Welcome to the SecAware blog

I spy with my beady eye ...

31 Jul 2006

Identity theft awareness materials released

If the statistics are to be believed, up to one in six of us has suffered some form of identity theft incident or attack. Thankfully, only a minority of attacks succeed but if you or someone you know has been through the horror of a full identity theft, I'm sure you will appreciate how important it is for us all to be on our guard.
There are lots of things we can do to reduce the risk of becoming victims, but the first step (as always) is to be aware of it, realizing that the threat exists and the impacts can be severe. If fraudsters can open bank accounts, get credit cards and run up huge debts in our name, we are the ones left with bad credit ratings and the nightmare of trying to prove we are genuine and they are the fraudsters.
The management and technical streams in the NoticeBored Classic module this month raise awareness of the control measures that corporations should take to prevent their good names being abused by the phishers and to constrain the fraudsters intent on defrauding our customers.
Additional awareness materials will be made available to the general public through the Global Security Week website this month to help those organizations planning their participation in the week leading up to September 11th. Please visit the GSW website or contact us for further information.
More security awareness and identity theft resources

30 Jul 2006

Faking the dead

In something the Daily Mail has dubbed faking the dead, identity thieves are using dead people's IDs to rack up credit. In the news story about an 86 year old widow (the archetypical Little Old Lady), the thieves "linked her death notice with her empty house, which had been put up for sale when Rosemary died in December 2004. The criminals called the local estate agent and made an appointment to view the pretty cottage. Once inside, they stole junk mail which had been piled up unopened in the kitchen, including an offer for a new credit card." The real shocker comes next: "There were an astonishing 70,000 similar cases in Britain last year affecting more than 16,000 families, it was disclosed last week by the UK's Fraud Avoidance Service (CIFAS)." CIFAS is a non-profit body set up by the UK credit card industry and 'dedicated to the prevention of financial crime'. Their identity fraud and identity theft pages have good advice to victims as well as hints to avoid becoming one.
More identity theft links

29 Jul 2006

ENISA guide to security awareness

The European Network and Information Security Agency, ENISA, published an excellent Users' Guide: How to Raise Information Security Awareness earlier this month. ENISA is an agency of the European Union that exists to advise member states on effective information security. The ENISA paper draws heavily upon but substantially extends IsecT's Generic Business Case for an Information Security Awareness Program and thus broadly reflects the design goals of the NoticeBored security awareness product.
More security awareness links

26 Jul 2006

Insider threat case study

"The computer sabotage trial of a systems administrator who was found guilty of attacking the network he had been hired to protect at UBS PaineWebber is sending out a sobering message, and one that can't be stressed enough: No matter what network security you have in place, it may not be enough to protect you from one of your own. It's almost a cliché, but one that many companies still do not take seriously."

[Good insider threat case study here]

"And O'Malley also says executives need to step it up when it comes to keeping an eye on employees who are full of complaints, or are on a bad streak with the company. "Sure it will happen again," he says. "And in all likelihood it will happen because of an insider. They always say, 'Oh, he was a trusted insider.' Bingo! That's the problem. He was a trusted insider."

More information security management and hacking links

Iron Mountain fire destroys archives

Valuable paper-based records archived in an Iron Mountain storage facility in East London have been lost in a huge fire. The storage warehouse was apparently "full of paper", such that the fire was expected to rage for a day or two. The cause of the fire was unknown (as of July 13th anyway). 

Naturally, Iron Mountain's more sensible customers will have taken the precaution of copying their valuable archive materials and storing them separately in diverse, well-protected and secured storage facilities - won't they? 

Remember this story when you are moving that vital database file to your archive tapes or CDs. If that is the only remaining copy, when it's gone it's gone.  Pfffffft.  Toast.

Iron Mountain's press release takes an admirably responsible position: "Iron Mountain already invests heavily and emphasises security as a normal operating principle. Due to the unknown cause of the fire at this time, we are taking extra precautions to supplement our current high level of security:
  • Increased security staff has been added to all London facilities;
  • Conducting an out of cycle review of background checks on personnel;
  • Auditing external agencies and internal security assessments;
  • Re-issuing of vendor background checks;
  • Re-implementation of security awareness of all internal employees;
  • Performing an out-of-cycle inspection of all Iron Mountain vehicles." 
[That last one could be an obtuse reference to the possible cause of the fire, or perhaps to the fact that so many couriers seem to lose their valuable cargoes in transit]. 

Nevertheless, Iron Mountain's customers' misfortune is Iron Mountain's misfortune too. A lot more than just a pile of paper went up in smoke on July 12th.

24 Jul 2006

Security awareness for flight schools

Two online presentations from the US Transportation Security Agency aim to raise awareness of [physical] security among employees at flight schools and flight simulators. The introduction mentions that the courses were made available "in accordance with 49 CFR 1552" as a "pro-active response from TSA".

Both presentations recommend reporting suspicious behaviors or incidents, including "unusual adjustments to strengthen the wheel wells" on aircraft among other things. We find out later on that strengthened wheel wells are considered a threat as they may indicate the intention to carry heavy loads - evidently that is Bad. Advice to interview suspicious characters such as people "loitering for extended periods" (as opposed to those who loiter briefly?), students who "continually want to fly over sensitive locations or critical infrastructures - nuclear facilities, power plants, dams, etc." or students "who perspire excessively or have excessive nervous energy", though well-meaning, could prove life-threatening if the people under suspicion are indeed worth interviewing, and seems rather pointless otherwise.

It's so easy to poke fun at the training materials that I wonder whether this is some sort of elaborate joke or hoax, maybe even a honeypot. If so, it's very convincing, delivered without the vaguest hint of irony or humor. If it is genuine, though, I have to ask why the TSA considered it A Good Idea to post this advice on a public website if they are genuinely expecting to catch suspicious characters loitering, sweating or whatever near aircraft ... 

The "Reference PDF" is not available as I write this blog entry so maybe the presentation was uploaded for testing or by accident, or maybe it's just broken. The 'interactive learning' elements make good use of the technology although the stodgy, repetitive language soon gets tedious. Judging by the number of times the courses recommend 'inform your supervisor', for instance, US flight schools seem to have a plentiful supply of highly-knowledgeable supervisors. They have presumably been trained into an elite defense force, experts at body language and psychology as well as (possibly) flight training.

23 Jul 2006

Books on ISO 27001 and 17799

Our ISO27001security website is going from strength to strength. Today we added a new page of information about books on ISO 27001 and ISO 17799 including two new booklets by Alan Calder giving overviews of the standards and the implementation process.
Alan kindly gave me the opportunity to review the drafts and I duly fired a stream of feedback comments at him, most of which I'm pleased to say were accepted - the end results are well worth 22 Euros each.
Join the new ISO27001 Security Implementors' discussion forum

18 Jul 2006

New home for the STIGs

The Security Technical Implementation Guides (STIGs) and other information-security-related guides from the NSA, previously released through the NIST website, are now available directly from DISA's public area. The STIGs, in particular, form an excellent basis for corporate technical security standards, supplementing the vendor-specific secure configuration and system hardening guides released by the likes of Microsoft, HP, Cisco etc. Their mailing list is a neat way to keep up with developments - low volume and invariably interesting.
More IT Ops, secure systems management and related links

12 Jul 2006

Power cut hits generator upgrade

A power outage that took out Unisys' Penrose data centre in Auckland, New Zealand, for an hour illustrates the unfortunate impact of rare but not impossible coincidences. Although the mains power was out, the datacentre had sensibly rented a standby generator to provide cover whilst installing a new genny. That should have been enough to keep the UPS topped up ... except for a coincident problem with water in the standby genny's diesel fuel supply. How many times have we read about power works causing computer room outages? (And to be fair, how many more have taken place without incident?).
More resources on IT resilience and DR

6 Notes security bugs

A clutch of six critical security vulnerabilities in IBM Lotus Notes reminds us that Microsoft is not the only company producing buggy software with security holes that need patching.
More email security resources

9 Jul 2006

Untrustworthy insiders

A very public industrial espionage case involving allegations that an employee tried to sell proprietary information from Coca-Cola to Pepsi is a timely reminder of the issues arising from trusted insiders. It is alleged that the employee, an administrative assistant in the marketing function having ready access to highly sensitive information, removed it from the office and offered to sell it to Coke's arch rival. Pepsi presumably alerted the authorities who ran a 'sting' to catch the alleged perpetrator red-handed. Even with the benefit of 20-20 hindsight, it is unclear what Coke management might reasonably have done to address this risk. Better screening and supervision of employees, maybe? Clearer policies on control of sensitive information in whatever format, e.g. "secret information must not be removed from the office"? An employee who is prepared to offer secrets for sale to a competitor seems unlikely to heed such policies. Better detective and corrective controls might perhaps have identified the exposure before things got out of hand, especially if there were preliminary incidents. Due to the impending court action, there is limited information on the details of the case; for example, the news article does not state whether the accused had an exemplary record.
More links on keeping secrets

8 Jul 2006

Dictionary of Information Security

Rob Slade's new Dictionary of Information Security promises to be the definitive guide to infosec terms, given Rob's extensive reading and experience in the field. At just under $19 from Amazon, it's a bargain.
More information security links

Insider theft

Extrusion Prevention - the story of insider theft, a three-piece article from Israeli author, Danny Lieberman, is a useful summary of the threats, vulnerabilities and impacts of unauthorized information disclosure by insiders, along with the controls including legal measures.
More links on disclosure of confidential information

5 Jul 2006

ISO 17799:2005 information security policy manual

At last! We have finally completed and released our generic information security policy manual based on ISO 17799, the latest 2005 version (BS 7799, ISO 27001, ISO 27002). If you need security policies, either because you don't have any or your existing materials are showing their age, save yourself hundreds of hours of work by starting with our manual. Its 115 pages cover the full scope of '7799, with a complete set of 39 high level policy statements derived from the control objectives identified in the standard, supported by a comprehensive suite of more detailed policies incorporating best practice and common controls. Download an extract from the manual in PDF format from the IsecT website or contact us for the editable Word version. Find out more about the ISO standard at www.ISO27001security.com. The manual is realistically priced at NZ$800 (approximately US$500).

4 Jul 2006

SEC view of DR and Business Continuity

A presentation by Mary Ann Gadziala, Associate Director of the U.S. Securities and Exchange Commission (SEC), in 2003 discussed business continuity issues arising from 9/11. In Disaster Recovery and Business Continuity Planning, she specifically noted an overriding requirement for financial institutions to resume vital clearing and settlement operations on the same day as a major incident, ideally within 2 hours. In practice, this implied highly resilient systems with some form of dual-live/multiply-redundant or hot standby arrangement, and significant investment in IT by the entire [US] financial services industry by April this year. The risk of systematic failure of the banking system shines out from the page.
More resilience and DR resources

1 Jul 2006

RFC3751 Omniscience Protocol

I can't believe I missed this one - an RFC proposing a new Internet Protocol, published on April 1st 2004. RFC3751: Omniscience Protocol defines "a set of requirements for a new protocol to be used by prosecutors to determine a person's intent, thus reducing the need to dilute the historical legal requirement to show intent and by groups such as the MPAA and RIAA to be sure they are dealing with lawbreakers and not 60 year old non computer users." The main purpose of Omniscience Protocol as described is to control copyright infringement although plagiarism by students is also mentioned. The security requirements in section 3 present something of a challenge with current technology, let alone the functionality required in section 2.2 to determine the user's intent.
More copyright links