Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Feb 22, 2018

NBlog February 22 - responsible disclosure

Today I've been scouring the web for news on cryptominer incidents to incorporate into next month's awareness materials on malware.

As well as the usual doom-n-gloom reports from assorted antivirus companies bigging-up the cryptominer threat, I came across an interesting letter from a US hospital, formally notifying patients about an incident.

The infection was identified back in September 2017, and eradicated within 4 days of detection.

Although the malware infection was a relatively benign cryptominer, the hospital sent a formal notification letter to patients at the end of January 2018 since the infected system held their medical data. 

Full marks to the hospital management for 'fessing up to the incident and publicly disclosing it, and for apparently handling the incident in a professional and reasonably efficient manner (although arguably 4 months is an age in Internet time).

They have offered free credit monitoring services, more appropriate in case of identity fraud ... which is a possibility if the malware gained privileged access to the system. I wonder, though, whether this letter was simply part of their pre-prepared generic response to a cyber-incident, perhaps a defensive move prompted by their lawyers just in case personal/medical information was disclosed inappropriately.

Anyway, there we go: a relevant little news clip to share and explain through the awareness program, for people to discuss and contemplate. We can use it in the awareness slide decks, briefing papers and maybe as a case study. There are aspects of interest to the general staff audience, to management, and to the professionals/specialists, so we get three times the value from one story. Cool!


Feb 20, 2018

NBlog February 20 - awareness in small doses

Last month I blogged about consciously adopting a different style of awareness writing, with succinct tips-n-tricks supplementing, perhaps even replacing, conventional descriptive paragraphs.

At the risk of becoming recursive, one of the tips included in March's malware awareness module will be for NoticeBored customers to solicit tips from their colleagues who have suffered malware incidents recently.  

The idea is for the security awareness people to:

  • Find out what happened, to whom, when and how;
  • Speak, discreetly, to the people involved or implicated in the incidents;
  • Explore the consequences, both for the business and for them personally;
  • Tease out the tips - lessons worth sharing with others;
  • Share them.
Such an approach would work extremely well in some organizational cultures, but in others people can be reluctant to admit to and open up about their issues. Although it is feasible to draw out and express the key learning points anonymously, without identifying those directly involved, the process loses a lot of its awareness impact.

Think about it: if someone stands up before an audience, admits to failings that caused or failed to prevent a malware incident, and is clearly affected by the whole episode, isn't that a powerful, moving message in itself, regardless of the content?

So, taking my own medicine, the Hinson tip cut-to-the-chase version of this blog piece is:
"Find out about malware incidents from those involved, and share the lessons as part of your awareness program." 
While it's not the full story, that is hopefully just enough to catch your eye and stick in your memory.

Feb 17, 2018

NBlog February 17 - The I part of CIA

Integrity is a universal requirement, especially if you interpret the term widely to include aspects such as:
  • Completeness of information;
  • Accuracy of information;
  • Veracity, authenticity and assurance levels in general e.g. testing and measuring to determine how complete and accurate a data set is, or is not (an important control, often neglected);
  • Timeliness (or currency or ‘up-to-date-ness’) of information (with the implication of controls to handle identifying and dealing appropriately with outdated info – a control missing from ISO/IEC 27001 Annex A, I think);
  • Database integrity plus aspects such as contextual appropriateness plus internal and external consistency (and, again, a raft of associated controls at all levels of the system, not just Codd’s rules within the DBMS);
  • Honesty, justified credibility, trust, trustworthiness, ‘true grit’, resilience, dependability and so forth, particularly in the humans and systems performing critical activities (another wide-ranging issue with several related controls);
  • Responsibility and accountability, including custodianship, delegation, expectations, obligations, commitments and all that …
  • … leading into ethics, professional standards of good conduct, ‘rules’, compliance and more.
The full breadth of meanings and the implications of “integrity” are the key reason I believe it deserves its place at information risk and security’s high table, along with confidentiality and availability. However, for some people in the field (perhaps a greater proportion of non-native English speakers?), it evidently has a much more restricted meaning, hence the reason for the note to this definition of information security:
"3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved."

Those additional properties, and more, are to me all part of “integrity” (plus availability in the case of “reliability”).
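
The "testing and measuring" control in the list above is easy to state and easy to neglect, so here is what such a measurement looks like in practice. This is an added illustration, not code from NoticeBored or the original post: the record set, the field rules (ISO date, simple e-mail shape), the 365-day staleness threshold and the "total equals the sum of its parts" rule are all constructed assumptions standing in for whatever rules a real data owner would specify. It scores a data set on four of the integrity aspects listed: completeness, accuracy, timeliness and consistency (both within a record and across the set, via the unique key).

```python
"""Measure the integrity of a small record set: completeness, accuracy,
timeliness and internal/cross-record consistency. Added example; the
records, field rules and thresholds below are constructed for illustration."""
from datetime import date, datetime, timedelta
import re

REQUIRED_FIELDS = ("id", "name", "email", "dob", "items", "total", "updated")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_AGE = timedelta(days=365)   # assumed refresh policy: older records are stale
AS_OF = date(2018, 2, 17)       # the date the audit is run

# Constructed sample register (names, addresses and ids are invented).
RECORDS = [
    {"id": "A1", "name": "Ann Lee", "email": "ann@example.test", "dob": "1980-04-02",
     "items": [3, 4], "total": 7, "updated": "2018-02-10"},
    {"id": "A2", "name": "", "email": "bob@example.test", "dob": "1975-13-40",
     "items": [1], "total": 1, "updated": "2018-01-30"},
    {"id": "A3", "name": "Cy Dee", "email": "not-an-email", "dob": "1990-07-07",
     "items": [2, 2], "total": 5, "updated": "2016-05-01"},
    {"id": "A1", "name": "Ann Lee", "email": "ann@example.test", "dob": "1980-04-02",
     "items": [3, 4], "total": 7, "updated": "2018-02-10"},   # duplicate key
]


def _parse_date(value):
    """Return a date for an ISO 'YYYY-MM-DD' string, or None if it is not valid."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return None


def check_record(rec, as_of=AS_OF):
    """Return a list of (property, detail) findings for one record; [] means clean."""
    findings = []
    # Completeness: every required field present and non-empty.
    for field in REQUIRED_FIELDS:
        value = rec.get(field)
        if value is None or value == "" or value == []:
            findings.append(("completeness", f"missing {field}"))
    # Accuracy: values conform to their format rules.
    if rec.get("email") and not EMAIL_RE.match(rec["email"]):
        findings.append(("accuracy", "malformed email"))
    if rec.get("dob") and _parse_date(rec["dob"]) is None:
        findings.append(("accuracy", "invalid dob"))
    # Timeliness: records not refreshed within MAX_AGE need review or disposal.
    updated = _parse_date(rec.get("updated", ""))
    if updated is None:
        findings.append(("accuracy", "invalid updated date"))
    elif as_of - updated > MAX_AGE:
        findings.append(("timeliness", f"stale since {updated}"))
    # Internal consistency: the stored total must equal the sum of its parts.
    if isinstance(rec.get("items"), list) and rec.get("total") is not None \
            and sum(rec["items"]) != rec["total"]:
        findings.append(("consistency", "total != sum(items)"))
    return findings


def audit(records, as_of=AS_OF):
    """Audit a data set: per-record findings, a count of findings per integrity
    property, and the fraction of records with no findings at all."""
    report = {"records": {},
              "counts": {"completeness": 0, "accuracy": 0, "timeliness": 0, "consistency": 0}}
    seen_keys = set()
    for index, rec in enumerate(records):
        findings = check_record(rec, as_of)
        # Cross-record (database) integrity: the primary key must be unique.
        key = rec.get("id")
        if key in seen_keys:
            findings.append(("consistency", f"duplicate id {key}"))
        seen_keys.add(key)
        for prop, _ in findings:
            report["counts"][prop] += 1
        report["records"][index] = findings
    clean = sum(1 for f in report["records"].values() if not f)
    report["clean_fraction"] = clean / len(records) if records else 1.0
    return report


if __name__ == "__main__":
    result = audit(RECORDS)
    print(result["counts"], "clean fraction:", result["clean_fraction"])
    for index, findings in result["records"].items():
        print(index, findings)
```

Run against the constructed register it reports one completeness, two accuracy, one timeliness and two consistency findings, with a quarter of the records clean. The point is the shape of the control rather than these particular rules: each aspect of integrity becomes a measurable, repeatable check whose output can be tracked over time, and the stale-record check is precisely the "outdated information" control the list above notes is absent from ISO/IEC 27001 Annex A.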

By the way, Donn Parker has argued for years (decades!) that the CIA triad is deficient. Aside from the vagueness of “integrity” which is at least partially addressed by that note, Donn points out that there are other, materially different properties or requirements or features of information that are also an integral part of the domain, such as ownership and control – and I must say I think he’s right. A significant part of privacy, for example, is the concept that we data subjects own and hence have a right to control or choose how our personal information is used, disclosed, stored, maintained and disposed of, regardless of who actually has possession of it at any moment, and regardless of the fact that we may have chosen to disclose it to them, or failed to prevent them accessing it (e.g. by standing naked at a window!). That, for me, goes beyond CIA, although some would say it falls under responsibility, accountability and trust which is part of integrity, and of course there is a confidentiality angle. Regardless of the official/academic definitions, it’s an intriguing perspective. 

Feb 16, 2018

NBlog February 16 - innovative malawareness

Malware has been a concern since the 1980s. It’s an awareness topic we update and refresh every March, and yet we never fail to find something new to discuss. 

Last year, we focused on ransomware, a ‘real and present danger’ at the time with several high-profile organizations (such as the UK National Health Service) suffering disruptive and very costly incidents.
 
This year, surprisingly, the ransomware risk appears to have declined according to some reports, only to be replaced it seems by the next wave: cryptocurrency mining Trojans.

Meanwhile, we suspect reports of the demise of ransomware are premature. Compared to slowly milking a few Bitcoins from a large botnet of cryptominers, holding organizations’ or indeed individuals’ data to ransom for a few hundred dollars or more per hit seems much more lucrative – but also riskier for the criminals behind the scams. 

Perhaps what's really behind this is the criminals’ risk-reward tradeoff. 

Then again, maybe it's just that the analysis is flawed. Perhaps ransomware was not quite as bad as it seemed last March, and remains at much the same level today. 

One of the perennial issues we face in researching the malware topic is that the most readily available information is published by antivirus companies, with an obvious commercial agenda to make the malware issue appear worse than it really is. Sifting through the stream of "surveys" and "reports" to find the few of any note and credibility is a tedious task, making this one of those areas where our security awareness service goes beyond the bare minimum. Rather than regurgitating the same old stuff and scaremongering, we're adding value by researching information risks and challenging the conventional wisdom. Innovating, you could say, or being unconventionally wise.

Feb 14, 2018

NBlog February 14 - IoT security & privacy standard

I've just added another new page to ISO27001security.com for ISO/IEC 27030, a standard now being developed for IoT security and privacy.

I've been arguing for years that it would be appropriate, since they specify a risk-based approach to security management, for the ISO27k standards to specify the information risks they address. To that end, I've published a PIG (Probability Impact Graph) graphic from the NoticeBored security awareness module on IoT and BYOD, to set the ball rolling ...

There seems little chance of persuading ISO/IEC to incorporate such a colorful image in the standard, unfortunately, but hopefully the analytical approach will at least prove useful for the project team busily drafting the new standard.

On the web page I've described the red and amber zone IoT risks. I'm sure we could have an excellent discussion about those and other risks in the committee, except there is never enough time at the twice-yearly SC27 meetings to get far into the nitty-gritty of stuff like this. Instead I'll see whether I can raise any interest on the ISO27k Forum, perhaps feeding relevant content and creative suggestions to SC27 via formal comments submitted by NZ Standards - the tedious, antiquated, laborious, slow and expensive approach that we are presently lumbered with. It hardly seems worth the effort.

Feb 13, 2018

NBlog February 13: ISO/IEC 27000:2018 FREE download

I’ve caught up with a small mountain of ISO/IEC JTC1/SC27 emails, and updated www.ISO27001.com with a smattering of news.

A few new and updated standards have been released in the past 4 months or so, including ISO/IEC 27000:2018, the overview and glossary of terms used throughout ISO27k. 

As usual, ITTF offers legitimate FREE single-user PDF versions of ISO/IEC 27000 in both English and French.

Please observe the copyright notice. The free ITTF PDFs are for personal use and are not to be shared or networked.

Other recent (but not free) releases include ISO/IEC 27007 (management system auditing), 27019 (securing SCADA/ICS process controls in the energy industry) and 27034-5 (application security).

ISO/IEC 27021 is an interesting new one: it explains the competences (knowledge and skills) required by ISMS professionals. It’s fairly straightforward, really, but nice to see it laid out in black and white, with the implication that assorted ISO27k training courses will gradually fall into line.

Perhaps we should develop an ISO27021-aligned training course. Would you like to pop down to the South Pacific to learn how to do this ISO27k ISMS stuff, or invite me over to wherever you are? If so, please get in touch. It's a lot of work to put a course together, so we'd need to establish first whether there would be sufficient demand. 😊

There are also some privacy standards in preparation with ISO27k numbers, hinting at commonality/convergence between information risk/security management with privacy management. It's a shame they aren't already available, given the massive push towards GDPR compliance right now.

Finally, I have some choice words to say on the site about a slew of “cybersecurity” standards projects on the go, with a common concern that “cyber” and derivative words are not properly defined – a bit of a drawback for international standards, I feel. That’s one bandwagon I’m happy to observe cynically from the sidelines.

Feb 9, 2018

NBlog February 9 - mapping awareness memes

Yesterday I came up with the suggestion of using memes to spread security awareness messages from person to person, in a similar fashion to the way that computer viruses and worms spread from IT system to IT system. 

Today I'm trying to come up with something that people will spread among each other by word of mouth, through email and TXT etc., something funny, shocking or useful - such as tips to avoid falling prey to malware maybe, or rumors about a serious malware infection within or close to the organization.

'Too close for comfort' has potential, perhaps a malware incident and business crisis narrowly averted by sheer good fortune. Or maybe we could fool workers into believing that the auditors will soon be coming to check up on the antivirus controls?

Such an approach could be unethical, risky even (e.g. if it prompted workers to meddle inappropriately with antivirus configurations or audit trails, rather than ensuring that the antivirus controls were operating correctly). It would need to be carefully considered and planned, which itself constitutes an awareness activity even if, in the end, the decision is taken not to go ahead.

The 'meme map' (derived from "Meme Maps: A Tool for Configuring Memes in Time and Space" by John Paull) represents the lifecycle and spatial or geographical spread of the meme. Reading from the bottom up, both the yellow area prior to the meme's release, and then the green area, are awareness opportunities.  

Mapping and demonstrating the gradual spread of a security awareness meme within the organization (e.g. mapping the source of clicks on a link to a fake internal memo about the fictitious antivirus audit, or tracking calls about the audit to the Help Desk) is yet another possible awareness activity, with similarities to the spread of malware ... at which point I recurse up my own backside, so that's enough idle musing for today's blog.
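
Mapping the spread from click data is straightforward once the tracking link is in place. The following is an added example, not code from the original post or from NoticeBored: it takes a handful of constructed web-server access-log lines for a hypothetical tracking path (`/av-audit-memo`, invented here), attributes each click to a department through an assumed subnet-to-department table, and reports the order in which the meme reached each department, how long after the first click, and how many hosts clicked. The same approach applies to phishing-simulation landing pages.

```python
"""Map the spread of an awareness 'meme' from access-log hits on a tracking
link. Added example; the log lines, addresses, tracking path and subnet table
are constructed for illustration."""
import re
from datetime import datetime

# Constructed Common-Log-Format lines; hosts, times and the path are invented.
LOG_LINES = """\
10.1.1.20 - - [09/Feb/2018:09:02:11 +1300] "GET /av-audit-memo?src=fin HTTP/1.1" 200 512
10.1.1.21 - - [09/Feb/2018:09:05:40 +1300] "GET /av-audit-memo?src=fin HTTP/1.1" 200 512
10.2.3.7 - - [09/Feb/2018:09:41:03 +1300] "GET /av-audit-memo?src=hr HTTP/1.1" 200 512
10.1.1.20 - - [09/Feb/2018:10:12:55 +1300] "GET /intranet/home HTTP/1.1" 200 2048
10.3.0.9 - - [09/Feb/2018:11:20:19 +1300] "GET /av-audit-memo?src=ops HTTP/1.1" 200 512
10.3.0.12 - - [09/Feb/2018:14:03:00 +1300] "GET /av-audit-memo?src=ops HTTP/1.1" 200 512
"""

# Assumed mapping of internal subnets to departments (longest prefix wins).
SUBNETS = {"10.1.1.": "Finance", "10.2.3.": "HR", "10.3.0.": "Operations"}
TRACKING_PATH = "/av-audit-memo"   # hypothetical link in the fake memo

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" (\d{3})')


def parse_line(line):
    """Return {'ip', 'ts', 'path', 'status'} for a CLF line, or None if unparseable."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ip, stamp, path, status = match.groups()
    return {"ip": ip,
            "ts": datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"),
            "path": path,
            "status": int(status)}


def department(ip):
    """Attribute a source address to a department; 'unknown' if no subnet matches."""
    prefixes = [p for p in SUBNETS if ip.startswith(p)]
    return SUBNETS[max(prefixes, key=len)] if prefixes else "unknown"


def map_spread(lines=LOG_LINES, tracking_path=TRACKING_PATH):
    """Return {department: {'first_seen', 'clicks', 'hosts'}} for successful
    hits on the tracking path; other requests and non-200 responses are ignored."""
    spread = {}
    for line in lines.splitlines():
        hit = parse_line(line)
        if hit is None or hit["status"] != 200:
            continue
        if hit["path"].split("?", 1)[0] != tracking_path:
            continue
        dept = department(hit["ip"])
        entry = spread.setdefault(dept, {"first_seen": hit["ts"], "clicks": 0, "hosts": set()})
        entry["first_seen"] = min(entry["first_seen"], hit["ts"])
        entry["clicks"] += 1
        entry["hosts"].add(hit["ip"])
    return spread


def spread_order(spread):
    """Departments in the order the meme reached them, with whole minutes elapsed
    since the very first click: the timeline of the 'infection'."""
    if not spread:
        return []
    t0 = min(e["first_seen"] for e in spread.values())
    ordered = sorted(spread.items(), key=lambda kv: kv[1]["first_seen"])
    return [(dept, int((e["first_seen"] - t0).total_seconds() // 60)) for dept, e in ordered]


if __name__ == "__main__":
    result = map_spread()
    for dept, minutes in spread_order(result):
        print(f"{dept:<11} +{minutes:>4} min  clicks={result[dept]['clicks']}"
              f"  hosts={len(result[dept]['hosts'])}")
```

On the constructed log the meme reaches Finance first, HR 38 minutes later and Operations after 138 minutes, which is the kind of timeline that could be plotted as the green area of a meme map. Two caveats a practitioner would add: source addresses behind a proxy or VPN all map to one "department", so the attribution needs a better identity source than a subnet table, and the tracking data itself is personal data about employees, so its collection and retention should be agreed in advance as part of the planning the post mentions.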

Feb 8, 2018

NBlog February 8 - making security awareness infectious

Just appearing into view along our virtual conveyor belt comes an updated module on malware, one of those perennial, almost universally-applicable security awareness topics.

Aside from generally checking over and fluffing-up the content delivered in prior years, we're on the lookout for new developments, specifically any changes in the risk profile or security controls associated with malware.

Something we've spotted is an alleged move away from ransomware (which was Big News this time last year, a real and present danger) towards using compromised systems for crypto currency mining. I'm not entirely convinced at this point whether that is a genuine change: maybe ransomware has indeed peaked out (I sure hope so!), maybe not, but either way mining malware could be an emerging trend, another short-lived fad, a mistaken interpretation of limited data or pure fiction invented by someone flogging antivirus software.

Over a much longer timescale, commercial exploitation of malware remains evident, along with the continuing battles between black and white hats. For decades we have seen innovative and increasingly complex technologies being deployed on both sides - clever stuff, but things have more or less stalled on the human front. Despite our best efforts through awareness, education, training, phishing simulators etc., the same old social engineering tricks remain somewhat effective today at spreading malware, and there's plenty of potential there for further innovation. 

Novelty is a challenge for both the tech and non-tech malware defenses. This is cutting-edge stuff where established approaches gradually lose their power. Purely responding to changes on the offensive side is bound to set us on the back foot, especially given that most of those changes are unrecognized as such, initially anyway. Who knows, maybe the Next Big Thing in social engineering might be quietly ramping up right now.

So, I'm sitting here thinking about how to encourage NoticeBored subscribers to up their game with more innovative malware defenses, including our creative efforts on security awareness of course but what else could they be doing? Hmmm, I wonder if security awareness messages could be delivered by malware-like infectious mechanisms? 

Probably not a good idea, that one, subject to the same risks and drawbacks as those supposedly benevolent worms designed to patch systems against security vulnerabilities. 

A meme, though, has possibilities. If we can't infect IT systems with technological controls, can we at least infect people with behavioral controls, in a way that spreads from person-to-person like a beneficial form of flu, without the sniffles?

Feb 5, 2018

NBlog February 5 - protecting information awareness module

‘Protecting information’ is a non-specific title. Almost everything that we do is about protecting information so what does February's NoticeBored awareness module actually cover?

'Protecting information' begs questions such as:
  • What is the information that deserves or needs to be protected?
  • What are the risks the information is protected against - the threats, vulnerabilities and impacts?
  • How can or should the information be protected?
  • Who is responsible for protecting it?
For the answers, we drew inspiration from the fields of information risk management, intellectual property and knowledge management, as well as information security and governance. 

As usual, we chose to discuss all kinds or forms of information in the typical business context - not just computer data. 'Knowledge' for instance includes workers' experience and expertise, trade secrets and know-how in general. The corresponding information risks and controls are quite diverse.
Information classification is one of the key controls patiently explained. The process of classifying and protecting information is more involved than it may appear. Awareness is particularly important for organizations handling government and defense information: it’s all very well stamping SECRET on your manila folders, but what does that actually mean, in practice? What does it achieve? What's the point? How does it work?

The materials promote a balanced and considered approach towards protecting information. Excessively strong information security reduces legitimate access to, and utility of, the information. The very value we seek to protect can be degraded by too much security. Many information/cyber security professionals would do well to consider this paradox! Protecting the availability of information sometimes means compromising on the controls for confidentiality and integrity.
Get in touch if this brief outline has whetted your appetite: if 'protecting information' sounds like something your people should know about, we have the creative content to make it so.