELOW INFORMATION,NO AMOUNT ITS TOO SMALL HELP AND GOD WILL BLESS YOU!!

Receiver:Ann Brown
Location:London Uk
Email: helphaitinow@consultant.com
send her all related information or call john on +447031842276

Please if you make any donation send us the following informations for reference .
1) Your full name:

2) Sex:

3) Age:

4) Occupation:

5) Mobile / Telephone Number:

6) Country:

6) Nationality:

As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.

Thank you,

David Cole
Just in case you missed the rather obvious signs of a 419 scam - the rotten grammar and spelling, a 'London' charity that talks about "our national character" and "American citizens", and a request for donations by Western Union to a named individual rather than through any recognized charity - there's a completely unnecessary request for personal information to cap it all off.

Scumbags.
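As an added illustration, not part of the original posts, here is a small heuristic scorer in Python that looks for the tells the two scam e-mails on this page share: a wire-transfer or card-details demand, a numbered form requesting identity details, a contact number in the UK 070 'personal numbering' range (which forwards calls to any phone anywhere and turns up in both quoted messages), a free webmail contact address and all-caps shouting. The three samples are constructed paraphrases of the quoted e-mails plus a benign control, and the weights are illustrative guesses rather than a calibrated model; it is meant as awareness material or a mail-filter prototype, not a production classifier.

```python
import re

# Constructed, shortened samples modelled on the two e-mails quoted on this page;
# they are illustrations, not the original messages.
CHARITY_SAMPLE = """HELP HAITI LONDON
PLEASE FOR NOW SEND YOUR DONATIONS BY WESTERN UNION TO OUR COORDINATOR, NO AMOUNT IS TOO SMALL AND GOD WILL BLESS YOU!!
Receiver: Ann Brown   Email: helphaitinow@consultant.com   or call John on +447031842276
Please if you make any donation send us the following information for reference:
1) Your full name:
2) Sex:
3) Age:
4) Occupation:
5) Mobile / Telephone Number:
"""

MULE_SAMPLE = """Hello, my name is Raphael Scott. I will be in your country for a seven day business meeting with 10 people.
Do you have vehicles with drivers we could hire for that week? Let me know a quote for the seven days.
I would send a deposit via credit card details as soon as this booking is confirmed.
Raphael Scott, London, +447011196388
"""

LEGIT_SAMPLE = """Dear supporter,
Thank you for your past donation. You can give online at our website or by cheque.
Kind regards, Fundraising Team, Registered charity no. 1234567
"""

# Each signal: (name, weight, compiled pattern). Weights are illustrative, not calibrated.
PATTERN_SIGNALS = [
    ("wire_transfer_only", 3, re.compile(r"\b(western\s+union|moneygram)\b", re.I)),
    # UK 070 "personal numbering" range forwards to any phone anywhere; it appears in
    # both e-mails quoted on this page and is a classic advance-fee-fraud tell.
    ("personal_number_prefix", 2, re.compile(r"(\+44\s?|\b0)70\d{8}\b")),
    ("card_details_by_email", 1, re.compile(r"credit\s+card\s+details", re.I)),
    # Illustrative list of consumer mailbox domains; a real filter would use a maintained one.
    ("webmail_contact", 1, re.compile(r"@(consultant\.com|gmail\.com|yahoo\.\w+|hotmail\.\w+)\b", re.I)),
    ("divine_blessing", 1, re.compile(r"\bgod\s+will\s+bless\b", re.I)),
]
# A numbered form asking for identity details is needless for a genuine donation.
FORM_FIELD = re.compile(
    r"^\s*\d+\)\s*(?:your\s+)?(full\s+name|sex|age|occupation|mobile|telephone|country|nationality)\b",
    re.I | re.M,
)


def extract_signals(text):
    """Return {signal_name: weight} for every signal that fires on the message."""
    found = {}
    for name, weight, pat in PATTERN_SIGNALS:
        if pat.search(text):
            found[name] = weight
    if len(FORM_FIELD.findall(text)) >= 3:
        found["personal_data_form"] = 2
    letters = [c for c in text if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.3:
        found["shouting"] = 1
    return found


def score(text):
    """Sum of the weights of all signals present."""
    return sum(extract_signals(text).values())


def classify(text):
    """Coarse verdict from the score; thresholds are arbitrary illustration values."""
    s = score(text)
    if s >= 5:
        return "likely scam"
    if s >= 2:
        return "suspicious"
    return "no strong signals"


if __name__ == "__main__":
    for label, sample in (("charity", CHARITY_SAMPLE), ("vehicle hire", MULE_SAMPLE), ("control", LEGIT_SAMPLE)):
        print(f"{label:12s} score={score(sample):2d} verdict={classify(sample)!r} signals={extract_signals(sample)}")
```

The vehicle-hire message scores only 'suspicious' on its own, which is the point: a single tell such as a 070 number is weak evidence, and it is the accumulation of independent signals that makes the charity appeal a clear call. Any scorer like this needs regular retuning, since scammers copy each other's text and drift as filters catch up.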

Monday, January 11, 2010

Privacy/security awareness

A report from Government Technology caught my eye this morning: CSI Computer Crime and Security Survey Shows Poor Security Awareness Training in Public and Private Sectors. "Mmmm, looks interesting" I thought, especially when I saw this:

"But respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. A whopping 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate.

"I think that's too bad it is that way, but consider that you could cut half of the losses simply by taking care of that problem," Richardson said.

Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well."

So, less than 60% of organizations surveyed (56.6%, taking the 43.4% figure at face value) spend at least 1% of their 'security budget' (whatever that means) on 'awareness training' (whatever that means also). I can't say I'm surprised by that but I'd like to know more and check the original source for details.

The GovTech report didn't include a link to the survey, merely a link to the CSI website. There's an obvious link to the survey on CSI's home page, but Houston, we have a problem: it seems the only way to obtain the survey is either to purchase membership of CSI, for over US$200, or obtain a 'free preview' of the report .... which requires me to enter a bunch of personal information.

If, as the GovTech article suggests, there really is a problem with security awareness, it seems rather ironic that the CSI report is not freely available to all without invading our privacy. The report sounds like it might be useful from an awareness perspective but not at that price.

Similar surveys are freely available from many other organizations. Guess I can live without CSI's.

Tuesday, January 05, 2010

Secure software development

In connection with this month's NoticeBored awareness materials on the security aspects of software development, I've been listening to a podcast by Ralph Hood and Kim Howell (two Microsofties) about how both privacy and wider information security issues are integrated into Microsoft's development practices.

From a non-US perspective, the very idea that privacy and security are "opposite sides of the same coin" seems a little weird. For most of the rest of the world, privacy has long been acknowledged as a subset of information security, being essentially the confidentiality of information about specific individuals. But, as host Julia Allen mentions in the podcast, the US is still shifting from the idea that it's perfectly OK to collect all sorts of personal information from people and use it as you wish.

One of the interesting approaches discussed in the podcast is that personal information needed purely for aggregation or statistical purposes should be collected and held only temporarily, then deleted as soon as possible. Personal information in server logs, for example, may be parsed out, analyzed and deleted by a regular process. While this would make post-hoc validation of the data difficult, this slight drawback is outweighed by the privacy advantages for those who supply their information.
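The log-minimisation approach described above, as an added example that is not from the podcast or from Microsoft: a Python batch job that computes the aggregate statistics the business actually wants (hits per path and status, unique visitors per day) and then emits only scrubbed lines, with the client IP replaced by a keyed, day-scoped pseudonym and the query string (where e-mail addresses and tokens tend to leak) dropped. The log lines, the field names and BATCH_KEY are constructed for illustration; in practice the key would be generated fresh per batch and discarded with it, so the pseudonyms cannot be reversed or linked across batches afterwards.

```python
import hmac
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "common log format"; the client IP is the only direct identifier here,
# but query strings (e.g. ?email=...) frequently leak personal data as well.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (RFC 5737 documentation addresses), not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jan/2010:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [17/Jan/2010:10:02:15 +0000] "GET /signup?email=alice%40example.com HTTP/1.1" 200 512',
    '198.51.100.23 - - [17/Jan/2010:10:05:40 +0000] "POST /login HTTP/1.1" 401 0',
    '198.51.100.23 - - [17/Jan/2010:10:05:58 +0000] "POST /login HTTP/1.1" 200 233',
    '192.0.2.99 - - [18/Jan/2010:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 1043',
    'not a log line at all',
]

# Hypothetical per-batch secret: generate it fresh for each run and discard it with the
# batch, so the pseudonyms cannot be reversed or linked across runs afterwards.
BATCH_KEY = b"rotate-me-every-batch"


def parse(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    try:
        method, target, proto = m.group("req").split(" ")
    except ValueError:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "day": ts.date().isoformat(),
        "method": method,
        "path": target.split("?", 1)[0],   # drop the query string: it is where PII hides
        "proto": proto,
        "status": m.group("status"),
        "size": m.group("size"),
    }


def pseudonym(ip, day, key):
    """Keyed, day-scoped pseudonym: same visitor -> same token within one day only."""
    mac = hmac.new(key, f"{day}|{ip}".encode(), hashlib.sha256).hexdigest()
    return "v:" + mac[:12]


def scrub(rec, key):
    """Re-emit the record with the raw IP and query string removed."""
    who = pseudonym(rec["ip"], rec["day"], key)
    return (f'{who} - - [{rec["ts"]}] "{rec["method"]} {rec["path"]} {rec["proto"]}" '
            f'{rec["status"]} {rec["size"]}')


def process_batch(lines, key):
    """Compute the statistics the business needs, then keep only the scrubbed lines.

    Returns (aggregates, scrubbed_lines). No line containing a raw IP survives the call.
    """
    hits = Counter()                  # (path, status) -> count
    seen = defaultdict(set)           # day -> raw IPs, held only while aggregating
    scrubbed = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                  # unparsed lines are dropped: they may contain anything
        hits[(rec["path"], rec["status"])] += 1
        seen[rec["day"]].add(rec["ip"])
        scrubbed.append(scrub(rec, key))
    unique = {day: len(ips) for day, ips in seen.items()}
    seen.clear()                      # the only place raw IPs were held in memory
    return {"hits": hits, "unique_visitors": unique}, scrubbed


if __name__ == "__main__":
    agg, kept = process_batch(SAMPLE_LOG, BATCH_KEY)
    for (path, status), n in sorted(agg["hits"].items()):
        print(f"{path} {status}: {n}")
    print("unique visitors per day:", agg["unique_visitors"])
    print("\n".join(kept))
```

Two caveats a practitioner would add: a plain unkeyed hash of the IP is not a pseudonym, since the whole IPv4 space can be hashed in seconds, which is why the key and the daily scope matter; and the exact timestamps retained here still allow some re-identification by correlation, so a stricter version would also coarsen them to the hour once the per-day statistics are out.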

The podcast is one of the excellent Security for business leaders series by CERT at Carnegie Mellon University. An impressive range of podcasts is available to download.

Thursday, December 10, 2009

Security awareness research

Thanks to a link posted to an email reflector, I've just stumbled across a 2006 PhD thesis that examined a number of approaches to information security awareness in order to develop design guidelines for awareness programs and activities. The research was mentored by Professor Mikko Siponen, leader of Oulu University's Information Systems Security Research Center in Finland. The thesis, "A design theory for information security awareness" by Petri Puhakainen is well written. As usual for a scientific PhD thesis, it starts by briefly reviewing existing literature in the field of information security awareness, then goes on to present the author's research experiments, findings and conclusions.

The thesis uses cognitive theories on how learning and behavioural changes are understood to occur to evaluate common awareness practices. For example, "Communication is presented as a continuous process where the parties should take turns and create information to be shared, interpreted, and reinterpreted until a sufficient degree of mutual understanding and agreement is achieved to enable collective action. The outcomes of the communication process are social (mutual understanding, agreement, and collective action) and individual (perceiving, interpreting, understanding, and believing)." (page 78).

As I read it, Petri (in common with many others in this field) often confuses 'awareness' with 'training', for example discussing a research case involving quite narrow training on the use of encryption for confidential email as a security awareness exercise. To my mind, awareness is intended to achieve a generalized appreciation or understanding of information security throughout the enterprise as a whole, while training is intended to focus on a specific problem area or development need for specific individuals or teams. Awareness aims to change employees' behaviour in quite subtle but broad ways (cultural development), while training aims to change employees' behaviour more overtly under quite specific circumstances (personal development). These are quite distinct aims that are usually satisfied by different teaching/training and motivational/awareness methods.

By stating "At least in large organizations, it is not possible to aim at mutual understanding by engaging all employees in the conversation process. Such approach would be expensive and slow, making [it] unfeasible." (also on page 78), Petri arguably misunderstands the value of broad-based enterprise-wide security awareness programs that inform and engage employees throughout the corporation but without the expense normally associated with classroom training sessions.

All arguments aside, the previous two paragraphs hint at the value of reading Petri's thesis in depth, exploring the many embedded references and thinking critically about what the author presents. As an information security professional with more than two decades' experience and a penchant for both academic and pragmatic writings on the subject, I'm delighted to have learnt new things and found useful new references in the thesis. Good job Petri!

Saturday, November 07, 2009

Cheapskate copycat 419 scammers

The following extraordinary sentence launched yet another tedious social engineering 419 scam in my spam box:

"Take notice that based on the UNITED NATIONS government inauguration of this committee which extended to all countries which combined with the United Nation Anti-crime commission to alleviate and redeem the image and past wounds of our dear citizens and foreign firms who were duped, defrauded, scammed and abandoned by some impostors who indiscriminately use the name of God, Office of governors, Presidency, Banks etc to slight down our dignities to international communities."

Most 419ers are clearly one sandwich short of a picnic as all they seem to do is replay the same old scams over and over. The 'clever' ones add daft little elaborations and the rest duly plagiarise them without actually understanding how dumb they end up sounding.

This cretin continued: "Many banks have been in bankruptcy today, Universal firms, Companies due to the activity of these hoodlums. However, investigation have shown that these people have dropped over 500,000 clients after collecting their money, many committed suicide and others living by the grace of God," [that comma ended the paragraph].

By the third paragraph, the bizarre language had actually become quite entertaining: "Meanwhile, we have a committee whose duties are to re-commend [sic] genuine contractors, loan bidders, next of kin (inheritance payment), foreign firms who have completed all the U.S government normal payment requirements but abandoned due to take over of some sacked officials who take Government papers to collect money and leave the beneficiary half way." He's obviously read far too many emails by his friends in the back-street Internet cafe, and mashed them all together in his tiny pin-head, as if that somehow enhances the magic.

After a boring fourth paragraph, we discover that his CAPS-LOCK key is evidently sticking: "We also have endorsed your payment to FALCON BANK TO PAY YOU THROUGH A DIPLOMATIC COURIER SERVICE without prejudice and will need a confirmation of all your communication until you finally receive your money so as to investigate more so to find out more facts on this issues, it will be well appreciated if you can provide us some vital information on how you have been scammed. The U.N government is using this opportunity to compensate the entire victim who some have duped."

The 'U.N Government'?! Gosh, I must have missed that election. Silly me.

"So you are advice to contact Mr. Felix De Lapaz to mail to you a certified check which can be cashed anywhere in the world and the amount is $250,000.00 U.S.D(TWO HUNDRED AND FIFTY THOUSAND UNITED STATES DOLLARS)." Now, just in case the rest of this tripe somehow escaped my beady and rather jaundiced eye, I clearly smell a very large malodorous rat as most of this cheapskate scammer's peers are offering me many MILLIONS (all in CAPS of course, spelt out for me word-by-word as if this somehow adds credibility to those crazy digits).

After asking me to cough up a little personal information ("Please fill the following form for documentations:"), the numbskull ends with this: "As soon as you give him the following he will mail your compensation cheque to you. THIS IS PROUDLY SPONSORED BY "THE U.N CAMPAIGN TEAM AGAINST ONLINE SCAMS"." So, this is a sponsored scam, eh? I'm sorely tempted to write back to see if I can discover how he managed to secure such high-powered sponsorship ... but then I come to my senses and realise that bozos like this are simply not worth the electrons.

Still, at least I got yet another entertaining case study out of it. And a wry smile.

Monday, November 02, 2009

Blogging policies

A set of policies, presented as checklists or guidelines for employees, explains typical rules for employees who use blogs or other social media:
"The Disclosure Best Practices Toolkit is a draft series of checklists to help companies, their employees, and their agencies learn the appropriate and transparent ways to interact with blogs, bloggers, and the people who interact with them.

We believe in the principles of transparency and openness, and this document is a way of making this real on the inside. Our goal is not to create or propose new industry standards or rules. These checklists are open source training tools designed to help educate the hundreds or thousands of employees in any large corporation the appropriate ways to interact with the social media community."

The authors evidently have a bee in their bonnet about people disclosing any pecuniary interest in the matters on which they are writing. If adapted to become corporate policies, management may wish to be crystal clear about the limits on employees discussing the organization, its products, customers or related matters in any public forum (including all social media), particularly if all such pronouncements should normally be explicitly sanctioned by Public Relations, Law, Marketing or other interested parties.

Note: this may be just as much an issue for employees (or indeed contractors, consultants and others) blogging 'in their own time' as for those blogging at work.

Friday, October 30, 2009

Blogging policy

The CBC Blogging Manifesto is not unlike a skeleton corporate policy about blogging by employees. Even in this succinct original form, it would be an interesting advisory or discussion piece for your intranet Security Zone.

Wednesday, October 28, 2009

New NB module on social networking

Social networking has become extremely popular of late and is getting lots of coverage on new and traditional news media. Given the fact that a great deal of network/Internet use and applications have traditionally been social in nature, this is hardly surprising: what is more surprising is that the media and technology pundits seem to feel that we need to have a special term for it. Like most Internet and IT developments, it’s more evolution than revolution, and in fact more hype than substance in many cases.

Businesses are making use of interactive social media for corporate (primarily marketing) purposes. While these applications are, at the moment, more projected than proven, it is undeniable that many enterprises are either openly examining social networking and so-called Web 2.0 technologies, or are facing covert use of these systems and technologies by rogue employees. Either way, employees need to find out about the concerns and security dangers related to such use before landing themselves, their family, friends and colleagues, and maybe even their employers, in trouble.

Humans are social animals. Social networking websites such as MySpace, Facebook and Twitter, plus associated network applications, provide a conduit for social interaction by individuals, for example keeping in touch with family and friends, making new acquaintances and friends, and often publishing details of their normally private and personal activities on the Interwebnet.

The primary information security risks relating to social networking and social media can be classed as social engineering - the deliberate manipulation of vulnerable people in order to gain control over the information assets they own or have access to, and the use of information so obtained to deceive or manipulate others. With systems and networks getting ever more complex, ordinary users are getting more and more remote from the underlying technologies, which opens them to new threats from hackers who know how to turn the technologies and processes to their advantage.

You can find out more about the information security risks associated with social networking in this month’s NoticeBored security awareness newsletter, and take a look at what's in store in the new awareness module here.

Tuesday, September 01, 2009

New security awareness module on privacy

Privacy is both a narrow, intensely personal issue relating to the individual, and a broad democratic principle relating to society at large. It’s one of those things in life that perhaps we don’t truly appreciate until it’s gone – ask anyone who has suffered intrusive media coverage for instance, lost their identity to an identity thief, or had their medical, personnel or credit card data records “lost presumed stolen”.

A lay person might define personal information as “Details about someone that they would consider private.” That definition may make perfect sense to you and me but is probably too subjective for the courts. Personal information is defined more narrowly in the legislation, but annoyingly the definitions vary between countries.

Read more about what’s in September’s NoticeBored module and the free security awareness newsletter, or follow along with us on Twitter or our blog as we continue gathering links to interesting privacy news.

Friday, August 21, 2009

Cradle-to-grave security awareness

Today's release of Information Security 101 adds another valuable tool to the Information Security Manager's security awareness toolkit from IsecT Ltd.

Information Security 101 was formerly known as the Induction Module and that remains its primary purpose: facilitating security induction courses for new employee orientation. It provides a coherent and comprehensive set of foundation level awareness materials covering the basics of information security, the kinds of things that all new employees (and indeed contractors, consultants and even temps) should soon become familiar with when they turn up for work.

All the awareness materials from the original Induction Module have been thoroughly revised, updated and refreshed, with several brand new items being added. Information Security 101 still provides three parallel 'streams' of materials addressing three audience groups with subtly different information needs and perspectives:
  1. General employees or staff have broad responsibilities for information security and need to know the simple things such as choosing good passwords, running antivirus and backing up their data. For them, security is an incidental aspect of their work and home life that most don't really consider without some conscious effort being made to make them aware;
  2. Managers and Directors have specific governance and compliance obligations in respect of information security although they may not at first appreciate this. They are invariably busy people, yet take an interest in high level security strategies, policies and so forth. Getting managers on board with information security significantly improves the chances of the awareness program resonating with staff and ultimately being successful;
  3. IT professionals have an obvious interest in the more technical IT security controls. They are broadly expected to design, implement and operate most of the IT security controls on behalf of general IT users throughout the organization, yet it is not uncommon to find that IT pros have had limited exposure to even fundamental information security principles during their formal education, let alone leading security practices such as federated identity management and multifactor authentication.
As well as its use for induction/orientation purposes, Information Security 101 gives extra value by helping organizations launch (or relaunch!) best-practice security awareness programs. Bringing the whole employee base quickly up to speed on information security ensures that everyone has a firm grasp of the basics, preempting the regular security awareness activities that follow. [For this reason, Information Security 101 is supplied free of charge to customers of our flagship product, NoticeBored - a US$695 value.]

NoticeBored is a security awareness subscription service providing a fresh package of creative awareness materials on a different information security topic each month. This innovative approach is designed to drive "rolling" or continuous-delivery awareness programs giving year-round coverage to a broad range of information security topics. The NoticeBored materials also have three parallel streams covering the same three target audiences on relevant issues in familiar terms. The materials themselves are delivered as ordinary Microsoft Office files, making it easy for customers to customize or adapt the materials to suit their purposes. Customers can reference their own information security policies and procedures, provide contact details for their Information Security, Physical Security, Legal, HR and Compliance people, and incorporate the NoticeBored materials into intranet websites and Learning Management Systems supporting information security throughout the organization.

Other security awareness materials in the NoticeBored product family include:
  • The Back Catalog, a comprehensive library of awareness materials covering more than 30 information security topics - ideal to get your awareness program off to a flying start without having to wait for the monthly NoticeBored deliveries.
  • A generic information security policy manual based on the good security practices and controls recommended by ISO/IEC 27002. Organizations that are implementing Information Security Management Systems use our manual to develop their own custom set of policy principles, axioms and detailed policy statements reflecting the ISO27k standards.
  • A range of over 200 high-quality security awareness posters, supplied as JPG images for customers to customize and brand, then print as many hardcopies as they actually need at no extra charge.
  • A set of Internal Controls Questionnaires covering some 31 information security topics. These are useful prompts or guides for risk assessments, gap analysis, internal audits or management reviews, helping customers assess the extent to which their security controls actually mitigate the organization's information security risks. The questions posed are deliberately open-ended to encourage intelligent and flexible application, as opposed to the usual brain-dead compliance tick-lists that achieve so little in practice.
Thanks to our low overheads, we are able to offer unbeatable prices across the whole NoticeBored product range. Given that awareness leverages existing investments in technical and other forms of security controls, as well as being the only rational way to address the human elements of social engineering, fraud, phishing and similar security risks, NoticeBored provides outstanding value for money.

Last but not least, NoticeBored embodies our passion for the subject. Few if any information security managers would dispute the importance of security awareness, training and education, yet they seldom have the time or indeed the skills to really do it justice. By providing "camera ready" security awareness materials on topical subjects, we release our customers from the tedious burden of researching, writing and polishing the awareness content, leaving them free to concentrate on the fun part - interacting with employees, promoting good security practices and enthusiastically spreading a little of that passion we mentioned. In some ways, it's a shame we can't walk the last mile with you ... good luck.


Friday, August 07, 2009

Twitter admin email password reset incident

Last month a story broke about employees of the company behind Twitter being hacked. TechCrunch has published details of the incident, and the comments on their story identify some of the possible controls. In short:
- A Twitter employee uses Gmail
- Gmail has a password reset function that sends the user's password to a pre-registered email account
- The Twitter employee had originally configured Gmail to use a Hotmail email account for this
- The Hotmail account was unused for months and lapsed
- The hacker requested and obtained the same Hotmail email address [it looks like the hacker was able to guess the address, presumably it was a similar address to the Gmail account]
- The hacker told Gmail to reset and send him the Gmail account password via the Hotmail address that he now owns, which it did
- The hacker then logged on to the Twitter employee's Gmail account
- One of the emails he could now access was the original "Welcome to Gmail" type notice with the original password, so the hacker was able to reset the Gmail password back to the one the real user knew, before the real user noticed it had been changed
- Through information disclosed between Twitter employees by email, and by guessing his passwords to other Web systems, the hacker obtained a further bunch of confidential information including access to the email accounts of senior Twitter execs
- The hacker eventually disclosed the hack to the news media for some reason, causing public embarrassment to Twitter and fears about their evident insecurity
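The chain above turns on two reset-flow design decisions: the service handed back a usable password, and it trusted a recovery address that had not been confirmed in months. The following toy model, added here as an illustration and not code from Twitter, Google or this blog, replays the reset step against that weak design and against a hardened one that stores only a password hash, refuses recovery addresses not re-confirmed within an assumed policy window, and sends a short-lived single-use token instead of any secret. Class names, the 180-day and 15-minute policy values, and the account data are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

DAY = 86400
RECOVERY_MAX_AGE = 180 * DAY  # assumed policy: recovery address re-confirmed at least twice a year
TOKEN_TTL = 15 * 60           # assumed policy: reset token is single-use and expires after 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: the service never needs to know the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    recovery_email: str
    recovery_confirmed_at: float  # epoch seconds: when the user last proved control of the address
    salt: bytes
    password_hash: bytes


class WeakResetService:
    """The design the post describes: the password is kept recoverable and
    'reset' mails it to whatever recovery address is on file, however old."""

    def __init__(self) -> None:
        self.accounts: dict = {}  # username -> (password, recovery email)
        self.outbox: list = []    # (recipient, body); stands in for SMTP

    def register(self, username: str, password: str, recovery_email: str) -> None:
        self.accounts[username] = (password, recovery_email)

    def request_reset(self, username: str) -> str:
        password, recovery = self.accounts[username]
        self.outbox.append((recovery, f"Your password is: {password}"))
        return "sent"


class HardenedResetService:
    """Stores only a hash, refuses stale recovery addresses, and sends a
    short-lived single-use token instead of any secret."""

    def __init__(self, now=time.time) -> None:
        self.now = now            # injectable clock so the demo is deterministic
        self.accounts: dict = {}  # username -> Account
        self.tokens: dict = {}    # token -> (username, expiry)
        self.outbox: list = []

    def register(self, username: str, password: str, recovery_email: str, confirmed_at: float) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, recovery_email, confirmed_at, salt,
                                          hash_password(password, salt))

    def request_reset(self, username: str) -> str:
        acct = self.accounts[username]
        if self.now() - acct.recovery_confirmed_at > RECOVERY_MAX_AGE:
            # A lapsed webmail address can be re-registered by a stranger; do not trust it.
            return "refused: recovery address not confirmed recently"
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, self.now() + TOKEN_TTL)
        self.outbox.append((acct.recovery_email, f"Reset token: {token}"))
        return "sent"

    def complete_reset(self, token: str, new_password: str) -> bool:
        entry = self.tokens.pop(token, None)  # pop makes the token single-use
        if entry is None:
            return False
        username, expiry = entry
        if self.now() > expiry:
            return False
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.password_hash = hash_password(new_password, acct.salt)
        return True

    def verify(self, username: str, password: str) -> bool:
        acct = self.accounts[username]
        return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))


def demo() -> dict:
    """Replays the reset step against both designs using constructed data."""
    clock = [1_250_000_000.0]          # fixed 'now' so the run is repeatable
    now = lambda: clock[0]
    stale = now() - 200 * DAY          # recovery address last confirmed 200 days ago

    weak = WeakResetService()
    weak.register("alice", "hunter2", "alice@webmail.example")
    weak.request_reset("alice")        # whoever now holds the address receives the password
    leaked = weak.outbox[-1][1]

    hard = HardenedResetService(now)
    hard.register("alice", "hunter2", "alice@webmail.example", stale)
    stale_result = hard.request_reset("alice")
    hard.accounts["alice"].recovery_confirmed_at = now()   # user re-confirms the address
    fresh_result = hard.request_reset("alice")
    token = hard.outbox[-1][1].split()[-1]
    first_use = hard.complete_reset(token, "correct horse battery staple")
    replay = hard.complete_reset(token, "second attempt")  # same token again
    hard.request_reset("alice")
    late_token = hard.outbox[-1][1].split()[-1]
    clock[0] += TOKEN_TTL + 1          # token outlives its TTL
    expired = hard.complete_reset(late_token, "too late")
    return {
        "weak_leaks_password": "hunter2" in leaked,
        "stale_address_refused": stale_result.startswith("refused"),
        "fresh_address_accepted": fresh_result == "sent",
        "token_single_use": first_use and not replay,
        "expired_token_rejected": not expired,
        "new_password_valid": hard.verify("alice", "correct horse battery staple"),
    }
```

The stale-address check is the control most directly tied to this incident: a recovery mailbox that lapsed and was re-registered still looks valid to the service, so the only signal it has is how long ago the user last proved control of it. Mailing a token rather than a password also means the "Welcome" message step of the chain has nothing to reveal.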


Office comms risks and controls

An article about responsible Twittering hints at a broader concern for all social media, and in fact all forms of communication between the office and the outside world. Examples in the article include people falsely claiming to represent their employers and disclosing sensitive information via Twitter, plus Twitter being used to direct potential victims to infectious sites hosting malware. People have done the same kinds of things for years using email, telephone, blogs, bulletin boards, IM, VoIP and so on - even letters in the post: the incidents are pretty similar though the communications media vary.

This obviously raises questions about how to reduce the risks without unduly interfering with legitimate business communications. Technical controls offer limited assistance e.g. blocking IM will block legitimate IM activities, and determined users can sometimes find ways around such blocks anyway. Automatically appended email disclaimers have dubious legal validity, particularly those that are written or modified by amateurs. Policies and procedures can help but only if employees are made aware of, accept and comply with them, which requires awareness activities (such as this month's NoticeBored module) and compliance activities (such as management oversight - basically taking an interest in what staff are doing at their desks).

Risk avoidance is arguably the most effective control, in other words discouraging or preventing unnecessary office communications outside the organization. However this is likely to have an adverse impact on legitimate business activities, and hence costs.

Since the controls are evidently not perfect, wise organizations make contingency arrangements in preparation for situations when the controls fail and incidents occur. Examples:
  • Incident notification and specific response procedures covering these kinds of incident;
  • Response procedures include 'damage limitation' using legal actions (e.g. those disclaimers and Non Disclosure Agreements) and Public Relations (e.g. stock press releases ready to issue);
  • "Learning the lessons" which means using incidents (particularly those suffered by the organization but also its peers and others in the public domain) as case studies and training materials;
  • Disciplinary procedures taking account of incidents of this nature, typically using examples.

[Scary postscript: the Pentagon thinks there is value in 'instant comms', if only soldiers can be persuaded not to disclose little things such as battle plans ...] [Or is this just a crude attempt by the US to encourage foreign militia to permit their soldiers to use Twitter?]


Thursday, August 06, 2009

Office and email security awareness


We've released a thoroughly refreshed and updated awareness module on office security, covering physical and IT security in the workplace. It includes email security and security for other forms of office messaging and inter-personal communications such as IM and VoIP.


Tuesday, June 30, 2009

New awareness module on digital forensics

One of this month's poster images

Dear friends of NoticeBored,

Digital forensics - the capture and analysis of digital evidence for use in court - is an increasingly important topic not just for law enforcement but for ordinary organizations and even individuals. The forensic investigation of computers, cellphones, PDAs, USB memory sticks etc. is a tedious, painstaking process involving the systematic collection, storage, examination, analysis and interpretation of the data they contain.

Digital forensics is a completely new topic for NoticeBored, our 35th information security focus area so far. While we do not know of any competing security awareness products that cover forensics, it’s a fascinating topic for those who enjoy whodunnit thrillers or watch CSI Miami. Awareness of the procedures and issues involved in digital or computer forensics might just interest technical employees enough to take up the challenge and complete the training, and should give management the basic knowledge to be able to select and/or work with digital forensic services from third party specialists or indeed the police and forensic science units.

While almost all of the awareness materials are only available to our customers, the newsletter is available as a read-only PDF file.

All the best,
Gary


Wednesday, June 17, 2009

Writing workable infosec policies

Writing in Computerworld, author Jennifer Bayuk offers some innovative suggestions on how best to write information security policies that are effective and workable in practice. I particularly like the way she emphasizes taking time to canvass management on their perspectives on the value of, and hence the need to protect, their information assets, drawing out management's control objectives as a prelude to drafting the actual policy statements. She's talking about an implicit risk assessment approach, I guess: I have successfully used risk workshops and so forth to achieve essentially the same ends, namely explicit management understanding and support for information security. It works.

Jennifer mentions the use of standards such as ISO27k, COBIT and the ISF Standard of Good Practice, all of which I would agree form a sound basis for developing reasonably comprehensive policy sets - in fact, it could be argued that organizations should perhaps use a synthesis of all three, plus relevant NIST SP800 standards and all applicable legal or regulatory or contractual compliance/security obligations and relevant strategic goals in relation to protecting information assets ... except that such an approach would soon get completely out of hand in practice. The true art of policy writing is to say all that needs to be said, no more, no less, clearly and in a manner that motivates the audiences to comply. Yes, audiences, for there are several.

I would however take exception to Jennifer's comment that "these documents [meaning the security standards] are inherently generic and do not state specific management objectives for security". ISO/IEC 27002 is generic, granted, but it comes remarkably close to laying out a suite of management-level security objectives (called "control objectives" in the standard) that would apply to virtually any organization. Several other standards take a similar line, and most in fact start from the position "First, managers, examine your risks and determine your information security priorities ...". The guidance they go on to offer is not meant to be prescriptive, rather it is like an a la carte menu of popular controls that, by implication, represent generally accepted good practice.

Our very own information security policy manual is based around the structure and guidance from ISO/IEC 27002. Although the whole manual is over 100 pages long, it incorporates a set of 39 management-level "security axioms" derived from 27002's 39 control objectives and threaded throughout the manual, plus a selection of 7 even higher level security principles. The axioms and principles are repeated in an appendix of just under three pages that should not be too much of a burden for management, even ADHD senior management, to consider and hopefully approve or mandate. The remaining 100-odd pages then lay out the mid-level details which are primarily aimed at information security practitioners and directly correspond to those control objectives approved by management. There is a coherence to this design that I commend to others and I must say our policy manual is selling very well, thank you, so I submit that's the real proof of the pudding.

Finally, Ms Bayuk says next to nothing about the hardest part of security policies, which is not in fact writing them or getting them approved: it's implementing them and gaining compliance in real organizations, facing real day-to-day crises and strategic challenges, with employees and third parties who generally "have better things to do than worry about security" and would love to point the finger at Someone Else. Management simply laying down the rules is not in itself sufficient, even if (in our policy manual anyway), the CEO has a paragraph right at the start saying, basically, "This is important, do it or else". Security awareness activities provide the oil to slip the policies quietly into place. Awareness combines information provision ("This is what the policies say") with pragmatic guidance (procedures, guidelines etc.) but most of all it motivates people to do something different. Believe me, there are far more subtle forms of motivation than "Do this or else", for example finding creative angles on security topics pointing out that it is generally in employees' own best interests to behave securely. The rather negative comply-or-die-punk approach may work for some people some of the time, but on the whole, do-this-to-help-yourself-and-the-organization is a far more positive approach and an easier sell. Both types of message delivery are needed as they complement each other, between them pretty much covering the lot.

We have just updated our policy manual to reflect the release of ISO/IEC 27000 and continue to incorporate our understanding of good security practices at every opportunity. Even our generic policy template is very much a living document, not least because in security, someone keeps on moving the bloody goalposts!


PS Sorry for lack of blogging lately, I've just not been in a creative mood following the death of my father. They say bereavement affects people in different ways and now I think I understand what they mean.


Tuesday, March 24, 2009

Revised NIST security awareness/training standard

I've been reading and thinking today about a revised NIST Special Publication SP800-16, currently released for public comment. If you are genuinely interested in making security awareness more effective, I recommend setting aside an hour or three to read and consider the draft document.

To whet your appetite, here are just a few short paragraphs from one section of the draft, with my own thoughts and comments cited below.

Under section 2.2.1 of SP800-16, NIST says:
"Awareness is not training (1). Security awareness is a blended solution of activities (2) that promote security, establish accountability, and inform the workforce of security news (3). Awareness seeks to focus an individual’s attention on an issue or a set of issues (4). The purpose of awareness presentations is simply to focus attention on security (4). Awareness presentations are intended to allow individuals to recognize information security concerns and respond accordingly. (2)

In awareness activities the learner is a recipient of information, whereas the learner in a training environment has a more active role. (2) Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance. (5)

A few examples of information security awareness materials/activities include:
• Events, such as an information security day,
• Briefings (program- or system-specific or issue-specific)
• Promotional/specialty trinkets with motivational slogans,
• A security reminder banner on computer screens, which comes up when a user logs on,
• Security awareness video tapes, and
• Posters or flyers. (6)

Effective information security awareness efforts must be designed with the recognition that people tend to practice a tuning-out process called acclimation. If a stimulus, originally an attention-getter, is used repeatedly, the learner will selectively ignore the stimulus. (6) Thus, awareness delivery must be on-going, creative, and motivational, with the objective of focusing the learner's attention so that the learning will be incorporated into conscious decision-making. This is called assimilation, a process whereby an individual incorporates new experiences into an existing behavior pattern. (3 & 5)

Learning achieved through a single awareness activity tends to be short-term, immediate, and specific. For example, if a learning objective is “to facilitate the increased use of effective password protection among employees,” an awareness activity might be the use of reminder stickers for computer keyboards. (7)

The fundamental value of information security awareness programs is that they set the stage for awareness training and role-based training by bringing about a change in attitudes which should begin to change the organizational culture. The cultural change sought (8) is the realization that information security is critical because a security failure has potentially adverse consequences for everyone. Therefore, information security is everyone’s job. (9)"

My comments:

(1) The terms "awareness", "training" and "education" are often used interchangeably and sometimes combined, as in "awareness training". However, they are different activities with different mechanisms and purposes. SP800-50 “Building an Information Technology Security Awareness and Training Program” covers this point rather eloquently, better in fact than SP800-16 and FISMA which tie themselves in knots over the terminology.

(2) If you can read past the much abused second word of "blended solution of activities", the real point is that awareness requires a range of separate but complementary activities - and by "activities" I mean things that involve physical actions by both the information givers and the information receivers. I am talking about proactive learning, not passive entertainment or "edutainment". The most important part of a training course is not the presentation slides or other materials, the presenter, the facility or the audience: it's the engagement, interest and interaction that happens when members of the audience become inspired to change what they do thereafter.

(3) Informing people, in other words providing relevant facts about information security risks and controls, is an important element of awareness, training and education but is not in itself sufficient, in most cases. Erudite but boring and dry factsheets have limited impact and can be counterproductive. News stories are just one way to bring information security to life, reminding people that we are not talking purely hypothetically about security incidents. They are really happening around us, and not just Out There in the news headlines but much closer to home, affecting us, our colleagues, friends and families, and of course our organization and society. Getting personal on information security matters is a good way to engage with people.

(4) Focus is important. Generic, bland "be more secure" messages are a total waste of brain cycles. People need to know what, specifically, they should be worried about and what they should do ... but first they need to open up in order to even receive the message. Making people "wake up and smell the coffee" is one option but is not the only way (I'll speak about other techniques another time). Focus, to me, includes getting straight to the point - being direct and avoiding unnecessary fluff or irrelevancies. It also includes picking on specific information security topics, providing more depth than is typical of those rushed security induction training classes.

(5) Building knowledge and skills to enhance job performance is all very well but has little value unless people actually use the knowledge and skills when they get back to work. Achieving this is the crux of effective awareness, training and educational activities. Unless people are taken beyond the point of being mere receptacles for facts and are motivated to behave more securely, the program is not going to earn its keep.

(6) Notice that "forcing employees to sit down en masse in a stuffy meeting room or lecture theatre while some boring IT geek or clueless manager spouts off about information security" does not feature in NIST's list of worthwhile activities, but is not far from the truth in some organizations! Awareness, training and education take creativity and passion. It's not that hard really. [For lots more ideas, things such as case studies with role plays, crosswords, competitions etc., see NoticeBored!]

(7) Taking focus to the extent of a single awareness activity covering just a single information security control might perhaps be necessary if that one control is conspicuously failing but seems unlikely to cover the full breadth of security controls that employees should understand and respect, in any reasonable timeframe. Coupling this point with comments about keeping the content interesting implies to me the need to run quite rapidly through a sequence of topics, moving ahead at or just before the point that eyelids start to droop. This idea of a rolling awareness program, in my experience, makes all the difference but there's one more little point to bear in mind. "Sequences" can be random or directed. A random assortment of information security topics may achieve the coverage desired but misses the opportunity to link together successive topics into a more coherent security story. Being smart about the sequence and scope of the topics leads to a more subtle form of the old teacher's saw "Tell them what you are going to tell them, tell them, then tell them what you told them". We can introduce future topics and refer back to previous topics, all while delivering the present topic. The interrelatedness of information security topics makes this quite easy to achieve with just a bit of thought and planning. The advantage is a level of coherence and reinforcement that random assortments don't achieve.

(8) Now there's a thought: we are seeking "cultural change" are we? Great idea, one I thoroughly endorse ... but unfortunately for many managers, security awareness is less about achieving cultural change than about "being seen to be Doing Something" or, even worse, "doing it for compliance reasons". Health and safety training finds itself in the same pickle. Effective H&S training has a lasting impact on what employees do as they go about their normal business activities, long after the ink has dried on the training evaluation forms. It's about putting on the ear muffs and safety goggles even when there's nobody else looking. It means taking a moment to deal with a trip hazard in a public thoroughfare even when you yourself have clearly spotted and avoided the hazard. Achieving cultural change to create a "culture of security" is a fabulous objective, one that's much easier to say than to do. For me, it goes somewhat beyond the rather simplistic if important ideas noted in section 2.2.1, picking up concepts such as:
  • Providing continuity - planning awareness activities over the long term (and I don't mean 'scheduling next year's security awareness session'!);
  • Addressing the entire organization (staff and managers), in fact the scope can usefully cover the extended organization including friends and relatives of employees, contractors/consultants, outsource suppliers, customers, suppliers, business partners, other stakeholders and, to some extent, society at large;
  • Using creativity to create interest and engage people with the program, and retaining that interest indefinitely;
  • Being sensitive to cultural norms, communications preferences and so forth for the audiences - notice the plural: it makes little sense to focus all the security awareness activities on one homogeneous audience when we know full well that business units, departments, teams and individuals vary markedly in many key respects. "Selling" copyright compliance to, say, an Indian or Chinese business unit is a rather different prospect to getting the same point across to a Scandinavian organization. For some people, the 3 minute high level overview is more than enough: for others, 3 minutes would not be nearly enough for the briefest of introductions;
  • Taking audience engagement to the extent of active audience participation, for example encouraging managers, IT professionals and employees to converse on the same information security topic, putting their respective points of view in the context of a shared understanding of the terms and concepts involved.

(9) If "information security is everyone's job", it ought to be in everyone's job descriptions - not a bad idea in itself but I feel there's a bit more to it. "Information security is everyone's responsibility" takes it a step further since it is not purely a job-related thing, and hints at a vital security concept, that of ownership, accountability and responsibility. "Information security is what we do" might be a bit excessive, but I prefer the word "we" in there since it is clearly a shared responsibility. [Arguing about the specific meaning and nuance of every word smacks of the crazy process of developing corporate mission statements. However, the discussion is at least as valuable as, if not more valuable than, the product, rather like planning and plans. Discussing such security principles leads to a common understanding and is a good way to engage senior managers with the awareness program.]

Right, that's section 2.2.1 duly considered. I'll stop there for now, leaving consideration of the remaining 156 pages as an exercise for you dear reader - homework if you will. NIST welcomes comments on the draft SP800-16 until June 26th 2009 by email to 800-16comments@nist.gov.


Wednesday, March 04, 2009

Scared of SCADA?


Our latest product is a brand new security awareness module on SCADA, ICS, DCS and related acronyms - essentially industrial process control systems. I suspect few employees outside of IT will have heard of SCADA and hardly any will have considered the security requirements associated with keeping the lights on, both literally (SCADA systems are heavily used by the electricity generators and grid) and figuratively (modern factories are packed with all manner of computerized industrial machinery). For those who work not in manufacturing industry but in ordinary offices, we point out that elevators and other facilities are typically managed by a Building Management System, itself a form of SCADA. For those who don't even work in an office, the Engine Management System in their car is another example.

In addition to the potential for unplanned production outages and disruption to critical infrastructures, the health and safety plus environmental protection aspects make SCADA security impacts potentially horrific. Simply being obscure is no defence against some hackers and, potentially, their terrorist masters. Governments and managers at major utilities are worried about SCADA security risks, so all in all this is an important awareness topic.


Tuesday, February 03, 2009

Alleged Fannie Mae logic bomber denies charges

Reuters says:

"A 35-year-old computer programer pleaded not guilty on Friday to charges that he planted a computer virus designed to destroy all the data on 4,000 Fannie Mae computer servers the day he was fired from the company ..."

While we read about logic bombs in security textbooks, real world examples are relatively few and far between, in other words the probability of attack is quite low. The impacts could be significant, although in practice most attacks we read about have been thwarted while a proportion of successful attacks are likely either to be misdiagnosed as bugs, viruses, outsider attacks etc. or covered up by embarrassed managers. As so often when assessing information security risks, the true scale of the insider threat can only be surmised from imperfect data and hence contingency planning is sensible in case we miscalculate.

Disgruntled technically-competent insiders, usually IT professionals, get the blame for logic bombings. Logic bombs are but one example of the damage privileged insiders can cause, ranging from fraud and theft of intellectual property (personal or proprietary) to passive resistance such as faked incompetence and "accidental" damage to the IT systems and networks under their control. Last year's story of network administrator Terry Childs holding the city of San Francisco to ransom for the access password is another real-world example.

What controls would be useful to guard against this sort of situation? There's a wide choice including:
  • Management oversight - bosses keeping an eye on what their staff are doing (not so easy to arrange if the boss is the trouble maker and other bosses are incompetent to oversee or are simply unaware!);
  • Divisions of responsibility such that a lone cowboy cannot easily take advantage of his access (tricky again if he has system privileges and access to information, systems and processes that permit him to bypass or undermine standard access controls);
  • Laws, regulations, policies, standards, procedures and guidelines, not just to influence potential logic bombers (who, by their very nature, are unlikely to respect the rules) but also to establish and mandate the supporting/compensating procedural, technical and physical security controls;
  • Audits, whether periodic/planned/pre-notified or ad hoc/unannounced/surprise visits, plus management reviews and similar checkpoints, particularly when scoped and planned specifically to address this issue and performed by experts with prior experience in this area;
  • Technology-related controls such as air-tight change and configuration management processes; scans for unauthorized or inappropriate source code, malware and hacker tools on production systems; logical access controls as a whole; trustworthy backups; network intrusion detection and content management systems etc.;
  • Slick incident management processes to identify and respond rapidly and efficiently to potential incidents and thus limit the damage;
  • Liabilities on those responsible, whether employees or third parties, that are legally defined and practically enforceable in employment or service contracts (an after-the-fact contingency or corrective control);
  • Whistleblowers' hotline - a facility to encourage peers and co-workers (including managers and HR people dealing with clearly disgruntled staff) to report their concerns or suspicions in confidence for independent review;
  • Security awareness, training and educational activities, for instance promoting the whistleblower's hotline and policies, and training those who oversee IT operations in the symptoms of insider attack to watch out for (e.g. when logic bombers develop and test their evil schemes prior to the Big One);
  • Pre- and para-employment screening of employees in an attempt to locate and drop the bad apples, assuming that they can be identified as such (some believe that bad apples can be psychologically profiled but this practice is probably more art than science - merely being a social misfit or square-peg-in-a-round-hole is not in itself sufficient cause to track or sack someone, and such people can be extremely beneficial and creative employees, if somewhat difficult to manage);
  • Sensible termination procedures, designed to remove possible hitches from a leaver's last few days or weeks on site (e.g. arranging for an "understudy" to shadow a leaver, both to pick up important new skills and to watch out for inappropriate activities);
  • Keeping employees gruntled, not disgruntled (!). Seriously, maintaining good employer-employee relations is a general baseline control against many forms of insider threat, and a particular challenge for management in an economic downturn. Procedural controls are particularly likely to suffer when people have other things on their mind than the organization's best interests.


Thursday, January 29, 2009

Malwareness


Hi there!

We've just released an updated, refreshed and extended awareness module on malware, one of those enduring "core topics" that we have covered several times in the six years or so since we launched NoticeBored, and yet the threat is subtly different every year. As with the previous awareness topic, hacking, the most noticeable change lately has been the increasing use of malware for criminal purposes such as identity theft, spamming and industrial espionage. The days of viruses displaying funny graphics and playing silly tunes are long gone. It’s become much more serious, both for individuals and for organizations on the receiving end.

Malware authors are constantly exploring different modes of infection, creating new payloads and inventing novel criminal activities. Some malware modifies its own code in order to try to escape detection by pattern-matching antivirus software, or picks up new component parts through the Internet as the infection progresses (Malware As A Service!). Read more about the malware scourge in this month’s awareness module and newsletter.
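As an added illustration (mine, not part of the newsletter or the awareness module), the toy Python script below shows why a fixed-byte signature stops matching once a sample re-encodes itself, and what a scanner has to do instead. The "payload" is a harmless marker string, the "mutation" is a single-byte XOR with a per-copy key, and the two-byte "stub" stands in for a real decoder routine; all three are constructed for illustration. Real polymorphic engines also rewrite the decoder stub on each generation, which is why production products emulate or sandbox a sample until it unpacks rather than brute-forcing keys as this example does.

```python
"""Why fixed-byte signatures fail against self-modifying samples (added example)."""
import os

# Constructed stand-in for malicious code: a harmless marker string.
PAYLOAD = b"EVIL-PAYLOAD-MARKER:open-backdoor"

# What a pattern-matching scanner has on file for this family: a fixed slice.
SIGNATURE = b"PAYLOAD-MARKER"

# Each variant = stub marker byte + key byte + XOR-encoded body. A real
# decoder stub would be code; here it is reduced to the two bytes it needs.
STUB_MAGIC = b"\xAA"


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def signature_scan(sample, signature=SIGNATURE):
    """Naive AV: hit if the literal signature bytes occur anywhere on disk."""
    return signature in sample


def make_variant(payload, key):
    """One 'generation' of the sample. Different keys give byte-different
    files with identical behaviour once the stub has run."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255; 0 would leave the body in the clear")
    return STUB_MAGIC + bytes([key]) + xor_bytes(payload, key)


def random_variant(payload):
    """What the sample does on each new infection: pick a fresh key."""
    return make_variant(payload, os.urandom(1)[0] % 255 + 1)


def run_variant(sample):
    """What execution does: the stub decodes the body back to the original."""
    if sample[:1] != STUB_MAGIC:
        raise ValueError("not a variant produced by make_variant")
    return xor_bytes(sample[2:], sample[1])


def unpacking_scan(sample, signature=SIGNATURE):
    """Defender's counter: do not trust the bytes on disk. The key space here
    is tiny, so try every candidate decoding and scan each; in practice the
    equivalent step is emulating or sandboxing the sample until it unpacks."""
    return any(signature in xor_bytes(sample, key) for key in range(256))


if __name__ == "__main__":
    variant = random_variant(PAYLOAD)
    print("signature hit on original :", signature_scan(PAYLOAD))
    print("signature hit on variant  :", signature_scan(variant))
    print("variant still runs        :", run_variant(variant) == PAYLOAD)
    print("unpacking scan on variant :", unpacking_scan(variant))
```

The point to take from it: the variant's behaviour is unchanged (run_variant recovers the original byte for byte), yet the on-disk bytes differ with every key, so the scanner must look at what the sample becomes, not at what it is when it arrives.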


Thursday, January 15, 2009

"I like to learn something new, to travel, walk on a nature"




I can't resist re-posting this hilarious 419 scam fresh from my inbox, allegedly from innocent Natalya pictured above from the JPG attached to "her" email - I say "her" because the sender was listed as Frederick somebody, hardly a common ladies' name where I come from!

Hi! I ask you to read this letter, it will not borrow a lot of your time. This letter not
advertising, but this letter from usual Russian woman which wishes to meet the man of she dream...
My name is Natalya. I'm 28 years old. My friends speak, that I - very cheerful and sociable woman
and I have good sense of humour. I like to learn something new, to travel, walk on a nature. But
unfortunately, I did not manage to meet the man to which I could trust, be very close with him and love
him.
At my age it is time to me to reflect on family, children. But all men whom I met, did not concern
to this seriously. Therefore I have decided to try to find the man in other country. I have addressed in
agency of acquaintances and to me have offered to dispatch my letter, I have agreed... If there is even
one chance from thousand, I am ready... I believe... I so would like to give my heart, the love my
favourite person.


If you have read my letter and wish to continue dialogue, write on mine e-mail: natalyakorobkova@googlemail.com


If you will write to me only for game or to receive my photos, I ask you to stop it.
If you have decided to answer my letter, I ask you tell about yourself. It will be interesting to
me to know about you more.
What is your name?
How old are you? Your city.
Would you like to meet the woman for love?
So, I finish the letter, thanks, that you have read it. I hope, that I shall receive the answer
from you. And this hope allows me to look at the world in another way...
Please be in earnest to my letter very much. Also be fair.

I wish you good day.
Natalya.
Good day to you. Go forth and multiply, Natalya.

POSTSCRIPT 15th January 2009: a British man has lost £130,000 to Nigerian 419 scammers.


Tuesday, December 30, 2008

New awareness module on hacking


What makes hackers tick? Who are they? What is the difference between hacking and cracking? Are phreaks and social engineers hackers too? And most of all what can we do to avoid being hacked? We can't promise to answer these questions fully but our latest NoticeBored security awareness module does at least address them.

Please sign up here to receive the free monthly awareness newsletter. We will be using Google Groups in future rather than Topica to circulate the newsletters but unfortunately this means everyone on the current mailing list must make the effort to join the Google Group to continue getting them [we'd have migrated all your email addresses ourselves except that some might consider that a privacy violation!].


Friday, December 12, 2008

How to create a security policy for social networks

The security risks associated with social networking sites such as Facebook and LinkedIn are pointed out by a well-balanced piece on Search Security by David Sherry, CISO of Brown University. Unusually for this kind of article, the author describes a reasonably comprehensive range of security controls that organizations might adopt to minimize the risks. I'm pleased to note that security policies and awareness are among the recommendations, and in fact the security issues arising from social networking can be used as an awareness-raising topic:
"Social networking risks are also a great way to enhance security awareness throughout an organization and build convergence with key decision makers and leaders. Social networking is a familiar term, but one that may not conjure up risks to the enterprise. Many other areas of the corporation, while focusing on risk and some aspects of security, may need to be educated and consulted when creating a policy or modifying your appropriate use policy. Include senior representatives from human resources, risk management, privacy, physical security, audit and legal in your preparations and response to social networking risks. A stronger partnership, and ultimately a stronger policy and process, will surely result from reaching out to them."
Our recent NoticeBored security awareness module on social engineering used example scenarios based on LinkedIn and other social networking sites for exactly this purpose. We suspect few managers think of LinkedIn as a social networking site, let alone consider the security implications of publishing all sorts of personal information about themselves. It's a useful topic to get their attention.


Thursday, December 04, 2008

Security awareness for less than $1,000 per year

Despite our standard subscription charges being probably the lowest in the marketplace, some prospective customers struggle to find any money for security awareness. We are very conscious of the global credit crunch and financial turmoil out there so, for a trial period, we are offering a special SME version of NoticeBored for less than US$1,000 per year. Read more about NoticeBored Lite.


Wednesday, December 03, 2008

Gizmo security awareness

December's NoticeBored module covers security issues associated with gizmos. Please visit the website or read the newsletter to discover what gizmos are and find out about the security issues.


Wednesday, November 05, 2008

PwC 2008 infosec survey

A key finding from the 2008 information security survey by PwC is that organizations are spending more on security technologies but need to achieve a better balance:
"One of the best ways of improving enterprise-wide visibility into the crucial details of actual security incidents is to match technology investments with an equally robust commitment to the other principal drivers of security’s value: the critical business and security processes that support technology, and the people that administer them."
Technology is a bottomless pit for security investment: one can always spend more on security hardware and software but after the basics (such as antivirus and firewalls) are covered, the returns diminish. Organizations should be complementing their technological investments with security awareness and training.
"What matters, of course, is improving an organization’s ability to defend and prevent attacks on an ongoing basis—without distracting people from the every-day operational needs of the business or incurring the exorbitantly high price tags associated with a reactive response to an unexpected (but foreseeable) crisis. And that requires getting key information about the risks to an organization’s data and systems very quickly from the front row to everyone else in the house. Expanding security awareness at every level of the enterprise is essential."


Tuesday, November 04, 2008

Social engineering - exploiting the weakest links

Surveys and news items suggest that social engineering attacks are on the rise in terms of scale and sophistication, as well as number. A new 40-page white paper from ENISA:
  • outlines social engineering methods such as pretexting, phishing, spear phishing and vishing;
  • presents an interview with acknowledged social engineer Kevin Mitnick;
  • discusses three studies portraying how easily naive/untrained users are manipulated;
  • identifies five defence measures; and
  • offers a checklist to fight social engineering based on the mnemonic LIST (Legitimacy, Importance, Source, Timing).
While technical controls can help to some extent, for example by flagging emails that look like phishing, research on undergraduates (described in the paper) demonstrates the effectiveness of repeated security awareness/training.
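As an added example of the kind of cheap technical check referred to above (my own illustration, not taken from the ENISA paper), here are a few header and link heuristics applied to a raw message. The two messages and every domain in them (all under the reserved .example top-level domain) are constructed; the pressure-word list and one-point-per-finding scoring are arbitrary assumptions; and the registered_domain helper is a simplification that ignores the Public Suffix List.

```python
"""Heuristic phishing triage for one raw e-mail (added example)."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample 1: spoofed bank notice. Lookalike sender domain, Reply-To
# pointing elsewhere, and a link whose visible text disagrees with its href.
PHISH_RAW = """\
From: "Bank.example Security" <alerts@bank-secure.example>
Reply-To: recover@mail-verify.example
To: victim@corp.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Please verify immediately:</p>
<a href="http://bank.example.verify-now.example/auth">https://www.bank.example/login</a>
</body></html>
"""

# Constructed sample 2: a routine notice from the genuine domain.
BENIGN_RAW = """\
From: "Bank.example Statements" <statements@bank.example>
To: victim@corp.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your March statement is available in online banking.</p>
<a href="https://www.bank.example/login">https://www.bank.example/login</a>
</body></html>
"""

# Pressure language typical of pretexts (arbitrary list, an assumption).
PRESSURE = re.compile(r"\b(urgent|immediately|within \d+ hours|suspend\w*|verify)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name. Simplification: a real filter would
    consult the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(address_header):
    _, addr = email.utils.parseaddr(str(address_header or ""))
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def triage(raw):
    """Return sender, list of suspicious findings and a score (one point per
    finding). Zero findings means 'nothing structural', not 'safe'."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = _domain_of(msg.get("From"))
    reply_dom = _domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    anchors = _Anchors()
    anchors.feed(body)
    for href, text in anchors.links:
        host = urlparse(href).hostname or ""
        if IPV4.fullmatch(host):
            findings.append(f"link points at a raw IP address {host}")
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                findings.append(f"link text shows {shown} but href goes to {host}")

    plain = re.sub(r"<[^>]+>", " ", body)
    hits = sorted({m.group(0).lower() for m in PRESSURE.finditer(f"{msg.get('Subject', '')}\n{plain}")})
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))

    return {"sender": str(msg.get("From", "")), "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("benign", BENIGN_RAW)):
        result = triage(raw)
        print(f"{label}: score {result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The spoofed message collects three findings (Reply-To mismatch, link text disagreeing with the href, pressure language) and the statement notice none. Two of the three come from message structure rather than wording, which is why Reply-To and anchor hrefs are worth checking by machine even though the pretext text changes with every campaign; the wording check is the weakest of the three, and that gap is exactly what the awareness training discussed in the paper is meant to close.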


Wednesday, October 29, 2008

New awareness module on social engineering


The proverbial man in the street may think information security primarily involves technical security controls but in fact other types of control are equally important in protecting information assets. For example, physical controls (locks, gates, fire/intruder/water alarms etc.), legal and regulatory controls (data protection/privacy laws, PCI DSS, HIPAA etc.) and procedural controls (policies, procedures, guidelines, management reviews, audits etc.). Most security risks are countered by a combination of controls from these different categories. Social engineering is fairly unusual in that technical controls are of limited value: social engineers aim to bypass the technology either by physically penetrating the organization or by fooling employees into giving them unauthorized access to information assets. We have covered awareness of physical security controls and compliance obligations in other NoticeBored modules but November’s module concentrates on pretexting, phishing and other techniques used by social engineers to fool employees.

Policies, procedures and guidelines are essential controls against social engineering, but these are useless unless employees both know about them and follow them in practice. Social engineering is therefore a particularly important security awareness topic, one of our “core topics” in fact that merits being covered annually in all awareness programs. Employees need to be taught about how social engineers work in order to spot them and stop them. It’s a tricky task since social engineers are adept at finding ways to build and exploit trust, slipping quietly beneath the corporate radar. The best social engineering attacks are never detected. Our aim is not to completely prevent social engineering attacks from succeeding but to create significant barriers that block simple attacks and frustrate more advanced ones, such that social engineers hopefully move along to softer targets.

One of the issues we cover, for instance, concerns the publication of personal details by employees on social networking sites. Names, addresses and birthdates are fabulous starting points for enterprising identity thieves and social engineers to pretend to be someone. Being cautious about what you publish is a simple control but is only valuable if you appreciate the risk sufficiently to be careful, hence the value of awareness.

Find out what's in the awareness module and read all about the NoticeBored service.


Wednesday, October 08, 2008

The ethics of entrapment

Police are using technology to capture criminals, for example by fitting out vehicles with CCTV and leaving them in vulnerable locations to lure car thieves. The CCTV images are so good that it's easy to make out the criminal's facial features and sometimes even his name and birth date tattooed on his neck (doh!).

But consider the question about whether such activity is ethical. From most perspectives (other than the criminals'!), it seems acceptable since the recording devices are within someone's property space which is clearly being violated by the criminals. One might argue that leaving such an attractive lure in a vulnerable place is entrapment, encouraging an otherwise law-abiding person to step over the line and break in, but what do you think? This is a good topic for a tea-time discussion in the average office.

UPDATE Oct 17th: Here's another situation with similar ethical issues. The FBI has allegedly been running DarkMarket, a carders' web exchange for stolen credit card numbers. What a great way to capture details about the criminals, the cards and the culture, but is it ethical? To make it work, they had to let a significant number of carders' transactions go ahead without interference, leading to millions of pounds worth of fraudulent purchases and costs for the card holders and/or credit card companies, banks and retailers concerned, in the same way that undercover drugs cops let and in fact help drug deals proceed until they have the opportunity to spring the trap.


Wednesday, October 01, 2008

Bootstrapping for software developers

Why is it that so many organizations expect their software developers and other IT people to “do” information security, yet they don’t bother to train them in the art?

A new security awareness briefing pack contains a set of notelets (short briefings) to help those involved in managing and delivering IT system developments fulfill their information security obligations.

The notelets fall into two groups:
  1. Technical notelets introduce common information security controls, explain generic control requirements and outline the options available to satisfy those requirements.
  2. Development process notelets outline information security issues that ought to be taken into account during most software developments (including ‘end user computing’ projects such as spreadsheet programs).
Although all the notelets are succinct double-sided items, the briefing pack contains 33 of them and hence, with introduction and copyright notice, runs to some 70 pages in total.
Download the complete pack here (1Mb PDF file).

The editable MS Word version of the pack is available free of charge on request by NoticeBored customers. An earlier version of the pack was delivered in the module on ‘SDLC integration’ in 2006.


Tuesday, September 30, 2008

New awareness module on ethics


Whereas most months we revise and reissue NoticeBored security awareness modules on topics we've covered before, this month we've written a completely new one on ethics and morality in information security. To be fair, it's something we have touched on several times but it seemed appropriate to go into a bit more depth for once.

Ethical people and indeed organizations act in accordance with principles of conduct that are generally considered correct, appropriate or proper. In respect of information security, ethical behavior reinforces procedural controls. Unethical people who disregard the principles and ignore procedures weaken security, just as a rusty door bolt can jeopardize physical security. However, there is more to ethics than mere compliance. We all face ethical decisions and dilemmas from time to time, situations in which our internal values and beliefs guide our actions as much as external pressures do.

The NoticeBored newsletter explores the risks around ethics and sets the scene for the remainder of the awareness module. The module covers aspects such as:
  • Responsible disclosure of security vulnerabilities
  • Cheating and hacking
  • Management responsibilities to set the right ethical tone at the top
  • Employee responsibilities to uphold ethical principles
  • Whistleblowing on unethical practices
  • The slippery slope from entirely ethical to entirely unethical behaviors.
As always, the newsletter is freely available to all as a PDF file but you'll need to subscribe to the NoticeBored awareness service for the MS Word version, plus around 36Mb of other awareness materials (including 6 posters, 3 seminar presentations, 4 screensavers, several briefings and guidelines, a crossword, an awareness test and a survey, a discussion paper on ethics metrics, a board agenda, awareness activities and an internal controls questionnaire to review your organization's ethical security controls).


Tuesday, September 09, 2008

Free access to MIT courseware

Dan Swanson just put me on to the fact that MIT, the world-renowned Massachusetts Institute of Technology, publishes course notes from many of its classes, for free, on the Web.  This includes the Sloan School of Management with its broad range of fascinating courses about managerial psychology and other topics of interest to security awareness professionals and management students alike - take a look at Advanced Corporate Risk Management for example to understand a bit about futures and options trading where amazingly enough, risk has an upside!

Thanks Dan!


Wednesday, September 03, 2008

New NB awareness module on email security

Email security is our topic for September's NoticeBored module. This is a core topic covering perennial issues worth reminding employees about every year.

By the way, we've had some problems with the blog feeds lately but hope things are working OK now. I'm also posting occasionally to the (ISC)2 blog in the company of other CISSPs and luminaries. Do take a look if you're not already subscribed.


Saturday, August 23, 2008

Facebook fairy

This is just too funny to resist.

I might open up a little on this blog from time to time but you won't find a picture of me in a fairy costume, clutching a beer, when I'm supposed to be at work. Oh the joys of Facebook.


Wednesday, July 30, 2008

New awareness module on infosec governance


The field of corporate governance exploded onto management’s agenda following Enron’s collapse in 2000/2001 and the introduction of SOX (Sarbanes Oxley Act) in 2002. There has been some public discussion of IT governance since then but information security governance is still emerging from the murk.

In August's security awareness module we expand on what ‘governance’ means and how it relates to information security in particular. It affects our target audiences (staff, managers and IT professionals) differently so we explain the implications in practical terms, covering the essential elements that everyone should comprehend.

You may have seen the recent news about the arrest of a network administrator in San Francisco. As reported, the accused (Terry Childs) was solely responsible for designing, operating and securing the city government’s network. He allegedly refused to disclose the network admin passwords at first, preventing others from managing the network in his absence. While it’s far too early to determine whether there is any truth behind the allegations, the story has fascinating governance implications that find their way into a case study and the latest newsletter.


Saturday, June 28, 2008

New awareness module on infosec risk management


We've just released our latest security awareness module on "information security risk management". The title is deliberately a bit ambiguous - in fact it covers mostly risk management in an information security context, plus a bit of information security management and a sprinkling of IT operations for good measure.

Identifying and managing information security risks is of course a key objective for information security managers. The module dispenses sage advice to managers and IT professionals on exactly what is involved in the infosec risk management process. For general employees, we emphasize the "What's in it for me?" aspect by drawing parallels between managing infosec risks at home and at work.

Whereas the PDF newsletter is free, you'll need to subscribe to NoticeBored to see the whole module in all its glory, and receive another one each month. We work this way to encourage customers to deliver rolling/continuous awareness programs. It seems to us a month is long enough to put across the essentials of any information security topic (potentially in more depth than any other awareness program we know of), yet short enough to avoid everyone getting totally bored by the same old same old. Next month we'll move on to a new topic (information security governance), hopefully before the eyelids start drooping and the posters disappear into the background.

We're clearly passionate about our approach to security awareness but keenly aware that we don't have a monopoly on the subject. Please email me (Gary@isect.com) or comment on this blog if you have other security awareness ideas or approaches that work for you. We'll gladly acknowledge your input if we take up your ideas, and maybe something more substantive will find its way to your inbox as our way of saying thanks.


Saturday, June 14, 2008

Lack of awareness in awareness

A survey by CompTIA on security for mobile IT devices reveals the continuing lamentable and rather puzzling lack of investment in security awareness:

"Seventy-one per cent of respondents said their organizations allow mobile and remote employees to access data and networks, but only 39 per cent said their organizations have implemented security awareness training and education. Only 19 per cent said they intend to implement such training in 2008. The good news is that of the organizations that have implemented security awareness training for remote and mobile employees, 92 per cent of respondents said they believe the number of major security breaches has been reduced."


So, security awareness works but few organizations are using it. More fool them!

Jay Cline, writing in Computerworld, describes the top five mistakes of privacy awareness programs:

  1. Doing separate training for privacy, security, records management and code of ethics.
  2. Equating "campaign" with "program."
  3. Equating "awareness" with "training."
  4. Using one or two communications channels.
  5. No measurement.

[Read Jay's piece if these are not immediately obvious.]

I agree with all five issues, particularly his point that "A true program has an annually refreshed calendar of messages and training going out to different employee populations throughout the year". Multimedia, multiple audiences and multiple activities together make for a more effective awareness program.
