Welcome to NBlog, the NoticeBored blog

Like the finer things in life, quality trumps quantity.

Dec 2, 2014

There's more to awareness than phishing


  1. Apps - about integrating information security into the software development/acquisition lifecycle, and mobile apps;
  2. Bugs! - security vulnerabilities created by errors or flaws in program specification, design, coding or configuration by software development professionals and end-users;
  3. Business continuity - business impact analysis, resilience, disaster recovery and contingency ;
  4. BYOD (Bring Your Own Device) - the pros and cons of allowing employees and third parties to use their personal tablets, laptops, smartphones etc. for work purposes;
  5. Change management - this module covers the intersection between change management and information security management, taking in risk management, compliance, patching, testing, configuration and version management, and more;
  6. Cloud computing - covers the information security aspects of cloud computing;
  7. Compliance and enforcement - fulfilling obligations under information security-related laws, regulations, standards, contracts etc. plus internal corporate policies, procedures and guidelines;
  8. Computing on the go - securing portable ICT devices such as laptops, USB memory sticks, PDAs, smartphones and all manner of boys’ toys;
  9. Cryptography - a fun, lightweight introduction to the rather heavy topic of encryption and other cryptographic applications;
  10. Cybertage - ‘sabotage in cyberspace’ concerns the use of information and IT systems as weapons to commit sabotage, and sabotage of information and IT assets.
  11. Database security - securing large collections of valuable data against hackers, corruption, loss etc.;
  12. Digital forensics - forensic investigation of data relating to information security incidents;
  13. Email - security aspects of email plus other electronic person-to-person chatting/messaging tools such as Skype, Instant Messager, Twitter, blogs and more;
  14. Ethics and trust - trust and trustworthiness are closely related to ethics and morality;
  15. Governance - roles, structures and reporting lines for the information security management function and its relationships with others such as risk management, IT audit and general business management;
  16. Hacking - tips to counteract hackers, crackers, industrial spies, insider threats, scammers, criminals and other adversaries exploiting network, software, hardware and human vulnerabilities;
  17. History of security - looks at the evolution of information security techniques and technologies through the ages;
  18. Hi-tech infosec - risks and controls involving IT- or cyber-security;
  19. Human error - explores the human side of information integrity including booboos, blunders and gaffes;
  20. Human factors - the human side of information security - security culture, awareness, policies and more;
  21. Incident management - the cyclical process for identifying, reacting to, containing, resolving and learning from information security incidents;
  22. Information protection - obligations to protect information assets, plus information classification and baseline security controls;
  23. Information Security 101 - a general, multi-topic starter module covering the basics of information security for new employee orientation sessions and to accompany the launch of your security awareness program.  MORE
  24. Information security risk management - processes to identify, examine and treat the full spectrum of information security risks, in the context of corporate risk management as a whole;
  25. Insider threats - security threats arising from employees on the payroll and third party employees working for/within the organization in a similar capacity;
  26. IPR (Intellectual Property Rights) - protecting our own rights and interests while also respecting others’;
  27. IT auditing - understand what makes IT auditors tick, what they do, and how to work with them more effectively;
  28. Knowledge - protecting intangible information assets and intellectual property;
  29. Learning from information security incidents - improving security in response to incidents that involve the organization, or indeed third parties (situational awareness);
  30. Lo-tech infosec New for NovemberHot topic! - concerns those important parts of information security that lie beyond IT-security or cyber-security;
  31. Network and Internet security - all manner of information security issues arising from networking and internetworking, the Web And All That, including the Internet of Things;
  32. Office security - the average workplace faces a range of information security risks ranging from intruders, thefts, fires and floods to bugs and a variety of office IT security issues;
  33. Oversight - a unique security awareness module covering both ‘oversights’ (casual errors, accidents and omissions) and ‘overseeing’ things (an integrity control);
  34. Passwords - several modules concern the credentials used for identification and authentication of people, including passwords, passphrases, two-factor authentication, biometrics and so forth;
  35. Privacy - protecting personal information and respecting individuals’ rights to privacy;
  36. Physical security - protecting information assets (including people) against physical threats such as unauthorized or inappropriate physical access, fires, floods, and various workplace hazards is this month’s hot topic
  37. Portable ICT - security of laptops and other portable/mobile ICT devices, touching on BYOD and home working/teleworking;
  38. SCADA/ICS security - security risks and controls relating to Supervisory Control And Data Acquisition/Industrial Control S ystems on the factory floor as well as distributed and embedded microcontrollers such as those increasingly found in Building Management Systems, elevators and vehicles;
  39. Secure-by-design - making information security an integral part of systems and processes from the outset, including security architecture and the concept of fail-safe/fail-secure design;
  40. Social media - covers the security hazards associated with Linkedin, Facebook, blogging etc.;
  41. Social insecurity combines social engineering with the security aspects of social networking and social media;
  42. Surveillance - increasingly common in public, corporate and personal domains, surveillance is both a valuable form of monitoring control and a privacy/human rights concern depending on your perspective;
  43. Survivability - tackles the extreme end of risk management, incident management and business continuity;
  44. Third parties - information security issues resulting from business relationships between organizations, extending the corporate security boundary to suppliers, partners and customers;
  45. Trade secrets - a spectrum of activities from legitimate market research and competitive intelligence through to unethical if not illegal industrial espionage and information warfare;
  46. Viruses and other forms of malware (worms, Trojans, key loggers, spyware, rootkits, APTs/Advanced Persistent Threats) are such significant threats that we update this module annually with fresh content and news.  This year, we picked up on the sophisticated bank Trojans.
... so how come certain vendors are still desperately flogging the notion that self-phishing is enough?  Do they honestly believe that their customers are that naive?

Don't get me wrong: phishing is indeed a threat, but even a highly phishing-aware workforce remains open to many more forms of attack, and indeed many other forms of information compromise, damage or loss.

Regards,