Welcome to NBlog, the NoticeBored blog

Bored of the same old same old? Here's something a bit different.

Apr 18, 2019

NBlog April 18 - another NSA contractor accused of schlurping

Catching up with recent infosec news, I stumbled across a piece about NSA contractor Harold T Martin III, accused of schlurping (pinching and hoarding) some 50 terabytes of secret data.  50 Tb!  Along with Julian Assange, Ed Snowden and Chelsea Manning, the US government appears to be hemorrhaging secrets by the shed-load, despite all the extraordinary security controls designed to prevent and detect it.

I say 'shed-load' advisedly: a typical page of a typical document has about 500 typical words per side i.e. 1,000 words per double-sided sheet needing about 200 kb of rich text data (e.g. a Word document). That's 5 sheets per Mb*. 50 Tb is 50 million Mb or about 250 million sheets. A typical box of printer paper contains 10 reams of 500 sheets i.e. 5,000 sheets per box, enough to print out about 1 Gb of data*. So, printing 50 Tb would take about 50,000 boxes of paper, a stack of about 37x37x37 boxes. That's a shed-load ... a big shed, a small warehouse or industrial unit*.

Modern PC disk drives hold about 1 Tb. It is possible that someone might casually stroll out of work carrying 50 hard drives in a box marked "Spares"; more likely, they would carry out a high-capacity USB thumb drive or laptop every working day for a month or three.

Alternatively, 50 Tb would take approximately forever to download at 1 Gb per hour on a typical home Internet connection ... but barely a day on a lightning-fast fiber-optic line running flat-out at 1 Gb per second*. Professionals working regularly from home, perhaps offering remote IT support, could conceivably claim the business expense of a fast fiber line ... or invest personally for geek status points.

This is relevant to next month's NoticeBored security awareness topic. IT-enabled workers are technically capable of accessing and storing vast quantities of data wherever they happen to be working, whether on- or off-site. About 20 years ago 'deperimeterization' became a nasty buzzword, referring to the dissolving boundaries around organizations, changing the information risks. Today, it seems as if those boundaries have completely evaporated: inside and outside are virtually indistinguishable.

If our organizations can't quite match the government spooks' budgets and appetites for information security (and even if they can!), where does that leave us? I'll tell you where - firmly in the Probability Impact Graph's high-risk bright red zone.


* All the figures in this piece are vague approximations. Treat them as rough ball-parks at best ... and please let me know if you spot any errors.

Apr 14, 2019

NBlog April 14 - SecAware eShop open for business


Acquiring top-quality creative security awareness and training materials is easier, quicker and cheaper than ever through our online shop at www.SecAware.com 

Browse a selection of awareness materials including policies, the InfoSec 101 orientation module and more.  

Pick, pay and download - "easy-as" as we Kiwis say.

Please let me know if there are other materials or topics you'd like us to offer through SecAware ... and please excuse the minimalist site design: it's just a starting point as we figure out how to build and maintain websites for mobiles and desktops.  

So much left to do, so much left to learn.

Apr 13, 2019

NBlog April 13 - working off-site

We're rapidly spiralling-in on a scope, purpose and hence title for the next NoticeBored security awareness and training module, currently trundling its way along the production conveyor belt at IsecT HQ.

Inspired by a customer request to cover the security aspects of 'home working', we set out to complement the BYOD and business continuity topics ... but in exploring the associated information risks and controls, we've realized that there are other ways and means of working with similar issues. 

Mobile or portable working, for example, is almost the rule for managers and professionals these days, at least to the extent of being constantly in touch by cellphone, keeping up with emails and TXT messages, and using work apps on smartphones, laptops and tablet PCs. Commuters on public transport often seem totally absorbed by their screens and ear-buds; whether that's personal or work emails, podcasts, news from the city desk, Harry Potter, Game of Thrones, Bach or BoyZone, we don't know.

Just as 'the office' has evolved from classrooms laid out with rank-and-file desks sporting noisy typewriters and ashtrays, to separate rooms with closed doors, through Dilbert cubicles (with partitions but without doors), to open-plan spaces, stand-up meetings, table-football, basketball hoops and flame-grilled hot-desking, so too 'the home office' has changed over time. 

Back in the 80's all-in-one beige plastic monsters such as IBM PCs and DEC VAXmates were all over the business ads, while home computers of the time looked more like unfinished industrial machines with plenty of blinkenlights and mysterious switches to catch the hobbyist's beady eye. Adverts focused on the 'powerful machine' rather than 'the workstation', 'desk' or 'office'. We had duplicators, pagers, PDAs and luggables, facsimile machines, and those first generation mobile telephones that needed their own motorized carts for the battery packs.

Do you recall when 'workstation furniture' became a thing - weird multilevel desks on caster wheels with cutouts for keyboards and cables, and plenty of depth for big heavy CRT monitors, leaving precious little leg-room for the unfortunate user? For a while, executive home offices were advertised by suited, bossy gentlemen (almost always) in high-back puffy leather chairs at expansive and expensive mahogany veneer desks the size of tennis courts (well, table tennis tables anyway). Then came corner desks, filing cabinets on wheels and home stationery cupboards with roller-shutter fronts to stop the kids pinching daddy's crayons.

Today, given the price of property, the 'home office' is more often a corner of the kitchen workbench or someone's lap. I wouldn't be surprised to learn of people replying to work emails on vertical touchscreens on their fridges and microwaves, all while cooking tea. We don't all have the Oval Office at home.

It has become socially acceptable, almost the norm to hold business meetings in cafes and restaurants, and anyone without a smartphone in easy reach, yakking loudly and laughing into their wireless headset, stands out like a sore thumb-drive.

Entire generations of business travelers have been trained to leap to their feet as the plane lurches to a stop, grabbing their phones and wondering where the Uber will lurk.

Oh, and speaking as a motorcyclist, don't get me going on texting-while-driving. Have you noticed just how many displays there are built-in to cars now, in addition to those clutched by the occupants?

So, that outlines the physical and cultural context we have in mind for the next awareness module. Some of the associated information risks are obvious, others less so, which means quite a variety of controls, plenty to explain and discuss.

Apr 12, 2019

NBlog April 12 - off-site security



Do your mobile sales reps look after the information relating to products, pricing, contracts, supplies, specifications, strategies and all that – not just the sales apps, spreadsheets and slide decks on their laptops, tablets and smartphones, but all the other sensitive and valuable corporate and personal data they carry or access? What about your roaming product/tech support and maintenance people? Your company doctor? The Board of Directors? Managers and business travelers generally? Workers catching up with email on their way home, or putting the final touches on a progress report while stretched out on the couch watching an episode of CSI?

Are they vigilant and alert? Do they have the faintest clue about the information risks around them, or what's expected of them in the way of information security and privacy? Do they care?

Portable ICT has revolutionized our lives to the point that we take it for granted these days. We've become blasé about it. No longer are we tied to the desk and landline. We can be reached almost anywhere at any time by friends, family and colleagues, including the boss, customers and associates. One-way pagers morphed into TXT messaging and SMS-RSI. Cellular telephones with power packs the size of Manhattan, the capacity of a flea and dreadful audio quality became multimedia smartphones small enough to wear on the wrist, while jogging. Embedded computing used to refer to dedicated Computer Numerical Controllers buried deep inside noisy industrial machines: now it includes subcutaneous things.

It's not just students doing homework. For some, working from home is a lifestyle choice, a way to mesh work and family lives seamlessly or at least to juggle dishwashing with helpdesking. For others, it's a necessity, squeezing a few more precious hours into the working week while being physically present and technically 'at home'. And 'home' tonight may be a bland concrete box in some anonymous city hotel, tomorrow a cab and departure lounge en route to the next bland concrete box.

Those are just some of the scenarios we have in mind for May's NoticeBored security awareness and training module. With a profusion of information risks and security controls to explore, preparing the materials involves drawing out the core themes and threading them into story lines that spark the imagination. Informing, engaging and persuading people is what we do. Must dash now: dishes to wash. 

Apr 11, 2019

NBlog April 11 - the KISS approach to ISO27k

From time to time on the ISO27k Forum, someone claims that certification auditors 'like to see', 'require' or even 'insist on' or 'demand' certain information security controls. Sometimes, it is further claimed or implied that certification auditors have actually raised or might yet raise nonconformances regarding the lack of certain controls, and consequently might refuse to certify their clients.

I'm not entirely convinced that such claims are true, for starters, but if so that hints at a problem with the certification and perhaps accreditation processes.

In accordance with ISO/IEC 27006, ISO/IEC 27007, ISO 19011 (revised last year) and their own internal certification audit procedures, accredited certification auditors should be certifying an ISO27k Information Security Management System against the requirements formally specified in the main body clauses of ISO/IEC 27001. They should definitely raise major nonconformances and refuse to certify if they have evidence that an organization has not fulfilled particular requirements in the main body of '27001. However, if there are issues regarding the organization’s interpretation and/or implementation of '27001 Annex A controls, that’s a different matter because Annex A itself is not mandatory.

A (re)current example on the Forum concerns asset inventories. The main body of '27001 does not formally require that organizations prepare and maintain inventories, databases or lists of their assets. Compliant organizations are required to consider the advice in Annex A regarding inventories and other matters, but they do not have to take the advice and they are free to interpret it in whatever way happens to suit their purposes.

Arguably, if an organization has identified and evaluated its information risks and decided to implement certain mitigating controls based on Annex A, but has not in fact done so yet (at least not satisfactorily) and has no real intention, then that suggests a failure of the ISMS processes which would likely constitute a reportable nonconformance. However, if the organization acknowledges that the controls are not fully implemented yet and is in the process of addressing that (ideally with some evidence of genuine intent, such as approved projects with allocated resources), then the ISMS processes appear to be working as planned … which would be a basis to challenge a nonconformance raised by the certification auditors. One of the objectives for an ISO27k ISMS is to drive and facilitate systematic improvement and maturity in this area: that’s nothing to be ashamed of - quite the reverse!

Unfortunately a number of myths and misunderstandings persist in the field, including allegedly common practices and widespread approaches that are not entirely aligned with the ISO standards. Even if many certified organizations happen to have asset inventories, that does not mean the standard formally requires everyone to do so. The same thing applies to information classification, antivirus controls, backups and so forth – in fact, the whole of Annex A ("Reference control objectives and controls") is advisory: certified organizations are formally required to check their selection of controls against Annex A "to ensure that no necessary controls have been overlooked" [27001 clause 6.1.3c note 1] but they are not formally required to adopt and implement the Annex A controls. They are encouraged to select whatever controls happen to best address their risk mitigation needs, from any sources they choose including controls of their own invention.

"Organizations can design controls as required, or identify them from any source." [ISO/IEC 27001:2013 clause 6.1.3b (note)]

Oh and by the way, mitigation is just one of four perfectly acceptable forms of risk treatment, along with avoidance, sharing and acceptance. Again, the organization is fully within its rights to choose its approach and the auditors should not complain (with some provisos concerning how those choices were made).

This point drove our development of the ISMS mandatory documentation checklist for the ISO27k Toolkit (free!). If you analyze the wording of '27001 carefully and narrowly, almost like a lawyer analyzing a contract, you find that many common practices are optional, not mandatory after all. This has implications for the certification auditors: clients have a sound basis to challenge audit findings or nonconformances on options that, for whatever reason, they have chosen not to take up. Provided the process through which they evaluated and chose their options is compliant with '27001, and provided they duly complied with their own policies and procedures, the auditors should not insist that those options are in fact required.

Having said all that, there is more to this than certified compliance with '27001. It could equally be argued that Annex A constitutes good practice, hence in accordance with '27001 6.3.1d, organizations that choose not to adopt Annex A controls should at least be able to justify their decisions in a Statement of Applicability. Right or wrong, discretion is appropriate and necessary under various circumstances, in practice. 

Furthermore, while certification auditors might be going beyond their brief if they refuse to certify organizations that choose not to adopt all the controls in Annex A, they might appear negligent if they didn’t at least point out substantial information security concerns which crop up in the course of their audits … which is where minor nonconformances, ‘other findings’, ‘potential points of concern’, informal reporting and the negotiations towards the end of an audit generally come into play. 'We will certify your ISMS, but we advise you of the following issues: ...'.

ISMS management reviews, ISMS internal audits etc. probably should dig out and report concerns of this nature too: they generally have a wider brief than certification and are not necessarily constrained to compliance auditing solely against the formal requirements. Almost anything is potentially reportable internally if a competent person believes, and has evidence, that it is in the organization's best interests. That includes audits and reviews of the ISMS against other requirements such as quality assurance or health and safety or environmental protection or corporate strategies or whatever. Organizations have many obligations and expectations in addition to those in '27001, not least meeting their own business objectives and duties towards various stakeholders.

So what does this all mean? Personally, despite being a fan of good security practices, I understand the value of a minimalist KISS approach (as in Keep your ISMS Simple, Stupid) with benefits such as:
  • Ease of understanding, use, management, maintenance and auditing;
  • Focus on the essentials, and do those well, make them slick;
  • Lack of red tape and bloat - often itself a rat's nest of security issues as well as the obvious costs and delays;
  • Maximize bang for buck - the core processes and an ISO/IEC 27001 compliance certificate are valuable, even if the certified ISMS is minimalist;
  • Release the organization from the constraints of overbearing security, encouraging investment and effort in other more valuable business opportunities;
  • A solid foundation on which to build appropriate extensions at some future point - meaning both maturity and the flexibility to respond to novel situations as they arise.

Apr 8, 2019

NBlog April 8 - The Power of Resilience


One of my all-time top-N books, this one. Love it!


The author, Yossi Sheffi, is an expert in systems optimization, risk analysis and supply chain management. He’s a professor at MIT, the Director of the Center for Transportation & Logistics, a faculty member of the Civil and Environmental Engineering Department and Institute for Data, Systems, and Society. As well as his academic credentials, he’s a level-headed clear thinker.

Yossi’s thesis is valuable and convincing. There is no organization that would not benefit from being even more resilient, and for the vast majority even modest improvements along these lines could make a huge difference to their capabilities and capacities, both in disastrous conditions and in normality.

I particularly like the emphasis on resilience as a strategic matter, for example making organizations fit and ready to seize the business opportunities that open up when their less-resilient peers are struggling to cope with nightmare scenarios. Resilience is far more than a defensive mechanism: this book explains how to create competitive advantage by a more proactive approach.

The writing style is excellent. The book is clear, easy to read and understand, and interesting too - I really enjoyed reading and contemplating it. It is peppered with details and anecdotes from the author's research with numerous companies, not just the usual rather restricted and superficial set of case studies but a wealth of relevant info from a wide range of industries, albeit mostly large companies hence SMEs are a little underrepresented.

It's a stimulating read. Every few pages I found an angle that hadn't occurred to me before, an approach that instantly registered as something well worth considering. It's overflowing with good advice - and not just hand-waving generalities: there are plenty of clues here for bright managers to adapt and adopt.

All in all, fantastic! A cracker! A keeper!



Apr 7, 2019

NBlog April 7 - time resilience


It's official - summer's over in the Southern hemisphere.  

Not only did we need to light a fire to keep warm yesterday but at 3 am last night our clocks went back an hour at the end of NZ Daylight Savings Time. We're now 12 hours ahead of UTC.

My Windows PC clock reset itself automagically, dropping an informational entry into the system logs 12 seconds later.



Consequently the normally sequential Windows system log appears out of sequence. According to the time stamps, log entries at 02:55 and 02:56 were followed by the informational entry at 02:00.

That's just a reporting/display artifact though. Under the covers, the operating system uses UTC. UTC didn't change by an hour at 02:00 but just kept ticking away like normal. Log entries always join the top of the heap in a strictly sequential log.

UTC does occasionally change by a second, though, to keep it in step with the Earth's rotation which is how we animals measure time - by reference to the cycle of days and nights, sunrises and sunsets.

We all know days and nights change gradually in length throughout the year. Thanks to their atomic clocks, the scientists know that the 'gradual change' is not, in fact, entirely consistent. For reasons that escape me, atomic clocks are more consistent than the Earth's rotation, hence UTC is not entirely accurate.

UTC is only ever adjusted in whole 1 second increments ... which presents a problem for computer systems and processes that depend on UTC. Loggable events occurring within the period of a step adjustment could be logged with the wrong times, so a better approach is to speed up or slow down the clock tick rate ever so slightly until the one second change is achieved. Now, log entries will be ever so slightly wrong for the period of the change, but provided 'ever so slightly' is less than the resolution of the date-time-stamps, it shouldn't matter, hopefully.
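An added example, not from the original post, illustrating both points above: log entries written in strict UTC order look out of sequence when a viewer shows them in NZ local time across the daylight-saving change, and a leap second can be "smeared" over a window rather than stepped. The NZ transition instant (03:00 NZDT back to 02:00 NZST, i.e. 2019-04-06 14:00 UTC), the fixed-offset zones and the log lines are all constructed for the example.

```python
"""Sequential UTC log vs. local-time display across the NZ DST change, plus a
simple leap-second smear. Constructed example; not the blog's own code."""
from datetime import datetime, timedelta, timezone

# Fixed-offset zones standing in for Pacific/Auckland around the 2019 change
# (constructed; avoids depending on the system's tz database).
NZDT = timezone(timedelta(hours=13), "NZDT")
NZST = timezone(timedelta(hours=12), "NZST")
# Instant at which NZ clocks went back one hour: 03:00 NZDT -> 02:00 NZST.
DST_END_UTC = datetime(2019, 4, 6, 14, 0, tzinfo=timezone.utc)


def to_nz_local(utc_ts: datetime) -> datetime:
    """Convert a UTC timestamp to NZ wall-clock time for this one transition."""
    tz = NZDT if utc_ts < DST_END_UTC else NZST
    return utc_ts.astimezone(tz)


# Constructed system log: (UTC timestamp, message) in the order the OS wrote it.
LOG = [
    (DST_END_UTC - timedelta(minutes=5), "service started"),
    (DST_END_UTC - timedelta(minutes=4), "user logon"),
    (DST_END_UTC + timedelta(seconds=12), "system time changed (DST end)"),
    (DST_END_UTC + timedelta(minutes=3), "scheduled task ran"),
]


def render_local(log):
    """Wall-clock strings a log viewer would display for each entry."""
    return [to_nz_local(ts).strftime("%H:%M:%S %Z") + " " + msg for ts, msg in log]


def is_monotonic(timestamps) -> bool:
    """True if the timestamps never go backwards."""
    return all(a <= b for a, b in zip(timestamps, timestamps[1:]))


def local_looks_sequential(log) -> bool:
    """Does the displayed (naive) local time still look sequential?"""
    naive_local = [to_nz_local(ts).replace(tzinfo=None) for ts, _ in log]
    return is_monotonic(naive_local)


def leap_smear_offset(elapsed_s: float, window_s: float = 86400.0,
                      step_s: float = 1.0) -> float:
    """Portion of a leap second applied after elapsed_s of a smear window.

    Rather than stepping UTC by a whole second at one instant, the clock runs
    slightly fast or slow so the adjustment accumulates linearly over
    window_s seconds; the error at any moment is at most step_s.
    """
    if elapsed_s <= 0:
        return 0.0
    if elapsed_s >= window_s:
        return step_s
    return step_s * elapsed_s / window_s


if __name__ == "__main__":
    for line in render_local(LOG):
        print(line)
    print("UTC order monotonic:", is_monotonic([ts for ts, _ in LOG]))
    print("local display looks sequential:", local_looks_sequential(LOG))
    print("smear applied after 12h of a 24h window:", leap_smear_offset(43200))
```

Sorting or correlating events by the stored UTC value, not the rendered local time, is what keeps the 02:55, 02:56, 02:00 display from being mistaken for a genuine reordering.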

Some systems and clocks don't adjust themselves, such as Sun.exe, a neat little Windows utility that displays a yellow or blue sun icon on the task bar depending on whether it is day or night. The times shown on its pop-up message about sunrise and sunset are wrong by an hour:


After terminating and restarting Sun.exe, the times are correct:


So it looks as if Sun.exe takes its time reference as it launches, not as it calculates and displays the pop-up message and colours the task bar icon.

Along with assorted battery-powered clocks around the place, the 1 hour error in Sun.exe is a trivial issue. For forensics purposes, accuracy of date-time-stamps to the second may be important when establishing the precise sequence of events, perhaps down to millisecond levels in some business situations (such as recording the precise moment that a bargain is struck in a volatile trading market). There might be safety or other implications as a result of strictly sequential activities getting out of sequence, unless the systems involved are coordinated to change at the same rate, which I guess is the reason for 'coordinated' in Coordinated Universal Time (i.e. UTC - the acronym is based on the French version of the phrase, as if this wasn't confusing enough already). What matters there is relative time ... and no, I'm not going into relativity at this point.

Overall, though, we manage. As with the much-feared Y2K, we scrape through. We're quite resilient, you could say. It takes me maybe a couple of days to adjust my body-clock to the 1 hour changes between winter and summer time, or other stepwise changes that occur when I fly East or West through one or more time zones. Of course I could cross just one time zone at the very point the clocks change between summer and winter time to cancel out the changes but the stress of figuring out whether I should change my watch, by how much and which way, would be worse than just coping with it. I'm glad I don't schedule flights though. 

So here I sit at 0730am roughly an hour after sunrise this Sunday morning, in daylight outside. Yesterday at this clock time, I needed the desk lamp on because it was still quite dark. This evening, it will be drink o'clock an hour earlier than yesterday. Drink o'clock is more daylight- than clock-related ... so I'd better push on. Things to do while it's light.


PS As I tagged this blog piece, I realised that the issue has numerous implications for information security. There's more to it than it seems.

Mar 30, 2019

NBlog April - spotting incidents


'Spotting incidents’ is the brand new NoticeBored security awareness and training module for April.

It concerns vigilance, early detection and (where appropriate) prompt reporting of a deliberately diverse and open-ended set of information-related incidents, concerns and risks ... 

Whether you consider them to be incidents or not, suspicious activities and near-misses are also worth reporting if ‘early warning’ is something you and your management would appreciate. Nasty surprises are, well, nasty.  The sooner you know about trouble on the horizon, the more options you have, not least the possibility of deftly avoiding the minefields ahead.

Scope

The NoticeBored module concerns two critical early steps that kick-start the incident management cycle:

We have covered the remainder of the incident management process before and will do so again - in fact every single NoticeBored module concerns incidents since they are the very reason that information risks are of concern, and information security is necessary. 

Learning objectives

‘Spotting incidents’ is about identifying and reporting a wide range of information security-related incidents:
  • For the general staff audience, the awareness and training materials emphasize vigilance and diligence.  Simply put, we’re encouraging people to watch out for and report more stuff, as well as responding directly to threats (e.g. by not clicking suspicious links). 
  • For the management audience, the materials also cover reporting (e.g. enabling and actively encouraging staff to let management know about issues, incidents, risks, near-misses etc.) and edge forward into the analysis and response to reported incidents, including the need to disclose some incidents externally (e.g. privacy breaches).
  • For the professional audience, the materials touch on the ‘instrumentation’ of information systems and processes.  Automated flagging/alerting and logging of security-relevant events naturally complements the manual reporting by IT users, but is a neglected area of systems architecture and design.
Those three streams support each other, setting workers thinking and talking about this topic, fostering the security culture in a general way. It’s a good topic for socializing security among the organization because it is relevant to, involves and affects everyone.
Think about your learning objectives in this area. What are your organization’s challenges around spotting incidents? If you are struggling to deal with the volume of incident-related reports already flowing and reluctant to invite yet more, you’d better get more efficient at assessing, handling and using those reports! The preferred way to cut the volume of incident reports is to improve your information security, which includes improving the quality and relevance as well as timeliness of incident reporting.

Don’t just complain: raise your game!

As well as customizing the NoticeBored materials to suit your awareness branding and objectives, feel free to blend-in additional content.  Use the materials in the company newsletters and magazines, your intranet Security Zone, in awareness events and training courses, and for new employee induction or orientation purposes.

Get this module

Subscribe to NoticeBored for access to 'spotting incidents' and other creative security awareness and training materials, delivered fresh every month.

Mar 27, 2019

NBlog March 27 - break-in news


Kaspersky has released information on Operation ShadowHammer, a malware/APT infection targeting ASUS systems with particular MAC addresses on their network adapters.

According to a Motherboard report:
"The issue highlights the growing threat from so-called supply-chain attacks, where malicious software or components get installed on systems as they’re manufactured or assembled, or afterward via trusted vendor channels. Last year the US launched a supply chain task force to examine the issue after a number of supply-chain attacks were uncovered in recent years. Although most attention on supply-chain attacks focuses on the potential for malicious implants to be added to hardware or software during manufacturing, vendor software updates are an ideal way for attackers to deliver malware to systems after they’re sold, because customers trust vendor updates, especially if they’re signed with a vendor’s legitimate digital certificate."
And that, in a nutshell, is a concern with, say, the Microsoft Windows 10 patches, pushed out at Microsoft's whim to Windows 10 users who haven't figured out yet how to prevent or at least defer them until they have been checked out.  Same thing with Android and other operating system and application auto-updates: aside from the inconvenience of downloading and installing the patches, and the aggravation caused by the need to patch up such shoddy software in the first place, the security issue is insidious ... and yet there is also a substantial risk of not patching at all, or of delaying patches.

Rock, meet hard place.

As we know from Stuxnet, bank ATM and other infections, even supposedly offline/isolated computer systems and private networks are not totally immune to online attacks. As for anything permanently connected to the Internet (IoT things, for instance ... plus virtually all other ICT devices), well that's like someone grabbing onto the exposed end of a high voltage power cable in the hope that it has been permanently disconnected.

The ultimate solution is to improve the quality of software substantially, in particular minimizing exploitable vulnerabilities which implies simplifying and formalizing the design and coding. Unfortunately, that goal has eluded us so far and, to be frank, seems unattainable in practice. Therefore we're stuck with this mess of our own creation. Automation is wonderful but we can't trust the robots.

Mar 25, 2019

NBlog March 25 - awareness supports incident management


ITU X.1056 "Security incident management guidelines for telecommunications organizations" includes the following little nugget:


Well said ITU-T!

The idea of incorporating information about the organization's own incidents into the awareness program is something we suggest almost every month in the NoticeBored train-the-trainer guides for each module. Actual incidents naturally resonate with the audience, all the more so if they affected the organization directly.