Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Dec 30, 2017

NBlog December 30 - the start is nigh

With near-perfect timing, we're into the final stages of polishing off January's awareness module on IoT and BYOD security.  

I say near-perfect because this is the last weekend of 2017 with just over a day remaining until 2018. After a week of chilly and miserable weather, an unseasonal polar blast, I'd rather be out enjoying the fine weather and getting ready for the traditional new year's eve celebrations! 

The last section of writing took a bit longer than planned, but I'm confident we'll hit the delivery deadline. Updates to the NoticeBored website are in hand and we'll be packaging and sending the materials to subscribers tomorrow, electronically that is.

Looking forward, we've selected awareness topics for the first few months of 2018 and written them up on our distinctly low-tech office whiteboard. We deliberately don't plan too far ahead (who knows what will crop up?) but it takes time to research and draft the materials. Having working titles and outline scopes in mind keeps us focused and on-track. 

If a particularly dramatic information security incident occurs, we can always drop the current work to pick up on it, pushing the original plan out a month. With 60-odd information risk and security-related topics in the portfolio, there's not a lot we haven't covered already, to some extent. The NoticeBored back catalog is as much a source of inspiration as content, though, since the field is constantly moving. On top of that, our own interests and preferences are gradually evolving too.

Dec 28, 2017

NBlog December 28 - slowly slowly catchee monkey


As the end of month deadline looms, we're close to finishing January's NoticeBored security awareness module on IoT and BYOD. 

Today I'm working on the awareness seminar slide deck and accompanying briefing paper for the audience group we call 'professionals' - essentially the specialists in IT, risk, security, audit, facilities, control, compliance etc.

We dig a bit deeper into the topic for that audience, but not too deep. The overriding awareness objective is to inform, intrigue, motivate and set them talking to their colleagues (other professionals plus the general and management audiences) about and around the topic. Awareness is not training, although there is a grey area and the terms are often confused. 

Ultimately, we hope the pros will pass on some of their knowledge and enthusiasm for the topic to others, preferably with more than just a casual nod towards the information risk and security aspects. 

IoT and BYOD are obviously IT-related, so the pro materials are IT-centric this month. The awareness poster image above mentions "latest hi-tech goodies" specifically to catch the eyes of geeks and technophiles, people who just love hot new gadgets - reading about them, drooling over the adverts, sometimes buying and using/playing with them, showing them off to their less fortunate playmates ... and occasionally hacking them to figure out how they really work.

An article about hacking building management systems (things!) caught my beady eye today, for several reasons. It's right on-topic, for starters, exactly the kind of intriguing tech content that appeals to the pro audience we have in mind. The author's hacker mentality rings out. He has spent countless hours exploring their capabilities and vulnerabilities for more than a decade. To most of us, that's unnaturally obsessive behaviour but to him it's a hobby, a fascination or passion, fun even. I'm sure he'd do it even if he wasn't being paid to hack (he's a professional penetration tester by day).

I'd love to inspire such intense passion among our customers' employees on the defensive side ... but it's hard given that I'm not there in person and anyway security awareness has a broader and more realistic goal. Some workers may be fired-up by something I've written, although for many the most we can sensibly hope to achieve is to spark an interest. Getting the light to flicker on, occasionally, is the starting point. From there, we can work on making it flicker more often and glow more brightly, gradually changing attitudes, beliefs, behaviours and decisions ... but first we need to open eyes, ears and brains to the fundamentals. The pro audience helps us do that, at first hand.

"A culture of security takes time"
Dan Swanson 

Dec 27, 2017

NBlog December 27 - inspirational security awareness


Normally in security circles, the word 'exploitation' has the distinctly negative and foreboding connotation of some evil miscreant wantonly attacking and taking advantage of us ... but we'll be using the word in a much more positive sense in the IoT and BYOD security awareness materials for January.

The topic presents a golden opportunity to point out that information security mitigates the substantial information risks associated with IoT and BYOD, risks that would otherwise reduce, negate or even reverse the business advantages.

It's not entirely plain sailing, though, since the risks are context-dependent. Someone needs to identify and evaluate the risks and the corresponding security controls, in order to determine firstly whether the risks are truly of concern to the organization (they can't be avoided or accepted), and secondly whether the security controls are necessary and justified since there are costs as well as benefits.

We've pump-primed the process by doing the risk and security analysis in a generic way - a starting point for subscribers to consider and take forward. We don't pretend to know all about all the information risks each customer faces, nor the information security control options open to them. We're definitely not attempting to do the analysis for them, rather to inspire them to do it themselves. The awareness materials are the prompt to set them thinking and the motivation to get them going.

Dec 26, 2017

NBlog December 26 - government security manual

An updated version of the New Zealand Information Security Manual (NZISM) - in effect the government's information security policy manual, or at least the public non-secret element - was released this month:

NZISM is painstakingly maintained and published by the Government Communications Security Bureau (GCSB) - our spooks in other words. It is a substantial tome, well over six hundred A4 pages split across two volumes.

Part 1 (365 pages) covers:

  • A brief introduction to the topic and the manual, in the NZ government context;
  • Governance arrangements including overall controls such as accountability and responsibility, and compliance through system certification and accreditation, audits and reviews;
  • Policies, plans, Standard Operating Procedures plus emergency and incident response procedures;
  • Change management;
  • Business continuity and Disaster Recovery management; 
  • Physical security;
  • Personnel security (including security awareness);
  • Infrastructure security (well, cabling and TEMPEST anyway);
  • Communications systems and devices (e.g. cellphones and wearables);
  • Product security (acquiring commercial goods and services);
  • Storage media (lifecycle management).
Part 2 (another 300 pages) covers:

  • Software security (e.g. hardened Standard Operating Environments, app and website whitelisting, software development);
  • Email security (mostly concerns classification marking, not crypto except TLS);
  • Access control (identification and authentication of IT users, privileges, VPNs, logging etc.);
  • Cryptography;
  • Network security;
  • Gateway security (essentially firewalls with special arrangements to isolate and control traffic between differently classified networks);
  • Data management including data transfers and databases;
  • Working off-site;
  • Enterprise systems security (mostly cloud in fact);
  • Supporting information including a glossary.

NZISM distinguishes mandatory from recommended policies using MUST or SHOULD respectively, in red, with the added complication that some are only mandatory on highly classified systems.

Here's part of the section on security awareness and training, illustrating the style:


Overall, it's an impressive piece of work, [information] risk-driven if rather IT-centric. Some cybersecurity issues (such as malware, VoIP and resilience) aren't immediately obvious but I haven't read all 600+ pages (yet!). 

Despite the scope section 1.1.2 stating:
"This manual is intended for use by New Zealand Government departments, agencies and organisations. Crown entities, local government and private sector organisations are also encouraged to use this manual."
it would take some effort to adapt/interpret and apply NZISM in private sector organizations that aren't engaged in government work, especially small organizations without the implied hierarchical structure, and multinationals. Applying other standards such as ISO27k may make more sense there, but the principle of adopting generally accepted good security practices or templates rather than starting from scratch is sensible and sound.

By the way, NZISM refers to the Protective Security Requirements in a few places. The PSR, in turn, seems to be an even broader framework spanning strategies to procedures including policies for "protecting our people, information and assets":


Picking nits, people and information are assets, hence the tag line ought to end "and other assets". If I have enough time and energy after slogging through the NZISM, I'd like to check the PSR too. 

Coordinating updates between NZISM and PSR, plus laws and regulations, contracts with suppliers and internal agreements, and no doubt various other relevant requirements (not least, politics!), must be a tough job for those involved. As an NZ resident and taxpayer, I wish 'em all the best for 2018!

Dec 21, 2017

NBlog December 21 - auditor independence [LONG]

Over on the ISO27k Forum, we've been discussing one of my favourite topics: auditing, or more precisely the question of auditor independence. 

How independent should an auditor be? What does that even mean, in this context? 

SPOILER ALERT: there's rather more to it than reporting lines.

My experienced IT auditor friend Anton posted some relevant definitions from ISACA, including this little gem:
"Independence of mind: the state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional scepticism."
While I agree this is an extremely important factor, I have a slightly different interpretation. 'Independence of mind', to me, is the auditor's mental capacity to examine a situation free of the prejudice or bias that naturally afflicts people who have been in or dealing with or managing or indeed suffering from the situation, plus all that led up to it, and all the stuff around it (the context), including all the 'constraints' or 'reasons' or 'issues' that make it 'a situation' at all. It's more about the auditor making a back-to-basics theoretical assessment, thinking through all the complexities and (hopefully!) teasing out the real underlying reasons for whatever has happened, is happening, and needs to happen next. The ability to report stuff (ISACA's "expression of a conclusion") is only part of it: figuring out how the situation ought to be in theory, then looking at it in practice, gathering objective, factual evidence, doing the analysis, probing further and focusing on the stuff that matters most (the 'root causes'), are at least as important audit activities as reporting.

Here's a little exercise to demonstrate why independence matters: next time you drive or are driven on a familiar route, make an extra special effort to spot and look carefully at EVERY road sign and potential hazard along the way. Concentrate on the task (as well as driving safely, please!). Say out loud everything you see. Chances are, you will notice stuff that was there all along but you had long since tuned-out - big and bright road signs, plain as day, that you would not have recalled or mentioned if someone had previously asked you to describe your journey in detail from memory. You'll see road markings, potholes and rough surfaces that you might have been subconsciously avoiding for ages ... but 'subconscious' is the point: prior to the exercise, they didn't register in your conscious thoughts. This is a natural biological process, essentially a mental mechanism that de-emphasizes the regular/static stuff that is there all the time (it 'fades into the background'), in order to focus more energy and attention on the differences (e.g. a new road sign warning of roadworks, or a cow in the road). 

In terms of auditing the journey, as a regular traveller you can clearly make an extra-special conscious effort to spot and assess everything, but even so there will still be things you will miss, hazards that simply don't register as noteworthy in your mind. It takes effort, too: try it and you'll see what I mean. It's tiring! In contrast, a competent driver who had seldom if ever been down that route before would probably spot even more things, especially if they had been specifically trained to do so and were well practiced and highly skilled at the exercise (e.g. an advanced driving instructor or road safety specialist). The depth and breadth of technical knowledge, coupled with the audit competencies, is what makes experienced IT audit professionals worth their pay!

'Independence of mind' can also go further: competent auditors tend to be naturally cynical or doubtful or dubious about things, especially the things that we are told by naive, reluctant or hostile auditees but which seem at odds with reality. We are actively encouraged to challenge, to probe, to explore and find out what's really going on. That, in turn, leads to the perception that we only ever see the worst of every situation, that in our eyes everybody is guilty unless/until proven innocent, and that we gleefully enjoy bayonetting the wounded. Being totally honest, there is a tiny grain of truth in that ... which is why structured audit methods and practices are designed to temper our innate cynicism and bloodthirst with reality-checks, fact-checks, quality-checks, audit file reviews and so on. Auditors don't report everything: we filter-out the irrelevant and less important stuff in order to emphasise the key issues and persuade management to focus on those. In a sense, we're consciously doing what our brains would do subconsciously, but with a very clear purpose in mind which is to support and further the organization's best interests. Doing so competently, thoroughly, independently, objectively, impartially, with the support of management, within the constraints of resources and the business and technology and personal contexts etc., in a way that ultimately achieves positive organizational change, is tough.

There's another important factor to mention, a little word that ISACA slipped quietly into their definition: integrity. An employee's decision to take a serious issue as far as possible, insistently escalating it up the line despite strong resistance (maybe even direct threats) from management, all the way to resigning if necessary, perhaps even disclosing it externally, takes guts. In my experience, auditors are gutsy people, willing to stand up and be counted, to speak out when something deserves to be said. We'll blow the whistle on impropriety. When backed into corners by powerful, egocentric, belligerent senior managers, we come out fighting! There is a downside to this, personally, in that it takes energy, fortitude and a willingness to pull the pin on a successful assignment or position. We are strong-willed, hard to manage, and can come across as abrasive, stubborn, egocentric, cantankerous, self-opinionated, socially inept and assertive. Some of us are overly fond of the sound of our own voices, and write far too much (guilty as charged!). However, we need to be demonstrably correct in our assessments and advice, which is where the factual evidence, careful analysis and all those audit process checkpoints earn their keep. We also need to be sufficiently self-aware, competent and experienced to know when we are stepping out of line, moving from facts to assumptions, from objectivity to subjectivity. We have our limitations - we are only human after all. There are times when it is totally appropriate and necessary to back down, for instance when a senior manager privately acknowledges audit issues but asks for 'a little breathing space to handle it my way'. Integrity extends to auditees too - it's very much a matter of understanding and trust between the parties, and trustworthiness, mutual respect and solid reputations.

Oh and negotiation - that's yet another set of skills to add to the competent auditor's bulging toolbox. More on that another time.

Dec 19, 2017

NBlog December 19 - sticky ends

Surveys typically show that: 
  1. Most organizations have some form of BYOD scheme encouraging or permitting workers to use their own laptops, smartphones and tablets for work; and
  2. IoT is spreading fast but still has a long way to go before it peaks.

We infosec geeks may throw up our hands in horror ... but the facts remain: BYOD and IoT are popular, now. They are here to stay and almost certain to expand.

It's too late now for us to bleat on about the information risks and security concerns*. The train has long since left the station.

So how should we handle this situation? An obvious approach is to retrospectively identify, assess and treat the information risks as best we can, emphasizing threats such as hackers, malware, theft or loss of information, and inappropriate disclosure, and promoting security controls such as - well, that's where it gets tricky because we have limited options for technical controls, and (despite our best efforts!) security awareness is never going to be a total cure for employees being incautious or careless. Being so negative and constrained, it's hardly a convincing argument. You could say it's also behind the times, fighting the last war as it were.

Instead, we're taking a more proactive and upbeat line in the NoticeBored content for January. There are business opportunities in going with the flow, embracing BYOD and IoT (where appropriate), making the best of the rapidly evolving technology and forging ahead. Maybe we can't fix everything today, but we surely can make tomorrow better. 

Here's a single example: if a company's widgets can be smartened-up and networked, they might just catch the wave. Innovation is a vital component of brand value for many organizations, a common strategic driver. Provided the technology, security and privacy aspects are sufficiently well addressed, smart, networked widgets may be used to gather information about how the widgets are used in practice by real customers, en masse, giving valuable insight to drive further product development and innovation - a positive feedback loop. 

Finding and exploring other similarly motivational examples and potentially attractive business opportunities has kept us happily occupied today. If we successfully express that excitement in the awareness materials, it should energize and motivate the audiences to get to grips with the risk and security aspects of BYOD and IoT. They will at least set off on the journey in a more positive frame of mind than the more usual "We must improve security or the world will come to a sticky end", or worse still the cynical "Stop everything: for security reasons, the answer is NO!".


* PS  In fact we did raise the information risk and security aspects of IoT and BYOD previously, several times, in the awareness materials. We try hard to keep up with, if not stay ahead of, new developments in this field. Some of our customers, though, have rather more inertia than they'd like to admit!

Dec 18, 2017

NBlog December 18 - the complexities of simplification

From a worker's perspective, BYOD is 'simply' about being allowed to work on his/her own ICT devices, rather than having to use those owned and provided by the organization.  What difference would that make? It's straightforward, isn't it?

Good questions! There are numerous differences in fact, some of which have substantial implications for information risk, security and privacy. For example, ownership and control of the device is distinct from ownership and control of the data: so what happens when a worker leaves the organization (resigns or is 'let go'), taking their devices with them? Aside from any corporate data on the devices, they had been permitted access to the corporate network, systems, apps and data.  The corporate IT support professionals had been managing the devices, and probably had access to any personal data on them.  Lines are blurred.


In a similar vein, IoT is more than just allowing assorted things to be accessed through the Internet and/or corporate networks. Securing things is distinctly challenging when the devices are diverse, often inaccessible and have limited storage, processing and other capabilities ... but if they are delivering business- or safety-critical functions, the associated risks may be serious.

The complexities beneath the surface make this a challenging topic for security awareness: we need to help workers (general staff, managers and specialists, remember) appreciate and address the underlying issues, without totally confusing them with techno-babble. That means simplifying things just enough but no more, a delicate balancing act.

In reality, dividing the awareness audience into those three groups lets us adjust the focus, nature and depth of the materials accordingly. Managers, for instance, have a particular interest in the risk management, compliance and governance aspects that are of little concern to workers in general. 

At the same time, the awareness materials should generate opportunities for the three audience groups to interact, which means finding common ground and shared interests, points for discussion. That's what we're working on now.

Dec 14, 2017

NBlog December 14 - distracted


I've been a bit distracted the past day or two by the arrival of a calf called Nellie. 

Amelia, her mum, had been waddling dejectedly around the paddock for ages, almost as wide as she is tall, complaining about her sore back and practicing her breathing exercises.

After the heat of recent weeks, the weather has now turned a bit cooler, wet and stormy which is probably a nice change for Amelia but a bit of a challenge for little Nellie, so we're keeping a close eye on them both.

The joys of rural NZ!

Dec 13, 2017

NBlog December 13 - IoT & BYOD security policies

Today we've been working on model policies concerning IoT and BYOD security.

We offer two distinct types of policy:

  1. Formal information security policies explicitly defining the rules, obligations and requirements that must be satisfied, with a strong compliance imperative relating to management's authority.  These are the internal corporate equivalent of laws ... although we go to great lengths to make them reasonably succinct (about 3 sides), readable and understandable by everyone, not just lawyers familiar with the archaic and arcane legal lexicon (such as has heretofore in the present clause been ably demonstrated, m'lud).
  2. Informal - or at least semi-formal - Acceptable Use Policies that are more advisory and motivational in nature. These compare pragmatic examples of acceptable (in green) against unacceptable (red) uses to illustrate the kinds of situation that workers are likely to understand.  They are even more succinct - just a single side of paper.

So, we now have four security policy templates for IoT and BYOD.

Although they don't contain huge volumes of content and are relatively simple, it takes a fair bit of time and effort to research, design and prepare them. Part of our challenge is that we don't have a particular organization in mind - these are generic templates giving customers a reasonably complete and hopefully useful starting point that they can then customize or adapt as they wish. 

Those customers who already have policies covering IoT and BYOD might find it helpful to compare theirs against ours, particularly in terms of keeping them up to date with ever-changing technologies and risks, while also being readable and pragmatic. Having been developing policies for close to 30 years, I've learnt a trick or two along the way!

The policies will be delivered to NoticeBored subscribers in January's security awareness module, and are available to purchase either individually or as a suite from us.  Contact me (Gary@isect.com) for details.

Dec 12, 2017

NBlog December 11 - things in Santa's sack

What's hot in toyland this Christmas?

Way back when I was a kid, shortly after the big bang, it was Meccano and Lego for me. I still value the mechanical skills I learnt way back then. Give me a box of thin metal strips full of holes, a plentiful supply of tiny nuts and bolts, and some nobbly plastic bricks, and I'll build you an extraordinary space station complete with spinning artificial gravity module. Or I might just chew them.

Today's toys supplement the child's imagination with the software developers'. There are apps for everything, running on diminutive devices more powerful than those fridge-sized beige boxes I tended for a hundred odd scientists (some very odd) in my first real job.

Writing about tech toys in the shops this Christmas, Stuart Miles says:
"For many, the days of just building a spaceship out of Lego or playing a game of Monopoly are long gone. Today, kids want interactive tech toys that are powered by an app or that connect to the internet. They want animals that learn and grow as you play with them, or robots that will answer back."
Some toys are autonomous while others are networked - they are things.  Microphones and cameras are often built-in for interaction, and we've already seen a few news reports about them being used for snooping on families.  All fairly innocuous, so far ... but what about those high-tech toys we grownups are buying each other this year?  Some will find their way into the office, the home office at least, where snooping has different implications.


Dec 8, 2017

NBlog December 8 - cybersecurity awareness story-telling

Conceptual diagrams ('mind maps') are extremely useful for awareness purposes.  This one, for instance, only has about 50 words but expresses a lot more than could be said with ~50 words of conventional prose:




Despite it being more than 7 years since I drew that diagram in Visio, it immediately makes sense. It tells a story. 

Working clockwise from 1 o'clock, it steps through the main wireless networking technologies that were common in 2010, picking out some of the key information security concerns for each of them.  It's not hard to guess what I was thinking about.

The arrows draw the reader's eye in the specified direction along each path linking together related items. Larger font, bold text and the red highlight the main elements, leading towards and emphasizing "New risks" especially. Sure enough, today we have to contend with a raft of personal, local, mesh, community and wide area networks, in addition to those shown. 

When the diagram was prepared, we didn't know exactly what was coming but predicted that new wireless networking technologies would present new risks. That's hardly ground-breaking insight, although pointing out that risks arise from the combination of threats, vulnerabilities and impacts hinted at the likelihood of changes in all three areas, a deliberate ploy to get the audience wondering about what might be coming, and hopefully thinking and planning ahead.

It's time, now, to update the diagram and adapt it to reflect the current situation for inclusion in January's awareness module. The process of updating the diagram is as valuable as the product - researching and thinking about what has changed, how things have changed, what's new in this space etc. qualifies as fun for this geek! Take yesterday's blog piece, for instance: back in 2010, I probably would not have believed it possible that today we'd be configuring our Christmas tree light shows from Web-based apps on our mobile phones ... and that's merely a trivial, seasonal example. The information risk and security angles to IoT and BYOD go on and on.

Technology is the gift that keeps on giving.

Dec 7, 2017

NBlog December 7 - Santa's slaves bearing gifts

Today we went on a tiki-tour of the forest in search of a few pine saplings of just the right size, shape and density to serve as Christmas trees. Naturally, the best ones were in the brambles or on the side of a near vertical slope but, hey, that's all part of the fun.

I guess 'Web-enabled remotely-controllable LED Christmas tree lights' are The Thing this year.  Ooh the sheer luxury of being able to program an amazing light show from your mobile phone!

So what are the information risks in that scenario? Let's run through a conventional risk analysis.

THREATS

  • Elves meddling with the light show, causing frustration and puzzlement.
  • Pixies making the lights flash at a specific frequency known to trigger epileptic attacks.
  • Naughty pixies intent on infecting mobile phones with malware, taking control of them and stealing information, via the light show app.
  • Hackers using yet-another-insecure-Thing as an entry point into assorted home ... and corporate networks (because, yes, BYOD doubtless extends to someone bringing in Web-enabled lights to brighten up the office Christmas tree this year).

VULNERABILITIES


  • Irresistibly sexy new high-technology stuff. Resistance is futile. Christmas is coming. Santa is king.
  • Inherently insecure Things (probably ... with probability levels approaching one). 
  • Blind-spots towards information risk and security associated with Things, especially cheap little Things in all the shops. Who gives a stuff about cybersecurity for web-enabled Christmas tree lights? Before you read this blog, did it even occur to you as an issue? Are you still dubious about it?  Read on!
  • Does anyone bother security-testing them, or laying down rules about bringing them into the home or the corporation?
  • Ineffective compliance enforcement of safety and security standards for low value high volume retail stuff flooding the markets.
  • Widespread dependence on "the authorities" to protect "us" from "them".  A naive and potentially reckless abdication of our own responsibility.

IMPACTS



    • Theft of valuable and confidential information.
    • Disruption or loss of valuable data, networks and devices.
    • [Further] loss of control over network access points, leading to exploitation of other connected systems and data.
    • Fire from badly engineered and manufactured knock-em-out-and-pile-em-high cut-price electronics connected to the mains power and dangled among increasingly flammable dead pine trees.
    • Distractedly driving into the back of stationary traffic while trying to re-program the light show on your way home from the office, at the insistence of a back-seat-load ("a pester" is the collective noun) of over-excited kids on a massive sugar high. A rather more dramatic form of impact, that!
    Taking that all into account, there are definitely information risks in the scenario, but as to whether you consider them significant enough to worry about depends on your perspective. 

    OK so I admit I'm going out on a limb by analyzing information risks for web-enabled Christmas tree lights but the risk analysis is much the same for a zillion other Things quietly invading our homes and businesses. It's the zombie apocalypse.

    Aside from all those high-tech toys soon to be piled up under the Christmas tree, the modern hi-tech kitchen and lounge is already replete with Web-enabled whiteware and entertainment systems, and almost everything that moves or goes ping in the office (including the workers!) is wirelessly networked.

    Remember, kids, information security is for life - not just for Christmas.

    ["Santa's slaves" alludes to a friend-of-a-friend's little'un asking its mum for 'one of those Christmas slaves this year - you know, the slave that Santa rides', while jangling his slave-bells, presumably.]

    Dec 5, 2017

    NBlog December 5 - lurid headline

    Social-Engineer.com's newsletter is a useful source of information about social engineering methods. The latest issue outlines some of the tricks used by phishers to lure their victims initially.

    "It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is safe to ask why that is the case though, given how much of this email gets caught up in our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering emotional responses from targets using simple and seemingly innocuous messaging to generate any response at all. Some messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker’s choosing can then be sent or the message itself can entice the target to act."

    That same technique is used by advertisers over the web in the form of lurid or intriguing headlines and images, carefully crafted to get us to click the links and so dive into a rabbit warren of further items and junk, all the while being inundated with ads. You may even see the lures here or hereabouts (courtesy of Google). Once you've seen enough of them, you'll recognize the style and spot the trigger words - bizarre, trick, insane, weird, THIS and so on, essentially meaning CLICK HERE, NOW!

    They are curiously attractive, almost irresistible, even though we've groped around in the rabbit warrens before and suspect or know what we're letting ourselves in for. But why is that? 

    'Curiously' is the key: it's our natural curiosity that leads us in. It's what led you to read this sentence. Ending the previous paragraph with a rhetorical question was my deliberate choice. Like magpies or trout chasing something shiny, I got you. You fell for it. I manipulated you. Sorry.

    There are loads more examples along similar lines - random survey statistics for instance ("87% of X prone to Y") and emotive subjects ("Doctors warn Z causes cancer"). We have the newspapers to thank for the very term 'headline', not just the tabloid/gutter press ("Elvis buried on Mars") but the broadsheets and more up-market magazines and journals, even scientific papers. The vast majority of stuff we read has titles and headings, large and bold in style, both literally and figuratively. Postings on this blog all have short titles and a brief summary/description, and some of the more detailed pieces have subheadings providing structure and shortcuts for readers who lack the time or inclination to read every word ... which hints at another issue, information overload. Today's Web is so vast that we're all sipping from the fire hose.
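    The lure shapes described in the last few paragraphs (trigger words, shouted capitals, rhetorical questions, "87% of X" survey statistics and "Doctors warn Z" scares) are regular enough to be turned into a crude subject-line heuristic. The script below is an added illustration, not code from this blog, from NoticeBored or from the Social-Engineer newsletter; the word list, the regular expressions and the weights are assumptions chosen for the demo rather than a vetted detection rule, and the sample subject lines are constructed.

```python
"""Score e-mail subject lines for the curiosity/urgency lures discussed above.

Added illustration only: the trigger-word list, patterns and weights below are
assumptions for the demo, not a tested spam-filter rule. Expect false positives
on legitimate acronyms (ISO, GDPR) and tune the threshold to your own mail.
"""
import re
from dataclasses import dataclass, field

# Trigger words the post calls out ("bizarre, trick, insane, weird, THIS")
# plus a few obvious urgency words. Assumed list; extend to taste.
TRIGGER_WORDS = {"bizarre", "trick", "insane", "weird", "shocking", "secret",
                 "urgent", "immediately", "now"}

# Patterns for the other lure shapes the post mentions.
STAT_LURE = re.compile(r"\b\d{1,3}\s?%\s+of\b", re.IGNORECASE)       # "87% of X prone to Y"
WARN_LURE = re.compile(r"\b(doctors?|experts?|scientists?)\s+warn\b",
                       re.IGNORECASE)                                 # "Doctors warn Z causes cancer"
ALLCAPS_WORD = re.compile(r"\b[A-Z]{3,}\b")                           # "THIS", "CLICK HERE NOW"
QUESTION_END = re.compile(r"\?\s*$")                                  # rhetorical-question ending


@dataclass
class LureScore:
    subject: str
    score: int
    reasons: list = field(default_factory=list)


def score_subject(subject: str) -> LureScore:
    """Return an additive lure score plus the reasons that contributed to it."""
    result = LureScore(subject=subject, score=0)

    words = re.findall(r"[A-Za-z']+", subject)
    hits = sorted({w.lower() for w in words} & TRIGGER_WORDS)
    if hits:
        result.score += 2 * len(hits)
        result.reasons.append("trigger words: " + ", ".join(hits))

    shouted = ALLCAPS_WORD.findall(subject)
    if shouted:
        result.score += len(shouted)
        result.reasons.append("shouted words: " + ", ".join(shouted))

    if STAT_LURE.search(subject):
        result.score += 3
        result.reasons.append("survey-statistic lure")

    if WARN_LURE.search(subject):
        result.score += 3
        result.reasons.append("emotive warning lure")

    if QUESTION_END.search(subject):
        result.score += 1
        result.reasons.append("ends with a question")

    return result


def is_likely_lure(subject: str, threshold: int = 3) -> bool:
    """Threshold is an assumption for the demo; calibrate on real mail."""
    return score_subject(subject).score >= threshold


# Constructed sample subject lines: three lures, two ordinary business messages.
SAMPLE_SUBJECTS = [
    "You won't believe THIS weird trick - CLICK HERE NOW!",
    "87% of employees prone to password reuse?",
    "Doctors warn coffee causes cancer",
    "Minutes of Tuesday's project meeting",
    "Q3 invoice attached for your approval",
]

if __name__ == "__main__":
    for subj in SAMPLE_SUBJECTS:
        r = score_subject(subj)
        flag = "LURE" if is_likely_lure(subj) else "ok  "
        print(f"{r.score:2d} {flag} {subj!r} {r.reasons}")
```

    Scoring by accumulated reasons rather than a single yes/no keeps the output explainable to the person triaging it, which matters more for an awareness programme than raw accuracy: the reasons list is what you would show a worker to explain why a message looked like bait.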

    And that reminds me: intriguing imagery is another manipulative technique to grab us by the wotsits. The fire hose is a highly visual analogy: it conjures up a dramatic scene in your mind, so effectively that an actual picture of a gushing hose would be crass. I wrote yesterday about word clouds, and through this blog we've shared a few of the creative posters that accompany the NoticeBored security awareness materials every month. 

    [Image: Samplers of the NoticeBored content]

    We also use colorful mind maps, process diagrams, flow-charts and so on for the same reason - to intrigue and so grab the reader's focus for a moment, to impart useful information, and so to inspire, motivate and entertain. Some of us like written words, some prefer pictures, and others like to be shown or directly experience stuff first hand ... which is why we also provide seminar slide decks, case studies and briefing papers. It's an immersive approach to security awareness.

    But time is precious so that's it for today. Thanks for dangling on my hook. I'm letting you go now. Swim free.

    Dec 4, 2017

    NBlog December 4 - word clouds


    Today I've been hunting for word-art programs or services. We've been happily using Wordle for a good while now. It has worked well, despite a few minor niggles:

    • It runs in Internet Explorer, but not Chrome;
    • It creates cloud shapes, blobs not distinct shapes;
    • It feeds on word lists, not URLs.

    There are several alternatives. The hands image above was generated quite simply in WordArt. WordClouds is another option. There are more: Google knows where to find them.  

    I'll be trying them out during December. The combination of words and graphics amuses me, and hopefully catches a few eyes out there too. Catching eyes and imaginations is what we do.

    Dec 2, 2017

    NBlog December 2 - next topic

    Next up on the NoticeBored conveyor belt is an awareness module on the security aspects of BYOD and IoT.

    Aside from being topical IT acronyms, both (largely) involve portable ICT devices - wireless-networked self-contained portable electronic gizmos. 

    We've covered BYOD and IoT security before, separately, but it makes sense to put them together for a change of focus.

    As things steadily proliferate, workers are increasingly likely to want to wear or bring them to work, and carry on using them. The security implications are what we'll be exploring in the next module.

    Dec 1, 2017

    NBlog December 1 - social engineering module released

    We close off the year with a fresh look at social engineering, always a topical issue during the holiday/new-year party season when we let our hair down.  Generally speaking, we are less guarded and more vulnerable than usual to some forms of social engineering.  The sheer variety of social engineering is one of the key messages in this month’s awareness materials. 

    This module concerns:
    • Social engineering attacks including phishing and spear-phishing, and myriad scams, con-tricks and frauds;
    • The use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineers’ tradecraft;
    • Significant information risks involving blended or multimode attacks and insider threats.

    The NoticeBored module is designed to appeal to virtually everyone in the organization, regardless of their individual preferences and perspectives.  A given individual may not value everything in the module, but hopefully there will be something that catches their attention – and that something may not even be the NoticeBored awareness materials as such, but perhaps a casual comment or oblique criticism from a peer or manager relating to the topic, which in turn was prompted by the NoticeBored content. 

    The NoticeBored posters, for instance, are deliberately thought-provoking, puzzling even.  Rather than spoon-feeding people with lots of written information, we choose striking images to express various challenging and often complex concepts visually.  We hope people will notice the posters, wonder what they are on about, and maybe chat about them … which is where the learning happens.

    Explore the thinking that went into these awareness materials, and by all means tag-along with us as we develop next month’s module, on the NoticeBored blog.

    Learning objectives

    December’s awareness materials are intended to:
    • Introduce/outline social engineering – a backgrounder on the wide variety of forms it takes, techniques used etc.;
    • Describe and promote the corresponding information security controls, particularly the human element given the limited effectiveness of technical/cybersecurity controls against social engineering, with a mix of informational and stimulating content;
    • Motivate workers to act more securely, for example spotting, rebuffing and reporting possible attacks.
    There are briefings, presentations, quizzes and competitions, checklists, posters and more in the new module - a wealth of creative materials all ready to use, straight out of the box (although we encourage you to customize them if you have the time).
    We’ve introduced a new A-to-Z-style awareness format this month with three briefings that work nicely together as a suite:
    1. A-to-Z of social engineering scams, con-tricks and frauds (FREE PDF) - what they do;
    2. A-to-Z of social engineering methods and techniques - how they do it;
    3. A-to-Z of social engineering controls and countermeasures - how to spot and stop them in their tracks.

    Get this module

    Subscribe to the NoticeBored service for December’s awareness module, plus InfoSec 101, a set of information risk and security policy templates, and further awareness modules on a huge range of information risk and security topics, something different every month. Email me to set the ball rolling.

    Nurturing the corporate security culture through awareness

    Subscribe to NoticeBored for fresh perspectives on information risk and security within the corporate context.  NoticeBored picks up on the strategic, governance, compliance and business aspects, particularly in the management stream of course but the principles underpin the general staff and professional streams too.  Information is a valuable and yet vulnerable asset that needs to be protected and legitimately exploited for sound business reasons - not just for compliance purposes or because we say so!  Properly done, information risk management is a business enabler, with security awareness a vital part of the approach - particularly, of course, in topics such as social engineering and fraud.

    Nov 30, 2017

    NBlog November 30 - social engineering module

    We've been busier than ever the past week or so, particularly with the NoticeBored materials on social engineering. It is a core topic for security awareness since workers' vigilance is the primary control, hence a lot of effort goes into preparing materials that are interesting, informative, engaging and motivational. It's benign social engineering! 

    The materials are prepared and are in the final stage now, being proofread before being delivered to subscribers later today.

    This is a bumper module with a wealth of content, most of which is brand new. I blogged previously about the A-to-Z guides on social engineering scams, con-tricks and frauds, methods and techniques, and controls and countermeasures. I'll describe the remainder of the materials soon, once everything is finished and out the door. 

    Meanwhile, I must get on: lots to do!

    Nov 28, 2017

    ISO27k internal audits for small organizations

    Figuring out how to organize, resource and conduct internal audits of an ISO/IEC 27001 Information Security Management System can be awkward for small organizations.
    Independence is the overriding factor in auditing of all forms. For internal auditing, it’s not just a question of who the auditors report to and their freedom to ‘say what needs to be said’ (important though that is), but more fundamentally their mindset, experience and attitude. They need to see things with fresh eyes, pointing out and where necessary challenging management to deal with deep-seated long-term ‘cultural’ issues that are part of the fabric in any established organization. That’s hard if they are part of the day-to-day running of the organization, fully immersed in the culture and (for managers in small organizations especially) partly responsible for the culture being the way it is. We all have our biases and blind spots, our habits and routines: a truly independent view hopefully does not - at least, not entirely the same one!

    ISO/IEC 27001 recommends both management reviews and internal audits. The people you have mentioned may well be technically qualified to do both but (especially without appropriate experience/training, management support and the independent, critical perspective I’ve mentioned) they may not do so well at auditing as, say, consultants. The decision is a business issue for you and your management: do the benefits of having a truly independent and competent audit outweigh the additional cost? Or do you think your own people would do it well enough at lower cost?

    As the customer, you get to specify exactly what you want the consultants to bid for. A very tightly scoped and focused internal audit for a relatively small and simple ISMS might only take a day or two of consulting time, keeping the costs down. On the other hand, they will be able to dig deeper and put more effort into the reporting and achieving improvements if you allow them more time for the job – again, a management decision, worth discussing with potential consultants.

    One strategy you might consider is to rotate the internal audit responsibility among your own people, having different individuals perform successive audits. That way, although they are not totally independent, they do at least have the chance to bring different perspectives to areas that they would not normally get involved in. It would help to have a solid, standardized audit process though, so each of the auditors is performing and reporting the audit work in a similar way … and to get you started and set that up, you might like to engage a consultant for the first audit, designing and documenting the audit process, providing checklist and reporting templates etc., and ideally training up one or more of your own people to take the lead on the next audit (like a relay race, passing the baton down the line). 

    Another possibility is to send one or more of your people on a training course for internal auditing, perhaps one of the ISO27k/ISMS-specific Lead Auditor courses. Although I believe the LA courses only cover compliance or certification auditing, they do at least teach the concepts and processes that are much the same for internal audits. Personally, I would recommend ISACA’s CISA instead, as it is more suited to IT auditing in general.

    Yet another potential approach is to ask appropriate newcomers to the organization (management level, probably) to do your audits. They would need support and guidance on the audit process, but they would at least be free of the baggage that existing employees carry! On top of that, it would be an excellent way to introduce them to all of management, giving them a view across the whole enterprise – a jump start if you like.

    Oh and here’s one more option. How about ‘swapping’ with a partner organization: you audit them and they audit you? Obviously you’d need to be careful about the confidentiality, trust and commercial aspects, and you’d still have to be careful about the competence of the individuals doing the work, but it might work out conveniently for both parties, with the added advantage of perhaps sharing good practices between you.

    The beauty of ISO27k is that you have plenty of latitude on how to manage information security, even within the constraints of '27001 certification, so you can be quite creative with how your ISMS is designed. At the end of the day, it is your ISMS and your information at risk, so do whatever is best for your business. That’s even more important than being certified compliant!

    Nov 22, 2017

    NBlog November 22 - A to Z of social engineering controls

    I didn't quite finish the A-to-Z on social engineering methods yesterday as planned but that's OK, it's coming along nicely and we're still on track. 

    I found myself dipping back into the A-to-Z on scams, con-tricks and frauds for inspiration or to make little changes, and moving forward to sketch rough notes on the third and final part of our hot new security awareness trilogy: an A-to-Z on the controls and countermeasures against social engineering. Writing that is my main task for today, and all three pieces are now progressing in parallel as a coherent suite.

    It's no blockbuster but I have a good feeling about this, and encouraging feedback from readers who took me up on my offer of a free copy of the first part.

    Along the way, a distinctive new style and format has evolved for the A-to-Zs, using big red drop caps to emphasize the first item under each letter of the alphabet. I've created and saved a Word template to make it easier and quicker to write A-to-Zs in future - a handy tip, that, for those of you who are singing along at home, writing your own awareness and training content.

    I'd like to include some graphics and examples to illustrate them and lighten them up a bit, but with the deadline fast approaching that may have to wait until they are next updated. Getting the entire awareness module across the line by December 1st comes first, which limits the amount of tweaking time I can afford - arguably a good thing as I find this topic fascinating, and I could easily prepare much more than is strictly necessary for awareness purposes. 

    Aside from that, the release of an updated OWASP top 10 list of application security controls prompted me to update our information security glossary with a couple of new definitions, and a radio NZ program about a book fair in Edinburgh (!) prompted me to explain improv sessions as a creative suggestion for the train-the-trainer guide for the social engineering module.

    Breaking news about Uber losing millions of personal records to hackers has the potential to become a case study at some point. Initial rather vague news reports speak of hacking user credentials from GitHub and using them to access and steal info from cloud storage services, and raise concerns about the way the privacy noncompliance incident was handled and concealed, which in turn hints at a governance issue - in other words, this looks like becoming yet another multi-faceted incident, relevant to several infosec topics. Possibly, as with the Sony Pictures Entertainment incident, there may be enough meat on the bones to merit creating a special awareness module all by itself: it depends how the story evolves from here, and how much pertinent information is published.

    Nov 21, 2017

    NBlog November 21 - A to Z of social engineering techniques

    On a roll from yesterday's A-to-Z catalog of scams, con-tricks and frauds, I'm writing another A-Z today, this time focusing on social engineering techniques and methods.  

    Yesterday's piece was about what they do.  Today's is about how they do it.

    Given my background and the research we've done, it's surprisingly easy to find appropriate entries for most letters of the alphabet, albeit with a bit of creativity and lateral thinking needed for some (e.g. "Xtreme social engineering"!).  That's part of the challenge of writing any A to Z listing ... and part of the allure for the reader. 

    What will the Z entry be?  As of this moment, I don't actually know but I will come up with zomething!

    Both awareness pieces impress upon the reader the sheer variety of social engineering, while at the same time the alphabetical sequence provides a logical order to what would otherwise be a confusing jumble of stuff. Making people aware of the breadth and diversity of social engineering is one of the key learning objectives for December's NoticeBored module. Providing structured, useful, innovative awareness content is what we do.

    We hope to leave a lasting impression that almost any social interaction or communication could be social engineering - any email or text message, any phone call or conversation, any glance or frown, any blog item (am I manipulating your thoughts? Am I persuading you to subscribe to NoticeBored? Look deeply into my eyes. Concentrate on the eyes. You are starting to feel drowsy ...)

    Yes, hypnosis will make an appearance in today's A-Z.  It's not entirely serious!

    Tomorrow, after completing the second, I'd like to complete the set with a third piece concerning the controls against social engineering. Can we come up with a reasonable list of 26? Come back tomorrow to find out how that turns out.