Welcome to NBlog, the NoticeBored blog

Like the finer things in life, quality trumps quantity.

Mar 23, 2017

NBlog March 23


Nothing much to say today - we're too busy working on the security innovation awareness materials.

The staff seminar is done, and is now in the process of being adapted/extended for the management and professional seminars.

The speaker notes also form the basis of the accompanying briefing papers/handouts.

Mar 22, 2017

NBlog March 22

As part of the background research for next month's awareness module on 'email and messaging security', I figured it is about time I got to grips with secure email. You'd have thought I'd be on top of it already, given that my career started nearly 30 years ago with email system administration and then information security! Truth is, I've managed OK without it until now. The few times I have really needed to send secure email, I have either used a secure webmail facility provided by the client or achieved the same ends using AES-encrypted WinZip archives, sharing the secret password off-line. Now, I find myself needing to communicate securely with a company that doesn't offer secure webmail but does (allegedly) use PGP for secure email. Hmmm.

Today I re-discovered a key reason for not bothering with secure email - the very same reason that has caused me to try, fail and give up previously. The process of configuring MS Outlook - a commonplace, mainstream email application - for S/MIME is convoluted and inadequately-explained. For starters, what is S/MIME anyway? Does it interoperate with PGP? Despite reading a bit about it, I'm not entirely sure at this point although I suspect not. Some of the information online might as well have been written by Greeks. In Martian.

I found a website offering free email certificates ... except it didn't explain that Chrome won't install them properly: evidently we need to run Internet Explorer. There's not the faintest whiff of an error message to tell us the process failed. That's another hour of my life down the pan, chasing down Windows' certificate store and yet failing to persuade Outlook to install and use a perfectly serviceable certificate from the store. Re-running the download install through IE worked fine though (after I had also figured out how to revoke the first certificate since it wouldn't let me have two for the same email address, oh no). I wish I had a clue what it was doing automagically in the background that I couldn't do manually. Some sort of hocus pocus going on.
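The "hocus pocus" above usually comes down to one of a handful of checkable properties of the certificate sitting in the Windows store. The PowerShell script below is an added example (it is not from the NBlog post, and it is not a NoticeBored or Outlook tool): it lists every certificate in the current user's personal store and reports whether it has a private key, carries the "Secure Email" enhanced key usage that Outlook requires for S/MIME, names the sending address in its Subject or Subject Alternative Name, is still within its validity period, and chains to a trusted root with online revocation checking. The e-mail address is a placeholder assumption; replace it with the address the certificate was enrolled for. One fact worth stating plainly for the question in the post: S/MIME uses X.509 certificates issued by a certificate authority, whereas OpenPGP uses its own key format and web-of-trust model, so a client set up for one cannot read mail encrypted with the other.

```powershell
# Added example, not from the NBlog post: inventory S/MIME candidates in the
# current user's personal certificate store and show why Outlook might refuse one.
# $EmailAddress is a placeholder assumption; replace it with the address the
# certificate was issued for.
$EmailAddress   = 'user@example.com'
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection, shown as "Secure Email"
$SanOid         = '2.5.29.17'           # Subject Alternative Name extension

function Get-SmimeCertificateReport {
    param([string]$Address = $EmailAddress)

    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_

        # Outlook only offers certificates whose EKU includes Secure Email.
        $hasSecureEmailEku = ($cert.EnhancedKeyUsageList.ObjectId -contains $SecureEmailOid)

        # The RFC 822 name in the SAN (or the e-mail in the Subject) must match
        # the address the message is sent from, or Outlook will not pair them.
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } |
                ForEach-Object { $_.Format($false) }) -join ';'
        $addressMatches = ("$san $($cert.Subject)" -match [regex]::Escape($Address))

        # Build the trust chain with online revocation checking so a revoked or
        # untrusted certificate is reported rather than silently ignored.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk     = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $chain.Dispose()

        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey   # without it, nothing can be signed or decrypted
            SecureEmailEKU = $hasSecureEmailEku
            AddressMatches = $addressMatches
            ChainValid     = $chainOk
            ChainStatus    = $chainStatus           # e.g. Revoked, NotTimeValid, UntrustedRoot
            Usable         = ($cert.HasPrivateKey -and $hasSecureEmailEku -and
                              $addressMatches -and $chainOk -and
                              $cert.NotAfter -gt (Get-Date))
        }
    }
}

Get-SmimeCertificateReport | Format-List
```

Run it in the same Windows account Outlook uses. A certificate that shows HasPrivateKey = False is the classic symptom of a browser enrolment that completed the public half but never bound the private key into the store; a second certificate for the same address with ChainStatus = Revoked is what is left behind after the revoke-and-reissue dance described above, and Outlook will quietly skip it.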

We're clearly a long way from simple secure email, despite the common refrain that the process really ought to be made easier and more widely accessible. My cynical mind wonders if certain 'agencies' might be actively frustrating attempts to simplify and so spread secure email more widely ... and while I would understand their reasons, I doubt I could be persuaded that it is in the public interest to allow the authorities to continue snooping on all our emails willy-nilly. So I guess our next awareness module has a public service objective.

Regards,

Mar 21, 2017

NBlog March 21

After a weekend on the farm, I'm back to the day-job, preparing April's awareness module on 'security innovation' for NoticeBored.

The scope of this module is becoming clearer day-by-day. Two perspectives, in particular, stand out because of their relevance to information risk and security. Here's a scope/introductory slide from the staff seminar:

First there's the invention and creativity angle, including the creation, exploitation and protection of intellectual property. NoticeBored has covered Intellectual Property Rights several times already so we could dip into the library of content for something suitable to repurpose this month. However I brought up patent trolls a few days ago, a new topic that avoids regurgitating old content. We can refer to IPR in general terms without going into detail, then expand a little on patent trolls.

Secondly, there's the issue of both driving and responding to changes. Again, we've covered change management before so there may be general background stuff in our awareness library we can dust off. This time we're focusing specifically on risk and security changes involving or brought about by technology and social innovations, though, so here too we will be creating brand new content just for this module.

This is par for the course for NoticeBored. None of the security awareness topics in our bulging portfolio is truly static although admittedly some are more mature than others. In practice, we always find novel perspectives to explore, even for the more stable ones - such as the annual malware topic spawning ransomware this year. Since the world has moved on since we last covered them, there are invariably new issues and incidents to report too. It keeps us on our toes and avoids the awareness materials becoming stale. 

NoticeBored's monthly cycle was innovative when we launched it back in 2003. I've noticed a few other awareness suppliers toying with periodic updates from time to time since then, the periods ranging from 1 week to 1 year or more. Several produce regular newsletters with an assortment of current news, although most only cover tech "cybersecurity" issues and don't provide enough context or explanation for the general security awareness audience. It still feels right to me to focus on a different information risk and security-related topic every calendar month, and to take a deliberately broad perspective with unusual topics such as 'security innovation'. An added bonus is that it makes researching and preparing the materials more satisfying for those of us with a short attention span and perfectionist nature. Generally speaking, the last week of any month is a slog but the anticipation of a short break before moving on to the next topic motivates us to get the module finished and delivered.

Regards,

Mar 20, 2017

NBlog March 20

A sunny Sunday was my chance to repair an ancient 7-wire fence, so old in fact that it had become a 6-wire fence: the bottom wire ran on or in the ground and had corroded away. Full grown sheep can't limbo underneath it but their lambs do, becoming separated and soon expiring unless they find their way back in time for a feed. Meanwhile, the ewes generally wander off, seemingly oblivious to the pitiful bleating from the other side of the fence.

Last Spring, a fluffy newborn lamb slipped under the fence and promptly got entangled in a blackberry bush. Luckily Deborah heard the bleating and rescued her just in time. Naturally, we call her Bramble. She's doing fine and will soon have lambs of her own.

On days like today, I love my office.

Regards,

Mar 19, 2017

NBlog March 19

A blog mentioning patent trolls reminded me that inventions may be patented, opening up several innovation-related information risks and opportunities. Hmmm, that's something else to bring up in the management stream this month - intellectual property rights protecting creative expression and innovation.

Meanwhile, there are sheep to shear and fences to mend. So long as the rain holds off, it's a good weekend for 'outside jobs' ...

Regards,

Mar 18, 2017

NBlog March 18

The staff awareness seminar slide deck on 'security innovation' is coming along nicely. That image of two sectioned heads on the second slide will introduce the ongoing battle of wills between the white and black hats, in which innovation and creativity plays a central role on both sides. We've incorporated a selection of innovation-related images already, and we'll be adding real world examples (like that intimidating Reaper drone in slide 12) to illustrate and reinforce key points.

We're planning to say something towards the end about promising security innovations which means scanning the landscape for news of novel security products and services, innovative approaches to security and creative ways to address information risks. I have a couple in mind already but further suggestions are always welcome. While it would be nice to be able to explain cutting-edge security advances such as quantum crypto, I'm keen to find simpler, more easily understood examples for the general staff awareness audience. With 15 slides and a fair amount of ground to cover already, I can picture those drooping eyes and shuffles.

I'm tempted to tack-on a final slide posing a question about what's coming up on the black hat scene. Again I have a couple of vague possibilities in mind, although I'd prefer to leave them with the parting message that we really don't know what they are up to unless and until someone spots a novel tool, approach or whatever. I like the idea of giving the audience something stimulating to think and talk about as the seminar comes to an end, making the final 'afterthought' slide paradoxically the most valuable one in the deck. If the previous slides, the accompanying speaker notes (not shown here) and the presenter have done their job, it should be eye-catching, intriguing and yet self-explanatory. It's our little seed, planting thoughts in brains through a creative and innovative approach to security awareness.

Regards,

Mar 17, 2017

NBlog March 17 (St. Patrick's day)

I've said quite a lot about our monthly cycle. We find a month long enough to explore an information risk and security topic in some depth, and yet short enough to avoid terminal boredom.

There are two longer cycles too. A few topics get brought up every year because strong security awareness is such an important and valuable control in the obvious areas such as:

  • Malware
  • Social engineering 
  • Physical security

Other awareness topics are dusted off and refreshed every so often too - things such as:
  • Securing portable IT devices
  • Cryptography including authentication and access control
  • Privacy
  • Fraud
  • Patching, version control, change management and so on. 
Although it's not as critical for everyone to know all about them, a general appreciation is beneficial so these get updated every few years.

As well as covering specific topics, there are more fundamental themes such as:
  • Information risk and security (of course!)
  • Governance
  • Compliance
  • Control
  • Responsibility and accountability
  • Management, oversight, monitoring and directing information risk and security
  • Business
  • Technology
  • Information

Occasionally we highlight and explore those individual themes in isolation, although normally they are just an integral part of the monthly modules. Like threads woven through all the materials, the themes link successive modules together into a coherent mesh, a fabric strip rather than a random assortment of fragments. They help us 'tell the story' of information security.

The long-term thematic approach is a convenient way to handle the inevitable tangents and asides, plus cross-over between many topics. For example, "phishing" involves social engineering, technology, authentication, malware, Internet security, fraud and more. In an awareness piece on phishing, we don't necessarily need to go into depth on those other aspects since they have been and will again be covered, at other times. It's OK to bring them up briefly and move on. In the same way later on, a briefing or seminar about, say, social engineering might casually mention phishing without having to stop and explain it.

I'll end today by mentioning that not everything we do is cyclical or repetitive. Part of the fun in this game involves spotting and responding to changes - new threats, new modes of attack, new incidents, new challenges, new wrinkles, new tricks ... which finally brings me back on track to talk about April's awareness topic, security innovation. Must press on: awareness stuff to prepare before digging out a green teeshirt and the obligatory pint of Guinness.

May all your information risks be in the green today. Slainte!

Regards,

Mar 16, 2017

NBlog March 16

Distracted by some amusing mathematically-inspired comments from friends relating to Pi-day, I've stumbled across an infamous article about the magic number 7, originally published back in 1956 by George A. Miller, a cognitive psychologist.

Not being a cognitive psychologist myself, I skimmed it ... but the final few words caught my eye: George said "I suspect that it [meaning the obsession with 7] is only a pernicious, Pythagorean coincidence".  What a nice way to put it! 

If you too are not a cognitive psychologist, you might find the Wikipedia version more accessible.

It is often suggested that we should stick to 7 things when presenting in the sense that 7 is allegedly the most points we should expect an audience to appreciate and hopefully remember. It could be called an urban legend. Some people say the magic number is 5 or 3 or 10 ... so I guess the more general version is "a small number" or "a handful" of things, and that's fine by me (assuming an audience lacking in savants anyway!).

That's not all though. There's more to this than the number of things, which usually equates to the number of bullet points on a slide or a paragraph in a document. Their complexity, length and content all matter, along with things such as the font, font size, color and contrast. 

Or to put that another way, the things that matter are:
  • Their complexity
  • Their length
  • Their content
  • The font
  • The font size
  • Color
  • Contrast
If you've ever suffered through presentations or reports prepared by inept presenters and authors (and who hasn't?!), you'll know what I mean. Anything can be reduced to a handful of bullet points, a simple list format, but that's not necessarily a good idea.

Sometimes, for instance, it is important, necessary or worthwhile to expand on the detail and explore the subject in more depth than is feasible or sensible for bullet point lists. In place of this very paragraph, I could have added another bullet to that list above, perhaps something like "Level of detail" or "Depth" ... but it's not immediately obvious so I prefer to explain it. Looking back, several of those bullet points are distinctly ambiguous. What did I really mean by "Their complexity"? Complexity in what sense?

Already we see that the urban legend about sticking to "about 7 points" is decidedly lame and potentially misleading. 

It gets worse still if you accept that the context is at least as important as the content. A novice presenter who flatly reads out the words on the slide is adding no value, destroying it in fact since the tedious monologue is distracting: the audience is generally better-off reading and contemplating the words without the presenter's drone. The opposite applies too: if the presenter goes off at a tangent, that creates a dissonance with the words on the slide which again can be distracting and confusing.

So far I've only been blabbering on about the style or manner of the communication. Its content is also an important factor, and the audience another. It's easy to cover something simple and superficially with a few bullet points. Not so easy to cover quantum cryptography, for a topical example. Depending on the specific audience, they may: 
  • Not know the term 'quantum cryptography' at all, having never heard it before
  • Have a vague idea about it, a crude understanding, incomplete and possibly inaccurate
  • Know it quite well
  • Be experts, quite possibly more expert than the author or presenter.
This whole blog piece may be quite narrow and obscure, but I'm getting at some of the factors we take into consideration when preparing what we hope are effective and valuable security awareness materials. There are other factors too, and maybe one day I will pick up and continue this thread. If you'd like that (or equally if not!), please comment below. What aspects would you like me to go further into? What are your challenges in this area? What advice would you offer to those preparing security awareness content?

Regards,

Mar 15, 2017

NBlog March 15 (the Ides of March)

A throwaway comment towards the end of yesterday's blog sent me scurrying down a rabbit hole, well more of a warren really. What is DevOps and how does it relate to security innovation?

In short, as I understand it, DevOps involves integrating and tooling-up development and operations teams so they collaborate in a more effective and efficient way, thus reducing the cycle time between conventional software releases while also delivering better, more resilient and more manageable IT systems.

Sounds great, right? 

Oh but hang on a moment. Haven't we seen this kind of thing before? Isn't DevOps just another movement, a buzzword not unlike Agile Waterfall Cloud Lean ITIL and more ... none of which turned out to be the Ultimate Answers their vocal proponents enthusiastically implied or claimed.

They did however deliver philosophies, strategies, elements, approaches and tools that proved somewhat useful and valuable. Truth is they all have their strengths and weaknesses, opportunities and threats, promises and disappointments. DevOps too.

The information risk and security side of DevOps intrigues me. At face value, minor incremental changes appear less threatening than revolutionary and potentially disruptive major releases, especially if the supporting infrastructure, tools and processes facilitate things such as efficient regression testing. However, some information risks may accumulate, some may change in severity and/or probability, and entirely new risks may appear as a consequence of the approach - for example there's the risk of being completely overtaken by a radically different approach or a dramatic change in the market. As a former geneticist, I see parallels here to evolution, including theories such as Lamarckism and punctuated equilibrium. The common factor is that they are theories based around models that attempt to describe relatively complex and incompletely understood activities in relatively simple cause-and-effect mechanistic ways. The difference is that scientific theories are (a) explicitly formulated in a way that is testable, and (b) actively tested, competently, by teams of professional scientists steeped in the field. Admittedly scientists also get passionately committed to their pet theories, some to the point that their human biases cloud or devalue the science. As a global community, however, bad science gets identified and outed, and the field moves ahead by consensus. Integrity overrides both confidentiality and availability.

Things are markedly different in IT. Fads (such as DevOps) are fads largely because of vested commercial interests. Various people and companies hope to make their fame and fortune through each of these fads, feeding off the seemingly insatiable desire for the Ultimate Solution. I don't. I find the very notion of searching for the Answer to the Ultimate Question of Life, The Universe and Everything just as laughable as Douglas Adams did.

So, in keeping with the Ides of March theme, I predict gloom and despondency for anyone who honestly believes DevOps is all they will ever need. Although it may not be pure snake oil, it has the hallmarks of yet another commercially-driven IT fad having its day in the limelight. 

[/rant]

Rapid incremental or evolutionary change has appeal in other domains such as security awareness and security standards development. Do I even dare to hope that the committee behind the ISO27k standards might one day consider reducing its cycle time to approach the rate of evolution in this field? Could DevOps work its magic there? Somehow I doubt it. We are doomed, doomed I tell you, destined to the same fate as the dinosaurs. Obsolescence is so last year.

Regards,

Mar 14, 2017

NBlog March 14 (Pi day)

The awareness messages relating to 'security innovation' are slowly crystallizing, prompted in part by the thinking behind this month's evolving risk-control spectrum diagram:

The diagram shows two overlapping bands of risk:

  • On the one hand, failing to adopt and exploit novel technologies or other forms of control constitutes missed opportunities to the organization, depending on how often and to what extent that occurs.
  • On the other hand, pressing ahead too quickly with immature technologies etc. increases the risks of failures and costs arising.

Both those risks can be controlled through suitable strategies, policies and approaches concerning the management of information risks. A highly risk-averse organization is likely to be conservative in its choice of security technologies, for instance. While it may avoid the dangers of getting into unfamiliar territory, it may also be missing out on viable business opportunities and failing to address information risks. Conversely, a more gung-ho management might take advantage of new opportunities (such as quantum cryptography) but suffer as a result of unanticipated problems and maybe outright failures of novel approaches since beyond the 'leading edge' lies the 'bleeding edge'. 

I'm hinting that organizations should probably take a balanced, considered approach, hopefully avoiding or at least being prepared for and mitigating those extremes.

There's another issue though, relating to those high-end information risks that can blind-side an unprepared, blinkered or overly conservative organization. I'm talking here about novel threats or exploits, perhaps entirely new classes or modes of attack or significant but as yet unrecognized vulnerabilities and impacts. If the organization doesn't spot and respond appropriately and promptly to them, that could potentially be a catastrophic failure of information risk management.

In the course of using and expanding upon that and other diagrams in the awareness briefings and seminar slide-decks, we often make changes to the diagrams - in other words this is an iterative development process - DevOps you might say ... which fortuitously reminds me of another security innovation theme to bring up in this month's awareness module.

Regards,
Gary (Gary@isect.com)

PS Happy pi day. I hope you enjoy the tangents.