Welcome to NBlog, the NoticeBored blog

Bright and shiny information security things that catch my beady eye

Tuesday, January 24, 2012

Oxfam report on disasters

A little gem this - a report from Oxfam examines trends in natural disasters over the past few decades.  A substantial increase in the number of disasters largely reflects a significant increase in the number of floods.  The trend is marked and easy to see since the 1990s.

The report's conclusion brings up the issue of country governance:
"Countries with better governance are less vulnerable to natural hazards, which implies that securing increased standards of governance could help to mitigate future increases in exposure and hazards."
Though the report stops there, I would be utterly amazed if the same were not equally valid at the level of corporations and corporate governance - in other words:
Corporations with better governance are less vulnerable to natural hazards, which implies that securing increased standards of governance could help to mitigate future increases in exposure and hazards.
So ... just how good are your business continuity and disaster response arrangements at coping with, say, floods?  Have you ever simulated a flooding disaster? 

Regards,
Gary (Gary@isect.com)

Monday, January 02, 2012

Keep calm and carry on

Happy new year everyone.

The monthly NoticeBored security awareness deliveries continue with the release of a thoroughly updated and refreshed module on business continuity management.

Do you like the new graphic?  It's even more impressive as a poster-sized image!

We started researching and planning this module around ISO/IEC 27002’s coverage of business continuity management, and ended up going well beyond what the standard advises.  In our opinion, the standard focuses rather myopically on disaster recovery, largely neglecting other equally significant business continuity controls such as disaster avoidance, resilience and contingency.  It talks about business continuity planning and testing the plans, but hardly mentions business continuity preparations and exercises.

Resilience, being the ability to keep critical business processes running right through a disaster, is an important organizational capability that management can proactively develop and enhance, provided they are aware of the possibilities and benefits of resilience.  We’re talking here about the use of hot sites and cloud computing, for instance, for the IT systems and services supporting core business processes.  Furthermore, the concept of resilience extends to supply chains (e.g. having alternative suppliers for vital supplies) and individuals (e.g. the make-do-and-mend so-called “number 8 wire” mentality recently demonstrated by those amazing Kiwis in Christchurch who get on with things and have a go at fixing stuff up rather than passively waiting around for help from the authorities).
All the best for 2012,
Gary (Gary@isect.com)

Saturday, December 17, 2011

419s still dribbling in

Fresh from my inbox:
"Dear Sir/Madam

We regret to inform that your Visa/Mastercard secure has been set off because to many attendings, and we beleive that others were ussing your details.

Please download the attach  to reactivate the account."
Yeah, right.

To many attendings, eh?  Others ussing my details?  Unbeleivable.

I'm still troubled by the memory of a printed sign I saw in the lobby of a hotel in Sierra Leone, along the lines of "419ers are not permitted here".  Actually I wish I had photographed it for posterity.  Ho hum.

Regards,
Gary (Gary@isect.com)

Saturday, December 10, 2011

Outsourcing POS IT
From Wired

"Four Romanian nationals have been charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers, according to an indictment unsealed Thursday ... The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs."
Which begs the obvious question: why would anyone put their Point Of Sale systems on the Internet, with remote desktop software to boot?  The answer presumably involves the millions of retail outlets that don't have an in-house IT function but rely on external 'point of sale IT specialists' to install, manage and maintain their card readers and often the electronic tills, accounting and stock management systems.

I wonder if the mom-n-pop retailers are sufficiently aware of information security to even be concerned about the implications of outsourcing their IT in this way?

I wonder if the Subway group offers IT support to its franchisees, or recommends/uses local POS IT people?

The POS IT specialists, meanwhile, presumably have the expertise either to do their jobs well and protect their customers (and their customers' customers) or to pull the wool over their customers' eyes.  I wonder how many manage to slip right under the PCI-DSS radar?

Regards,
Gary (Gary@isect.com)

Thursday, December 01, 2011

Sign of the times: M$ hard-up

Wow!  Lucky me!  I've won a prize from the MSN Foundation!
I guess Microsoft must have fallen on hard times.

[Endless junk like this leeches bandwidth from the network, wastes processing cycles, consumes bytes on disk and exercises my grey matter (admittedly, not a lot).  I guess the cretins sending it have nothing better to do except annoy the rest of us.]

Regards,
Gary (Gary@isect.com)

Wednesday, November 30, 2011

Network security awareness

December's awareness module on network security has just been released to our subscribers.   Here's a thumbnail of one of six new security awareness poster designs in the module:
Computer networks, particularly the Internet, enable employees, business partners, suppliers and customers to share information and collaborate more or less instantaneously.  The advantages of networking are enormous and have revolutionized modern business life – we are in the midst of an “information revolution”.  However, the World Wide Web is not unlike the Wild Wild West.  Hackers and organized criminals (the Internet’s outlaws) are plundering vulnerable online businesses to steal the gold (information assets).  There are precious few sheriffs in cyberspace and the outlaws pack powerful weapons.  Consequently there are significant risks associated with networking and strong security controls are necessary to protect the organization’s information assets.

The NoticeBored awareness materials cover a wide variety of information security risks associated with networks and networking, and recommend a corresponding variety of security controls to address them.  The ‘risk-control spectrum’ (one of several diagrams and mind maps provided as an MS Visio file) summarizes many of them in an easily digested format.

It was not hard to find topical examples and recent news cuttings for the awareness newsletter this month, unfortunately, since networking is almost universal and network security incidents often hit the headlines.

Read more about the module here and, if NoticeBored looks like something that would pep-up your flagging or non-existent security awareness program, do get in touch.  I'd love to hear back from you.

Regards,
Gary (Gary@isect.com)

Tuesday, November 22, 2011

Heir Hunters - not

Interesting new slant on an old 419 scam now circulating:
Hello Dear,

I am writing you from Heir Hunters Company in the United kingdom .

Heir Hunters probate detectives looking for distant relatives of people who have died without making a will,

the United Kingdom  government last year made over £18m from uncliamed assets.

When people die intestate ( without a will ) and with no known relatives, their names are released by the Treasury.

Every Thursday, a list of these unclaimed estates, the Bona Vacantia ( Latin for "ownerless goods" ) is published on the Treasury Solicitor's website.

The race is then on for heir locators to track down the often distant relatives in line for a windfall. Often heir hunters pick more unusual names first, as they are easier to trace.

We came across your profile and email while searching  through genealogy database,we will be glad if you can get back to us with your full name, date of birth,

address and your direct number if it corresponds to the information

we have in our data base in order to enable us carry out necessary  verification processes and to get your claim across to you without any delay.

Heir Hunters have handed over thousands and millions of funds to heirs who have no idea of their fortune,some of them ,Holocaust  victims' estates,

whom some of their heirs tried to flee war-torn Europe,but did any of them survive to claim these fortune ?

We will gladly answer this question for you.

Very Truly Yours
Mrs.Sarah Bernstein OR Mr.James Horgan

Tell your family and friends if you think they might fall for it.

Regards,
Gary (Gary@isect.com)

Thursday, November 17, 2011

Singalongapassword

Brian Krebs is an excellent journalist and blogger on information security matters.  He often seems to pick up infosec stories that nobody else covers and his advice is generally sound.

In respect of password choices, however, I think Brian's missing a trick. He offers the stock advice on avoiding common words, using miXed case and punctuation ... etc. all fair enough but neglects to mention the coolest tip of all, which is to use long pass phrases. 

Long passwords used to be counterproductive on old Windows systems that broke them all into weak 7-character chunks.  Windows hasn't done this for years.  The only other issue I'm aware of is that some dinosaurs of the mainframe era still restrict password length to about 8 characters.  But hey, it's only the mainframe, so nothing much to protect there, eh?

My favorite passphrases are the complete lines of songs, complete with punctuation, spaces, capiTaliZation and tricks such as duplicating, omitting or substituting certain characters.  Best of all, I only need to remember one long passphrase - the one that opens my password vault - and I practice it often enough that it sticks in my mind.  When it's time to change it, I simply pick another line or another song, poem or famous quotation, something memorable.  Occasionally I find myself quietly humming along as I type it in, and yes I'm paranoid enough to worry about anyone overhearing me!
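As an added illustration (my own script, not from Brian's post or the NoticeBored materials), here is a short Python estimate of how much of a passphrase's strength survives the three situations mentioned above: a modern system keeping the whole thing, the old Windows LM scheme that upper-cased it and split it into 7-character chunks, and a legacy system that silently keeps only the first 8 characters. The sample secrets are constructed, and the bit counts are plain brute-force upper bounds, not a claim about dictionary attacks on famous lyrics.

```python
import math
import string

# Character classes used to estimate the size of the guessing space.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " ")

def alphabet_size(secret: str) -> int:
    """Smallest 'obvious' alphabet covering every character in secret:
    a class (lower, upper, digit, punctuation/space) counts only if used."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in secret))

def brute_force_bits(secret: str) -> float:
    """Upper bound on strength in bits, log2(alphabet ** length), assuming the
    attacker has to guess character by character. A line lifted unchanged from
    a famous song is weaker than this against a dictionary of lyrics, hence
    the advice above to mangle it with duplicated or substituted characters."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(alphabet_size(secret))

def lm_effective_bits(secret: str) -> float:
    """Strength of the same secret under the old Windows LM scheme: upper-cased,
    cut to 14 characters and split into two independent 7-character halves that
    are cracked separately, so the work is roughly that of the stronger half
    alone and everything beyond character 14 is simply thrown away."""
    upper = secret.upper()[:14]
    halves = (upper[:7], upper[7:14])
    return max(brute_force_bits(half) for half in halves)

def truncated_bits(secret: str, max_len: int = 8) -> float:
    """Strength when a legacy system silently keeps only the first max_len
    characters (the 'about 8 characters' limit mentioned above)."""
    return brute_force_bits(secret[:max_len])

def strength_report(secret: str) -> dict:
    """All three estimates for one secret, rounded to whole bits."""
    return {"full": round(brute_force_bits(secret)),
            "lm_7char_chunks": round(lm_effective_bits(secret)),
            "first_8_only": round(truncated_bits(secret))}

if __name__ == "__main__":
    # Constructed samples: a typical 8-character password and a song-line passphrase.
    for s in ("Tr0ub4d!", "Keep calm, and carry on... (tra-la-LA!)"):
        print(repr(s), strength_report(s))
```

The passphrase wins handsomely on a modern system, but under LM chunking it is worth little more than the 8-character password, which is exactly why length-limited or chunking systems made long passphrases look pointless.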

Regards,
Gary (Gary@isect.com)

Monday, November 07, 2011

Colombian credentials

Presumably as a result of international pressure on the Colombian authorities, a colleague sending me a letter had to attach a photocopy of his REPUBLICA DE COLOMBIA - IDENTIFICACION PERSONAL - CEDULA DE CIUDADANIA (what appears to be his Colombian government-issued ID card), front-and-back including his mugshot and fingerprint, to the "CARTA DE RESPONSABILIDAD" form PR-OP-AD-001-FR-001 endorsed by somebody working for the POLICIA ANTINARCOTICOS at Aeropuerto El Dorado - Bogota.

The bottom of the form reads "Nota: Recuerde que es obligatorio anexar fotocopia del documento de identidad".  With my rather primitive understanding of Spanish, I take that to mean that it was compulsory for the sender to attach the photocopy of his ID card, presumably to be able to send me the letter.

I was absolutely amazed to receive all that personal information 'in plaintext', attached by sticky tape to the rear of the airmail letter that arrived in my NZ postbox today.

I guess the Colombian authorities appreciate that the attached information is personal to the sender and could probably be used as credentials for identity theft.  I presume that nevertheless they insist on it due to the significant risk of drugs being exported via email.  I am astounded that, having checked it, they actually sent the personal information out of the country.
Needless to say, I have destroyed the form and the photocopied ID card.   

Regards,
Gary (Gary@isect.com)

Wednesday, November 02, 2011

Credentials module released

One of this month's awareness poster images
'Credentials' is the rather formal title of November's NoticeBored security awareness module, but in fact the materials cover a wider brief relating to identification and authentication.

Authentication associates a person unambiguously to an identity, excluding others. It reduces the possibility of fraud and hacking, helps maintain the integrity of the systems and data, and is a prerequisite for personal accountability. Authenticated individuals can safely be given access to sensitive and valuable information resources which they are authorized to access. Without authentication, unauthorized access would be a much bigger problem and the information security risks would be even greater.

That said, from the ordinary employee's perspective, the key issues are choosing good passwords and keeping his staff ID card safe.

Regards,
Gary (Gary@isect.com)