Welcome to NBlog, the NoticeBored blog

Like the finer things in life, quality trumps quantity.

Apr 25, 2017

NBlog April 25 - getting back on track

After a busy week away at the ISO27k meeting, I'm catching up with the day-job, working flat out to complete the email security awareness module by the end of this month.

Yesterday, the professionals' seminar slide deck came together nicely:

It's not quite finished yet but the 'story' behind/linking the slides is taking shape.

We've incorporated a mixture of graphic images, diagrams and recent press clippings to illustrate and enhance the content. Notice the near absence of bullet points, avoiding 'death by PowerPoint'. There are a few paragraphs of text quoted in the press clippings (which, we believe, are relevant, topical, interesting and worth it) but most slides use striking visual imagery and strong colors. The idea is for a seminar leader, presenter or facilitator to explain and talk about each slide, conversing and interacting with the audience, where appropriate expanding on the literal content of the slides, interpreting things in the particular context of the organization, the audience and the individuals present, perhaps going off-script to pick up on specific matters of concern and interest.

If we simply wrote out a bunch of bullet points or paragraphs, there would be a tendency for presenters to read them out word-by-word, a very tedious and boring approach for all concerned. Worse still, it would be harder for them to ad lib, for instance picking up on corporate strategies and policies, current incidents, applicable laws and regulations etc.

Someone (who shall remain nameless) actually did that at the ISO27k meeting last week. He read out the entire contents of several wordy slides, verbatim, distracting us from reading and contemplating the content ourselves and so, in a sense, detracting from the value of the slides. We would have been better off without the presenter! To give him his due, it was a formal meeting and I strongly suspect he was asked to present someone else's unfamiliar content. He did seem uncomfortable in that position, a shame given his presence, expertise and ability to project quite strongly. Personally, I got far more value from the nature of the presentation than from the content.

Anyway, the slides above illustrate a distinctly different approach. The scope diagram, risk graphics and mind map, for instance, are meant to intrigue as well as inform the audience. The 'speaker notes' accompanying each slide (not shown here) pick out the key points that we hope the presenter will emphasize, preferably NOT by literally reading out the speaker notes verbatim! We want everyone to contemplate the meaning for themselves: in so doing, they will internalize the key messages, reconsider/adjust their perspectives and ultimately behave more securely, which is of course the ultimate aim of security awareness. 

If the awareness approach has no impact - if the materials and activities don't improve workers' decisions and behaviors - we might as well not bother. To put that another way, lame (as in inept, inappropriate, ineffective, boring ...) security awareness and training approaches destroy value. This is why some people say awareness doesn't work. They're doing it wrong!

To be fair, it takes a lot of effort to design and develop good seminar materials, to find, incorporate and reference those press clippings, prepare the risk graphics and mind maps etc., and most importantly clarify the 'story' and the messages we want to express. We've had lots of practice, producing at least 3 awareness slide decks per month for many years and presenting frequently at conferences and courses ... and also (as noted above) attending and critiquing presentations by others. Aside from the conferences and courses we have attended as punters, we have given and received numerous management and group presentations (e.g. audit reports, board presentations, phone meetings and video conferences), webinars and sales pitches over the years, and we've read the odd website, article and book concerning presentation and communications techniques. We observe TV and radio presenters doing their thing, thinking about their differing approaches and styles. We are still learning and improving, all the time discovering new techniques to explore and adopt as well as those to avoid like the plague. We're continually investing not just in the product but also the production methods, approaches and tools, not least our own competencies and skills. Genuine, honest, especially constructive feedback from others (yes, you!) is gold dust for us.

Hopefully you are getting useful hints and ideas from this blog. Thank you for taking the time to read this. I hope I've made you think. Anything you'd like to add? Comments are open ... over to you ...


Apr 24, 2017

NB hyperlinked information security glossary

In the course of researching security awareness topics, I frequently stumble across new words (neologisms) and obscure terms of art. Often the meaning is reasonably obvious from the context and/or the derivation, but not always - "cybersecurity" being a classic example of a popular term that evidently means different things to different people. Technical authors who rudely fail to expand their acronyms are another bugbear of mine. 

For as long as I can remember, I have maintained a personal information security glossary as a memory aid. It is a living document, frequently updated to reflect new terms and interpretations as the language evolves. Earlier this week I quoted a stack of definitions from the NZ Information Security Manual for instance, adding to those quoted from the ISO27k standards, NIST Special Publications and other definitive reference sources, plus my own 'plain English' explanations.

About 20 years ago, I realized that most specialist terms are defined using or in relation to other specialist terms, which means following a trail from word to word in much the same way that one would use a thesaurus. Hyperlinks make the process much easier than alphabetical lookups, as with a conventional dictionary. For those of us who enjoy language, browsing the glossary is both fun and educational - so much so that sometimes I need to stop and get on with proper work!

The NoticeBored information security glossary, now published as a Kindle eBook on Amazon, explains about 2,000 terms. If printed out, it would take about 300 A4 pages ... but in electronic form it is cheaper (under $10), lighter, easier to search and saves trees.


[By the way, the Kindle version of the glossary is read-only and only gets updated occasionally. Every month as part of the security awareness module, the updated edition is delivered to NoticeBored subscribers as an editable MS Word document. Get in touch to subscribe.]


Apr 22, 2017

NBlog April 22 - ISO27k meeting report

A plenary concluded the main business of the ISO/IEC JTC1/SC27 WG1 meeting in Hamilton, NZ.  This was a formal session to vote on and record decisions and progress made during the week, including deadlines for the next tranche of work.

The next SC27 meeting will be in Berlin at the end of October 2017, then Wuhan in China in April 2018.

The main resolutions from this meeting were:
  • A minor revision will update ISO/IEC 27000:2016 to reflect the recent publication of 27002, 27004 and 27011.
  • Governmental/regulatory use of 27001 will become Standing Document 7 and will be maintained for internal committee use.
  • 27002 revision project will generate two versions of the standard demonstrating alternative structures for commenting at the next stage.
  • 27005 will produce a revised design specification for the revision work, plus a corrigendum for the current standard.
  • 27007 will produce revised text for FDIS, requesting a project extension to complete this.
  • 27008 will produce revised text for a DTS.
  • 27009 will be revised early rather than issuing a corrigendum, and the accompanying 'use cases' will become a SD.
  • 27014 SP on information security governance will generate a NWIP to revise the standard, with an outline document.
  • 27019 will produce revised text for FDIS.
  • 27021 on ISMS professionals' competencies will also go to FDIS (despite four disapprovals, indicating concerns with this standard).
  • 27102 on cybersecurity insurance will produce a first working draft next.
  • Cybersecurity frameworks and cybersecurity resilience work will be combined initially into an SD which will then become a PDTR.
  • Risk Handling Library will produce a Standing Document.
  • Terminology Working Group will hold a Webex meeting to discuss definitions, and is developing conceptual maps.
  • Several liaison statements will be produced to inform and align WG1's work with various other committees and bodies.


NBlog April 22 - ISO/IEC 27003 ISMS implementation guide published

ISO/IEC 27003:2017 has been published.  This is a fully revised version of the Information Security Management System (ISMS) implementation guide, originally published in 2010.

The new version is a significant improvement on the 2010 version.  It follows the structure of ISO/IEC 27001, providing pragmatic advice section-by-section on how to satisfy the requirements. I'm happy to recommend it.

The following core ISO27k standards are a sound basis on which to design and implement a management system to manage information risks (for historical reasons, termed "information security risks" or "cybersecurity risks" in the standards):
Unfortunately, ISO/IEC 27005 on information risk management is out-of-line with the set. A revised version of '27005 is not expected to surface for at least a couple of years. Meanwhile, '27003 gives useful advice in this area, while ISO 31000:2009 (a well respected de facto risk management standard) is readily applied to information risks. There are several other information risk management standards, methods and approaches as well, all of which have their advantages and disadvantages: if your organization is already familiar with and using some other approach to risk management, it can probably be applied directly or adapted to suit information risk management.

For more information on the ISO27k standards, ISMS implementation, information risk management and so forth, please browse the ISO27k FAQ. If you are active in this area, you are very welcome to join the 3,500-strong ISO27k Forum. Although it is not 'official' ISO information, it is FREE.


Apr 21, 2017

NBlog April 21 - ISO27k meeting progress report

ISO/IEC TR 27019 concerns Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry. 27019 identifies information security controls that are either specific to the energy utilities, or are critical in that domain and perhaps need to be bolstered.

The 2013 standard is currently being revised and will be published as a full International Standard, possibly later this year. There are some formatting issues to resolve with ITTF but the content is stable enough to move forward to FDIS.

The SC27 project on cybersecurity insurance is developing a standard explaining cyberinsurance concepts to information security professionals, and cybersecurity concepts to insurance professionals, forming a common basis for specifying, discussing and adopting cyberinsurance. The Study Period has developed a solid donor document with plenty of meaty content.

The SC27 Study Period on Risk Handling Library (RHL) resolved to develop and then maintain an SC27 Standing Document that references ISO27k and other standards that concern or mention information security risk. The next step is to call for contributions to help flesh out the initial SD.

A minor revision of ISO/IEC 27000 may be required as a result of publishing 27003, 27004 and 27011.

The SC27 Terminology Working Group resolved to develop a new approach to the management of terminology, using 'concept maps' (similar in style to mind maps) as a way to clarify and distinguish terms and their relationships. A half-day workshop is proposed, possibly for the next SC27 meeting in Berlin in October.

The SC27 Annex SL special working group is preparing to respond to possible changes pushed by JTCG concerning the common/boilerplate text for all the ISO management systems standards. JTCG will be circulating a questionnaire to national standards bodies concerning the possible changes.

A cybersecurity standard will initially become an SC27 Standing Document 27103 that may then go forward as PDTR 27103.

Tomorrow's plenary session will include formal voting on these projects and activities. This evening, though, we are visiting Hobbiton for a tour and gala dinner.

Gary (Gary@isect.com)

Apr 20, 2017

NBlog April 20 - ISO/IEC 27005 and 27014 revisions

The study period researching the possibility of revising ISO/IEC 27005 on 'information security risk' has resolved to limit the scope of the revised standard primarily to supporting and expanding on sections 6 and 8 of ISO/IEC 27001:2013, with some consideration of other standards including ISO 31000.

An outline/skeleton document structure has been developed as part of the design specification, although it is hard even to assess it without the corresponding content. It is likely to change as the project proceeds. It was agreed to request a further 6 months to prepare a more complete draft standard before proposing a new work item.

The study period considering the revision of ISO/IEC 27014 is proposing various improvements to make the standard more generally applicable and useful. 


Apr 19, 2017

NBlog April 19 - SC27 interim sit-rep

27001 ISMS for government use - comments agreed, Standing Document to be produced.

27001 ISMS defect concerning 'risks and opportunities' should have covered risks to the ISMS not to information security. Issue was slopey-shouldered to 27005 revision project (then promptly rejected by them!). Decision to defer this to next planned revision of this standard.

27002 security controls revision SP - challenging meeting. Plan to develop 2 versions of a template standard: (1) with the controls laid out in the front part in 4 categories with various 'views' of the controls appended according to the attributes; (2) with the views up front and the controls laid out in a catalogue as an annex. SP to be extended another 6 months, giving time for expert comments. [Meeting ongoing]

27005 information security risks - challenging meeting and robust discussion. 27005 scope changed again to support 27001 clauses on 'Risks and opportunities' plus 'risk assessment and treatment' only (not the rest of information risk management). [Meeting ongoing]

27007 ISMS auditing - all comments resolved.  Standard to go to FDIS next, plus a justification to extend the deadline by 6 months to allow finalization.

27008 technical auditing - comments resolved, some issues to be held over to next revision. All agreed.

27009 use cases SP - comments agreed, except for a problem with clause numbering using letters (falls foul of the ISO Directives).  Plan to issue a SD not an IS.

27011 telecomms security - simple defect reported, one subsection title to be corrected from 'Classification guideline' to 'Classification of information' to align with 27002.

27015 ISMS for financial services - 91% approval to withdraw, so that's it really.

27021 infosec management competencies - comments resolved, moves towards completion. All bar 1 vote turned to yes, hopefully will move to FDIS next. 

Cyber security/resilience - a robust discussion. Agreed to merge SPs and continue another 6 months as cybersecurity SP. New Call For Contributions to be prepared soon.

IEC liaison - waiting for/working on liaison statements. Published standard 62443-2-4 covers certification for IACS solution providers. 62443-2-1 is being revised, but alignment with ISO/IEC 27001 is problematic. It can still provide a useful catalogue of controls for a 27001 ISMS.

STRATUS project: NZ government+industry funded research project on cloud security, in conjunction with CSF and others. Research aims include data provenance, data protection, situational awareness and business continuity. See stratus.org.nz for more info. STRATUS wants to engage with, use and support SC27 activities through a 'category A' liaison.


NBlog April 19 - ISO/IEC 27002 revision

It should be obvious from my previous comments here on this blog, on www.ISO27001security.com and on the ISO27k Forum, that the last revision of ISO/IEC 27002 was less than satisfactory in my jaundiced opinion. When released in 2013, the standard was already out of date (e.g. it pretty much ignores cloud computing, BYOD and IoT - all topical issues that were emerging at the time the standard was being revised) and had some serious flaws (e.g. in the garbled continuity section). What may not be quite so clear is that the team responsible for the revision is a top-rate international group of experts in the field - experienced, intelligent, committed professionals.

It wasn't the team that let it down so much as the tortuous revision process we had to follow.

The next revision of 27002 could easily go down the same muddy path but there's hope, now, for a different approach. A major stumbling block, to date, has been the structure of 27002, derived from the original donor security policy that became first BS 7799, then ISO/IEC 17799, then 27002. Things have moved on some way since the 1970s and 80s! It's high time to update the structure. The crucial question we are tackling right now is how to update it.

Yesterday we considered and discussed seven proposed structures, plus an eighth straw-man option (i.e. no structure is perfect so we could forget about the structure to concentrate solely on the content). The favoured option, currently, is two-fold: 
  1. The standard could be structured into the following 'themes' (categories or types of control): organizational security; behavioural security; technical security; physical security; and third party security. Most information security controls would fit quite naturally and easily into one or other of those categories (or 'themes'), leaving relatively few ambiguous or complex controls to be allocated arbitrarily between them (or simplified and perhaps split up). Few if any controls would be orphaned, being out of place in all those options. The explicit names for the categories are not cast in stone but the structure works better than the other options considered so far ... 
  2. ... while those other structural options could be taken into account anyway in the form of 'attributes' or 'tags' for the same controls e.g. aside from where they are placed in the main structure, we could also tag the controls as preventive/detective/corrective, confidentiality/integrity/availability etc., reflecting the other classifications or structures considered.
If this proposal is agreed, the work to define, classify and tag the security controls can start as soon as the revision project is approved. Admittedly, there may still be disagreements about the classification and tagging, but hopefully most of the discussion will be more productive in connection with the controls themselves - what they are and how they are described - rather than where they should sit in the standard.

Offsetting the advantages, there would be additional work in this approach including:
  • Carefully defining the criteria or rules for classification and tagging
  • Classifying and tagging the existing controls 
  • Reviewing and revising the existing controls
  • Retiring controls that are no longer applicable
  • Adding new controls in areas that are weak
  • Addressing any anomalies, gaps and duplicates
  • Dealing with controls that are already documented adequately in other ISO27k and non-ISO27k standards (e.g. ISO/IEC 27001, 27003, 27004, 27005, ISO 22301 etc.)
  • Generating one or more appendices (possibly just a table) with the controls grouped by or referencing their respective tags 
  • Mapping the controls from ISO/IEC 27002:2015 to the new structure, so current users can migrate more easily
  • Coordinating and leading the overall effort to ensure that the end product is user-friendly, comprehensive, accurate, valuable, up-to-date, maintainable, fit for purpose and on time.  That's a tough job, whatever approach is taken!

Apr 18, 2017

NBlog April 18 - ISO27k meeting

The ISO/IEC JTC 1/SC 27 meeting is under way in Hamilton. After a stormy couple of weeks in NZ, the weather is fine and sunny so hopefully delegates will have some time to see the country after the meeting.

Work on the ISO/IEC 27000-series information security management standards ("ISO27k") this week includes:

27000 (glossary & intro) - terminology working group to review process for maintaining terms

27001 - its use in governments and regulators is going well, may become a SD as it demonstrates the value of 27001

27002 - structure & future to be discussed in depth this week, particularly the ~5-10 themes (chapters or sections of the standard, the logical sequence, classes of control) and control attributes (tags, categories) that may form the basis of a revised, smaller, more usable 27002

27005 - reported defect to be discussed and resolved; revision project to be discussed too

27007 - comments to be discussed and resolved this week: should go to DIS stage after the meeting. 

27008 - comments to be discussed and resolved this week: should go to DIS stage after the meeting.

27009 - reported defect to be discussed and resolved; use cases to be discussed

27011 - technical defect to be discussed

27015 - withdrawal to be discussed

27019  - comments to be discussed and resolved this week: should go to DIS stage after the meeting

27021 - comments to be discussed and resolved this week: should go to DIS stage after the meeting

27102? - cyber insurance SP, likely to go ahead to IS

Other cybersecurity stuff - may be combined

I'll be providing updates during the week as I attend various meetings and talk to other delegates.


Apr 17, 2017

NBlog April 17 - ISO/IEC JTC 1/SC 27 meeting

Today I'm off to the University of Waikato in Hamilton for the SC 27 meeting. 

I'm planning to catch up with developments on most if not all of the ISO27k standards, in particular:
  • ISO/IEC 27000 - is this going to be dropped in favour of an online glossary? What happened to the definitions for 'information asset', 'information risk' and 'cyber'? 
  • ISO/IEC 27001 - how did the boilerplate section on 'risk & opportunity' get hijacked as information risk?
  • ISO/IEC 27002 - how is the idea of tagging the controls going to work out? Is that just another recipe for interminable 
  • ISO/IEC 27003 - new version due soon, all done?
  • ISO/IEC 27005 - any chance of this being updated and published soon/ever? And if it is fast-tracked, where next - 'information risk management' maybe?
  • ISO/IEC 27007 - new version due soon, all done?
  • ISO/IEC TR 27008 - new version nearing completion, ready to finalise?
  • ISO/IEC 27017, 27018, 27036 and others - where are we with cloud security standards?
  • ISO/IEC 27021 - is the competency framework well thought out? How will this drive the ISO27k training & qualifications?
  • ISO/IEC 27031 - where does this stand in relation to ISO 22301?
  • ISO/IEC 27034 - is application security getting there?
  • IoT and IIoT security - what's happening?
There are some general issues I'm hoping to chat about too, such as:
  • High level, generic information risk and security principles or axioms as a unifying theme and structural framework
  • SC 27 project governance e.g. requiring all NWIPs to be accompanied by reasonably complete WD1 drafts of proposed standards or be canned; perhaps splitting 27002 into static and dynamic parts, or reducing it to a controls overview standard supported by as many detailed controls standards (i.e. the remainder of the ISO27k suite plus others) as necessary
  • Non-technical, non-IT, non-cyber information, information risks and information security controls, the meaning of 'cyber', and revisiting the scope and purpose of SC 27
  • Explicitly describing the information risks addressed by each of the ISO27k standards
  • Collaborative working practices, filling-in the gaps between SC 27 meetings with discussion and joint development, making the committee more responsive to surging market demands
  • ISO27k marketing e.g. reducing the price of the core standards for a trial promotional period; bulk pricing for sets of standards; advertising; branding; sales and certification figures
  • NZ and Australia shadow committees & collaboration
Most importantly, I'm really looking forward to socialising with committee members from around the world, welcoming them to NZ, renewing old friendships and establishing new ones. About 400 delegates are expected to attend, a massive challenge for someone as shy and retiring as me!

I'll be blogging from Hamilton this week as time permits.


Apr 16, 2017

NBlog April 16 - CERT insider threat guide

The fifth edition of the Common Sense Guide to Mitigating Insider Threats was published at the end of 2016 by the CERT Insider Threat Center. As we've come to expect from CMU/SEI and CERT, it's an impressive, well-written piece of work.

In short, these are the 20 best practices they recommend:
  1. Know and protect your critical assets. 
  2. Develop a formalized insider threat program. 
  3. Clearly document and consistently enforce policies and controls. 
  4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. 
  5. Anticipate and manage negative issues in the work environment. 
  6. Consider threats from insiders and business partners in enterprise-wide risk assessments.
  7. Be especially vigilant regarding social media.
  8. Structure management and tasks to minimize unintentional insider stress and mistakes. 
  9. Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. 
  10. Implement strict password and account management policies and practices. 
  11. Institute stringent access controls and monitoring policies on privileged users. 
  12. Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
  13. Monitor and control remote access from all end points, including mobile devices.
  14. Establish a baseline of normal behavior for both networks and employees.
  15. Enforce separation of duties and least privilege.
  16. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  17. Institutionalize system change controls.
  18. Implement secure backup and recovery processes.
  19. Close the doors to unauthorized data exfiltration. 
  20. Develop a comprehensive employee termination procedure.
The guide expands substantially on each of those, explaining the challenges, describing case studies and offering quick wins for many of them. Pre-hiring background checks, for instance, aren't mentioned in the list above but feature several times in the guide.

I've picked out practice 9 for special attention, given my interest in security awareness. In the main body, the guide states:
"Without broad understanding and buy-in from the organization, technical or managerial controls will be short lived. Periodic security training that includes malicious and unintentional insider threat awareness supports a stable culture of security in the organization."
Well said! It goes on to note several warning signs:
"Security awareness training should encourage employees to identify malicious insiders not by stereotypical characteristics but by their behavior, including
  • threatening the organization or bragging about the damage the insider could do to the organization or coworkers 
  • downloading sensitive or proprietary data within 30 days of resignation 
  • using the organization’s resources for a side business or discussing starting a competing business with co-workers 
  • attempting to gain employees’ passwords or to obtain access through trickery or exploitation of a trusted relationship (often called “social engineering”) 
Awareness training for the unintentional insider threat should encourage employees to identify potential actions or ways of thinking that could lead to an unintentional event, including
  • level of risk tolerance—someone willing to take more risks than the norm
  • attempts at multi-tasking—individuals who multi-task may be more likely to make mistakes
  • large amounts of personal or proprietary information shared on social media
  • lack of attention to detail"
I'm intrigued by the concept of 'unintentional' insider threats.
"We define unintentional insider threats as a current or former employee, contractor, or other business partner who:
  • has or had authorized access to an organization’s network, system, or data and 
  • had no malicious intent associated with his or her action (or inaction) that caused harm or substantially increased the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems."
Seems to me that covers almost everyone since we humans all experience the odd errors and accidents, but I guess it's a matter of degree: most of us catch our typoos etc. in time, without precipitating global meltdowns.

The advice includes "Training programs should create a security culture appropriate for the organization and include all personnel" - OK so far on both points. "The training program should be offered at least once a year" is not so good if it is taken to mean a single annual event or session is sufficient, but I'm relieved that it goes on to mention 'refresher training'.

The recommendations are sound:
"All organizations:
  • Develop and implement an enterprise-wide training program that discusses various topics related to insider threat. The training program must have the support of senior management to be effective. Management must be seen participating in the course and must not be exempt from it, which other employees could see as a lack of support and an unequal enforcement of policies. 
  • Train all new employees and contractors in security awareness, including insider threat, before giving them access to any computer system. Make sure to include training for employees who may not need to access computer systems daily, such as janitorial and maintenance staff. These users may require a special training program that covers security scenarios they may encounter, such as social engineering, active shooter, and sensitive documents left out in the open. 
  • Train employees continuously. However, training does not always need to be classroom instruction. Posters, newsletters, alert emails, and brown-bag lunch programs are all effective training methods. Your organization should consider implementing one or more of these programs to increase security awareness. 
  • Establish an anonymous or confidential mechanism for reporting security incidents. Encourage employees to report security issues and consider incentives to reporting by rewarding those who do.
Large organizations:
  • The information security team can conduct periodic inspections by walking through areas of your organization, including workspaces, and identifying security concerns. Your organization should bring security issues to the employee’s attention in a calm, nonthreatening manner and in private. Employees spotted doing something good for security, like stopping a person without a badge, should be rewarded. Even a certificate or other item of minimal value goes a long way to improving employee morale and increasing security awareness. Where possible, these rewards should be presented before a group of the employee’s peers. This type of program does not have to be administered by the security team but could be delegated to the employee’s peer team members or first-level management."  
The quotes above are just part of the 6 pages on that one practice area, a small fraction of the guide's 175 pages - well worth the trouble to read if your organization has humans on the payroll, or depends on third-party personnel for that matter - those nice people who do their level best to keep the lights on whatever the weather, for instance. 


PS  If anyone from CERT reads this blog, please stop referring to awareness and training as if they are the same thing. They aren't. See NIST SP800-50 and SP800-16 ... or ask me!

Apr 13, 2017

NBlog April 13 - Spinning the security awareness yarn

The number and variety of information risks relating to email and inter-person messaging is both a challenge and an opportunity for the awareness program. On the one hand, there's a lot to cover, hence no shortage of things to say. On the other hand, the coverage tends to be 'bitty' and quite superficial because we don't have time to go into everything in detail.  

We tackle this in several ways:
  1. We mention a wide variety of issues illustrating the risk landscape. Diagrams such as the ARA graphic and mind maps are helpful, presenting lots of information in structured, visually-appealing and thought-provoking ways. 
  2. We use recent/current incidents, risks, controls and news concerning the topic to illustrate and draw out the key points as they stand today. As well as being topical, they turn the spotlight towards present and future issues rather than dwelling on stale news. We're running on Internet time here: yesterday is so last week. At the same time, we are where we are because of our history and the past can teach us a lot.
  3. Email/messaging security issues such as phishing and malware are significant enough to warrant in-depth coverage in separate, dedicated awareness modules, so we only need skim them in this module. This approach avoids us going off-track along tangents. They are important issues, though, so we won't totally disregard them! 
  4. We identify and exploit themes to lead our audiences on planned routes through the confusing risk landscape. The idea is two-fold: as well as spinning coherent, interesting yarns within the present module, we're also continually reinforcing the fundamentals of information risk and security as threads linking all the modules and topics.
  5. The NoticeBored content is only part of our customers' security awareness programs (hopefully!): through the PowerPoint speaker notes, briefing papers and train-the-trainer guide, we actively encourage our customers' security awareness people to engage and interact with their audiences, bringing the materials to life in the specific business contexts of their organizations. 
Story-telling is a powerful yet ancient information-sharing and educational technique, stretching back millennia to cave art and mythology such as the Trojan horse. Children learn about stuff through bedtime stories told and re-told by parents and peers. As we grow older, most of us shift towards non-fiction but fantasy and science-fiction remain as popular as, say, the 6 o'clock news and factual documentaries - and even they tell stories.


Apr 12, 2017

NBlog April 12

The awareness module on email and person-to-person messaging is gradually taking shape.

Today we've brainstormed the information risks associated with email and P2P messaging and arranged them on an Analog Risk Assessment graphic:

So far, the risks are scattered across the green and amber zones with none in the red high-risk region. However, there are more than 20 risks already identified hence, taking them all into account, the cumulative risk is significant. Furthermore, many directly concern employees' insecure use of email/P2P systems - falling for scams, making typos and inappropriately trusting the veracity of messages, for example. This is clearly an important topic for security awareness purposes.

We'll reconsider, adjust and refine the risks as the module develops, using the ARA graphic to illustrate some of the briefing papers and presentations.

By the way, phishing is but one of the 20+ information risks in this domain. Even if we group it with spear-phishing, whaling and other social engineering and coercive attacks using email, there are many others too. You might like to think about that if your idea of a security awareness program involves mock-phishing attacks but not much else. Mock-phishing tests can be valuable as PART of the approach, just as strength-testing seatbelts is PART of driving safety. 


Apr 11, 2017

NBlog April 11 - Security metrics pissing contest

A lengthy white paper ably if inadvertently demonstrates the value of the PRAGMATIC approach. "Using Security Metrics to Drive Action" includes a page or three of advice from a bunch of mostly big-company CISOs concerning the security metrics they use to communicate security program effectiveness to business executives and the board.

According to the report, Tenable asked 33 'IT security experts' the following question: "Your CEO calls and asks, “Just how secure are we?” What strategies and metrics do you use to answer that question?"

Unfortunately, there is little consensus among the 33 contributors, with stark discrepancies between them in some cases. They don't even discuss metrics and measurement strategies in the same terms. Most wax lyrical on their favorite (pet) metrics, although some seem confused about the term, referring vaguely to areas of concern rather than actual metrics. Some say more about how to present metrics than what metrics to present. Some promote technical metrics, while others say they prefer business metrics ... even if they then go on to discuss tech metrics! Some are happy to talk about the metrics they use within their teams but only reluctantly address CEO-level reporting mentioned in the question. 

In short, 33 CISOs equates to more than 33 opinions. Good luck making sense of that jumble of diverse and often contradictory advice. It's hard even to identify themes or clusters of agreement.

What's missing is a common conceptual framework enabling a productive discussion about the pros and cons of various metrics. Before recommending metrics, we first need a shared understanding about what they are and their purpose/s, plus the quality criteria for assessing security metrics. Without that, how can anyone sensibly choose between all the metrics on offer? How can we identify the points of agreement and gaps in the measurement blueprint if every contributor has their own unique perception of what the blueprint is? We're left with witchcraft and prejudice, pet metrics and biased personal opinions - a "my metrics are better than yours" pissing contest.

If you have the time and interest, the whitepaper is still worth reading and contemplating but please take all that sage advice with a large pinch of salt. Be very wary of adopting any security metrics until you figure out your own requirements. Before picking the answers, what are the questions?

Find out more at www.SecurityMetametrics.com and read our book!


Apr 9, 2017

NBlog April 8

A productive weekend ...




Metrics for tangible things such as trees are more straightforward than for intangible things such as risks. We can easily see the progress being made as the tree is cleared, estimate how much work remains, calculate the value earned and so on. We could measure the height, spread and volume of the foliage section with a tape measure (or use a ruler on the photographs above), and weigh the firewood using scales. You could potentially verify our measurements, using your own measures and scales. We might need to convert the units, but the units of measure and the conversion factors are scientifically determined and generally agreed. There would inevitably be discrepancies in the measured values (we may need to repeat them or adopt other measurement methods) and estimates (such as the value of firewood). We might need to clarify certain parameters such as exactly what constitutes 'the foliage section'. With care it ought to be possible to get our measurements and calculations to within, say, 20%.

We could also assess the risk factors involved in the tree-clearance job and come up with our risk measures, but you would probably think of different factors and use different measures. We would struggle to get our measures 'on the same page', let alone within 20%. We might be thinking of health and safety risks, while you might be concerned about financial risks, or the risk of bad weather or whatever. On the other hand, discussing our differences would be quite revealing in terms of deepening and broadening our understanding of the risks - and often that's the real value of risk analysis: the numbers themselves aren't the most important goal. Knowing about the risks involved in the situation in order to treat them sensibly is a more valuable outcome. 

Amazing how much the mind wanders when I'm chainsawing logs!