Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Jun 23, 2017

NBlog June 22 - phishing myopia strikes again

A piece in the Redmond Magazine "Protecting Office 365 from Attack" caught my eye today - specifically this chunk on "User-Awareness Training" [sic]:
"One of the most effective but underutilized strategies for defending your network against malware such as Osiris/Locky is user-awareness training. Because it's impossible to catch all malware, your users are the last line of defense for your network, and they should be trained as such. Accordingly, you should implement the following user-awareness training strategies:
  • Threat awareness: Have your users take refresher courses on how to identify a phishing attempt and the importance of their participation in the fight to defend resources against malware once every quarter. Specifically, they must learn not to engage with any suspicious e-mail, report suspicious e-mail, and ensure that their endpoints are protected with anti-malware software and effective backups. It might sound simple, but many users still aren't aware of this.
  • Phishing Simulators: A very effective method of user training is the implementation of a phishing simulator. There are several free phishing simulator options available that allow you to create a simulated phishing campaign that you can send to your users. Those who fall victim to the simulation will be impacted far greater than any passive training course could ever achieve. Of course, you must obtain the proper permission from all authoritative stakeholders before pursuing this type of training."
Skimming deftly past the fact that "User-Awareness" literally means being aware of users (as in IT users, presumably, though drug users is the more usual implication), the author's conflation of training (as in dog-training) with awareness makes this rather lame advice. It's superficial at best, admittedly just a small part of an article about securing Office 365 - Microsoft's answer to Google's online creative/collaborative tools.

Aside from the naive but typical myopic focus on phishing, there are so many other angles to security awareness, even in relation to Office 365 specifically, that it's hard to know where to start. FWIW here's a quick brain dump:
  • Security awareness for the managers responsible for enabling and authorizing use of online tools (e.g. helping them understand the risks and opportunities associated with various approaches and tools, the governance implications of using third party information services for business purposes, and how to measure this stuff through appropriate security metrics ...)
  • Security awareness for the technologists responsible for the associated technologies, filling-in some of the stuff they probably weren't taught at college (e.g. network security and crypto key management, logging and alerting, cloud insecurity, click-to-run automatic patching and security awareness ...)
  • Security awareness for customers, partners and other interested parties (e.g. how to spot and deal with phishing attacks using the organization's own brands, domains, people's names, project names etc. as lures ...)
  • Confidentiality, integrity and availability aspects, including incidents other than "attacks" (e.g. taking care to avoid inadvertent or inappropriate disclosure, privacy aspects such as trans-border processing, typos and outages, spotting and dealing with fraud ...)
  • Identification, authentication and access controls (e.g. online passwords, sharing files ...)
  • Business continuity (e.g. the pros and cons of online and offline toolsets, identifying critical aspects, ensuring resilience and recovery plus true contingency preparation ...)
  • Roles and responsibilities, plus accountabilities, plus compliance ...
  • Intellectual property rights, piracy And All That ...
  • Collaborative working and social engineering in general ...
  • Bugs! plus design flaws, secure development, testing, change-, version- and configuration-management ...
  • The rest of malware (just imagine the implications, for instance, if say Office 365, Google Docs and/or other online office services were hijacked by doomsday ransomware that affected all their clients simultaneously ...)
Against that backdrop, do you see what I mean when I call phishing awareness myopic? Phishing is an important security awareness topic, just one of many. Ignore the rest at your peril.


Jun 21, 2017

NBlog June 21 - a positive spin on auditing

Over on the ISO27k Forum, a member told us about having passed an ISO/IEC 27001 certification surveillance audit with a minor noncompliance. The auditor reported that the firewall's firmware had not been updated since a year ago despite the availability of a more recent update. The auditor was concerned that this left the network exposed to malware such as Wannacry.

While not disputing the facts, reading between the lines, the auditee was clearly disappointed that this had been raised because the information risk does not seem significant, given that the organization has other effective controls in this area. A negative audit finding, even something as trivial as a minor nonconformance, can be hard to accept if you genuinely believe you are doing a great job. There may not be fireworks but it's a challenge, for sure, a knock to one's integrity and credibility.

Leaving aside the certification aspects for a moment, if it were me in that situation I’d be inclined to ask why the firewall firmware was not updated. Was or is there a good reason for NOT doing the update, for not addressing the information risks? 
  • Did the organization not even know there was a firmware update? If not, that points to a possible lack of communication/coordination with vendors (possibly on other platforms too) or something else. 
  • Did the organization know about the update but ignored it? Why? Was there some higher priority, or a lack of resources, a lack of policy or a broken process, or what? 
  • Did this ‘fall between the cracks’, for instance if there are several people or teams involved, each of whom thought it was someone else’s problem (hinting at a governance issue)? 
  • Did the organization know about the update, assess it and the associated information risks (which, by the way, arise from both doing and not doing the update, as well as how and when to do it) and choose not to go ahead with it for a genuine business reason (e.g. the update does not address the risk)? If so, is there evidence of the assessment and risk acceptance decision, properly authorized by management? If that wasn't properly recorded/documented, maybe the process wasn't being followed correctly or maybe it needs to emphasize retaining such evidence in future. 
  • Did someone misunderstand or incorrectly assess the risk? What actual or potential consequences might that have caused? How serious is it? Does something need to be fixed here? 
  • Is the organization in fact planning to do the update at some point? That begs the classic audit response: “OK then, show me the plans and the resources allocated”! 

It would presumably be possible simply to update the firmware and close off the specific issue … but asking lots of questions in and around the area can help determine the real, underlying reasons for this little incident, and presents an opportunity to improve/mature your ISMS, which is of course A Good Thing. Taken in the right spirit, incidents (including audit comments) and near-misses are learning opportunities.

As an inherently optimistic former (reformed) IT-focused internal auditor, I heartily recommend taking nonconformances and other comments or concerns as prompts to at least openly consider and ideally make improvements. Try looking at things from the auditor’s perspective, responding positively to the audit and going a little out of your way to move things along in the right direction … unless you honestly feel the auditor is mistaken or misguided or whatever. That does happen (e.g. with naïve/inexperienced auditors, perhaps a junior obsessed with the Wannacry incident, and “jobsworth” tick-n-bash auditors who are only concerned about the tiny strip of the world they see through their blinkers) but it is unusual: be wary of going down that line, and be prepared to provide hard evidence to back up your assertions for what might turn out to be a full and frank discussion with the auditors. 

In my experience, issues like this are more to do with the organization’s evolving relationship with the auditors and appreciation of the audit rôle than with the actual findings. Also, in my experience, there are lots of little issues of this nature in every organization: auditors are spoilt for choice! Usually, auditors are aware of other stuff too but, for various reasons, choose to ignore them (this time around) and focus instead on a few specific issues that they feel are either significant in their own right, or are potentially valuable learning/improvement opportunities, ways to force the organization to bring deeper issues to the surface and deal with them. There’s quite an art to evaluating the findings and preparing audit reports which may not be obvious if you have never been an auditor and only see the end product. The decisions about whether the issue is reportable and if so how to report it (e.g. a major or minor nonconformance, a formal observation and maybe a recommendation, an off-the-record comment/suggestion, or merely a subtle hint in passing) are quite complex and subjective in practice.

The auditor's risks, liabilities and professional obligations are a particular concern, especially with formal external audits such as certification audits. If for whatever reason something was spotted but not reported, and it subsequently turned out to be a significant issue (e.g. if a serious malware infection or hacking incident had subsequently occurred in this case, materially harming the organization), the auditors could face some difficult questions, conceivably even legal action. They have get-out-of-jail-free cards to play concerning various theoretical and practical constraints on the audit work and their contract or terms of engagement, but still it's an awkward position to defend. 

By the way, it’s an excellent idea to build friendly professional relationships and chat to the auditors informally if you get the chance, preferably throughout the assignment. Most don’t bite and like to be consulted. Ask to see the evidence, check their understanding and risk assessment, and find out what particular aspects caught their attention. Talk through your options. Try hard to remain open-minded - suspend your disbelief and get over being affronted that they found something. Maybe they are indeed wrong ... but you might just find they are on to something (not necessarily what they think or state is the issue!), or there might be other/better ways to respond.

Gary (Gary@isect.com)

Jun 20, 2017

NBlog June 20 - workplace infosec policies

Protecting information in the workplace is such a broad brief that we're working on 4 policy templates for the July awareness module:

  1. Workplace information security policy - concerns the need to identify and address information risks wherever work is performed, and wherever valuable information exists (not just at the office!). This is an update to our 'office security policy'.
  2. Information retention policy - the timescales for retention and/or the criteria for disposal, of information should be specified when it is classified, along with the security requirements for safe storage, communications and access.
  3. Information disposal policy - when information is no longer required, it may need to be disposed of securely using forensically sound techniques.
  4. Information classification policy - updated to reflect the need to specify retention and destruction requirements where applicable (e.g. if mandated in laws, regulations or contracts).

Several other information security policies are also relevant - in fact virtually all of them - but if we attempted to promote them all, the key awareness messages would be diluted and lose their impact. Even citing all the relevant policies from those 4 would become unwieldy, so instead we pick out those few that are most important in this context.

This situation illustrates the value of a coherent and integrated suite of information security policies, designed, developed and managed as a whole. Having personally written all our policies, I appreciate not just what they say, but what they are intended to achieve and how they inter-relate. At the same time, I'm only human! Every time I review and revise the policies, I spot 'opportunities' ranging from minor readability improvements to more substantive changes e.g. responding to the effects of BYOD and IoT on information risks. Revising a policy is also an opportunity to refresh the accompanying security awareness materials, reminding everyone about the topic.

Given that the landscape is constantly shifting around us, policy maintenance is inevitably an ongoing task. So when was the last time you checked and updated yours?

Hinson tip: sort the policy files by the 'last updated' date, and set to work on at least checking the ones that haven't been touched in ages. It's surprising how quickly they become limp, lackluster and lifeless if not actually moldy like stale bread.
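The tip above is easy to automate. The script below is an added example (not code from the NoticeBored blog): it walks a folder of policy files, works out when each was last reviewed, and lists the stale ones oldest first. It assumes a house convention of a `Last reviewed: YYYY-MM-DD` line inside each policy and falls back to the filesystem modification time only when that line is missing or malformed, because copying, restoring or rebuilding a server quietly resets mtimes and would make every policy look freshly maintained. The sample folder it builds is constructed for the demonstration.

```python
"""Flag information security policies that have not been reviewed recently.

Added example, not from the NoticeBored blog: walks a folder of policy files,
works out when each was last reviewed and lists the stale ones oldest-first,
automating the 'sort by last updated date' tip.

The review date comes from a 'Last reviewed: YYYY-MM-DD' line inside the file
when present (an assumed house convention); otherwise it falls back to the
filesystem modification time, which is less trustworthy because copying,
restoring or rebuilding a server resets it.
"""
import os
import re
import tempfile
from datetime import date, datetime, time, timedelta
from pathlib import Path

REVIEW_LINE = re.compile(r"^Last reviewed:\s*(\d{4}-\d{2}-\d{2})\s*$",
                         re.IGNORECASE | re.MULTILINE)
POLICY_SUFFIXES = {".md", ".txt"}  # assumed: the file types policies are kept in


def last_reviewed(path):
    """Return (review date, 'header' or 'mtime') for one policy file."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        text = ""
    match = REVIEW_LINE.search(text)
    if match:
        try:
            return date.fromisoformat(match.group(1)), "header"
        except ValueError:
            pass  # header present but not a real date: fall back to mtime
    return datetime.fromtimestamp(path.stat().st_mtime).date(), "mtime"


def find_stale_policies(root, max_age_days=365, today=None):
    """Policies not reviewed within max_age_days, as (name, age_days, source), oldest first."""
    today = today or date.today()
    root = Path(root)
    stale = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in POLICY_SUFFIXES:
            continue
        reviewed, source = last_reviewed(path)
        age = (today - reviewed).days
        if age > max_age_days:
            stale.append((path.relative_to(root).as_posix(), age, source))
    stale.sort(key=lambda item: item[1], reverse=True)
    return stale


def build_sample_policy_folder(today):
    """Create a constructed sample policy folder; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="policies-"))

    def write(name, body, mtime_days_ago=None):
        path = root / name
        path.write_text(body, encoding="utf-8")
        if mtime_days_ago is not None:
            stamp = datetime.combine(today - timedelta(days=mtime_days_ago), time(12)).timestamp()
            os.utime(path, (stamp, stamp))

    write("acceptable_use.md", "# Acceptable use\nLast reviewed: %s\n" % (today - timedelta(days=30)))
    write("office_security.md", "# Office security\nLast reviewed: %s\n" % (today - timedelta(days=900)))
    # malformed header date, so the mtime (set to 500 days ago) decides
    write("retention.txt", "Information retention policy\nLast reviewed: 2017-13-40\n", mtime_days_ago=500)
    write("notes.pdf", "not a policy file", mtime_days_ago=2000)  # ignored by suffix
    return root


def demo(today=date(2017, 6, 20)):
    """Run the check over the constructed sample folder."""
    return find_stale_policies(build_sample_policy_folder(today), 365, today)


if __name__ == "__main__":
    for name, age, source in demo():
        print("%-22s %5d days since review (%s)" % (name, age, source))
```

Run it against the real policy folder by calling `find_stale_policies("/path/to/policies")`; anything reported with source `mtime` deserves a second look, since the date then says nothing about when a human last read the policy.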


PS  If you have to scrabble around just to find all the policies before sorting them, well the learning point is obvious, isn't it?

PPS  No, I think it's a daft idea to have a policy on policy maintenance!

Jun 19, 2017

NBlog June 19 - weekend report

Hey, a weekend off! The weather was fine (no rain, blue skies) so we got some outside jobs done, including removing yet another fallen tree (about the fifteenth from the cyclone in April), repairing and installing a gate and dispatching a dozen fattened lambs to market.


Jun 16, 2017

NBlog June 16 - dress down Friday

Every day is dress-down day in the IsecT office. Like most Kiwis, we much prefer comfortable clothes to formal attire such as business suits and ties. Why anyone - especially knowledge workers - would voluntarily choose to don a noose that constricts the flow of blood to their own heads is beyond me. The necktie is a bizarre fashion legacy from the fifteenth century - the very antithesis of 'smart'.

Anyway, today was a tad more laid-back than I anticipated. I got up with the very best of intentions to crack on with the module, only "stuff" occurred.

Firstly came a string of emails from the CSA (Cloud Security Alliance) inviting me to get involved in their work on cloud and IoT security. They are doing fabulous things and it's very flattering to be asked, except I can't afford the time to wade in. By a process known as Chinese whispers (telephone in the US), my simple, naive inquiry about their activities on IoT security got transmogrified into an offer to help out. I'd love to, but I can't, sorry.

Next came the realization that one of the websites I manage on behalf of a group I belong to had fallen into a black hole when I rebuilt the server some months ago. As I tried to recover the site, I remembered why it wasn't already running: NetObjects Fusion (possibly the worst website management software) had, once again, scrambled the site beyond repair, entailing an hour or two regenerating and reloading the site from scratch.

Then a knock at the back door from a flustered Deborah told me one of our cattle was the wrong side of a 7-wire fence ... which meant leaving the office and donning my fencing garb to retrieve the beast and repair the fence. It's winter here, hence lots of mud and a fair bit of cow poo. Good thing I wasn't wearing my best suit!

After a quick lunch al-desko, another urgent farm job popped to the very top of my honey-do list: Deborah needed my help to round up and tidy up some sheep ready to send them to market on Monday. Apparently it is due to rain later today or over the weekend, so it couldn't possibly wait. Another few hours of my working day down the Swanee.

Finally at 5 pm I returned to the sanctuary of the office to write a case study for the workplace information security awareness materials and update this blog. It is officially drink o'clock so as I write these words a large glass of plonk is helping me relax as I contemplate a predicted rainy weekend ahead, catching up on work in the office no doubt.

"I'm only happy when it rains" rings true right now.

I've worked in more than enough organizations to appreciate the frustrations of "stuff" that is not "work" in a corporate context. There are meetings, meetings about meetings, quick jobs that are anything but quick, urgent tasks which wouldn't have been urgent if only someone had listened to someone pleading to get on to it sooner, and myriad other diversions of everyday office life. Filling in time sheets was one of the low-lights of my career, especially when management complained that I was working one and a half or two standard working weeks per week, and seemed curiously upset that I insisted on accounting for "Time spent completing pointless and counterproductive office admin". Against that backdrop, a few hours fencing and chasing sheep into the yards seems quite a pleasant way to waste my day.


Jun 15, 2017

NBlog June 15 - nose to the grindstone

Having completed and submitted our bids yesterday, it's back to the day-job today, picking up where we left off the workplace information security awareness module.

Well, it would be noses-to-the-grindstone ... except MS Office is playing up for no obvious reason, so I sit here watching the clock tick while it reinstalls, again, idly wondering why an organization the size of Micro$oft can't be bothered to put enough resources and effort into sorting out its numerous information security and quality problems properly, for once ... and so here I am an hour and much frustration later. It seems to be running, for now, sort-of: Outlook still tells me it isn't activated while the Office365 online site says "We’re still setting a few things up, but feel free to get started" (thanks a bunch: it was working until you screwed it up, M$). No clue what was wrong with it - lack of oomph in the dilithium crystals or something. Given how keen M$ is to charge us, perhaps we should send them an invoice for my wasted hour - just another in a long, long run and I'm SURE it won't be the last.

Sorry, rant over.

As I was saying, the awareness module is coming along. Given the diverse nature of the modern workplace, the information risks and associated security controls are equally diverse, hence in some ways the module is losing focus - and yet that very diversity, along with the evolution of "work", presents challenges worth exploring. As I said the other day, workers are increasingly mobile while work of all kinds is increasingly IT-enabled, so the traditional emphasis on physical office security is becoming less relevant. Simply figuring out what the organization's information assets are, plus relevant third party information assets (not least BYOD and IoT things) plus where they are located, is hard enough even before we get down to assessing and deciding what to do about the information risks.


Jun 14, 2017

NBlog June 14 - the periodic table of atomic controls

Many information security controls are multi-purpose, hence they could be specified in several places, several policies plus procedures and standards and guidelines etc. That multiplicity creates a nightmare for the ISO/IEC JTC1/SC27 project team trying to generate a succinct version of ISO/IEC 27002 without duplications, gaps or discrepancies in the control catalog. It’s also a potential nightmare for anyone writing corporate policies, or an opportunity depending on how you deal with it. 

My current pragmatic approach is to mention [hopefully] all the important controls in each topic-specific policy template, with a reference section that mentions other related policies, creating a kind of policy matrix. I’m still wary of gaps and discrepancies though: with 60+ policies in our matrix so far, it’s fast approaching the limit of my intellectual abilities and memory to keep them all aligned! It’s an ongoing task to review and revise/update the policy templates, without breaking links, creating discrepancies, or missing anything important.

My mention of ‘control catalog’ hints at a more rigorous approach: a database where every control is listed once, definitively, and then referenced from all the places that need to describe or mandate or recommend the controls. That in turn requires us to be crystal-clear about what constitutes a control. User authentication, for instance, is in fact a complex of several controls such as identification, challenge-response, cryptography, biometrics, enrolment, awareness, logging, compliance, passwords/PINs and more. Some of those are themselves complex controls that could be broken down further … leading to the ultimate level of ‘atomic controls’ or ‘control elements’. The control catalog, then, would be built around a kind of periodic table of all known atomic information security controls, which can be used individually or assembled into 'molecular controls' mitigating various information risks.  
Extending the analogy, it would be helpful if our periodic table (or 'information security elemental control catalog' or whatever we end up calling it) had a rational structure, some sort of logical sequence with groupings of related atomic controls in much the same way that, say, the 'noble gases' are clustered together on the real periodic table, giving the colored regions. Also, the atomic controls would need to be rigorously specified, with equivalents for the atomic number and other chemical parameters. Right now, though, I can only guess at some of the parameters that might be used to group related atomic controls: I suspect a structure might emerge once the complex controls are decomposed, the constituent atomic controls are identified, and they start piling up in a big unsightly heap. These are just some of the complexities that SC27 is currently grappling with in the ongoing revision of ISO/IEC 27002.

It’s also, by the way, something where we might help out SC27 by compiling our periodic table. At the SC27 meeting in Hamilton, I tried unsuccessfully to persuade one of the project groups to set to work on that, instead of what they were proposing to do (yet another revamp of the glossary). It’s really a sizable research project, an idea for some enterprising academic, MSc/PhD student or research team maybe. It's entirely possible that someone out there is already on to it. If so, I'd love to hear about or from them. Do please get in touch.

Regards,
Gary (Gary@isect.com)

PS  I published this blog item on LinkedIn to reach a wider spectrum of readers. Michela Liavaag kindly pointed out that NIST SP800-53 has a controls catalog ... but the controls listed in Appendix F are compound or complex controls, not elemental. I'm proposing to take the analysis down to the lowest level, to the building blocks from which practical controls are assembled.
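To make the 'control catalog' idea concrete, here is an added example (my sketch, not the blog's, SC27's or NIST's work) of the data structure the post describes: every control is defined exactly once, molecular controls are lists of the ids of their constituents, and policies cite control ids rather than restating the control. Decomposing 'user authentication' follows the list of constituents given in the post; the control ids, the split of cryptography into key management and algorithms, and the policy names are constructed for illustration. The `audit()` method reports the three things the post worries about when maintaining a policy matrix: references to controls nobody defined (discrepancies), atomic controls no policy relies on (gaps), and controls defined twice (duplicates).

```python
"""A minimal control catalog with atomic and 'molecular' controls, policy
cross-references and consistency checks.

Added example, not the blog's, SC27's or NIST's work. Every control is
defined once; composite controls name their parts by id; policies cite
control ids. Ids, the cryptography split and policy names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    parts: tuple = ()  # ids of constituent controls; empty means atomic


class ControlCatalog:
    def __init__(self):
        self.controls = {}    # cid -> Control, defined exactly once
        self.policies = {}    # policy name -> set of cited control ids
        self.duplicates = []  # cids something tried to define a second time

    def add_control(self, cid, name, parts=()):
        if cid in self.controls:
            self.duplicates.append(cid)  # discrepancy: a second definition
            return
        self.controls[cid] = Control(cid, name, tuple(parts))

    def add_policy(self, name, cites):
        self.policies[name] = set(cites)

    def atoms(self, cid):
        """Set of atomic control ids beneath cid (cid itself if atomic).

        Unknown ids are returned as-is so audit() can report them; a cycle in
        the composition graph is tolerated rather than looping forever.
        """
        result, seen, stack = set(), set(), [cid]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            control = self.controls.get(current)
            if control is None or not control.parts:
                result.add(current)
            else:
                stack.extend(control.parts)
        return result

    def matrix(self):
        """Atomic control id -> sorted policies relying on it, directly or via composites."""
        rows = {}
        for policy, cites in self.policies.items():
            for cite in cites:
                for atom in self.atoms(cite):
                    if atom in self.controls:  # dangling ids are audit findings, not rows
                        rows.setdefault(atom, set()).add(policy)
        return {atom: sorted(pols) for atom, pols in rows.items()}

    def audit(self):
        """Findings: dangling references, atomic controls no policy cites, duplicates."""
        known = set(self.controls)
        undefined = set()
        for control in self.controls.values():
            undefined.update(set(control.parts) - known)
        for cites in self.policies.values():
            undefined.update(cites - known)
        relied_on = set(self.matrix())
        uncited = sorted(cid for cid, c in self.controls.items()
                         if not c.parts and cid not in relied_on)
        return {"undefined": sorted(undefined), "uncited": uncited,
                "duplicates": sorted(self.duplicates)}


def build_sample_catalog():
    """Constructed sample: the post's decomposition of user authentication plus deliberate defects."""
    cat = ControlCatalog()
    for cid, name in [("ID", "Unique user identification"), ("CHAL", "Challenge-response"),
                      ("KEYMGMT", "Cryptographic key management"), ("ALGO", "Approved algorithms"),
                      ("BIO", "Biometric verification"), ("ENROL", "User enrolment"),
                      ("AWARE", "User awareness"), ("LOG", "Event logging"),
                      ("COMPLY", "Compliance checking"), ("PWD", "Passwords and PINs"),
                      ("CLEAR_DESK", "Clear desk")]:
        cat.add_control(cid, name)
    cat.add_control("LOG", "Audit logging")  # duplicate definition (defect)
    cat.add_control("CRYPTO", "Cryptography", ["KEYMGMT", "ALGO"])
    cat.add_control("AUTH", "User authentication",
                    ["ID", "CHAL", "CRYPTO", "BIO", "ENROL", "AWARE", "LOG", "COMPLY", "PWD"])
    cat.add_policy("Access control policy", ["AUTH"])
    cat.add_policy("Logging policy", ["LOG"])
    cat.add_policy("Workplace policy", ["PHYS"])  # cites an id nobody defined (defect)
    return cat


if __name__ == "__main__":
    catalog = build_sample_catalog()
    print("Findings:", catalog.audit())
    for atom, policies in sorted(catalog.matrix().items()):
        print("%-10s relied on by %s" % (atom, ", ".join(policies)))
```

The matrix is the useful by-product: when an atomic control changes, it tells you every policy that needs re-reading, which is exactly the 'without breaking links' problem the post raises.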

Jun 12, 2017

NBlog June 12 - nothing small about business

As a small business, we have to do much the same stuff that any business has to do, such as:

  • Marketing, promoting and selling our products e.g. maintaining and updating our websites, preparing advertising copy etc.
  • Procurement and sales administration - licensing, invoicing etc.
  • Customer and supplier relations
  • Financial administration: budgeting, accounting, tax, expenses, pay & rations
  • HR & personal development
  • IT - hardware, software, firmware, wetware and - yes - IoT
  • Information risk and security, including awareness (golly!)
  • Strategy, governance, compliance 
  • Planning, resource allocation, prioritization
  • Market and competitor analysis
  • Research and development
  • Operations/production - working hard to make the products we sell
  • Quality assurance and quality control
  • Packaging, delivery and logistics
  • Elf'n-safety
  • Blogging and other social marketing/social media stuff

In our case these are on a smaller, simpler scale compared to, say, a multinational megacorporation, but they are no less important to the business. The key difference is that (with some exceptions, namely our elite band of trusted advisors and specialist service providers) we rely on ourselves - our capabilities, expertise and skills across all of those areas, rather than calling on departments, teams and individuals who specialize. That necessarily makes us generalists, Jacks-of-all-trades with the attendant practical constraints and risks. We are constantly juggling priorities to meet deadlines.

On the other hand, being personally involved with virtually everything going on means we don't have the regimented hierarchy, internal communications issues, corporate politics and so forth of larger organizations. We are glad not to suffer the enormous inertia and conservatism that plague large, mature organizations, nor the attendant overheads. We don't need to consult the rule books, check the policies and refer to the procedures to get stuff done. We can make substantial changes almost the very moment we decide to do something different, provided we have the resources - the knowledge and time mostly but also the motivation which stems from doing a good job, being respected and most of all being commercially successful. Minimal overheads help but still we need income.

One of my tasks for the past week has been to prepare bids for a couple of prospective customers against their formal Requests For Tenders (RFTs), no doubt prepared by vast teams of procurement and legal specialists over the preceding weeks or months. Whereas they were able to spread the efforts and costs of planning, preparing, reviewing, approving, issuing and administering the RFTs across several people and functions representing a tiny fraction of their organizations' total activities and costs, we have no option but to dedicate almost all of our available resources to bidding. It's disproportionately costly for us, yet we have little option if we want the business.

We're used to squeezing a quart from the pint pot, but going for the whole gallon? Well, something has to give. With deadlines approaching and assorted jobs piling up on the side, I may be blogging less often for a while. Normal service will be resumed as soon as possible.

On the upside, the more bids we prepare, the more efficient and effective we become at doing so. At least, I tell myself that's the cunning plan that stops me becoming totally snowed-under.


Jun 10, 2017

NBlog June 10 - beyond the cubicle

As information risks change, existing information security controls ought to be reviewed and if necessary updated. Abrupt, major changes tend to be obvious and, in mature organizations, trigger the risk review and security update process, whereas gradual, incremental changes may creep up on us unnoticed.

Working practices are evolving. We are spending less time tethered to our desk-based 'workstations' these days, and more time on the move, whether just wandering around the office from meeting to meeting, traveling between offices and other workplaces (and working on the hoof), working from temporary and makeshift workplaces or working from home (if only to avoid the tedium of commuting). 

The nature of 'work' is also evolving thanks to automation (e.g. robotics, computer-controlled machinery and IoT things) and networking (e.g. the Web plus WiFi, Bluetooth and cellular): manual labor is being supplemented or replaced by intellectual labor - we're thinking more than doing, 'working smarter not harder' as the trite saying goes. Higher-level qualifications are increasingly being demanded even for junior positions - and the impact that social change is having on those without qualifications cannot be ignored.

Talking of social change, we are interacting with expanding and diffuse social networks including people we have never met in person and who work for other organizations, as much as our close work colleagues. Physical distance is becoming less relevant, while [some] cultural and language barriers are sliding if not toppling. 

So, July's awareness module on workplace information security presents an opportunity for our customers to take stock, to consider the evolutionary changes that have already occurred plus those that are ongoing and likely to come along, from the perspective of the information risks and hence the security requirements. This is awareness in the broadest sense, opening eyes to the stuff going on beyond the cubicle.

Workplace information security is an important awareness topic with profound implications for us and our organizations. Subscribe to NoticeBored this month to receive the July materials. Tell your iPad or fridge to email me.


Jun 9, 2017

NBlog June 9 - Weaving the Web

One of the pleasures of my job is continual learning, doing my best to keep up with the field. I read loads, mostly on the Web but I also maintain a physical bookshelf well-stocked with books ... including:

Sir Tim Berners-Lee recounts the original design and development of the World Wide Web in the 1980s and 90s. This is more than merely an authoritative historical account, however valuable that may be. Tim elaborates on his big dreams and deep personal philosophy that drove him to conceive and gift to humanity the most powerful information technology invented - so far.

62 years ago when Tim was born (happy birthday!), ENIAC was in the final few months of its life and the 5,000-tube UNIVAC was just 2 years into commercial production. Computers were monstrous beasts with (by today's standards) minimal processing, storage and communications capabilities, yet ironically they were known as 'electronic brains'. Networking was virtually nonexistent, and email wasn't even invented until Tim was 16.

Tim's early fascination with the 'power in arranging ideas in an unconstrained, weblike way' led him to create technologies to support that aim. This was true innovation, not merely coming up with bright ideas, wouldn't-it-be-nice pipe-dreams and theories but putting them into practice and exploring them hands-on. He has remained hands-on ever since, and is the Director of the World Wide Web Consortium.

Tim's vision extends way beyond what we have right now, into the realm of artificial intelligence, machine learning and real-time global collaboration on a massive scale, the 'semantic web' as he calls it. But in the sense of a proud parent watching their progeny make their way in the world, I suspect he is keen to see the Web develop and mature without the shackles of his own mental framework. The free Web ideal is closer to free speech than free beer.

Bottom line: a fascinating insight into modern life. Highly recommended and a steal at just $13 from Amazon.