Welcome to NBlog, the NoticeBored blog

Bright and shiny information security things that catch my beady eye

May 31, 2012

Insidious insiders



We are in the process of delivering next month's NoticeBored security awareness materials on "Insidious Insiders".  This topic has turned a shade darker since we last covered it, thanks to a number of research studies and warnings from the likes of CERT and the FBI indicating to us that insider threats are escalating.

If you've caught the news this week, you probably saw the unfolding drama at the Vatican concerning leaks of confidential internal matters to the Italian press and allegations that the Pope's butler was involved.  So much for trust and ethics as security controls!  If your organization relies heavily on the trustworthiness and ethics of insiders, perhaps it's time to dust off your insider threat analysis and review where you really stand.

For a few years now, the news media, researchers and various official sources have been consistently playing up the use of industrial espionage by China, in particular, although I'm quite certain that China is not the only bad boy on the block.  As well as malware and hacking from the outside, social engineering and information theft from within are the flavor of the month.  At the same time as they are bleating about the ongoing theft of intellectual property and flagrant disregard for IPR, the evident lack of media concern about industrial sabotage strikes me as rather odd: provided they are measured and reasonably subtle about it, well-placed insiders can quite easily wreck a company's commercial prospects by forcing it to bid inappropriately, miss crucial deadlines, and generally screw around with vital commercial relationships, all without necessarily tipping off senior management.

I can't help but wonder whether substantial delays to both the Airbus A380 and Boeing Dreamliner products were purely the result of wiring and outsourcing concerns (or whatever they claimed), or perhaps, just conceivably, the commercial impacts of skulduggery deep within the ranks.  The aerospace industry is intensely competitive with an enormous amount at stake, including strong national interests and of course the defense side of the business.  Do you think I'm paranoid to believe that there might be more to this massive EU v US bun-fight than perhaps meets the eye?

Regards,

May 21, 2012

Code talkers

The death of a Navajo Indian veteran reminds us of the role played by the Navajo "code talkers" in WWII.  Their obscure language, coupled with the use of codes, provided sufficiently secure communications on the battlefield.  

Regards,

May 8, 2012

Another email scam

An email appeared out of nowhere in my inbox today with no message content, just a very long subject line and a dodgy attachment.

The subject reads: "This mail was intended to you only because your surname seems similar to my late client. A client in our Bank died Five Years ago leaving behind Capital amount {US$17.5M}Read the attached copy and get back to me.Thanks Spencer Clayton".

It's hard to believe anyone would still fall for such a lame attempt at social engineering, but I guess there's a sucker born every minute.  

Regards,

May 7, 2012

The value of awareness

This year's UK information security breaches survey is, as always, a useful source of statistics concerning how real-world organizations are dealing with information security.  It is also, as always, a depressing read for those of us promoting good security practices, particularly (in my case) ISO27k and human factors.


So, 44% of organizations gave additional staff training after their worst breach - presumably they realized that their existing training (and awareness?) activities were lacking.  But what of the other 56%: they either thought their training (and awareness?) was OK (wishful thinking?), or it didn't even occur to them that they might need reinforcement.

26% of organizations "believe" their staff have a very good understanding of their security policy.  Bravo!  However, I can't help but wonder how many of those actually have data to support their belief.  How many of them have the metrics to know?  And what of the remaining 74% of organizations who acknowledge that their staff don't have a very good understanding of their policy: does that mean the policy is opaque, or tucked away in some intranet backwater perhaps?

That three quarters of the organizations with a poorly-understood policy had staff-related breaches implies a strong correlation, although it is not necessarily cause-and-effect.  As well as being promoted in standards such as ISO27k, most infosec professionals would agree that policy is an important security mechanism, for several reasons (e.g. it clarifies the rules for employees, confirms management's overt support for security, and is a litmus test for organizations taking security seriously).  I doubt anyone would seriously claim that having a well-written, readily-understood security policy would make security worse.

Finally, I am dismayed, though not at all surprised, to find that more than half of small businesses don't have any security awareness programme.  I suspect many small businesses don't have IT or HR or Finance specialists, in fact some don't even have experienced, qualified, professional managers as such: they make do with common sense, passion for their core business, and occasionally take advice/assistance from third party professionals such as accountants, lawyers and IT support companies, many of whom are also small businesses.  There are certainly control and governance benefits in being small - information security may not (appear to) be quite the issue that it is for larger organizations since the owner can keep a beady eye on things.  I suspect information security risks and opportunities materially differ in different sized organizations, and it is entirely possible that other considerations such as establishing and maintaining their brands, or securing adequate cash flows eclipse most information security risks although, arguably, brands and cash flows are themselves information-security-related.

Anyway, those are just four of many thought-provoking statistics in the report.  I will be poring over the numbers, gleaning whatever I can and no doubt using some of the key findings in our security awareness materials over forthcoming months.   We've just reduced our minimum annual subscription to below $3,000 in order to appeal to more small businesses: compared to the risks of not having an effective security awareness program, and the costs and difficulties of creating an awareness program in-house, we think that's a sound investment, but naturally we are biased.  What do you think?

Regards,

May 2, 2012

Cryptohistory

Information security took great strides forward during WWII, particularly in the field of cryptography and cryptanalysis.  With help from their allies (particularly the Poles), the boffins at Bletchley Park were able to piece together details of many of the encryption schemes used by the Axis forces and succeeded in breaking some of them, thanks in part to inventing computers to crack crypto keys.
 
Regards,

Trusting Bruce Schneier

Yesterday I was in Wellington to see Bruce Schneier speak about his latest book, Liars and Outliers.  For about an hour, he discussed the concepts covered in the book:
  • Security exists to enable us to trust each other (both individually and institutionally), where 'trust' is a complex issue
  • In addition to morals, reputation and legal controls, security gives society some control over those who behave selfishly, furthering their own personal interests rather than those of society as a whole, helping to stabilise the societies
  • Real life is far more complex than this implies - for instance, individuals belong and have allegiance to multiple overlapping "societies" e.g. family, groups of friends and colleagues, organizations, nations, cultures and professions
It will be interesting to read whether the book discusses the fragility of many human societies, for instance the looting that commonly occurs when civil disobedience leads to rioting.  Many of us are evidently prepared to break the rules of society and act in our own interest when the opportunities arise.

As usual, I will publish a review with further comments and impressions once I've actually read the book. [I trust that it will be worth reading.]

Meanwhile, thanks to Bruce for coming all the way to NZ to speak to us.

Regards,

Historical security awareness module



We sometimes mention historical incidents in the NoticeBored materials but this is the first time we have gone into any depth on the history of information security.  May’s brand new awareness module plucks interesting stories and anecdotes from the annals of history to set people thinking, drawing out the information security aspects that remain relevant today.
Our timeline stretches from pre-history to the future.  Novel security technologies and techniques developed in wartime include both offensive weapons and defensive measures.  The use of information as a weapon is a theme throughout history, hence information security is far older than any of us.

This is not a history lesson as such - we have been very selective about the issues we have covered, with the aim of finding items of interest and relevance to employees in general, management and techies.
We prepared the NoticeBored awareness materials to satisfy the following learning objectives:
  • Inform employees generally about the history of security, entertaining them and sparking their interest through a potted selection of security-relevant incidents and anecdotes spanning the millennia from evolutionary pre-history to science fiction;
  • Point out that many well-known ancient threats, attack methods and techniques are still around, while others re-emerge from time to time;
  • Prompt employees to consider the relevance of information to battles and wars, and hence the value of protecting and exploiting information in business and other contexts;
  • Identify historical controls, technologies and techniques that remain valuable in securing today’s information and other assets;
  • Act as a platform, the creative basis on which you can customize, adapt and enhance the materials to suit your own security awareness purposes without having to start from scratch.

Regards,