Welcome to NBlog, the NoticeBored blog

Bright and shiny information security things that catch my beady eye

May 3, 2013

2013 Information Security Breaches Survey

The latest Information Security Breaches Survey is required reading if you care about information security risks.  The survey, commissioned from PwC by the British Government's Department for Business, Innovation and Skills, takes place every couple of years or so.  The statistics are useful ... provided you take the trouble to think carefully about what you are being told.

Take for instance the following graphs and the associated commentary on page 6 of the technical report:


"Having a security policy is just the start; to prevent breaches, senior management need to lead by example and ensure staff understand the policy and change their behaviour.  Less than a quarter of respondents with a security policy believe their staff have a very good understanding of it; 34% say the level of understanding is poor.  There's a clear payback from investing in staff training.  93% of companies where the security policy was poorly understood had staff-related breaches versus 47% where the policy was well understood.  Worryingly, levels of training haven't improved much - 42% of large organizations don't provide staff with any ongoing security awareness training, and 10% don't even brief staff on induction.  Many instead seem to wait until they have a serious breach before training staff."
That's a whole lot of information to take in for starters but let's take a closer look:
  • The two graphs represent answers from about 150 respondents each (not necessarily the same people) out of the 1,402 who took the survey.  Page 1 of the report told us the margin of error for 100 respondents was about 10% at the 95% confidence level, so without doing the calculation, it is not unreasonable to assume a similar level of error - maybe 8% - with 150 respondents.   
  • Page 1 also told us a little about the survey respondents.  Roughly half of the respondents were based in London and South-East England.  The survey is therefore biased towards that part of the world. 
  • The respondents were in roughly equal proportions infosec pros, IT pros and business managers/execs.  It seems fair to assume they have a reasonable understanding of their organizations' information security status.  Infosec pros tend to be risk-averse by nature, while business managers/execs see risk in a more positive light, so perhaps those opposing biases cancel out?  It's impossible to say for sure without more information.
  • Figure 9 separates out the numbers for large and small organizations in this year's survey, but those two categories were not identified separately in all the previous reports, making it tricky to compare.  The report indicates that the proportion of small businesses having a formally documented information security policy has fallen consistently from 67% in 2010, through 63% in 2012, to 54% now.  Given the ~8% margin of error, the differences may not be significant. 
  • Figure 10 has similar issues: the differences may not be significant.  Nevertheless, it is interesting that about one third of the respondents only cover awareness of security threats at induction (orientation) time, while about half have a programme of ongoing education (whatever that means!  Requiring staff to attend an awareness class once every year or so presumably qualifies as 'ongoing education' but we know just how ineffective that approach can be).
  • "Having a security policy is just the start" could be simply a throwaway phrase to kick off the commentary, although it clearly implies a sequence of events.  Furthermore, the text implies that policy is an important vehicle for changing behaviours.  Personally, I'm not totally convinced on either point - there are some unanswered questions there that could have been addressed by the survey or other research ... which reminds me: there are few if any references to other sources of information and statistics in the report.  Some of the topics discussed in the report have undoubtedly been examined by rigorous scientific studies, so why aren't they referenced?
  • The commentary provides some additional statistics, although the report's authors have been selective.  Stating "Less than a quarter of respondents with a security policy believe their staff have a very good understanding of it; 34% say the level of understanding is poor." gives the impression that most respondents think employees don't understand their policies, but that is an interpretation of data that are incompletely presented in the report.
  • We are none the wiser on how PwC concluded that "Many instead seem to wait until they have a serious breach before training staff."  Maybe there were one or more survey questions along these lines.  Maybe PwC reached this conclusion on the basis of their audit and consultancy work, independently of the survey.  Maybe the report's authors just made it up to fill a gap - pure conjecture perhaps.  We're left guessing.
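To show the arithmetic the first bullet skips, here is an added example (mine, not from the PwC report or from NoticeBored) that computes the normal-approximation margin of error for a survey proportion and then applies it to the small-business policy figures quoted from Figure 9.  The only sample size the page gives is "about 150" for this year's graphs; treating 2010 and 2012 as having had the same 150 respondents is an assumption made purely for illustration.

```python
import math

Z_95 = 1.959964  # two-sided 95% quantile of the standard normal distribution


def margin_of_error(n, p=0.5, z=Z_95):
    """Half-width of the normal-approximation confidence interval for a
    proportion p estimated from n respondents.  p=0.5 is the worst case and
    is what survey reports usually quote as 'the' margin of error."""
    return z * math.sqrt(p * (1 - p) / n)


def confidence_interval(p, n, z=Z_95):
    """95% interval for an observed proportion p from n respondents."""
    moe = margin_of_error(n, p, z)
    return (max(0.0, p - moe), min(1.0, p + moe))


def intervals_overlap(a, b):
    """Rough screen: overlapping intervals mean the difference may not be real."""
    return a[0] <= b[1] and b[0] <= a[1]


def two_proportion_z(p1, n1, p2, n2):
    """Pooled two-proportion z statistic; |z| > 1.96 is significant at the 5% level."""
    pooled = (p1 * n1 + p2 * n2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (p1 - p2) / se


def two_sided_p_value(z):
    """Two-sided p-value for a standard normal z, via the complementary error function."""
    return math.erfc(abs(z) / math.sqrt(2))


# Percentages quoted on the page: 67% (2010), 63% (2012), 54% (2013) of small
# businesses with a documented policy.  n=150 for EVERY year is an assumption;
# the report only says this year's graphs had about 150 respondents each.
POLICY_BY_YEAR = {2010: (0.67, 150), 2012: (0.63, 150), 2013: (0.54, 150)}


def compare_years(a, b, data=POLICY_BY_YEAR):
    """Return (z, p-value, do the 95% intervals overlap?) for two survey years."""
    p1, n1 = data[a]
    p2, n2 = data[b]
    z = two_proportion_z(p1, n1, p2, n2)
    overlap = intervals_overlap(confidence_interval(p1, n1), confidence_interval(p2, n2))
    return z, two_sided_p_value(z), overlap


if __name__ == "__main__":
    for n in (100, 150):
        print(f"n={n}: worst-case margin of error +/- {margin_of_error(n):.1%}")
    for a, b in ((2012, 2013), (2010, 2013)):
        z, p, overlap = compare_years(a, b)
        print(f"{a} vs {b}: z={z:.2f}, p={p:.3f}, intervals overlap={overlap}")
```

Running it gives ±9.8% for 100 respondents and ±8.0% for 150, the figure estimated above.  On the assumed sample sizes the year-on-year step from 63% to 54% has |z| below 1.96, so it is not significant, while the 2010-to-2013 drop is borderline significant only if the earlier surveys really had similar numbers of small-business respondents, which the page does not tell us.  Note that overlapping confidence intervals are a conservative screen: the 2010/2013 pair overlaps yet the pooled test still crosses the 5% threshold, which is exactly the kind of detail that "thinking carefully about what you are being told" involves.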

While I have only discussed two graphs and about 130 words of commentary, a small part of the report's 19 or so pages, hopefully this has given you a clue about what I meant by 'thinking carefully about what we are being told' and, for that matter, what we are not being told.  The survey is well worth reading, although I recommend reading it critically to get the most value from it.  

Regards,

PS  I wrote about security surveys over on the PRAGMATIC metrics blog some while back, concluding with "a very pragmatic bottom line: published security surveys are, on the whole, good enough to be worth using as security metrics.  While many of us take them at face value, they are even more valuable if you have the knowledge and interest to consider and ideally compensate for the underlying issues and biases, thinking about them in PRAGMATIC terms."  

May 2, 2013

NZ privacy workshop

The Office of the Privacy Commissioner here in New Zealand ran a half-day privacy workshop in Wellington yesterday, ably compered by Malcolm Crompton, former Australian Privacy Commissioner and co-author of the official independent report into ACC's privacy breach.  We heard from several government departments and Telecom about their recent high-profile privacy breaches, a couple of lawyers specialising in privacy and employment laws and a PR consultant, plus the Privacy Commissioner and the government's Chief Information Officer.

Most of the breaches discussed were caused by simple human error, although we did hear about a couple of malicious incidents too.

A few themes came up repeatedly, including:
  • Compliance, specifically compliance with the Privacy Act;
  • The importance of having a strong corporate culture and policy towards privacy - most organizations claimed to have both, implying that they lack the associated awareness/training and/or oversight and compliance activities although enforcement seems well in hand;
  • The need for a slick incident response process that could deal effectively with the inevitable media scrum when such incidents are disclosed (more on this below);
  • The value of clarifying ownership of personal information i.e. not simply nominating a "Privacy Officer" but one or more Information Asset Owners who are personally accountable for protecting the information, and can therefore be held to account if the protection fails (otherwise the buck stops with the CEO or Minister!);
  • Governance, described in terms of management putting in place the mechanisms needed to stay informed about the state of privacy risks and controls, coupled with the mechanisms necessary for them to act on the information, making improvements where necessary;
  • Social media rapidly spreads information and rumour about breaches, supplementing if not supplanting the news media;
  • Portable IT, BYOD and homeworking - there are many temptations for employees to move personal data from the relative security of the corporate IT infrastructure to the relative insecurity of their own devices;
  • The need to support rather than punish employees who unwittingly cause privacy breaches.  The embarrassment and anguish these incidents create is considered more effective as both punishment and deterrent than disciplinary action.
The PR guy, Mike Munro, briefly outlined what makes a breach or incident newsworthy (e.g. the combination of an obvious victim, a security lapse, a witch-hunt to find the guilty party who in turn becomes another victim if prosecuted/disciplined, and a sense of outrage - interesting, since he implied that the journalists feed off the public outrage, whereas it appears to me to be mostly the other way around i.e. outrage is created or at least pumped up by the reporting, or 'it takes two to tango').  He also described how the organization can manage a breaking story, emphasizing the speed of response, clarity and openness (e.g. nominating a single spokesman or point of contact for the media, someone who understands the organization's objectives and purpose in discussing the news and who 'feeds the sharks' with newsbytes through press releases, press conferences and interviews, all the while being as careful of the tone of what is said as of the literal content).  If the organization comes across as transparent, sincere and contrite, this should defuse the most intrusive and negative reporting that tends to occur if the journalists smell a rat or are not getting the basic information they need (he mentioned that if the official source of information doesn't come up with the goods, the media will find their own sources and write their own copy, which takes control away from the organization).  The news feed needs to continue until the story fades out.

Drawing on that advice, I will write a generic "media plan" to incorporate in our awareness module on incident management.  Thanks for the inspiration, Mike!

Largely absent from the day's proceedings were:
  • Strategy - the higher-level corporate objectives that provide the strategic framework, direction and mandate for the privacy policies, accountability and various other lower-level controls (e.g. explicitly linking the organization's approach towards customer and employee privacy with its business objectives and values);
  • Metrics - the idea that organizations should not just be operating and auditing their privacy controls but should be routinely measuring and reporting the associated risks to management, such that they are motivated and in fact able to adjust the approach as necessary (this is, of course, an integral part of governance, so I find it strange that metrics weren't raised as such);
  • How to make security awareness effective including management-level awareness/training such that managers appreciate their role in guiding/driving and funding the investments necessary to implement and maintain all those controls properly, and IT awareness/training enabling the IT pros to appreciate and fulfill their roles in designing, implementing, testing, operating and maintaining all manner of technical privacy controls, encryption and data access controls being classic examples albeit barely mentioned; 
  • Technical security measures - other than brief mentions of DLP/Data Leakage Prevention, using tools to search audit logs, and an intriguing comment about a 'break glass' function for a medic to bypass access controls if there was a legitimate need to access confidential patient data.  As far as I recall, nobody mentioned the value of MDM or honeytokens as privacy controls, for example.  Most speakers apologised for not being technologists, implying that privacy and/or information security is still considered an IT issue in NZ, despite several speakers stating that it is primarily a business or organizational issue (strange, then, how many privacy and information security people and functions languish within the IT department under the CIO or CTO!);
  • Standards - such as ISO27k and other privacy and information security standards.  I get the impression that NZ is either busily inventing its own privacy approaches or occasionally adopting those brought in by immigrants, while seemingly ignoring the wealth of published standards and so forth laying out good privacy practices that the rest of the world finds useful ('not invented here syndrome' I guess);
  • Broad privacy concepts - such as the meaning of 'private and personal' and a person's right to maintain control over the accuracy and use of their personal information, not just its disclosure (one speaker mentioned that privacy is about control but there wasn't time to elaborate on that - most speakers were clearly rushed);
  • Privacy principles - such as informed consent and stated purposes - I didn't notice a single mention of those important controls that precede the gathering of personal information;
  • Information security in the broad - for example nobody explicitly mentioned the integrity and availability aspects that are often just as applicable to personal data as is confidentiality.
There was a Twitter feed for the event, although it was somewhat dominated by the compere's rolling summary and was not an effective mechanism for audience participation, contribution or feedback.  Despite the excellent turnout (250 people!) and obvious interest in sharing information about privacy, I am not aware of any plans to keep the initiative going.  I have suggested on the Twitter feed that an email forum for attendees and other interested parties would be a good way for us to carry on discussing privacy for a while at least.  I can easily set one up but I doubt the organizers would disclose to me attendees' email addresses on privacy grounds!  Unless we can persuade them to email attendees with an invitation to the forum, it is unlikely to work.  

Regards,

Apr 29, 2013

Fraud awareness module released



Frauds, scams, swindles and cons involve taking advantage of victims through the use of deception, which is itself a form of social engineering.  As such, fraud definitely qualifies as an information security concern, making it a valid topic for the security awareness program.  What’s more, fraud is an inherently fascinating subject.  The deviously creative nature of fraudsters means they find surprising ways to dupe and manipulate people, processes and systems, undermining or bypassing controls that superficially appear sound.

Fraudsters may exist within or without the organization, sometimes both.  Procurement frauds, for instance, often involve dishonest or coerced employees acting in collusion with external suppliers to misappropriate the organization’s funds.  Collusion between individuals is a particularly challenging concern in relation to fraud since it negates a very important form of control – the division of responsibilities between individuals.

The breakdown of trust is another problem with fraud, a serious consequence given that commerce and society revolve around trust.  I'm deep into Bruce Schneier's latest book Liars and Outliers at the moment, and intrigued by the concept that fraudsters, hackers and other adversaries are 'defectors' who choose to ignore the explicit and implicit rules of society.  I'm sure I'll be drawing on that thought in future awareness modules and bloggery.

Anyway, please check out the fraud awareness module and get in touch to subscribe to NoticeBored.  Provided you have the time, inclination, skills and expertise, there's nothing to stop you writing your own suite of creative and motivational awareness materials on interesting security topics such as fraud every month ... but how much will it cost you to do that?  And wouldn't you rather spend your valuable time interacting with your awareness audiences, not to mention "having a life"?

Regards,

Mar 30, 2013

Our tenth anniversary module


NoticeBored's new “Taking chances” awareness module is about identifying, assessing and dealing with information security risks and opportunities.

Whereas information security and risk management professionals, as a breed, are generally risk-averse, the awareness materials this month acknowledge pragmatically that there are legitimate business reasons to accept some information security risks, to take chances deliberately: the trick is to know which ones to live with, and which to avoid, pass to someone else or mitigate.

Animals deal with safety risks routinely at a subconscious level, avoiding extreme dangers instinctively, and learning to avoid other risks through teaching, by observing their parents and peers, or by trial-and-error: the ability to learn and so change our behavior is a vital survival skill.  In a sense, organizations also have both instinctive and learned reactions to risks.  This month’s awareness module passes on decades of real-world experience with the management of information security risks.

Some cynical graybeard information security professionals feel that the methods commonly used to analyze risks are little better than chicken entrails at predicting the future.  By explaining the elements of the risk management process, we demonstrate that rational analysis, prioritization, treatment and monitoring of information security risks does give us a bit of an edge over those entrails, and perhaps in our own small way we can help advance the profession a little.  It’s not all hocus pocus!

"Taking chances" is our 120th monthly module, in other words we have successfully navigated our first decade in security awareness.  We're still trying to decide how best to celebrate our tenth birthday so watch out for a news update once we sober up from the office party.

Happy Easter all!


Regards,
Gary (Gary@isect.com)

Mar 28, 2013

Molds and parasites - new families of malware

The following paragraph remains unredacted in a heavily redacted NSA newsletter from 1996:
"The most harmful computer virus will not be the one that stops your computer, but the one that randomly changes or corrupts your data over time."
Malware that causes data corruption perhaps ought to be called a fungus or mold rather than a virus but I guess "virus" remains the nondescript all-purpose term preferred by journalists and lay-people alike. 

Anyway, I partially agree with the statement.  Compared to incidents that are as crude and noisy as completely stopping the computer, more sophisticated and silent attacks (such as those behind APTs - Advanced Persistent Threats) are more dangerous and insidious because they can continue unabated for longer.  As with a parasite that exploits its symbiotic relationship with the host, a lengthy infection starts off with the host barely even recognizing that it has been victimized.

Random data corruption is a concern, for sure, but is fairly noisy in its own right.  Creeping data corruption in a relational database system, for instance, will eventually fall foul of the built-in database integrity controls, and may well be spotted by users who are aware and intelligent enough to appreciate that just because the computer says something does not necessarily mean it is true.  

So what about directed data corruption, where the malware targets particular data items and makes specific but relatively subtle changes?  Such a mold could be used to manipulate the system, the data, the users and their decisions in a concerted manner, leading them a merry dance for as long as possible before the inconsistencies came to light, by which time it might be too late to act.  The changes may appear as innocuous typoos in textual information (generally overlooked) or slight but consistent biases in numeric data.  Numeric changes might perhaps be picked up by statistical integrity-checking routines or Benford's Law - provided anyone bothered to consider the risk, implement and use the controls that is.  Aside from the NSA paper and our own security awareness materials on the topic of integrity, I have not seen this risk discussed (maybe I just missed it).
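The Benford's Law check mentioned above, as an added example (my own code, not from the NSA newsletter or the NoticeBored integrity materials): a first-digit test run over a constructed ledger, once clean and once with every fourth amount quietly rewritten, to show what such a control would and would not flag.  The ledger values and the tampering pattern are constructed for the demonstration; the chi-square critical value is the standard one for 8 degrees of freedom at the 5% level.

```python
import math
from collections import Counter

# Expected first-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value, 8 degrees of freedom, 5% significance
CHI2_CRIT_8DF_95 = 15.507


def leading_digit(x):
    """Most significant non-zero decimal digit of x, or None for zero."""
    x = abs(x)
    if x == 0:
        return None
    while x >= 10:
        x /= 10
    while x < 1:
        x *= 10
    return int(x)


def first_digit_counts(values):
    """Histogram of leading digits, ignoring zero-valued entries."""
    return Counter(d for d in map(leading_digit, values) if d is not None)


def benford_chi_square(values):
    """Chi-square distance between the observed first-digit histogram and Benford."""
    counts = first_digit_counts(values)
    n = sum(counts.values())
    return sum((counts.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD.items())


def benford_conforms(values, critical=CHI2_CRIT_8DF_95):
    """True when the first digits are consistent with Benford at the 5% level."""
    return benford_chi_square(values) < critical


# Constructed sample data (not real figures): a geometric series of amounts
# spanning many orders of magnitude, a classic Benford-conforming population.
CLEAN_LEDGER = [round(100 * 1.1 ** k, 2) for k in range(500)]

# Constructed tampering: every fourth amount silently rewritten to a value
# starting with 7, the kind of consistent, targeted alteration described above.
TAMPERED_LEDGER = [7000.0 + (k % 50) if k % 4 == 0 else v
                   for k, v in enumerate(CLEAN_LEDGER)]


if __name__ == "__main__":
    for name, ledger in (("clean", CLEAN_LEDGER), ("tampered", TAMPERED_LEDGER)):
        chi2 = benford_chi_square(ledger)
        verdict = "conforms" if chi2 < CHI2_CRIT_8DF_95 else "DEVIATES - investigate"
        print(f"{name:9s} chi-square={chi2:7.1f}  {verdict}")
```

The clean series passes and the tampered one fails by a wide margin.  Two caveats matter for anyone wanting to "bother to consider the risk" and deploy this: Benford only applies to naturally occurring figures that span several orders of magnitude (not assigned numbers like invoice IDs, or amounts capped at an approval threshold), and because the distribution is scale-invariant a purely multiplicative bias, every value nudged by the same small percentage, is invisible to it.  It is a screen that prompts investigation, not a proof of integrity.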

To close, let me return to the idea of parasitic malware.  Some living parasites have evolved the capability to alter their host's behavior, secreting toxins or hormones if not directly stimulating the host's nervous system.  Ophiocordyceps unilateralis, for example, is a fascinating parasitic fungus that infects certain ants, causing them to climb and cling to the top of foliage where the parasite kills them and sends out its fruiting bodies and spores over a wider area than it could have reached if the ants had remained at ground level.  Imagine now an APT that not only stole and manipulated information, but influenced management and operational decisions made by managers and staff, changing the way the organization behaved.

Remember this if your organization seems, for no obvious external reason, to be climbing the foliage.

Regards,

Windows update scam

Hey, that's nice.  The "Microsoft Windows Team" just wrote to me inviting me to update my PC:
Dear Windows User,
Please upgrade your current Windows to the latest Windows 8, this helps keep your PC safer-and your software current-by fetching the latest security and feature updates from Microsoft via the Internet, CLICK HERE. To upgrade your Microsoft Windows Experience.
Please sign on with your email.
Thanks Microsoft Windows Team

Since I wasn't actually born yesterday, this crude attempt at social engineering failed at the first hurdle.  There are numerous clues that it's a scam.  How many can you spot, dear reader?

Regards,

PS  No, the CLICK HERE link in the original email did not point at NoticeBored.com - I made that change for you because I'm nice like that.  If for some reason you want to know where it was actually pointing, check your inbox or spam box for this message.  But please don't click it.

Mar 21, 2013

On cryptography


The focus on key length obscures the failures of cryptography
Mar 21, 2013 | 07:39 AM
By Gary Hinson 
Light Reading 
Should companies continue sinking yet more money into cryptography? It's a contentious topic, with respected experts on both sides of the debate. I personally believe that cryptography is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry's obsessive fascination with crypto serves to obscure greater failings in security design.
In order to understand my argument, it's useful to look at cryptography's successes and failures. One area where crypto doesn't work very well is health. We are forever trying to secure health records using encryption.  We apply the very finest mathematical and statistical trickery known to Man to scramble them beyond comprehension.  But then medics go and decrypt them in order to use them, callously undoing our good work!  What is it with these people?  Don't they realize that plaintext health records can be read by anyone?  Couldn't they at least give hexadecimal a go?  There's a lot to be said for doctors hand-writing their notes, in Latin, with a quill.
Similarly, cryptography is an abstract "benefit" that gets in the way of using and enjoying the Internet. Good cryptographic practices might protect me from a theoretical attack by a marauding horde of keyboard-tapping monkeys at some time in the future, but they’re a bother right now, and I have more fun things to think about than how many rounds of Ess- and Pee-boxes are necessary.  No one except cryptographers actually reads and comprehends new cryptographic algorithms; for the rest of us, it's much easier to just click "OK" and start chatting with our friends. In short: crypto is not for Joe Public.
One reason crypto remains the domain of egg-heads is that cryptographers do their level best to make sure it is a dark, mysterious, magical art. We can train anyone in the basics -- even software developers -- with a simple reward mechanism: increase the key by one bit, double the effort required to brute force it. But instead we imply that crypto is not quite so easy. With smoke and mirrors, we seed those little germs of doubt.  Is 'one more bit' enough?  How many bits do you really need?  Is each new bit worth the same as all those old bits?  If you have too many bits, will you go to pieces?  Is it your fault if someone breaks my beautiful algorithm by circumventing the random number generator that you thought was quietly factoring the least significant figures of pi? 
Training laypeople in cryptography also isn't very effective: why is it that laypeople and IT professionals alike seem unable to make perfectly straightforward decisions concerning obscure parameters on oh-so-elegant algorithms when configuring their systems and browsers?  Are they simply thick or are they being deliberately obstructive?  Turns out that it's a bit harder than one might think to teach ordinary mortals advanced theoretical mathematics. We can't expect every motherf to have the knowledge of a cryptographer and we certainly can't expect him to become a crypto-expert when most of the advice he's exposed to comes from cryptographers' blogs. In cryptography, too, a lot of so-called expert advice comes from companies with products and services to sell, some of it good, some of it ... fantastic, according to their marketing anyway.
Talking of which, one area of cryptography that has been a tremendous commercial success is churn. Why release a cryptographic system that is provably secure for a zillion years when we can fool everyone into adopting a crippled variant that will fail within ten?  Even better, let's publish its inner workings in explicit detail, and fund a ravenous mob of cryptanalysts to smash it to pieces in public like the statue of a deposed dictator so there is no choice but to deprecate it, discard an entire generation of broken software and replace it ... with ... something based on ... the next crippled variant.  This points to a possible way that cryptography can succeed.  Instead of trying to design ever more fantastically convoluted and beautiful machines, perhaps we ought to focus our efforts on making them usable and maintainable by ordinary mortals, greasy oiks armed with monkey wrenches instead of PhDs in astrophysics.
On the other hand, we still have trouble teaching some cryptographers to wash -- even though it’s easy, fairly effective, and simple enough to explain if we used diagrams with numbers. Notice the difference, though.  The risks of cryptographic failure are huge, and the cause of the failure is obvious. The risks of not washing are low, and it’s not easy to prove personal hygiene is necessary in a formal model. Some might claim that the world of cryptography stinks. Is it any wonder that cryptographers are shunned by security architects?
Another illustration of the outright failure of cryptography is driving. We trained, either through formal courses or one-on-one tutoring, and passed a government test to be allowed to drive a car. We're even allowed to fill up by ourselves and some of us maintain our own vehicles.  One reason that works is because we have car manuals with exploded parts lists and step-by-step instructions. Even though the technology of driving has changed dramatically over the past century, we don't have to worry ourselves over transposition functions and matrix algebra.  You might have learned to drive and service a vehicle 30 years ago, but that knowledge is still relevant today.  What use is a DES-expert now, eh?  Triple-DES was the beginning of the end of that era.  "It's no use,"  I told them, "hanging on to the thought of quad-DES.  It's over I tell you, over."
To those who think that cryptography is a good idea, I want to ask: "Have you ever met an actual cryptographer, in the flesh?" They're not human, and we can’t expect them to become human. They inhabit a bizarre world populated by people called Alice and Bob who insist on chatting about their most personal secrets on phone lines despite knowing they are being tapped.  
Even if we could invent a provably-effective cryptographic system (don't laugh - it has already been done), there's one last problem. Malware prevention training works because affecting what the average person does is valuable. Even if only half of the population practices safe hex, those actions dramatically reduce the spread of worms and Trojans. But computer security is often only as strong as the weakest link. If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, that's four-fifths who can thumb their noses at the bad guys.  But there's no such thing as a four-fifths broken cryptosystem.  It's all-or-nothing with crypto - a teeny weeny bit too little entropy and they fail spectacularly.  As long as we continue to build cryptosystems with built-in obsolescence, key escrow, raising the 'number of bits' won't make them more secure.  It's the magician's diversion.
The whole concept of bit-length being a measure of the strength of cryptography demonstrates how the cryptographic industry has failed. We should be designing cryptosystems that don't care if users choose lousy passwords and don't mind what links a user clicks on. We should be designing cryptosystems that are provably unbreakable, not provably broken.  And we should be spending money on personal hygiene for cryptographers. These are people who, with patience and understanding, can be taught the necessary skills in a safe changing-room environment, and this is a situation where reduced odor correlates with increased security.
If cryptographers would only do their job right, then IT users and administrators would not have to worry about the number of bits or "how complex is complex".  Alice and Bob wouldn't have to plan on replacing their systems yet again because Eve knows their innermost secrets.  That makes a whole lot more sense.
Gary Hinson is a cynic with a sense of humour (with a you).  He researches and writes cost-effective security awareness materials by day and pragmatic books on security metrics by night.  Despite appearances, he actually values cryptography, respects cryptographers and is simply reacting instinctively to a poke in the ribs from one of his idols.

Mar 6, 2013

The bloggings will continue until morale improves

I've just noticed that, according to Blogger, this is my 1,000th piece on the NoticeBored blog since 2005, an average of about 10 a month.  In fact, I published a few hundred more on the previous blog platform but I've long since forgotten how many, and it doesn't matter much anyway.

Just in case you are the least bit interested, here are the top ten most popular posts according to the minimalist statistics that Blogger gives me:

  1. A distinctly cynical piece about the launch of the Information Security Awareness Forum - a laudable British initiative unfortunately overshadowed by a lack of focus and the competing interests of its commercial sponsors.  I guess the ISAF website is still running but updates are few and far between, while the associated blog's domain has expired.  Such a shame, yet another missed awareness opportunity. 
  2. A short note about a NIST paper Directions in Security Metrics Research (NISTIR 7564).  The paper outlined a bunch of possible avenues for research into security metrics: I wonder if any of them actually took place?  NIST has the smarts to make a real impression on security metrics.  I hope PRAGMATIC Security Metrics will prove to be a useful new direction.
  3. A heads-up about a bunch of credit card numbers being posted on an eBay forum.
  4. An announcement about a new NoticeBored awareness module on information security risk management, complete with diliferate mipsellings.  Interesting that this should be so popular since we are currently preparing an update to the very same module.
  5. A harsh critique of FAIR (Factor Analysis of Information Risk), with a lengthy and spirited rebuttal by Alex Hutton - well worth reading in its entirety.  We may hold different opinions in some respects but we are in violent agreement elsewhere.  Overall, I have a lot of respect for Alex - he knows his stuff.
  6. A little item about incident management plans and processes.  Short and sweet.
  7. News about the hacking of a Xerox multi-function printer thingummy, a plain English summary of the main points from a geeky Black Hat presentation.
  8. A very short note about the costs to fix bugs escalating 200 times if they are discovered after implementation, compared to finding and fixing them much earlier in the software development cycle.  I suspect this item is so popular because the x200 figure is frequently quoted but the original source is obscure and hard to track down.  As I recall, it was shown on a graph in a research paper, in other words an image not readily located using, say, Google. 
  9. Announcing another NoticeBored awareness module on business continuity.  I am disappointed to be one of very few professionals promoting the concept that business continuity is a superset of resilience, recovery and contingency practices.  Even ISO/IEC JTC1/SC27 doesn't get it, judging by the fact that the editor appears to have struck out my rewrite of the business continuity section of the forthcoming update to ISO/IEC 27002, largely reverting to the gibberish from the 2005 version.  If you believe business continuity management is all about recovering information security, knock yourselves out.  I give up.
  10. Another short item about a list of 100 underground hacking/cracking/warez websites, complete with a security warning for anyone foolhardy enough to be browsing indiscriminately.

I'm a little disappointed to have received so few reader comments on the blog, with notable exceptions such as Alex Hutton's response.  Sometimes I wonder if I am just idly talking to myself here, quietly gibbering or muttering away like the nutter on the bus.  Maybe I should become more contentious and outspoken in the next 1,000 bloggings, or just concede defeat and keep this stuff to myself in future ... but Blogger tells me I have more than 2,000 readers per month, the silent majority which keeps me going.  I guess you find some interest and value in my musings, dear reader, and indeed so do I: from time to time, I search my own blog for stuff I have written before, particularly links to useful resources (such as that x200 reference at number 8 above).

To infinity ... and beyond!

Regards,

How-to security awareness guide from ENISA

Re-reading ENISA's excellent how-to guide on security awareness has spurred me into getting ready to update our Information Security 101 awareness module.  

The guide is strong on the purpose and objectives for security awareness:

"An information security awareness programme will:
  • Provide a focal point and a driving force for a range of awareness, training and educational activities related to information security, some of which might already be in place, but perhaps need to be better coordinated and more effective.
  • Communicate important recommended guidelines or practices required to secure information resources.
  • Provide general and specific information about information security risks and controls to people who need to know.
  • Make individuals aware of their responsibilities in relation to information security.
  • Motivate individuals to adopt recommended guidelines or practices.
  • Create a stronger culture of security, one with a broad understanding and commitment to information security.
  • Help enhance the consistency and effectiveness of existing information security controls and potentially stimulate the adoption of cost-effective controls.
  • Help minimise the number and extent of information security breaches, thus reducing costs directly (e.g. data damaged by viruses) and indirectly (e.g. reduced need to investigate and resolve breaches); these are the main financial benefits of the programme."


ENISA's structured process, laid out in detail over its 140 pages (!), resembles a project plan for a one-off project:


The ENISA guide is a bit ambiguous about the duration of the awareness programme, for example the activity "C-070 Re-Launch the Programme" clearly implies that the programme has stopped, but elsewhere it mentions the need for a continuous approach to security awareness.  A one-off project plan may not be an ideal model for a continuous/ongoing/indefinite effort, but I guess it's a familiar starting point for most of those using the guide.

In a couple of places, the guide uses graphical images to illustrate the progression of the awareness audience from a basic level of security awareness and knowledge, through understanding and commitment to change, to behaving more securely - not unlike our ladder diagram.  Understanding this concept differentiates the old-skool approach to awareness (basically, throw a bunch of policies at the users and tell them to comply - treating the audience as mere receptacles for Important Security Stuff) from more modern and effective cultural-change approaches (engaging, motivating and persuading the audience, providing interesting content on a range of relevant business-related security topics, and interacting with them as sentient beings).

One more thing I particularly like about the ENISA advice is that it emphasizes the use of metrics to measure and drive systematic improvements in the awareness programme.  "The effectiveness of an awareness programme and its ability to improve information security can be measured.  The need for security awareness is widely recognised, but not many public or private organisations have tried to quantify the value of awareness programmes." (page 70).  I'm currently working on an article about awareness metrics using the PRAGMATIC method - more to come on that score.  Perhaps I can turn those awareness progression graphs into an awareness metric ...

Regards,
Gary (Gary@isect.com)

Mar 1, 2013

Malware & APT awareness


Malware is a core information security topic, something that virtually every security awareness program covers.  As such, we update the NoticeBored malware module once a year to remind our audiences about the ever-present malware risks ... which means we have covered it several times already and, to be frank, we're getting ever so slightly bored by it!  We try to find different angles every time to keep interest levels up: this year, thanks to a customer suggestion, we have focused on APTs - Advanced Persistent Threats - which combine sophisticated malware with other methods of penetrating targeted organizations, hence there are a few mentions of social engineering, hacking and physical intrusion as well as classic malware in the module.

A recent upsurge in reports, mostly from the US, about the Chinese state-sponsored spies and hackers is timely since APTs are undoubtedly part of their arsenal.  However, Stuxnet (at least) was an APT attack allegedly sponsored or conducted by the US plus Israel.  Other nations such as the French are known to be active in the same field, and I rather suspect many more are playing the game, just a bit more discreetly.  In other words, I'm sure this is not solely a Chinese issue, and America is not the poor helpless victim some xenophobic commentators imply.  

[By the way, a lively debate around that topic might be a worthwhile awareness exercise in itself.  Is the Chinese cyber-threat over-rated?  Aren't we ignoring the fact that our most dangerous adversaries are the ones we don't even recognize as such?  And what of our own governments: exactly how trustworthy are they?]

The severity of APT risks and the limitations of available information security controls (particularly if you don't have a bottomless pit of money!) make this a rather dark and depressing topic for information security and risk management professionals.  We have done our best to point out in the module, however, that there are things organizations ought to be doing in relation to APTs, and those who do so will simultaneously improve their controls against ordinary malware and those other attack methods I noted above, even if they don't actually make much headway against APTs.  Industrial espionage, commercial sabotage and information theft are issues that should concern us all.  Being aware of the threat is the first step towards doing something about it, so get in touch to add APTs to your security awareness program's list of topics.


Regards,