Monday, May 05, 2008

Logo fun

A new logo at the UK's Office of Government Commerce looks fine, until you turn it on its side.

This reminds me of the issue of naming products that will be sold internationally. Something totally innocent in one country may be highly inappropriate in another. I won't be too specific here but some of the model names I spotted in Japan last month would be considered offensive in some other countries.

Or, as Anton would say, "context is everything".

Tuesday, April 01, 2008

April fools spotted in the wild

The US power grid is not changing to DC by 2020.

We are not going to shift our watches a minute a day to avoid the problems caused by daylight savings time.

Please send further fools-in-the-wild spottings to us. We'll probably mention information security and risk-related ones here.

Thursday, December 27, 2007

CISSP course in Dubai

If you or someone you know in the Middle East is thinking of taking the CISSP exam, Clement Dupuis will be leading a boot camp-style intensive CISSP training course in Dubai on 11-15 February 2008. Clement has stacks of experience at CISSP training and will be using Shon Harris' course materials recently updated to reflect the latest CBK. The course is being offered in conjunction with the Open Information Systems Security Group.

For those who don't know Clement, he is the inspiration and driving force behind CCcure.org, recommended reading for all CISSP candidates and indeed for those seeking other information security qualifications or who simply want to keep their knowledge and skills up-to-date.

Monday, November 19, 2007

Singapore sling

Here's a sad tale of woe. A good friend of mine in Singapore is suddenly facing redundancy through absolutely no fault of her own. Her employer is simply cutting costs, slashing the workforce it seems without considering their employees' net value (i.e. business benefits created less salary and other expenses). What makes this really sad is that the organization in question is a bank that really ought to have a better idea of basic economics.

So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to think of a better definition of "asset".

Friday, November 09, 2007

Attention fellow CISSPs, SSCPs and CAPs - a call to action

Voting for the ISC2 Board elections will start in just a few days (Nov 16th). If you have the slightest interest in ISC2, your qualifications and your future career in information security, this is important.

The ISC2 bylaws allow the sitting Board to nominate a bunch of candidates for the election without reference to the membership. Naturally, they tend to put themselves forward for re-election and/or propose their colleagues who, generally speaking, are similar to themselves in background and outlook. In practice, this means the Board is very conservative and favours the status quo. I personally have no issue with stability and continuity unless it prevents ISC2 from responding appropriately to changes in the environment. There comes a point when stability becomes inertia that stifles all innovation and creativity.

If you are entirely happy with the way ISC2 is run right now, if you feel you are getting the best possible value from your membership dollars, and if you see no need to change the way ISC2 is operated and managed, then go back to sleep: you need do nothing at all. Like a giant supertanker, ISC2 will continue indefinitely in the same direction without you doing anything.

However, if you want ISC2 to change for the better, then you have to do something about it, now.

In addition to the Board-nominated candidates, members can stand for election provided they gain sufficient support from the membership (meaning at least 1% must sign their petitions to stand). For obvious reasons, the sitting Board doesn't exactly go out of its way to help independent candidates contact the membership or canvass for the necessary level of support and votes. Electioneering is explicitly banned on CISSPforum, for example, and there have even been accusations of bias in the way candidate profiles/manifestos are presented on the ISC2 website. Nevertheless, a few valiant membership-supported candidates (precisely three out of the 12 on offer) have made it onto the slate and they need our votes to make a difference to ISC2.

Turnout for the ISC2 elections is traditionally extremely poor (though it's hard even to squeeze this little piece of information from ISC2 management). What this means is that your vote counts more than ever.

I'm not going to recommend any particular candidates at this point (maybe later!) but encourage you to do the following:

1. Sign in to the ISC2 website. Please note: without informing the membership, ISC2 management has recently implemented some significant changes to the website including a new login process - you should be able to log in with your original password but using "the primary email address on file with ISC2" instead of your member/certificate number. Several members have had difficulties with this process (e.g. forgetting which email address they originally nominated), requiring support calls to ISC2 that can take days or weeks to resolve. DO THIS NOW to avoid delays that might prevent you from voting when the poll opens.

2. Once logged in, visit the page listing the 12 candidates and read their submissions. Think very carefully about what they are proposing to do for ISC2 and the certifications in the future. Look for clues as to whether they merely support the status quo (same old same old) or want to do something new and worthwhile for the members. If you agree with the general thrust of what they are proposing, make a note of the candidates' names.

3. If you are interested enough to want to discuss the elections, interact with the candidates and clarify what they really stand for, join the discussion at cissp elections, a mailing list established specifically for that purpose (simply email a polite request to cissp-elections-subscribe@yahoogroups.com). Perhaps you might like to explore issues such as:
- Why the current management recently changed the rules for CPEs, requiring a minimum number of CPEs in every year instead of during a 3 year period.
- Whether the candidates are happy with the way ISC2 communicates important changes (such as the above) with members, if not actually involving them in the decision-making process;
- Relaxing the tight control over CISSP training courses and confidentiality of the CBK, limiting the opportunities for other/non-ISC2 training providers and exams in other locations;
- How come volunteers for ISC2 duties such as exam proctoring, and the speakers' bureau, never seem to get anywhere?;
- Membership meetings - ways for CISSPs and others to meet face-to-face in Real Life;
- Other things that concern you about ISC2, the profession and your career.

ISC2 belongs to its members. Its future is in our hands. Don't let this chance to make things better just slip by without raising a finger.

Friday, October 19, 2007

Global Security Challenge grand final

The Global Security Challenge grand final conference takes place in London on November 8th.

Global Security Challenge is an annual business plan competition to find the most promising security technology startups in the world. The winners of three semi-finals (!) in Europe, Asia and the U.S. stand to win a $500,000 grant in prize money and mentoring.

Keynote speakers and judges include:
- Sir Richard Dearlove, former Chief of the UK's Secret Intelligence Service (MI6)
- Ken Minihan, former Director of the U.S. National Security Agency (NSA)
- Alastair MacWillson, Managing Partner, Accenture
- Jeff David, Deputy Director, TSWG, US Department of Defense
- Stephen Bonner, Global Director, Barclays

Wednesday, October 10, 2007

Creativity unleashed

Anyone who has been in a medium or large company for more than a few months has no doubt been subjected to the tyranny of "team building" and "vision sharing" sessions in which ideas for unlocking employees' inner strengths are shared with the 'team' by some eager HR person or on-something training consultant. These can be great fun if the facilitator is full of life and the 'team' is in the mood for it. They can also be painfully lame.

Well, here's a shortcut - a wiki on creative thinking techniques. Explore the ideas in the safety and comfort of your very own private cubicle, with no need to disclose your innermost fears in public, play ridiculous rigged games, sing 'team' songs, raft whitewater rapids, rappel down a precipitous cliff in your underpants and generally make a blithering idiot of yourself in front of the office belle (or beau).

Wednesday, August 29, 2007

Full disclosure on Wall Street Journal

I've been watching the brouhaha over the article in WSJ for most of a month now, with some bemusement. Essentially, 95% of the 'informed opinion' in the infosec blogosphere has been along the following lines:
- The WSJ is irresponsible to have published this piece;
- The journalist is even more irresponsible to have penned it;
- It is outrageous!! Something Must Be Done!! Prepare the noose!!

What I haven't seen anyone cover in depth as yet is the concern that information security controls on the corporate desktop are so pathetic that an editorial piece in WSJ can blow them wide open. Que? Aren't the bloggers completely missing the point?

I've never bought the argument of 'security by obscurity' which they seem to be arguing for. We in the infosec profession should be redoubling our efforts to design and apply sound desktop security controls, not bleating at the journalist who says "The King has no clothes". As to those 'infosec pros' who are baying for her blood, shame on you. Shooting the messenger won't alter the fact that desktop security stinks.

Isn't this just the same argument as with full disclosure of security vulnerabilities? Most of the profession are outraged that someone would even consider posting an exploit in a public forum, let alone doing so without giving the relevant party time to analyse it, create and test a fix, and then wait N months for everyone to implement the patch. Hackers, meanwhile, argue very convincingly that if they do not at least disclose exploits "responsibly", they will never be fixed because vendors are far too busy adding new bells and whistles. They say that crackers, the criminal underground and 'terrists' will eventually discover the self-same vulnerabilities and exploit them for criminal purposes and the world as we know it will come to a sticky end. Both points of view have merit but the real issue is that FAR TOO MUCH SOFTWARE HAS BLATANT BUGS THAT CREATE SECURITY VULNERABILITIES BECAUSE SECURITY IS NOT A DEVELOPMENT OR SALES IMPERATIVE. In that context, the full/responsible disclosure argument is simply irrelevant bickering.

I'm looking forward to the WSJ's forthcoming editorials blowing open web security, multifactor authentication, database security and all those other oxymorons so beloved of the 'infosec profession'.

Go ahead, shoot me if you like.

Sunday, August 05, 2007

Boys toys

Thanks to stumbling across a list of 101 cool freeware apps compiled by PC World, I've now got virtual sticky notes on my screen, I'm monitoring the temperature of my CPU and I've rediscovered Belarc Advisor, a tool that interrogates the PC to find out what hardware and software are installed. Since I last used it, Belarc has evidently been upgraded to provide an assessment of the PC against the CIS security benchmarks. Nice touch!

Google shines in the PC World list with strong entries in several categories including Gmail, Google Reader, Google Blogger, Google Docs, Google Notebook, Google Picasa, YouTube (now owned by Google) and Google Desktop all listed. If free search engines were listed, I'm quite confident Google would easily top the list.

My favourite discovery in the 101 is a neat little tool called SyncToy. At last I can replicate the files and directories from my desktop on the laptop, work for a while on the laptop and then re-synchronize to put the altered files back on the desktop. It works well. Having never quite got the hang of the Windows functions for the same thing, it's good to find a tool so easy to configure and use.

Friday, April 27, 2007

A map for NIST Special Publications

NIST has published over 250 Special Publications, FIPS standards and guidelines on IT security, all available for free download from the NIST Computer Security Resource Center. There are so many that newcomers tend to be overwhelmed by the choice. NIST's response is to publish yet another document - a guide to their publications that categorises them by 'family', by topic cluster and by [US] legal requirement.

The choice of a PDF document for the guide was presumably a no-brainer for NIST and, I guess, will suit people who like reading printed documents. I hate to criticise NIST but the guide doesn't even have URLs for the listed documents. New draft and final standards are published every month but the guide will only be updated twice a year.

The Google search box on the CSRC home page has the advantage of easier, more flexible and more up-to-date searching. I think I'll stick to that, thanks.

Tuesday, April 17, 2007

Infosec salaries up 6½% on 2005 - woop woop

Amongst the usual boring drivel about why a certain statistic is marginally up or down on previous values, one section caught my eye in the latest SC Magazine survey of information security salaries:

"The other thing that I think we’re starting to finally see is that security is becoming more and more integrated into the other operational areas of IT, whereas if you go back a few years, you needed a staff of absolute security specialists that sort of rode herd on the whole thing," he says. "Now what’s becoming more important is that security is integrated into all facets of the IT operations. It’s that cross-pollination, I think, that’s happening and, as security gets integrated more and more into the mainstream of the organization, you’re going to see that differentiator for people as security specialists in a standalone mode change." That means that no longer will companies need to hire "a team of security killers," but "a bunch of IT professionals with good security awareness," he adds.

So, information-security-savvy IT professionals are going to be in demand, are they? We'll see.

I agree with some of the other points in the magazine article though, such as the change of emphasis from hiring information security managers with pure technical skills to those with business-plus-technical competencies. If you haven't already done it, Mr Information Security Manager, it's high time to take a serious look at doing an MBA or similar qualification through a good business school. At the very least, you'll learn how to speak management doublespeak and perhaps you won't be quite so terrified of phrases like "security strategy" and "business case".

Friday, April 06, 2007

How I got started on security awareness

Having been 'tagged' by a colleague from the Security Catalyst community, it seems I must explain 'how I got started' in infosec and specifically how I ended up in security awareness.

My first contact with computing was in connection with my childhood interest in amateur radio and electronics. I saw a demonstration of one of the first PCs at the radio club, running the game "Life" at about one generation per 15 seconds. It was amazing!

I started using IT systems at school (where the students knew more about IT than the teachers!) and in college I wrote programs for my own research project and for colleagues in the department working on DNA fingerprinting, fruit flies, bacteria and yeasts. That's where I started teaching IT - mostly 'demonstrating' to undergraduate and adult classes, passing on the few little tips that I'd picked up by trial and error. In the land of the blind, the one-eyed man is king.

In the late 1980s, I moved out of the science labs to become a system administrator for a pharmaceuticals company, eventually running the IT systems for several R&D sites in the South of England under the excellent tutelage of a canny Scotsman, Stef. A takeover by a larger American company was partly responsible for my specialisation in infosec: overnight, we plugged our two extensive DECnet networks together with no firewalls or other additional security measures. Trying to explain the changing risks to my managers was something of a challenge, one I eventually gave up on. By the way, Stef subsequently became the head of information security so I guess some of the things I was saying must have struck home.

I spent most of the 1990s in infosec and IT audit jobs for a privatised electricity utility. Security challenges there included all the normal office and eBusiness systems security issues plus real-time process control systems. I developed and ran an early security awareness program warning about the dangers of, amongst other things, boot sector viruses on floppy disks (remember them?). I wrote my first security policy manual based on the Code of Practice for Information Security Management (later BS 7799, then ISO 17799 and now ISO 27002) and technical security standards for VAX VMS, DECnet, X.25, "PCs" (well, VAXmates anyway!) and Iris graphics workstations. I also learned how to deal with management by playing them at their internal politics games. The value of security metrics and 'evidence' really came home to me in this time. I was amused to play the game of Life on my handheld PDA, at a few milliseconds per generation (the screen is just a blur).

From electricity, I moved first to aerospace and then to a series of consultancy assignments and eBusiness startups. Along the way, a little brainwave led to an awareness program suggestion to a client and, some months thinking and research later, the NoticeBored security awareness service was born. Security awareness has developed into an absorbing passion since 2000. I'm totally fascinated by the challenge of helping ordinary people understand and respond appropriately to the information security risks around us. Many people are waking up to the importance of security awareness, training and education, but relatively few of us get much beyond the "Something must be done!" stage.

So, that's me done, well mostly. It'll cost you a beer or two to fill in the gaps.

Monday, April 02, 2007

Google TiSP

Those of us who cannot squeeze another comms cable into our cable ducts might be interested in a new scheme promoted by Google. TiSP uses an unusual form of ducting available pre-installed in most homes and businesses. The installation kit provides all one needs to cable up a single location. TiSP brings the added benefit that the cable termination unit is ideally located for contemplative Web browsing sessions.

Friday, March 23, 2007

Any budding infosec authors out there?

EDPACS (Electronic Data Processing Audit Control and Security) is looking for authors to provide comprehensive views on topics of interest to the EDPACS readership. More information on EDPACS and its Editorial Board. If you simply want to read EDPACS rather than write for it, here's the subscription page.

Thursday, December 21, 2006

Your pig, my name

Isn't the World Wide Web Wabsolutely Wonderful? In the course of researching DMCA, DRM, copyright, patents and trademarks for the next NoticeBored awareness module on IPR, I chanced across this bizarre story of a Danish artist who is providing "free" pigs and goats to Ugandan villagers in exchange for them adopting his surname. It's only a click or two away from genuine research materials ...

Links to further IPR and perhaps piggy resources will follow, next month.

Saturday, May 20, 2006

Soot juggling

Being an information security manager in today's complex world of business and technology is a bit like this.

Saturday, April 29, 2006

A fun information security dictionary

A Portuguese information security community - Communidade ISMS PT - has published an entertaining Security Dictionary based on an article in CSO Magazine, itself derived from The Hackers Dictionary and The Devil's DP Dictionary. I particularly liked their description of a laptop: "a computer designed to allow employees to easily store vast amounts of customer data in the backseat of a taxicab." Too true.
Further general infosec resources

Friday, April 21, 2006

NB wins TopBlogger award

TopBlogger trophy from www.FileRatings.com

[Cue drum roll] The winner of the trophy for top security blog at FileRatings.com ... is ... [ta-daaaah] NoticeBored! On behalf of the NoticeBored team, IsecT CEO Gary Hinson said "I'd like to thank the nice people at FileRatings for this fabulous award. I must thank my producer, the editorial team, my mum, my dad and everyone else who knows me. Such an honor! You guys are great. Thanks." [leaves podium, blubbing]

Friday, March 03, 2006

Xenu's Link Sleuth

Xenu's Link Sleuth spiders a website looking for dead links. Useful if, like us, you maintain an extensive links collection.

NoticeBored links collection
