Welcome to NBlog, the NoticeBored blog

You don't need eyes to see: you need vision

Apr 29, 2015

New awareness module: Safer surfin'

Fascinating sociological changes are occurring around us as the Internet continues to expand and morph. 

Social media, online reviews and customer feedback sites are shifting the balance of power from retailers and other corporations towards their customers, in ways that aren’t entirely beneficial: pressure groups comprising aggrieved customers and others with axes to grind (perhaps including unethical competitors) have the ability to collaborate and express themselves very publicly and often bitterly through online campaigns, while corporations suffering the full glare of the social media spotlight struggle to respond without harming their own brands. 

This issue neatly demonstrates the distinction between information security and IT or cybersecurity: the power of information is key, whereas information technology is (one could argue) merely a tool. No amount of technical security can address the challenges we've just described.

The brand new awareness module for May also touches on covert monitoring and subversion of the Internet by secretive government agencies – another issue that transcends the technology. 

"Safer surfin'" is the 54th awareness topic in our portfolio, albeit something that we have touched upon in several other modules.  Our hope, as always, is that the materials will intrigue and fire up employees’ imaginations, prompting them to think and chat about Internet security at coffee time …. result!


Regards, 
Gary (Gary@isect.com)

Apr 24, 2015

Resilience as a business continuity mindset

An article written in conjunction with Dejan Kosutic has just been published at ContinuityCentral.com
"Most business continuity experts from an IT background are primarily, if not exclusively, concerned with establishing the ability to recover failed IT services after a serious incident or disaster. While disaster recovery is a necessary part of business continuity, this article promotes the strategic business value of resilience: a more proactive and holistic approach for preparing not only IT services, but also other business processes before an incident in order that an organization will survive incidents that would otherwise have taken it down, and so keep the business operating in some form during and following an incident."
We explain how resilience differs from and complements more conventional approaches to business continuity.  It is a cultural issue with strategic implications and benefits for everyday routine business, not just in crisis or disaster situations. It has implications throughout the organization, including business activities/processes, systems, workers and relationships with third parties. It is an integral and essential part of risk management.


The article discusses resilience in the context of ISO 22301 and ISO27k, and includes a maturity model and metric to help organizations put the strategy into practice.



Dejan and I share a passion for this topic that I hope comes across in our writing. Comments welcome!

Regards,

Resilience as a business continuity mindset

An article written in conjunction with Dejan Kosutic has just been published at ContinuityCentral.com
"Most business continuity experts from an IT background are primarily, if not exclusively, concerned with establishing the ability to recover failed IT services after a serious incident or disaster. While disaster recovery is a necessary part of business continuity, this article promotes the strategic business value of resilience: a more proactive and holistic approach for preparing not only IT services, but also other business processes before an incident in order that an organization will survive incidents that would otherwise have taken it down, and so keep the business operating in some form during and following an incident."
We explain how resilience differs from and complements more conventional approaches to business continuity ...


We refer to the 'resilience mindset' in the title, and discuss it as a cultural issue with strategic implications and benefits for everyday routine business, not just in crisis or disaster situations. It has implications throughout the organization, including business activities/processes, systems, workers and relationships with third parties. It is an integral and essential part of risk management.

The article discusses resilience in the context of ISO 22301 and ISO27k, and includes a maturity model and metric to help organizations put the strategy into practice. 

Dejan and I share a passion for this topic that I hope comes across in our writing. Comments welcome!

Regards,

Apr 21, 2015

Awareness paper on authentication and phishing metrics

We've just republished a management-level security awareness paper on metrics relating to user authentication and phishing.

The introduction asks "How do we tell whether our authentication controls are effective?" and "What does 'effective' even mean in this context?" - two decent questions that could be addressed through suitable metrics.

Questions like these are central to the GQM (goal-question-metric) method (see IT Security Metrics by Lance Hayden), and not just literally in terms of their position in the handy acronym. They link the organization's goals or objectives relating to information security, to the information security metrics that are worth measuring.

In your particular circumstances, the effectiveness of authentication controls might or might not be of sufficient concern to warrant generating the associated metrics. Other aspects might take precedence, for example the amount invested in authentication controls, and the ongoing operating and maintenance costs of those controls. It's usually not too hard to think up a whole raft of aspects, parameters or concerns relating to the topic area, but focusing on the things that are likely to matter most to the organization (business priorities) is a good way to keep the list within reasonable bounds. Once you know what they are, the next step is to figure out the questions arising e.g. "Are we spending appropriately (neither too much nor too little) on authentication?"

From there, it's simply a matter of deciding what data would help address the questions, and those are your metrics!  Job done!  Errr, well, no, not quite: if you have several goals/areas of concern and numerous questions arising, each requiring multiple metrics to generate the answers, there is a distinct risk of being overwhelmed with possibilities. It is infeasible and in fact counterproductive to attempt to measure everything. Less is more! This is where the PRAGMATIC method comes into play as a way to whittle down the long list to a shortlist of metrics showing the most promise. The GQM approach also suggests filtering out the metrics that don't address the questions very well, and trimming down on metrics addressing questions that are only marginally related to the organization's business goals. Both approaches have their merits.



Apr 18, 2015

People: can't do with 'em, can't do without 'em

The latest 2015 Verizon Data Breach Investigation Report indicates, once again, that a significant proportion of "data breaches" involve social engineering, perpetrators typically phooling victims into opening infected email attachments or clicking links to infectious or fraudulent websites.  The report also indicates, once again, that security-awareness is necessary to mitigate the social engineering threat. Technical "cybersecurity" (IT security) controls are of limited value precisely because social engineers (and fraudsters and spies) bypass most of them, exploiting vulnerable people instead.
"[T]he common denominator across the top four [incident type] patterns—accounting for nearly 90% of all incidents—is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T ├╝ber-patterns. At this point, take your index finger, place it on your chest, and repeat “I am the problem,” as long as it takes to believe it."  (page 32)
I can hardly believe we're still banging on about this stuff in 2015 as if it's news. Is there anyone out there who doesn't know this already? Kevin Mitnick's "The Art of Deception" was published 13 years ago and it was far from being the first treatise on social engineering. Likewise with NoticeBored: we've been selling security awareness materials for the same period, and running security awareness campaigns for nigh-on 40 years.

It makes me cringe whenever I see someone making naive statements or posing the most basic of questions about human factors, phishing and other forms of social engineering, including security awareness*. Why is this such a persistent, long-standing issue, a veritable blind-spot for some? Aren't we doing enough to help people realize and understand what's going on, and show them how to defend themselves, their families and their organizations? Or are we expecting too much of people who aren't immersed in the field? While most of us have a clue, there are bound to be laggards, most either ignorant/oblivious or in denial. They are natural targets for social engineering ... including security awareness*.

Regards,

* Yes, security awareness qualifies as social engineering, albeit with benign rather than malicious intent, but nevertheless it is manipulative.

Apr 15, 2015

Yet another information security awareness case study


Controversial plans to replace two Surrey/South London hospitals with a new one were prematurely and inappropriately disclosed on a train:
"The proposals were revealed by management consultants who held a conference call on a commuter train after meeting the trust chief executive Daniel Elkeles.  The call was heard and recorded on a mobile phone by a BBC London reporter."
Someone being overheard discussing sensitive stuff on their mobile phone in a public place is nothing new, an everyday common-or-garden information security incident.  The factors that make this particular one notable include:

  • The disclosure involved trusted third parties possessing (and disclosing!) valuable information belonging to an organization, having been disclosed to them by senior management.  This begs lots of questions about roles and responsibilities, compliance obligations, non-disclosure agreements, ethics, accountability and governance, as well as the information risks and security controls.
  • The disclosed information was particularly sensitive.  Aside from the patients and staff who are directly impacted by the proposals being discussed, the hospitals are landmarks, important assets for their two local communities which, by the way, are several miles apart and socially diverse.  The issue has been a political hot potato in the area for at least a decade.
  • The management consultants concerned should have known better. Whatever their reasoning or justification, this was an embarrassing and perhaps costly incident, quite unprofessional and avoidable.  We can but wonder what damage it might have caused to their ongoing client relationships and future business prospects.
  • 'Conference call' implies this was an open discussion on speakerphone, making it likely to be overheard by everyone in the vicinity.
  • It was overheard by a reporter/journalist and perhaps other local commuters in the carriage, any of whom may have found the information relevant and fascinating.
  • Recording the discussion captured at least some of the content, providing undeniable evidence, non-repudiation and the opportunity to transcribe, analyze and share the information more widely.  By the way, virtually every commuter these days has the technical capability to record or transmit such information discreetly if not covertly using a veritable panoply of portable ICT devices.
  • The disclosed information was published and broadcast by the news media. It is now out there in the public domain, beyond the control of the administrators and politicians and doubtless causing concern in the area - not least for the chief executive, the management consultants and various others involved/implicated in or directly affected by the fiasco.

I'll leave it as an exercise for you, dear reader, to explore and evaluate the threats, vulnerabilities and impacts in this incident, and to consider how it might have been avoided or mitigated.  [Hint: as with the Sony hack, this is another excellent case study to discuss in a information risk workshop setting, or indeed a realistic, highly credible scenario for incident management or business continuity exercises, tests, audits and reviews.]

While I feel sorry for those adversely impacted by the incident, I am grateful for yet another free but valuable information security awareness and improvement opportunity as a result of the incident being disclosed.   We can all learn from incidents of this nature.  The trick as always is for someone to identify and consider them as case studies, teasing out the underlying information risk and security issues, and ultimately persuading the organization to make whatever changes and improvements might be necessary and appropriate to analyze and treat the information risks.  It's not enough to nod sagely, say "tut-tut" and ponder: what are you actually going to do differently as a result of reading about this?  At the very least, has it altered your perception or appreciation of the associated information risks?  If nothing changes, it's an awareness opportunity lost, a senseless waste.

Don't worry though.  I'm certain there will be plenty more learning opportunities in due course - in fact, I'm sure I can see the next one peeking into view just around the corner ...

Regards,

Apr 10, 2015

3 more metrics papers

We've just published another three documents on security metrics, written and first released five years ago as part of the management stream in the NoticeBored information security awareness service.

The first paper was concerned with measuring integrity.  Despite being one of the three central pillars of information security, integrity is largely overshadowed by availability and, especially, confidentiality ... and yet, if you interpret 'integrity' liberally, it includes some extremely important information security issues. The 'completeness and correctness' angle is pretty obvious, while 'up to date-ness' and 'appropriateness' are less well appreciated.  Add in the character and trustworthiness of people, and integrity takes on a rather different slant (Bradley Manning, Julian Assange and Edward Snowden springing instantly to mind as integrity failures).  An 'honesty metric' is an innovative idea.

The integrity metrics paper also suggests measuring the integrity of the organization's security metrics program or system of measurements, on the basis that metrics ought to be accurate, complete, up-to-date and relevant. The metrics integrity issue is obvious when you think about it. Managing with poor quality information is less than ideal.  However, in our experience, information security metrics are mostly taken at face value: we usually focus on what the numbers are telling us without even considering that they might perhaps be wrong, misleading, incomplete or inconsequential. Worse still, we get so distracted by the fancy "infographics" that the information content is almost irrelevant.  That's hardly a scientific approach!  We have raised this issue before in relation to treating published security surveys as gospel, blythely ignoring the fact that most are statistically dubious if not patently biased marketing copy. Remember this the next time you search the web for pie charts to illustrate your security investment proposals, or the next time someone tries to persuade you to loosen the purse strings! 

A short, humdrum paper on IT audit metrics suggests a few ways to measure the IT audit function, such as "IT audit program coverage" as well as conventional management metrics.  

The third paper on malware metrics was virtually the same as the version released a year earlier. We made some changes the following year, partly due to the research and thinking that went into writing PRAGMATIC Security Metrics ... but you'll have to wait just a bit longer for the 2009 paper.

Apr 2, 2015

Management without metrics - how?

The SEC (Security Executive Council - not the Securities and Exchange Commission!) boldly describes itself as "the leading research and advisory firm that specializes in security risk mitigation."  Their primary interest appears to be physical security, although they also make the odd nod towards IT security, business continuity and 'convergence'.

The SEC conducted an unscientific online poll, asking respondents to self-assess and report the capability maturity of their security programs using the classic 5 point SEI-CMM scale.  Unsurprisingly, the results show a vaguely normal distribution about the middle value ('defined'), skewed towards the low end of the maturity scale.

It appears they may have asked a separate question about metrics:
"When participants were asked about metrics (a higher level of maturity), 64% said they did not use business value metrics (metrics that are beyond initial "counting" of activities such as number of background checks performed or number of badges issued)."
So only about a third of their respondents have security metrics other than the absolute basics - a pathetically low proportion that begs the obvious question "How are they managing security without metrics?"

Answers on a postcard please.  Or comment below.