Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Dec 13, 2017

NBlog December 13 - IoT & BYOD security policies

Today we've been working on model policies concerning IoT and BYOD security.

We offer two distinct types of policy:

  1. Formal information security policies explicitly defining the rules, obligations and requirements that must be satisfied, with a strong compliance imperative relating to management's authority.  These are the internal corporate equivalent of laws ... although we go to great lengths to make them reasonably succinct (about 3 sides), readable and understandable by everyone, not just lawyers familiar with the archaic and arcane legal lexicon (such as has heretofore in the present clause been ably demonstrated, m'lud).
  2. Informal - or at least semi-formal - Acceptable Use Policies that are more advisory and motivational in nature. These compare pragmatic examples of acceptable (in green) against unacceptable (red) uses to illustrate the kinds of situation that workers are likely to understand.  They are even more succinct - just a single side of paper.
So, we now have four security policy templates for IoT and BYOD.

Although they don't contain huge volumes of content and are relatively simple, it takes a fair bit of time and effort to research, design and prepare them. Part of our challenge is that we don't have a particular organization in mind - these are generic templates giving customers a reasonably complete and hopefully useful starting point that they can then customize or adapt as they wish. 

Those customers who already have policies covering IoT and BYOD might find it helpful to compare theirs against ours, particularly in terms of keeping them up to date with ever-changing technologies and risks, while also being readable and pragmatic. Having been developing policies for close to 30 years, I've learnt a trick or two along the way!

The policies will be delivered to NoticeBored subscribers in January's security awareness module, and are available to purchase either individually or as a suite from us.  Contact me (Gary@isect.com) for details.

Dec 12, 2017

NBlog December 11 - things in Santa's sack

What's hot in toyland this Christmas?

Way back when I was a kid, shortly after the big bang, it was Meccano and Lego for me. I still value the mechanical skills I learnt way back then. Give me a box of thin metal strips full of holes, a plentiful supply of tiny nuts and bolts, and some nobbly plastic bricks, and I'll build you an extraordinary space station complete with spinning artificial gravity module. Or I might just chew them.

Today's toys supplement the child's imagination with the software developers'. There are apps for everything, running on diminutive devices more powerful than those fridge-sized beige boxes I tended for a hundred odd scientists (some very odd) in my first real job.

Writing about tech toys in the shops this Christmas, Stuart Miles says:
"For many, the days of just building a spaceship out of Lego or playing a game of Monopoly are long gone. Today, kids want interactive tech toys that are powered by an app or that connect to the internet. They want animals that learn and grow as you play with them, or robots that will answer back."
Some toys are autonomous while others are networked - they are things.  Microphones and cameras are often built-in for interaction, and we've already seen a few news reports about them being used for snooping on families.  All fairly innocuous, so far ... but what about those high-tech toys we grownups are buying each other this year?  Some will find their way into the office, the home office at least, where snooping has different implications.

Dec 8, 2017

NBlog December 8 - cybersecurity awareness story-telling

Conceptual diagrams ('mind maps') are extremely useful for awareness purposes.  This one, for instance, only has about 50 words but expresses a lot more than could be said with ~50 words of conventional prose:

Despite it being more than 7 years since I drew that diagram in Visio, it immediately makes sense. It tells a story. 

Working clockwise from 1 o'clock, it steps through the main wireless networking technologies that were common in 2010, picking out some of the key information security concerns for each of them.  It's not hard to guess what I was thinking about.

The arrows draw the reader's eye in the specified direction along each path, linking together related items. Larger font, bold text and the red highlight the main elements, leading towards and emphasizing "New risks" especially. Sure enough, today we have to contend with a raft of personal, local, mesh, community and wide area networks, in addition to those shown.

When the diagram was prepared, we didn't know exactly what was coming but predicted that new wireless networking technologies would present new risks. That's hardly ground-breaking insight, although pointing out that risks arise from the combination of threats, vulnerabilities and impacts hinted at the likelihood of changes in all three areas, a deliberate ploy to get the audience wondering about what might be coming, and hopefully thinking and planning ahead.

It's time, now, to update the diagram and adapt it to reflect the current situation for inclusion in January's awareness module. The process of updating the diagram is as valuable as the product - researching and thinking about what has changed, how things have changed, what's new in this space etc. qualifies as fun for this geek! Take yesterday's blog piece, for instance: back in 2010, I probably would not have believed it possible that today we'd be configuring our Christmas tree light shows from Web-based apps on our mobile phones ... and that's merely a trivial, seasonal example. The information risk and security angles to IoT and BYOD go on and on.

Technology is the gift that keeps on giving.

Dec 7, 2017

NBlog December 7 - Santa's slaves bearing gifts

Today we went on a tiki-tour of the forest in search of a few pine saplings of just the right size, shape and density to serve as Christmas trees. Naturally, the best ones were in the brambles or on the side of a near vertical slope but, hey, that's all part of the fun.

I guess 'Web-enabled remotely-controllable LED Christmas tree lights' are The Thing this year.  Ooh the sheer luxury of being able to program an amazing light show from your mobile phone!

So what are the information risks in that scenario? Let's run through a conventional risk analysis, looking in turn at the threats, the vulnerabilities and the impacts.

Threats:
  • Elves meddling with the light show, causing frustration and puzzlement.
  • Pixies making the lights flash at a specific frequency known to trigger epileptic attacks.
  • Naughty pixies intent on infecting mobile phones with malware, taking control of them and stealing information, via the light show app.
  • Hackers using yet-another-insecure-Thing as an entry point into assorted home ... and corporate networks (because, yes, BYOD doubtless extends to someone bringing in Web-enabled lights to brighten up the office Christmas tree this year).

Vulnerabilities:
  • Irresistibly sexy new high-technology stuff. Resistance is futile. Christmas is coming. Santa is king.
  • Inherently insecure Things (probably ... with probability levels approaching one).
  • Blind-spots towards information risk and security associated with Things, especially cheap little Things in all the shops. Who gives a stuff about cybersecurity for web-enabled Christmas tree lights? Before you read this blog, did it even occur to you as an issue? Are you still dubious about it? Read on!
  • Does anyone bother security-testing them, or laying down rules about bringing them into the home or the corporation?
  • Ineffective compliance enforcement of safety and security standards for low-value, high-volume retail stuff flooding the markets.
  • Widespread dependence on "the authorities" to protect "us" from "them": a naive and potentially reckless abdication of our own responsibility.

Impacts:
  • Theft of valuable and confidential information.
  • Disruption or loss of valuable data, networks and devices.
  • [Further] loss of control over network access points, leading to exploitation of other connected systems and data.
  • Fire from badly engineered and manufactured knock-em-out-and-pile-em-high cut-price electronics connected to the mains power and dangled among increasingly flammable dead pine trees.
  • Distractedly driving into the back of stationary traffic while trying to re-program the light show on your way home from the office, at the insistence of a back-seat-load ("a pester" is the collective noun) of over-excited kids on a massive sugar high. A rather more dramatic form of impact, that!

Taking that all into account, there are definitely information risks in the scenario, but whether you consider them significant enough to worry about depends on your perspective.

OK so I admit I'm going out on a limb by analyzing information risks for web-enabled Christmas tree lights, but the risk analysis is much the same for a zillion other Things quietly invading our homes and businesses. It's the zombie apocalypse.

Aside from all those high-tech toys soon to be piled up under the Christmas tree, the modern hi-tech kitchen and lounge is already replete with Web-enabled whiteware and entertainment systems, and almost everything that moves or goes ping in the office (including the workers!) is wirelessly networked.

Remember, kids, information security is for life - not just for Christmas.

["Santa's slaves" alludes to a friend-of-a-friend's little'un asking its mum for 'one of those Christmas slaves this year - you know, the slave that Santa rides', while jangling his slave-bells, presumably.]

Dec 5, 2017

NBlog December 5 - lurid headline

Social-Engineer.com's newsletter is a useful source of information about social engineering methods. The latest issue outlines some of the tricks used by phishers to lure their victims initially.
"It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is safe to ask why that is the case though, given how much of this email gets caught up in our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering emotional responses from targets using simple and seemingly innocuous messaging to generate any response at all. Some messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker’s choosing can then be sent or the message itself can entice the target to act."
That same technique is used by advertisers over the web in the form of lurid or intriguing headlines and images, carefully crafted to get us to click the links and so dive into a rabbit warren of further items and junk, all the while being inundated with ads. You may even see the lures here or hereabouts (courtesy of Google). Once you've seen enough of them, you'll recognize the style and spot the trigger words - bizarre, trick, insane, weird, THIS and so on, essentially meaning CLICK HERE, NOW!

They are curiously attractive, almost irresistible, even though we've groped around in the rabbit warrens before and suspect or know what we're letting ourselves in for. But why is that?

'Curiously' is the key: it's our natural curiosity that leads us in. It's what led you to read this sentence. Ending the previous paragraph with a rhetorical question was my deliberate choice. Like magpies or trout chasing something shiny, I got you. You fell for it. I manipulated you. Sorry.

There are loads more examples along similar lines - random survey statistics for instance ("87% of X prone to Y") and emotive subjects ("Doctors warn Z causes cancer"). We have the newspapers to thank for the very term 'headline', not just the tabloid/gutter press ("Elvis buried on Mars") but the broadsheets and more up-market magazines and journals, even scientific papers. The vast majority of stuff we read has titles and headings, large and bold in style, both literally and figuratively. Postings on this blog all have short titles and a brief summary/description, and some of the more detailed pieces have subheadings providing structure and shortcuts for readers who lack the time or inclination to read every word ... which hints at another issue, information overload. Today's Web is so vast that we're all sipping from the fire hose.

And that reminds me: intriguing imagery is another manipulative technique to grab us by the wotsits. The fire hose is a highly visual analogy: it conjures up a dramatic scene in your mind, so effectively that an actual picture of a gushing hose would be crass. I wrote yesterday about word clouds, and through this blog we've shared a few of the creative posters that accompany the NoticeBored security awareness materials every month.

Samplers of the NoticeBored content

We also use colorful mind maps, process diagrams, flow-charts and so on for the same reason - to intrigue and so grab the reader's focus for a moment, to impart useful information, and so to inspire, motivate and entertain. Some of us like written words, some prefer pictures, and others like to be shown or directly experience stuff first hand ... which is why we also provide seminar slide decks, case studies and briefing papers. It's an immersive approach to security awareness.

But time is precious so that's it for today. Thanks for dangling on my hook. I'm letting you go now. Swim free.

Dec 4, 2017

NBlog December 4 - word clouds

Today I've been hunting for word-art programs or services. We've been happily using Wordle for a good while now. It has worked well, despite a few minor niggles:

• It runs in Internet Explorer, but not Chrome;
• It creates cloud shapes, blobs not distinct shapes;
• It feeds on word lists, not URLs.
There are several alternatives. The hands image above was generated quite simply in WordArt. WordClouds is another option. There are more: Google knows where to find them.

I'll be trying them out during December. The combination of words and graphics amuses me, and hopefully catches a few eyes out there too. Catching eyes and imaginations is what we do.

Dec 2, 2017

NBlog December 2 - next topic

Next up on the NoticeBored conveyor belt is an awareness module on the security aspects of BYOD and IoT.

Aside from being topical IT acronyms, both (largely) involve portable ICT devices - wireless-networked, self-contained, portable electronic gizmos.

We've covered BYOD and IoT security before, separately, but it makes sense to put them together for a change of focus.

As Things steadily proliferate, workers are increasingly likely to want to wear or bring them to work, and carry on using them. The security implications are what we'll be exploring in the next module.

Dec 1, 2017

NBlog December 1 - social engineering module released

We close off the year with a fresh look at social engineering, always a topical issue during the holiday/new-year party season when we let our hair down. Generally speaking, we are less guarded and more vulnerable than usual to some forms of social engineering. The sheer variety of social engineering is one of the key messages in this month’s awareness materials.
This module concerns:
• Social engineering attacks including phishing and spear-phishing, and myriad scams, con-tricks and frauds;
• The use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineers’ tradecraft;
• Significant information risks involving blended or multimode attacks and insider threats.
The NoticeBored module is designed to appeal to virtually everyone in the organization, regardless of their individual preferences and perspectives. A given individual may not value everything in the module, but hopefully there will be something that catches their attention – and that something may not even be the NoticeBored awareness materials as such, but perhaps a casual comment or oblique criticism from a peer or manager relating to the topic, which in turn was prompted by the NoticeBored content.
The NoticeBored posters, for instance, are deliberately thought-provoking, puzzling even. Rather than spoon-feeding people with lots of written information, we choose striking images to express various challenging and often complex concepts visually. We hope people will notice the posters, wonder what they are on about, and maybe chat about them … which is where the learning happens.
Explore the thinking that went into these awareness materials, and by all means tag along with us as we develop next month’s module, on the NoticeBored blog.

Learning objectives

December’s awareness materials are intended to:
• Introduce/outline social engineering – a backgrounder on the wide variety of forms it takes, techniques used etc.;
• Describe and promote the corresponding information security controls, particularly the human element given the limited effectiveness of technical/cybersecurity controls against social engineering, with a mix of informational and stimulating content;
• Motivate workers to act more securely, for example spotting, rebuffing and reporting possible attacks.
There are briefings, presentations, quizzes and competitions, checklists, posters and more in the new module - a wealth of creative materials all ready to use, straight out of the box (although we encourage you to customize them if you have the time).
We’ve introduced a new A-to-Z-style awareness format this month with three briefings that work nicely together as a suite:
1. A-to-Z of social engineering scams, con-tricks and frauds (FREE PDF) - what they do;
2. A-to-Z of social engineering methods and techniques - how they do it;
3. A-to-Z of social engineering controls and countermeasures - how to spot and stop them in their tracks.

Get this module

Subscribe to the NoticeBored service for December’s awareness module, plus InfoSec 101, a set of information risk and security policy templates, and further awareness modules on a huge range of information risk and security topics, something different every month. Email me to set the ball rolling.

Nurturing the corporate security culture through awareness

Subscribe to NoticeBored for fresh perspectives on information risk and security within the corporate context. NoticeBored picks up on the strategic, governance, compliance and business aspects, particularly in the management stream of course, but the principles underpin the general staff and professional streams too. Information is a valuable and yet vulnerable asset that needs to be protected and legitimately exploited for sound business reasons - not just for compliance purposes or because we say so! Properly done, information risk management is a business enabler, with security awareness a vital part of the approach - particularly, of course, in topics such as social engineering and fraud.

Nov 30, 2017

NBlog November 30 - social engineering module

We've been busier than ever the past week or so, particularly with the NoticeBored materials on social engineering. It is a core topic for security awareness since workers' vigilance is the primary control, hence a lot of effort goes into preparing materials that are interesting, informing, engaging and motivational. It's benign social engineering!

The materials are prepared and are in the final stage now, being proofread before being delivered to subscribers later today.

This is a bumper module with a wealth of content, most of which is brand new. I blogged previously about the A-to-Z guides on social engineering scams, con-tricks and frauds, methods and techniques, and controls and countermeasures. I'll describe the remainder of the materials soon, once everything is finished and out the door.

Meanwhile, I must get on: lots to do!

Nov 28, 2017

ISO27k internal audits for small organizations

Figuring out how to organize, resource and conduct internal audits of an ISO/IEC 27001 Information Security Management System can be awkward for small organizations.

Independence is the overriding factor in auditing of all forms. For internal auditing, it’s not just a question of who the auditors report to and their freedom to ‘say what needs to be said’ (important though that is), but more fundamentally their mindset, experience and attitude. They need to see things with fresh eyes, pointing out and where necessary challenging management to deal with deep-seated long-term ‘cultural’ issues that are part of the fabric in any established organization. That’s hard if they are part of the day-to-day running of the organization, fully immersed in the culture and (for managers in small organizations especially) partly responsible for the culture being the way it is. We all have our biases and blind spots, our habits and routines: a truly independent view hopefully does not - at least, not entirely the same one!

ISO/IEC 27001 requires both management reviews and internal audits. The people you have mentioned may well be technically qualified to do both but (especially without appropriate experience/training, management support and the independent, critical perspective I’ve mentioned) they may not do so well at auditing as, say, consultants. The decision is a business issue for you and your management: do the benefits of having a truly independent and competent audit outweigh the additional cost? Or do you think your own people would do it well enough at lower cost?

As the customer, you get to specify exactly what you want the consultants to bid for. A very tightly scoped and focused internal audit for a relatively small and simple ISMS might only take a day or two of consulting time, keeping the costs down. On the other hand, they will be able to dig deeper and put more effort into the reporting and achieving improvements if you allow them more time for the job – again, a management decision, worth discussing with potential consultants.

One strategy you might consider is to rotate the internal audit responsibility among your own people, having different individuals perform successive audits. That way, although they are not totally independent, they do at least have the chance to bring different perspectives to areas that they would not normally get involved in. It would help to have a solid, standardized audit process though, so each of the auditors is performing and reporting the audit work in a similar way … and to get you started and set that up, you might like to engage a consultant for the first audit, designing and documenting the audit process, providing checklist and reporting templates etc., and ideally training up one or more of your own people to take the lead on the next audit (like a relay race, passing the baton down the line).

Another possibility is to send one or more of your people on a training course for internal auditing, perhaps one of the ISO27k/ISMS-specific Lead Auditor courses. Although I believe the LA courses only cover compliance or certification auditing, they do at least teach the concepts and processes that are much the same for internal audits. Personally, I would recommend ISACA’s CISA instead, as it is more suited to IT auditing in general.

Yet another potential approach is to ask appropriate newcomers to the organization (management level, probably) to do your audits. They would need support and guidance on the audit process, but they would at least be free of the baggage that existing employees carry! On top of that, it would be an excellent way to introduce them to all of management, giving them a view across the whole enterprise – a jump start if you like.

Oh and here’s one more option. How about ‘swapping’ with a partner organization: you audit them and they audit you? Obviously you’d need to be careful about the confidentiality, trust and commercial aspects, and you’d still have to be careful about the competence of the individuals doing the work, but it might work out conveniently for both parties, with the added advantage of perhaps sharing good practices between you.

The beauty of ISO27k is that you have plenty of latitude on how to manage information security, even within the constraints of '27001 certification, so you can be quite creative with how your ISMS is designed. At the end of the day, it is your ISMS and your information at risk, so do whatever is best for your business. That’s even more important than being certified compliant!

Nov 22, 2017

NBlog November 22 - A to Z of social engineering controls

I didn't quite finish the A-to-Z on social engineering methods yesterday as planned but that's OK, it's coming along nicely and we're still on track.

I found myself dipping back into the A-to-Z on scams, con-tricks and frauds for inspiration or to make little changes, and moving forward to sketch rough notes on the third and final part of our hot new security awareness trilogy: an A-to-Z on the controls and countermeasures against social engineering. Writing that is my main task for today, and all three pieces are now progressing in parallel as a coherent suite.

It's no blockbuster but I have a good feeling about this, and encouraging feedback from readers who took me up on my offer of a free copy of the first part.

Along the way, a distinctive new style and format has evolved for the A-to-Zs, using big red drop caps to emphasize the first item under each letter of the alphabet. I've created and saved a Word template to make it easier and quicker to write A-to-Zs in future - a handy tip, that, for those of you who are singing along at home, writing your own awareness and training content.

I'd like to include some graphics and examples to illustrate them and lighten them up a bit, but with the deadline fast approaching that may have to wait until they are next updated. Getting the entire awareness module across the line by December 1st comes first, which limits the amount of tweaking time I can afford - arguably a good thing as I find this topic fascinating, and I could easily prepare much more than is strictly necessary for awareness purposes.

Aside from that, the release of an updated OWASP Top 10 list of web application security risks prompted me to update our information security glossary with a couple of new definitions, and a Radio NZ program about a book fair in Edinburgh (!) prompted me to explain improv sessions as a creative suggestion for the train-the-trainer guide for the social engineering module.

Breaking news about Uber losing millions of personal records to hackers has the potential to become a case study at some point. Initial rather vague news reports speak of attackers obtaining credentials from a GitHub repository and using them to access and steal data from a cloud storage service, and raise concerns about the way the privacy noncompliance incident was handled and concealed, which in turn hints at a governance issue - in other words, this looks like becoming yet another multi-faceted incident, relevant to several infosec topics. Possibly, as with the Sony Pictures Entertainment incident, there may be enough meat on the bones to merit creating a special awareness module all by itself: it depends how the story evolves from here, and how much pertinent information is published.

Nov 21, 2017

NBlog November 21 - A to Z of social engineering techniques

On a roll from yesterday's A-to-Z catalog of scams, con-tricks and frauds, I'm writing another A-Z today, this time focusing on social engineering techniques and methods.

Yesterday's piece was about what they do. Today's is about how they do it.

Given my background and the research we've done, it's surprisingly easy to find appropriate entries for most letters of the alphabet, albeit with a bit of creativity and lateral thinking needed for some (e.g. "Xtreme social engineering"!). That's part of the challenge of writing any A to Z listing ... and part of the allure for the reader.

What will the Z entry be? As of this moment, I don't actually know but I will come up with zomething!

Both awareness pieces impress upon the reader the sheer variety of social engineering, while at the same time the alphabetical sequence provides a logical order to what would otherwise be a confusing jumble of stuff. Making people aware of the breadth and diversity of social engineering is one of the key learning objectives for December's NoticeBored module. Providing structured, useful, innovative awareness content is what we do.

We hope to leave a lasting impression that almost any social interaction or communication could be social engineering - any email or text message, any phone call or conversation, any glance or frown, any blog item (am I manipulating your thoughts? Am I persuading you to subscribe to NoticeBored? Look deeply into my eyes. Concentrate on the eyes. You are starting to feel drowsy ...)

Yes, hypnosis will make an appearance in today's A-Z. It's not entirely serious!

Tomorrow, after completing the second, I'd like to complete the set with a third piece concerning the controls against social engineering. Can we come up with a reasonable list of 26? Come back tomorrow to find out how that turns out.

Nov 20, 2017

NBlog November 20 - an A to Z catalog of social engineering

A productive couple of days' graft has seen what was envisaged to be a fairly short and high-level general staff awareness briefing on social engineering morph gradually into an A-to-Z list of scams, con-tricks and frauds.

It has grown to about 9 pages in the process. That may sound like a tome, over-the-top for awareness purposes ... and maybe it is, but the scams are described in an informal style in just a few lines each, making it readable and easily digestible. The A-to-Z format leads the reader naturally through a logical sequence, perhaps skim-reading in places and hopefully stopping to think in others.

For slow/struggling readers, there are visual cues and images to catch their eyes but let's be honest: this briefing is not for them. They would benefit more from seminars, case studies, chatting with their colleagues and getting involved in other interactive activities (which we also support through our other awareness content). The NoticeBored mind maps and posters, for instance, express things visually with few words.

Taking a step back from the A-Z list, the sheer variety and creativity of scams is fascinating, and I'm not just saying that because I wrote it! That's a key security awareness lesson in itself. Social engineering is hard to pin down to a few simple characteristics, in a way that workers can be expected to recognize easily. Some social engineering methods, such as ordinary phishing, are readily explained and fairly obvious but even then there are more obscure variants (such as whaling and spear phishing) that take the technique and threat level up a gear.

It's not feasible for an awareness program to explain all forms of social engineering in depth, literally impossible in fact. It's something that an intensive work or college course might attempt, perhaps, for fraud specialists who will be fully immersed in the topic, but that's fraud training, not security awareness. We can't bank on workers taking time out from their day-jobs to sit in a room, paying full attention to their lecturers and scribbling notes for hour after hour. There probably aren't 'lecturers' in practice: most of this stuff is delivered online today, pushed out impersonally through the corporate intranet and learning management systems.

Our aim is to grab workers' attention, fleetingly, impart useful information and guidance, and motivate them to take even more care in future: yes, that's a benign form of social engineering. Maybe we should include it in the A-to-Z?

[Email me for a FREE copy of this briefing]

    Nov 19, 2017

    NBlog November 19 - IoD advises members to develop "cyber security strategy"

    A report for the UK Institute of Directors by Professor Richard Benham encourages IoD members to develop “a formal cyber security strategy”.

    As is so often the way, 'cyber' is not explicitly defined by the authors although it is strongly implied that the report concerns the commercial use of IT, the Internet, digital systems and computer data (as opposed to cyberwar perpetrated by well-resourced nation states - a markedly different interpretation of 'cyber' involving substantially greater threats).

    A 'formal cyber security strategy' would be context dependent, reflecting the organization's business situation. That broader perspective introduces other aspects of information risk, security, governance and compliance. All relevant aspects need to be considered at the strategic level, including but not just 'cyber security'. 

    Counteracting or balancing the desire to lock down information systems and hence data so tightly that its value to the business is squeezed out, 'cyber security strategy' should be closely aligned with, if not an integral part of, information management. For instance it should elaborate on proactively exploiting and maximising the value of information the organization already holds or can obtain or generate, working the asset harder for more productive business purposes. In some circumstances, that means deliberately relaxing the security, consciously accepting the risks in order to gain the rewards. 

    I find it ironic that the professor is quoted:
    “This issue must stop being treated as the domain of the IT department and be the subject of boardroom policy. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”
    Does he not appreciate that, in common parlance and understanding of the term, cyber is the geeks' domain, their home turf? Over-use of both 'cyber' and 'security' biases the entire report and perpetuates the issue, unfortunately.

    'Information risk management' would be a more appropriate term since it concerns: 
    • 'Information' not just 'data': there's a huge amount of valuable information outside the computer systems and networks, not least in workers' heads. That, too, is a valuable asset which deserves to be nurtured, exploited and protected. No amount of 'cyber security' is going to stop an experienced employee resigning to work for a competitor, taking loads of proprietary information with them, or blabbing about trade secrets on social media, over coffee or down the pub.
    • 'Risk' not just 'security'. Security is not inherently valuable unless it addresses risk ... and security controls are not the only way to address risks. In referring to 'cyber insurance' for instance, the report yet again over-emphasizes IT, whereas insurance plus incident management, business continuity management and other aspects would provide a more rounded, sensible, strategic approach, fundamental to which is an appreciation of the risks.
    • 'Management', as in systematically planning, directing, monitoring and controlling things to achieve business objectives. Fire-and-forget does not apply here: management needs to keep a close eye on developments, especially as the risks are changing rapidly around us. There are governance aspects to it too, including that point about not leaving it to IT!
    An 'information risk management strategy', then, has legs. We're getting somewhere!

    To be clear, my beef is not just with the semantics. Frequent and widespread reference to 'cyber security' and related neologisms doesn't make it right. It is too specific, too narrow to address the real issues, bordering on being a dangerous diversion. It's a bit like the distinction between 'global warming' and 'climate change'. They are strongly related concepts, of course, but need to be handled differently in practice. There's more to climate change than the Earth warming up a bit.

    On a positive note, I’m pleased to see the report state:
    "Ensure all your staff have regular cyber awareness training, building it into induction processes and ensure your people are a robust and secure first line of defence."
    Personally, I’d have preferred the term “continuous information risk and security awareness” to counteract the obsessive focus on both 'cyber' and 'security', and to draw the distinction between awareness and training. They are complementary approaches with different objectives and methods.  If that's unclear, take a good look at NIST SP800-50 "Building an Information Technology Security Awareness and Training Program" or Rebecca Herold's "Managing an Information Security and Privacy Awareness and Training Program".

    Nov 16, 2017

    NBlog November 16 - color-coding awareness

    Looking back, I see that I've blogged quite a few times in different contexts about color.

    For example, most of the security metrics I discuss are colored, and color is one of several important factors when communicating metrics, drawing the viewer's eye towards certain aspects for emphasis. 

    We talk of white hats and black hats, red teams and so on.

    Traffic light RAG coloring (Red-Amber-Green) is more or less universally understood to represent a logical sequence of speed, intensity, threat level, concern or whatever - perhaps an over-used metaphor but effective nonetheless. Bright primary colors are commonly used on warning signs and indications, sometimes glinting or flashing for extra eye-catchiness.

    Jeff Cooper, father of the "modern technique" of handgun shooting, raised the concept of Condition White, the state of mind of someone who is totally oblivious to a serious threat to their personal safety. Cooper's Color Code is readily adapted to the information risk and security context, for example in relation to a worker's state of alertness and readiness for an impending hack, malware infection or social engineering attack. We're currently exploring and expanding on that idea as part of December's awareness briefing for professionals on social engineering.

    Nov 15, 2017

    NBlog November 15 - ethical social engineering for awareness

    Security awareness involves persuading, influencing and you could say manipulating people to behave differently ... and so does social engineering. So could social engineering techniques be used for security awareness purposes?

    The answer is a resounding yes - in fact we already do, in all sorts of ways.  Take the security policies and procedures, for instance: they inform and direct people to do our bidding. We even include process controls and compliance checks to make sure things go to plan. This is manipulative.

    Obviously the motivations, objectives and outcomes differ, but social engineering methods can be used ethically, beneficially and productively to achieve awareness. Exploring that idea even reveals some novel approaches that might just work, and some that are probably best avoided or reversed.

    | Social engineering method, technique or approach | Security awareness & training equivalents |
    |---|---|
    | Pretexting: fabricating plausible situations | Case studies, rôle-plays, scenarios, simulations, tests and exercises |
    | Plausible cover stories, escape routes, scorched earth, covering tracks | ‘What-if’ scenarios, worst-case risk analysis, continuity and contingency planning |
    | Persuading, manipulating, using subconscious, visual, auditory and/or behavioral cues such as body language, verbal phrasing and emphatic timing | Apply the methods and techniques used in education, marketing and advertising (e.g. branding disparate awareness materials consistently to link them together) |
    | Deceiving/telling lies, making false promises, masquerading/mimicry, fitting-in, going undercover, building the picture, putting on a persona or mask (figuratively speaking), acting and generally getting-in-character | Emphasize the personal and organizational benefits of being secure; “self-phishing” and various other vulnerability/penetration tests |
    | Distracting, exploiting confusion/doubt to slip through, doing the unexpected | Develop subtle underlying themes and approaches (such as ethics, a form of self-control) while ostensibly promoting more obvious aspects (such as compliance) |
    | Appealing to greed/vanity, charming, flirting | Emphasize the positives, identify and reward secure behaviors |
    | Playing dumb, appealing for assistance | Audience-led awareness activities e.g. a workshop on “What can we do to improve our record on malware incidents?” |
    | Exploiting relationships, trust and reliance | Collaborating with other corporate functions such as risk, HR, compliance, health & safety etc. on joint or complementary awareness activities |
    | Empathizing, befriending, establishing trust, investing time, effort and resources | Being realistic about timescales, and setting suitable expectations. Anticipating and planning for long-term ‘cultural’ changes taking months and years rather than days and weeks to occur |
    | Exploiting reputation and referrals from third parties (transitive trust) | Gather and exploit metrics/evidence of the success of awareness activities |
    | Claiming or presenting false or exaggerated credentials, using weak credentials to obtain stronger ones | Do the opposite i.e. study for qualifications in information security and/or adult education |
    | Assertiveness, aggression, 'front', cojones, brazen confidence, putting the victim on the back foot or catching them off-guard | Be more creative, adopting or developing unusual, surprising, challenging and perhaps counter-cultural awareness activities |
    | Creating and using urgency and compulsion to justify bypassing controls | (Over?) Emphasizing ‘clear and present dangers’ (within reason!) |
    | Bypassing, sidestepping or undermining controls | Addressing individuals and teams directly, regardless of hierarchies and norms |
    | Exploiting management/support overrides | Using managers, auditors and other authority figures as communications vehicles |
    | Puppetry, persuading others to do our bidding (possibly several layers deep) | ‘Train-the-trainer’! Develop and support a cadre of security friends/ambassadors. Gain their trust and favor. Involve them proactively. |
    | Fast/full-frontal/noisy or slow/gradual attrition/blind-side/silent attacks, or both! | Focus on a series of discrete topics, issues or events, while also consistently promoting longer-term themes |
    | Mutuality, paying a debt forward (e.g. if I give you a gift, you feel indebted to me) | Give rewards and gifts, “be nice” to your audience, respect their other business/personal interests and priorities |
    | Targeting the vulnerable, profiling, building a coherent picture of individual targets, researching possible vulnerabilities and developing novel exploits | Working on specific topics for specific audiences e.g. following up after security incidents, systematically identifying and addressing root causes |
    | Shotgunning (i.e. blasting out attacks indiscriminately to hook the few who are vulnerable) and snipering (e.g. spear phishing) | Combining general-purpose awareness materials plus targeted/custom materials aimed at more specific audiences |
    | Pre-planned & engineered, or opportunistic attacks (carpe diem), or both! | Planned awareness program but with ‘interrupts’ (see below) |
    | Dynamic, reactive/responsive attacks, turning the victim on himself, not entirely pre-scripted/pre-determined, being alert and quick-witted enough to grasp opportunities that arise unexpectedly | Spotting and incorporating recent/current security incidents, news etc., including business situations and changes, into the awareness program |
    | Con-man, con-artist, fraudster, sleight-of-hand, underhand, unethical, selfish, goal-oriented, covertly focused | Do the opposite i.e. be very open and honest, sharing the ultimate goals of the awareness program |
    | Using/replaying insider information and terminology obtained previously | Referring back to issues covered before, and ‘leaving the door open’ to come back to present issues later on; re-phrasing old stuff and incorporating new information |
    | Systematically gathering, combining, analyzing and exploiting information | Systematically gather, analyze and use metrics (measures and statistics) on awareness levels and various other aspects of information security |
    | Exploiting technical, procedural and humanistic vulnerabilities | Work on policies, procedures, practices and attitudes, including those within IT |
    | Multi-mode, blended or contingent attacks e.g. combining malware with social engineering, plus hacking if that is appropriate to get the flag | True multimedia e.g. written/self-study materials, facilitated presentations/seminars, case studies, exercises, team/town-hall/brown-bag meetings, videos, blogs, system messages, corridor conversations, posters, quizzes, games, classes, security clubs, Learning Management Systems, outreach programs … |