Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Dec 30, 2017

NBlog December 30 - the start is nigh

With near-perfect timing, we're into the final stages of polishing off January's awareness module on IoT and BYOD security.  

I say near-perfect because this is the last weekend of 2017 with just over a day remaining until 2018. After a week of chilly and miserable weather, an unseasonal polar blast, I'd rather be out enjoying the fine weather and getting ready for the traditional new year's eve celebrations! 

The last section of writing took a bit longer than planned, but I'm confident we'll hit the delivery deadline. Updates to the NoticeBored website are in hand and we'll be packaging and sending the materials to subscribers tomorrow, electronically that is.

Looking forward, we've selected awareness topics for the first few months of 2018 and written them up on our distinctly low-tech office whiteboard. We deliberately don't plan too far ahead (who knows what will crop up?) but it takes time to research and draft the materials. Having working titles and outline scopes in mind keeps us focused and on-track. 

If a particularly dramatic information security incident occurs, we can always drop the current work to pick up on it, pushing the original plan out a month. With 60-odd information risk and security-related topics in the portfolio, there's not a lot we haven't covered already, to some extent. The NoticeBored back catalog is as much a source of inspiration as content, though, since the field is constantly moving. On top of that, our own interests and preferences are gradually evolving too.

Dec 28, 2017

NBlog December 28 - slowly slowly catchee monkey


As the end of month deadline looms, we're close to finishing January's NoticeBored security awareness module on IoT and BYOD. 

Today I'm working on the awareness seminar slide deck and accompanying briefing paper for the audience group we call 'professionals': essentially the white-collar specialists in IT, risk, security, audit, facilities, control, compliance etc.

We dig a bit deeper into the topic for that audience, but not too deep. The overriding awareness objective is to inform, intrigue, motivate and set them talking to their colleagues (other professionals plus the general and management audiences) about and around the topic. Awareness is not training, although there is a grey area and the terms are often confused. 

Ultimately, we hope the pros will pass on some of their knowledge and enthusiasm for the topic to others, preferably with more than just a casual nod towards the information risk and security aspects. 

IoT and BYOD are obviously IT-related, so the pro materials are IT-centric this month. The awareness poster image above mentions "latest hi-tech goodies" specifically to catch the eyes of geeks and technophiles, people who just love hot new gadgets - reading about them, drooling over the adverts, sometimes buying and using/playing with them, showing them off to their less fortunate playmates ... and occasionally hacking them to figure out how they really work.

An article about hacking building management systems (things!) caught my beady eye today, for several reasons. It's right on-topic, for starters, exactly the kind of intriguing tech content that appeals to the pro audience we have in mind. The author's hacker mentality rings out. He has spent countless hours exploring their capabilities and vulnerabilities for more than a decade. To most of us, that's unnaturally obsessive behaviour but to him it's a hobby, a fascination or passion, fun even. I'm sure he'd do it even if he wasn't being paid to hack (he's a professional penetration tester by day).

I'd love to inspire such intense passion among our customers' employees on the defensive side ... but it's hard given that I'm not there in person and anyway security awareness has a broader and more realistic goal. Some workers may be fired-up by something I've written, although for many the most we can sensibly hope to achieve is to spark an interest. Getting the light to flicker on, occasionally, is the starting point. From there, we can work on making it flicker more often and glow more brightly, gradually changing attitudes, beliefs, behaviours and decisions ... but first we need to open eyes, ears and brains to the fundamentals. The pro audience helps us do that, at first hand.

"A culture of security takes time"
Dan Swanson 

Dec 27, 2017

NBlog December 27 - inspirational security awareness


Normally in security circles, the word 'exploitation' has the distinctly negative and foreboding connotation of some evil miscreant wantonly attacking and taking advantage of us ... but we'll be using the word in a much more positive sense in the IoT and BYOD security awareness materials for January.

The topic presents a golden opportunity to point out that information security mitigates the substantial information risks associated with IoT and BYOD, risks that would otherwise reduce, negate or even reverse the business advantages.

It's not entirely plain sailing, though, since the risks are context-dependent. Someone needs to identify and evaluate the risks and the corresponding security controls, in order to determine firstly whether the risks are truly of concern to the organization (they can't be avoided or accepted), and secondly whether the security controls are necessary and justified since there are costs as well as benefits.

We've pump-primed the process by doing the risk and security analysis in a generic way - a starting point for subscribers to consider and take forward. We don't pretend to know all about all the information risks each customer faces, nor the information security control options open to them. We're definitely not attempting to do the analysis for them, rather to inspire them to do it themselves. The awareness materials are the prompt to set them thinking and the motivation to get them going.

Dec 26, 2017

NBlog December 26 - government security manual

An updated version of the New Zealand Information Security Manual (NZISM) - in effect the government's information security policy manual, or at least the public non-secret element - was released this month:

NZISM is painstakingly maintained and published by the Government Communications Security Bureau (GCSB) - our spooks in other words. It is a substantial tome, well over six hundred A4 pages split across two volumes.

Part 1 (365 pages) covers:

  • A brief introduction to the topic and the manual, in the NZ government context;
  • Governance arrangements including overall controls such as accountability and responsibility, and compliance through system certification and accreditation, audits and reviews;
  • Policies, plans, Standard Operating Procedures plus emergency and incident response procedures;
  • Change management;
  • Business continuity and Disaster Recovery management; 
  • Physical security;
  • Personnel security (including security awareness);
  • Infrastructure security (well, cabling and TEMPEST anyway);
  • Communications systems and devices (e.g. cellphones and wearables);
  • Product security (acquiring commercial goods and services);
  • Storage media (lifecycle management).
Part 2 (another 300 pages) covers:

  • Software security (e.g. hardened Standard Operating Environments, app and website whitelisting, software development);
  • Email security (mostly concerns classification marking, not crypto except TLS);
  • Access control (identification and authentication of IT users, privileges, VPNs, logging etc.);
  • Cryptography;
  • Network security;
  • Gateway security (essentially firewalls with special arrangements to isolate and control traffic between differently classified networks);
  • Data management including data transfers and databases;
  • Working off-site;
  • Enterprise systems security (mostly cloud in fact);
  • Supporting information including a glossary.

NZISM distinguishes mandatory from recommended policies using MUST or SHOULD respectively, in red, with the added complication that some are only mandatory on highly classified systems.

Here's part of the section on security awareness and training, illustrating the style:


Overall, it's an impressive piece of work, [information] risk-driven if rather IT-centric. Some cybersecurity issues (such as malware, VoIP and resilience) aren't immediately obvious but I haven't read all 600+ pages (yet!). 

Despite the scope section 1.1.2 stating:
"This manual is intended for use by New Zealand Government departments, agencies and organisations. Crown entities, local government and private sector organisations are also encouraged to use this manual."
it would take some effort to adapt/interpret and apply NZISM in private sector organizations that aren't engaged in government work, especially small organizations without the implied hierarchical structure, and multinationals. Applying other standards such as ISO27k may make more sense there, but the principle of adopting generally accepted good security practices or templates rather than starting from scratch is sensible and sound.

By the way, NZISM refers to the Protective Security Requirements in a few places. The PSR, in turn, seems to be an even broader framework spanning strategies to procedures including policies for "protecting our people, information and assets":


Picking nits, people and information are assets, hence the tag line ought to end "and other assets". If I have enough time and energy after slogging through the NZISM, I'd like to check the PSR too. 

Coordinating updates between NZISM and PSR, plus laws and regulations, contracts with suppliers and internal agreements, and no doubt various other relevant requirements (not least, politics!), must be a tough job for those involved. As an NZ resident and taxpayer, I wish 'em all the best for 2018!

Dec 21, 2017

NBlog December 21 - auditor independence [LONG]

Over on the ISO27k Forum, we've been discussing one of my favourite topics: auditing, or more precisely the question of auditor independence. 

How independent should an auditor be? What does that even mean, in this context? 

SPOILER ALERT: there's rather more to it than reporting lines.

My experienced IT auditor friend Anton posted some relevant definitions from ISACA, including this little gem:
"Independence of mind: the state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional scepticism."
While I agree this is an extremely important factor, I have a slightly different interpretation. 'Independence of mind', to me, is the auditor's mental capacity to examine a situation free of the prejudice or bias that naturally afflicts people who have been in or dealing with or managing or indeed suffering from the situation, plus all that led up to it, and all the stuff around it (the context), including all the 'constraints' or 'reasons' or 'issues' that make it 'a situation' at all. It's more about the auditor making a back-to-basics theoretical assessment, thinking through all the complexities and (hopefully!) teasing out the real underlying reasons for whatever has happened, is happening, and needs to happen next. The ability to report stuff (ISACA's "expression of a conclusion") is only part of it: figuring out how the situation ought to be in theory, then looking at it in practice, gathering objective, factual evidence, doing the analysis, probing further and focusing on the stuff that matters most (the 'root causes'), are at least as important audit activities as reporting.

Here's a little exercise to demonstrate why independence matters: next time you drive or are driven on a familiar route, make an extra special effort to spot and look carefully at EVERY road sign and potential hazard along the way. Concentrate on the task (as well as driving safely, please!). Say out loud everything you see. Chances are, you will notice stuff that was there all along but you had long since tuned-out - big and bright road signs, plain as day, that you would not have recalled or mentioned if someone had previously asked you to describe your journey in detail from memory. You'll see road markings, potholes and rough surfaces that you might have been subconsciously avoiding for ages ... but 'subconscious' is the point: prior to the exercise, they didn't register in your conscious thoughts. This is a natural biological process, essentially a mental mechanism that de-emphasizes the regular/static stuff that is there all the time (it 'fades into the background'), in order to focus more energy and attention on the differences (e.g. a new road sign warning of roadworks, or a cow in the road). 

In terms of auditing the journey, as a regular traveller you can clearly make an extra-special conscious effort to spot and assess everything, but even so there will still be things you will miss, hazards that simply don't register as noteworthy in your mind. It takes effort, too: try it and you'll see what I mean. It's tiring! In contrast, a competent driver who had seldom if ever been down that route before would probably spot even more things, especially if they had been specifically trained to do so and were well practiced and highly skilled at the exercise (e.g. an advanced driving instructor or road safety specialist). The depth and breadth of technical knowledge, coupled with the audit competencies and capabilities, is what makes experienced IT audit professionals worth their pay!

'Independence of mind' can also go further: competent auditors tend to be naturally cynical or doubtful or dubious about things, especially the things that we are told by naive, reluctant or hostile auditees but which seem at odds with reality. We are actively encouraged to challenge, to probe, to explore and find out what's really going on. That, in turn, leads to the perception that we only ever see the worst of every situation, that in our eyes everybody is guilty unless/until proven innocent, and that we gleefully enjoy bayonetting the wounded. Being totally honest, there is a tiny grain of truth in that ... which is why structured audit methods and practices are designed to temper our innate cynicism and bloodthirst with reality-checks, fact-checks, quality-checks, audit file reviews and so on. Auditors don't report everything: we filter-out the irrelevant and less important stuff in order to emphasise the key issues and persuade management to focus on those. In a sense, we're consciously doing what our brains would do subconsciously, but with a very clear purpose in mind which is to support and further the organization's best interests. Doing so competently, thoroughly, independently, objectively, impartially, with the support of management, within the constraints of resources and the business and technology and personal contexts etc., in a way that ultimately achieves positive organizational change, is tough.

There's another important factor to mention, a little word that ISACA slipped quietly into their definition: integrity. An employee's decision to take a serious issue as far as possible, insistently escalating it up the line despite strong resistance (maybe even direct threats) from management, all the way to resigning if necessary, perhaps even disclosing it externally, takes guts. In my experience, auditors are gutsy people, willing to stand up and be counted, to speak out when something deserves to be said. We'll blow the whistle on impropriety. When backed into corners by powerful, egocentric, belligerent senior managers, we come out fighting! There is a downside to this, personally, in that it takes energy, fortitude and a willingness to pull the pin on a successful assignment or position. We are strong-willed, hard to manage, and can come across as abrasive, stubborn, egocentric, cantankerous, self-opinionated, socially inept and assertive. Some of us are overly fond of the sound of our own voices, and write far too much (guilty as charged!). However, we need to be demonstrably correct in our assessments and advice, which is where the factual evidence, careful analysis and all those audit process checkpoints earn their keep. We also need to be sufficiently self-aware, competent and experienced to know when we are stepping out of line, moving from facts to assumptions, from objectivity to subjectivity. We have our limitations - we are only human after all. There are times when it is totally appropriate and necessary to back down, for instance when a senior manager privately acknowledges audit issues but asks for 'a little breathing space to handle it my way'. Integrity extends to auditees too - it's very much a matter of understanding and trust between the parties, and trustworthiness, mutual respect and solid reputations.

Oh and negotiation - that's yet another set of skills to add to the competent auditor's bulging toolbox. More on that another time.

Dec 19, 2017

NBlog December 19 - sticky ends

Surveys typically show that: 
  1. Most organizations have some form of BYOD scheme encouraging or permitting workers to use their own laptops, smartphones and tablets for work; and
  2. IoT is spreading fast but still has a long way to go before it peaks.

We infosec geeks may throw up our hands in horror ... but the facts remain: BYOD and IoT are popular, now. They are here to stay and almost certain to expand.

It's too late now for us to bleat on about the information risks and security concerns*. The train has long since left the station.

So how should we handle this situation? An obvious approach is to retrospectively identify, assess and treat the information risks as best we can, emphasizing threats such as hackers, malware, theft or loss of information, and inappropriate disclosure, and promoting security controls such as - well, that's where it gets tricky because we have limited options for technical controls, and (despite our best efforts!) security awareness is never going to be a total cure for employees being incautious or careless. Being so negative and constrained, it's hardly a convincing argument. You could say it's also behind the times, fighting the last war as it were.

Instead, we're taking a more proactive and upbeat line in the NoticeBored content for January. There are business opportunities in going with the flow, embracing BYOD and IoT (where appropriate), making the best of the rapidly evolving technology and forging ahead. Maybe we can't fix everything today, but we surely can make tomorrow better. 

Here's a single example: if a company's widgets can be smartened-up and networked, they might just catch the wave. Innovation is a vital component of brand value for many organizations, a common strategic driver. Provided the technology, security and privacy aspects are sufficiently well addressed, smart, networked widgets may be used to gather information about how the widgets are used in practice by real customers, en masse, giving valuable insight to drive further product development and innovation - a positive feedback loop. 

Finding and exploring other similarly motivational examples and potentially attractive business opportunities has kept us happily occupied today. If we successfully express that excitement in the awareness materials, it should energize and motivate the audiences to get to grips with the risk and security aspects of BYOD and IoT. They will at least set off on the journey in a more positive frame of mind than the more usual "We must improve security or the world will come to a sticky end", or worse still the cynical "Stop everything: for security reasons, the answer is NO!".


* PS  In fact we did raise the information risk and security aspects of IoT and BYOD previously, several times, in the awareness materials. We try hard to keep up with, if not stay ahead of, new developments in this field. Some of our customers, though, have rather more inertia than they'd like to admit!

Dec 18, 2017

NBlog December 18 - the complexities of simplification

From a worker's perspective, BYOD is 'simply' about being allowed to work on his/her own ICT devices, rather than having to use those owned and provided by the organization.  What difference would that make? It's straightforward, isn't it?

Good questions! There are numerous differences in fact, some of which have substantial implications for information risk, security and privacy. For example, ownership and control of the device is distinct from ownership and control of the data: so what happens when a worker leaves the organization (resigns or is 'let go'), taking their devices with them? Aside from any corporate data on the devices, they had been permitted access to the corporate network, systems, apps and data.  The corporate IT support professionals had been managing the devices, and probably had access to any personal data on them.  Lines are blurred.


In a similar vein, IoT is more than just allowing assorted things to be accessed through the Internet and/or corporate networks. Securing things is distinctly challenging when the devices are diverse, often inaccessible and have limited storage, processing and other capabilities ... but if they are delivering business- or safety-critical functions, the associated risks may be serious.

The complexities beneath the surface make this a challenging topic for security awareness: we need to help workers (general staff, managers and specialists, remember) appreciate and address the underlying issues, without totally confusing them with techno-babble. That means simplifying things just enough but no more, a delicate balancing act.

In reality, dividing the awareness audience into those three groups lets us adjust the focus, nature and depth of the materials accordingly. Managers, for instance, have a particular interest in the risk management, compliance and governance aspects that are of little concern to workers in general. 

At the same time, the awareness materials should generate opportunities for the three audience groups to interact, which means finding common ground and shared interests, points for discussion. That's what we're working on now.

Dec 14, 2017

NBlog December 14 - distracted


I've been a bit distracted the past day or two by the arrival of a calf called Nellie. 

Amelia, her mum, had been waddling dejectedly around the paddock for ages, almost as wide as she is tall, complaining about her sore back and practicing her breathing exercises.

After the heat of recent weeks, the weather has now turned a bit cooler, wet and stormy which is probably a nice change for Amelia but a bit of a challenge for little Nellie, so we're keeping a close eye on them both.

The joys of rural NZ!

Dec 13, 2017

NBlog December 13 - IoT & BYOD security policies

Today we've been working on model policies concerning IoT and BYOD security.

We offer two distinct types of policy:

  1. Formal information security policies explicitly defining the rules, obligations and requirements that must be satisfied, with a strong compliance imperative relating to management's authority.  These are the internal corporate equivalent of laws ... although we go to great lengths to make them reasonably succinct (about 3 sides), readable and understandable by everyone, not just lawyers familiar with the archaic and arcane legal lexicon (such as has heretofore in the present clause been ably demonstrated, m'lud).
  2. Informal - or at least semi-formal - Acceptable Use Policies that are more advisory and motivational in nature. These compare pragmatic examples of acceptable (in green) against unacceptable (red) uses to illustrate the kinds of situation that workers are likely to understand.  They are even more succinct - just a single side of paper.

So, we now have four security policy templates for IoT and BYOD.

Although they don't contain huge volumes of content and are relatively simple, it takes a fair bit of time and effort to research, design and prepare them. Part of our challenge is that we don't have a particular organization in mind - these are generic templates giving customers a reasonably complete and hopefully useful starting point that they can then customize or adapt as they wish. 

Those customers who already have policies covering IoT and BYOD might find it helpful to compare theirs against ours, particularly in terms of keeping them up to date with ever-changing technologies and risks, while also being readable and pragmatic. Having been developing policies for close to 30 years, I've learnt a trick or two along the way!

The policies will be delivered to NoticeBored subscribers in January's security awareness module, and are available to purchase either individually or as a suite from us.  Contact me (Gary@isect.com) for details.

Dec 12, 2017

NBlog December 11 - things in Santa's sack

What's hot in toyland this Christmas?

Way back when I was a kid, shortly after the big bang, it was Meccano and Lego for me. I still value the mechanical skills I learnt way back then. Give me a box of thin metal strips full of holes, a plentiful supply of tiny nuts and bolts, and some nobbly plastic bricks, and I'll build you an extraordinary space station complete with spinning artificial gravity module. Or I might just chew them.

Today's toys supplement the child's imagination with the software developers'. There are apps for everything, running on diminutive devices more powerful than those fridge-sized beige boxes I tended for a hundred odd scientists (some very odd) in my first real job.

Writing about tech toys in the shops this Christmas, Stuart Miles says:
"For many, the days of just building a spaceship out of Lego or playing a game of Monopoly are long gone. Today, kids want interactive tech toys that are powered by an app or that connect to the internet. They want animals that learn and grow as you play with them, or robots that will answer back."
Some toys are autonomous while others are networked - they are things.  Microphones and cameras are often built-in for interaction, and we've already seen a few news reports about them being used for snooping on families.  All fairly innocuous, so far ... but what about those high-tech toys we grownups are buying each other this year?  Some will find their way into the office, the home office at least, where snooping has different implications.


Dec 8, 2017

NBlog December 8 - cybersecurity awareness story-telling

Conceptual diagrams ('mind maps') are extremely useful for awareness purposes.  This one, for instance, only has about 50 words but expresses a lot more than could be said with ~50 words of conventional prose:

Despite it being more than 7 years since I drew that diagram in Visio, it immediately makes sense. It tells a story. 

Working clockwise from 1 o'clock, it steps through the main wireless networking technologies that were common in 2010, picking out some of the key information security concerns for each of them.  It's not hard to guess what I was thinking about.

The arrows draw the reader's eye in the specified direction along each path linking together related items. Larger font, bold text and the red highlight the main elements, leading towards and emphasizing "New risks" especially. Sure enough, today we have to contend with a raft of personal, local, mesh, community and wide area networks, in addition to those shown. 

When the diagram was prepared, we didn't know exactly what was coming but predicted that new wireless networking technologies would present new risks. That's hardly ground-breaking insight, although pointing out that risks arise from the combination of threats, vulnerabilities and impacts hinted at the likelihood of changes in all three areas, a deliberate ploy to get the audience wondering about what might be coming, and hopefully thinking and planning ahead.

It's time, now, to update the diagram and adapt it to reflect the current situation for inclusion in January's awareness module. The process of updating the diagram is as valuable as the product - researching and thinking about what has changed, how things have changed, what's new in this space etc. qualifies as fun for this geek! Take yesterday's blog piece, for instance: back in 2010, I probably would not have believed it possible that today we'd be configuring our Christmas tree light shows from Web-based apps on our mobile phones ... and that's merely a trivial, seasonal example. The information risk and security angles to IoT and BYOD go on and on.

Technology is the gift that keeps on giving.

Dec 7, 2017

NBlog December 7 - Santa's slaves bearing gifts

Today we went on a tiki-tour of the forest in search of a few pine saplings of just the right size, shape and density to serve as Christmas trees. Naturally, the best ones were in the brambles or on the side of a near vertical slope but, hey, that's all part of the fun.

I guess 'Web-enabled remotely-controllable LED Christmas tree lights' are The Thing this year.  Ooh the sheer luxury of being able to program an amazing light show from your mobile phone!

So what are the information risks in that scenario? Let's run through a conventional risk analysis.

THREATS

  • Elves meddling with the light show, causing frustration and puzzlement.
  • Pixies making the lights flash at a specific frequency known to trigger epileptic attacks.
  • Naughty pixies intent on infecting mobile phones with malware, taking control of them and stealing information, via the light show app.
  • Hackers using yet-another-insecure-Thing as an entry point into assorted home ... and corporate networks (because, yes, BYOD doubtless extends to someone bringing in Web-enabled lights to brighten up the office Christmas tree this year).

VULNERABILITIES

  • Irresistibly sexy new high-technology stuff. Resistance is futile. Christmas is coming. Santa is king.
  • Inherently insecure Things (probably ... with probability levels approaching one). 
  • Blind-spots towards information risk and security associated with Things, especially cheap little Things in all the shops. Who gives a stuff about cybersecurity for web-enabled Christmas tree lights? Before you read this blog, did it even occur to you as an issue? Are you still dubious about it?  Read on!
  • Does anyone bother security-testing them, or laying down rules about bringing them into the home or the corporation?
  • Ineffective compliance enforcement of safety and security standards for low value high volume retail stuff flooding the markets.
  • Widespread dependence on "the authorities" to protect "us" from "them".  A naive and potentially reckless abdication of our own responsibility.

IMPACTS

  • Theft of valuable and confidential information.
  • Disruption or loss of valuable data, networks and devices.
  • [Further] loss of control over network access points, leading to exploitation of other connected systems and data.
  • Fire from badly engineered and manufactured knock-em-out-and-pile-em-high cut-price electronics connected to the mains power and dangled among increasingly flammable dead pine trees.
  • Distractedly driving into the back of stationary traffic while trying to re-program the light show on your way home from the office, at the insistence of a back-seat-load ("a pester" is the collective noun) of over-excited kids on a massive sugar high. A rather more dramatic form of impact, that!

Taking that all into account, there are definitely information risks in the scenario, but as to whether you consider them significant enough to worry about depends on your perspective. 

OK so I admit I'm going out on a limb by analyzing information risks for web-enabled Christmas tree lights but the risk analysis is much the same for a zillion other Things quietly invading our homes and businesses. It's the zombie apocalypse.

Aside from all those high-tech toys soon to be piled up under the Christmas tree, the modern hi-tech kitchen and lounge is already replete with Web-enabled whiteware and entertainment systems, and almost everything that moves or goes ping in the office (including the workers!) is wirelessly networked.

Remember, kids, information security is for life - not just for Christmas.

["Santa's slaves" alludes to a friend-of-a-friend's little'un asking its mum for 'one of those Christmas slaves this year - you know, the slave that Santa rides', while jangling his slave-bells, presumably.]

Dec 5, 2017

NBlog December 5 - lurid headline

Social-Engineer.com's newsletter is a useful source of information about social engineering methods. The latest issue outlines some of the tricks used by phishers to lure their victims initially.
"It is not breaking news that phishing is the leading cause of data breaches in the modern world. It is safe to ask why that is the case though, given how much of this email gets caught up in our spam filters and perimeter defenses. One trick sophisticated attackers use is triggering emotional responses from targets using simple and seemingly innocuous messaging to generate any response at all. Some messaging does not initially employ attachments or links, but instead tries to elicit an actual reply from the target. Once the attackers establish a communication channel and a certain level of trust, either a payload of the attacker's choosing can then be sent or the message itself can entice the target to act."
That same technique is used by advertisers over the web in the form of lurid or intriguing headlines and images, carefully crafted to get us to click the links and so dive into a rabbit warren of further items and junk, all the while being inundated with ads. You may even see the lures here or hereabouts (courtesy of Google). Once you've seen enough of them, you'll recognize the style and spot the trigger words - bizarre, trick, insane, weird, THIS and so on, essentially meaning CLICK HERE, NOW!

    They are curiously attractive, almost irresistible, even though we've groped around in the rabbit warrens before and suspect or know what we're letting ourselves in for. But why is that? 

    'Curiously' is the key: it's our natural curiosity that leads us in. It's what led you to read this sentence. Ending the previous paragraph with a rhetorical question was my deliberate choice. Like magpies or trout chasing something shiny, I got you. You fell for it. I manipulated you. Sorry.

    There are loads more examples along similar lines - random survey statistics for instance ("87% of X prone to Y") and emotive subjects ("Doctors warn Z causes cancer"). We have the newspapers to thank for the very term 'headline', not just the tabloid/gutter press ("Elvis buried on Mars") but the broadsheets and more up-market magazines and journals, even scientific papers. The vast majority of stuff we read has titles and headings, large and bold in style, both literally and figuratively. Postings on this blog all have short titles and a brief summary/description, and some of the more detailed pieces have subheadings providing structure and shortcuts for readers who lack the time or inclination to read every word ... which hints at another issue, information overload. Today's Web is so vast that we're all sipping from the fire hose.
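    As an added example (not from this post, nor from Social-Engineer.com), here is a small defensive heuristic that scores email subject lines against the lure tells described above: the trigger words, random survey statistics, emotive health scares, shouty capitals and trailing rhetorical questions. The sample subject lines, the pattern list and the one-point-per-tell scoring are constructed assumptions for illustration.

```python
import re

# Trigger words the post calls out as clickbait tells (assumption: a small seed list).
TRIGGER_WORDS = {"bizarre", "trick", "insane", "weird"}

# Patterns drawn from the post's examples: "87% of X prone to Y", "Doctors warn Z
# causes cancer", all-caps THIS / CLICK HERE / NOW, and a closing rhetorical question.
PATTERNS = {
    "survey_stat": re.compile(r"\b\d{1,3}%\s+of\b", re.I),
    "health_scare": re.compile(r"\b(doctors?|experts?)\s+warn\b|\bcauses?\s+cancer\b", re.I),
    "shouty_caps": re.compile(r"\b(THIS|NOW|CLICK HERE)\b"),   # case-sensitive on purpose
    "rhetorical_q": re.compile(r"\?\s*$"),
}


def score_lure(subject):
    """Return (score, reasons) for one subject line or headline.

    Each matched trigger word or pattern adds one point; the reasons list explains
    the score so a reviewer can tune the heuristic instead of trusting a bare number.
    """
    reasons = []
    words = {w.lower() for w in re.findall(r"[A-Za-z']+", subject)}
    for w in sorted(words & TRIGGER_WORDS):
        reasons.append(f"trigger word: {w}")
    for name, pattern in PATTERNS.items():
        if pattern.search(subject):
            reasons.append(name)
    return len(reasons), reasons


def flag_lures(subjects, threshold=2):
    """Return (subject, reasons) pairs scoring at or above the threshold."""
    flagged = []
    for subject in subjects:
        score, reasons = score_lure(subject)
        if score >= threshold:
            flagged.append((subject, reasons))
    return flagged


# Constructed sample subject lines (not real mail) to exercise the heuristic.
SAMPLE_SUBJECTS = [
    "You won't believe THIS weird trick doctors warn about!",
    "87% of office workers prone to this bizarre habit?",
    "Q3 budget review: agenda for Thursday's meeting",
    "Minutes from the change advisory board",
]

if __name__ == "__main__":
    for subject, reasons in flag_lures(SAMPLE_SUBJECTS):
        print(f"LURE? {subject!r} -> {', '.join(reasons)}")
```

    A heuristic like this is a triage aid for the human reader, not a filter: the post's point is that the lures work on curiosity, which no regex removes.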

    And that reminds me: intriguing imagery is another manipulative technique to grab us by the wotsits. The fire hose is a highly visual analogy: it conjures up a dramatic scene in your mind, so effectively that an actual picture of a gushing hose would be crass. I wrote yesterday about word clouds, and through this blog we've shared a few of the creative posters that accompany the NoticeBored security awareness materials every month.

    [Image: Samplers of the NoticeBored content]

    We also use colorful mind maps, process diagrams, flow-charts and so on for the same reason - to intrigue and so grab the reader's focus for a moment, to impart useful information, and so to inspire, motivate and entertain. Some of us like written words, some prefer pictures, and others like to be shown or directly experience stuff first hand ... which is why we also provide seminar slide decks, case studies and briefing papers. It's an immersive approach to security awareness.

    But time is precious so that's it for today. Thanks for dangling on my hook. I'm letting you go now. Swim free.

    Dec 4, 2017

    NBlog December 4 - word clouds


    Today I've been hunting for word-art programs or services. We've been happily using Wordle for a good while now. It has worked well, despite a few minor niggles:

    • It runs in Internet Explorer, but not Chrome;
    • It creates cloud shapes, blobs not distinct shapes;
    • It feeds on word lists, not URLs.

    There are several alternatives. The hands image above was generated quite simply in WordArt. WordClouds is another option. There are more: Google knows where to find them.

    I'll be trying them out during December. The combination of words and graphics amuses me, and hopefully catches a few eyes out there too. Catching eyes and imaginations is what we do.

    Dec 2, 2017

    NBlog December 2 - next topic

    Next up on the NoticeBored conveyor belt is an awareness module on the security aspects of BYOD and IoT.

    Aside from being topical IT acronyms, both (largely) involve portable ICT devices - wireless-networked self-contained portable electronic gizmos. 

    We've covered BYOD and IoT security before, separately, but it makes sense to put them together for a change of focus.

    As Things steadily proliferate, workers are increasingly likely to want to wear or bring them to work, and carry on using them. The security implications are what we'll be exploring in the next module.

    Dec 1, 2017

    NBlog December 1 - social engineering module released

    We close off the year with a fresh look at social engineering, always a topical issue during the holiday/new-year party season when we let our hair down. Generally speaking, we are less guarded and more vulnerable than usual to some forms of social engineering. The sheer variety of social engineering is one of the key messages in this month’s awareness materials.

    This module concerns:
    • Social engineering attacks including phishing and spear-phishing, and myriad scams, con-tricks and frauds;
    • The use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineers’ tradecraft;
    • Significant information risks involving blended or multimode attacks and insider threats.

    The NoticeBored module is designed to appeal to virtually everyone in the organization, regardless of their individual preferences and perspectives. A given individual may not value everything in the module, but hopefully there will be something that catches their attention – and that something may not even be the NoticeBored awareness materials as such, but perhaps a casual comment or oblique criticism from a peer or manager relating to the topic, which in turn was prompted by the NoticeBored content.

    The NoticeBored posters, for instance, are deliberately thought-provoking, puzzling even. Rather than spoon-feeding people with lots of written information, we choose striking images to express various challenging and often complex concepts visually. We hope people will notice the posters, wonder what they are on about, and maybe chat about them … which is where the learning happens.

    Explore the thinking that went into these awareness materials, and by all means tag along with us as we develop next month’s module, on the NoticeBored blog.

    Learning objectives

    December’s awareness materials are intended to:
    • Introduce/outline social engineering – a backgrounder on the wide variety of forms it takes, techniques used etc.;
    • Describe and promote the corresponding information security controls, particularly the human element given the limited effectiveness of technical/cybersecurity controls against social engineering, with a mix of informational and stimulating content;
    • Motivate workers to act more securely, for example spotting, rebuffing and reporting possible attacks.

    There are briefings, presentations, quizzes and competitions, checklists, posters and more in the new module - a wealth of creative materials all ready to use, straight out of the box (although we encourage you to customize them if you have the time).

    We’ve introduced a new A-to-Z-style awareness format this month with three briefings that work nicely together as a suite:
    1. A-to-Z of social engineering scams, con-tricks and frauds (FREE PDF) - what they do;
    2. A-to-Z of social engineering methods and techniques - how they do it;
    3. A-to-Z of social engineering controls and countermeasures - how to spot and stop them in their tracks.

    Get this module

    Subscribe to the NoticeBored service for December’s awareness module, plus InfoSec 101, a set of information risk and security policy templates, and further awareness modules on a huge range of information risk and security topics, something different every month. Email me to set the ball rolling.

    Nurturing the corporate security culture through awareness

    Subscribe to NoticeBored for fresh perspectives on information risk and security within the corporate context.  NoticeBored picks up on the strategic, governance, compliance and business aspects, particularly in the management stream of course but the principles underpin the general staff and professional streams too.  Information is a valuable and yet vulnerable asset that needs to be protected and legitimately exploited for sound business reasons - not just for compliance purposes or because we say so!  Properly done, information risk management is a business enabler, with security awareness a vital part of the approach - particularly, of course, in topics such as social engineering and fraud.