Create a Winning Strategy for Your Awareness Program

CSO Mag offers advice for those planning security awareness programs, based on responses to an earlier survey.

It all boils down to awareness, which is built through patient and relentless education and marketing—yes, marketing—about the importance of security as both the guardian and enabler of core business value. An aggressive, well-designed and -executed security awareness program can help to transform the business culture, increase overall security program effectiveness and present the "brand" of the security function in a more positive, business-focused light. It can also help the security executive "sell up" to senior management and achieve the elusive goal of tight integration between business strategy and security practice.
...
Existing awareness programs target, in varying degrees, multiple constituencies—from boards of directors to senior executives to rank-and-file employees and even, sometimes, outward to trading partners and customers. Boards of directors (50 mentions) were in nearly a dead heat with vendors (49 mentions) for getting the least awareness attention. Not surprisingly, employees (148 mentions) got the most. Senior management (123), business unit management (114) and CEOs (84) also got plenty of focus.

Physically securing sensitive facilities

The US Government specifies physical security requirements prior to the construction of facilities to house especially sensitive and valuable information assets - national secrets. Sensitive Compartmented Information Facilities (SCIFs) need physically strong walls and doors with multiple layers of protection. A SCIF reference guide provides further details of the requirements, including aspects such as sound proofing and white noise generators (to mask sensitive conversations). The requirements may seem excessive outside the government and military/defense sectors but in fact many large commercial organizations face similar risks.

ISO/IEC 27002 - lukewarm news

I have it on good authority from a representative at the ISO JTC1/SC27 meeting in Moscow earlier this month that the renaming of ISO 17799 to 27002 has been delayed until later this year, probably Q3 or Q4 2007. Although there are no changes to the content of the standard, ISO has to complete its formal process of explaining the name change to all the national standards bodies and gaining their acceptance. Oh, the joys of international standardization!

On a more positive note, progress is being made on the other ISO 2700* standards currently in the works. I will update the ISO27001security website accordingly when I have had a chance to get my head around the notes - early June probably. Head's too full right now.

Using ISO27002 to integrate security into systems

An excellent article by Ismael Valenzuela in the latest issue 11 of [IN]SECURE eZine explains how information security can and indeed should be integrated with the systems development lifecycle (SDLC), using ISO/IEC 27002:2007 (currently known as ISO/IEC 17799:2005). There is a useful table linking specific clauses in the ISO standard to SDLC phases starting from the risk assessment stage, prior to drawing up security requirements, and continuing right through development, testing and operations to eventual retirement of the system at the end of its life.

The NoticeBored security awareness module on this topic a year ago took the same basic idea one step further. The concept was simple: we provided a 'sales brochure' to help the Information Security Department sell their services to software development project managers and hence to the development teams. The brochure is a folder containing two sheafs of glossy leaflets, one set explaining the kinds of security-SDLC process integration issues covered by Ismael, the other outlining the range of information security controls that are typically required for most IT systems. Contact me (Gary@isect.com) if you'd like more information on the module but that's not a bad brief to write your own!

Insider Threat - Protecting the Enterprise from Sabotage, Spying, and Theft

Despite the promise, this book does not do justice to such an important topic. The naive writing style and lack of unique, meaty content detract from the value.

[Read our review for more in this vein, if you need any more that is.]

The awareness issue

News from a UK court case trying terrorism suspects gives a clue about why it is so hard to get the general public interested in information security. The 59-year old judge in the case which is considering evidence on the accused having accessed 'interesting materials' on the Web stopped the flow to ask what is a web site and a forum.

This reminds me very much of a parody on the BBC's "Not the Nine O'clock News" many years ago regarding a judge not having a clue what a 'digital watch' was, but knowing ALL about a certain blow-up doll, "the one with the real hair". Truth is sometimes stranger than fiction.

Insider becomes outsider

A man is accused of hacking into his former employer's systems two weeks after walking out and deleting "an entire computer drive of personal employee information". It is claimed that he was "was one of only three people who knew the needed passwords to log into the company's computer system at that time." The prosecution will presumably have to explain how they drew the specific conclusion that it was him that deleted the disk, not one of the other two people who, by their admission, also knew the passwords, someone else entirely, or one of those chance IT events caused by cosmic rays or gremlins.

More insider threat resources here.

Expert witness accused of perjury

A man who has appeared in court as an expert witness for computer forensics has been accused of perjury. After 'inconsistencies' in the qualifications claimed in his resume came to light, a background check revealed that he has served prison time on a forgery charge.

This story is a good illustration of the need to conduct thorough background checks on people in positions of trust and power. Insiders who are known former forgers might be welcome in a criminal gang but not in your average court or corporation.

Insider threat - USB thumb drive

"A worker calls up a sensitive investor list and downloads it on her thumb drive, slips it into her pocket, and walks out, smiling and waving to her boss and the security officer stationed at the front door. This is just one of the scenarios that security professionals and IT managers are increasingly worried about. According to one recent study, IT managers said portable storage devices, such as thumb drives and MP3 players, have surpassed even malware to become a top concern."

I presume reporter Sharon Gaudin from Information Week has simply swallowed and regurgitated the blurb from Bill Piwonka (yes, that's his real name - I couldn't make 'em up), VP of product management for Centennial Software, which conducted a "survey" at the InfoSec security conference in London. [Would you be surprised to hear that the company sells a "solution" to control access to USB drives?] The scenario described above looks more like an insider threat example to me. The fact that the worker used a USB thumb drive is incidental: it could equally have been a USB hard drive, a CD-ROM, even a pen and paper. She could have emailed it to herself or an accomplice, perhaps ZIPped up with 256-bit AES to bypass any content inspection. Preventing the abuse of USB thumb drives is hardly going to stem the flow.

COBIT 4.1 released! [UPDATED]

Despite a press release, the latest v4.1 of COBIT is not yet available from the IT Governance Institute website but is expected imminently. Meanwhile, the ITGI has various other interesting docs available, including a new version of their paper on IT control objectives for SOX.

I note that COBIT is described in the press release as an 'international unifying framework that integrates all of the main global information technology standards, including ITIL, CMMI and ISO17799', which sounds strangely similar to what ISM3 claims to be.

Another ITGI document relates COBIT to an extraordinarily comprehensive set of information security, project and risk management standards, viz: COSO, ITIL, ISO/IEC 17799:2005, FIPS PUB 200, ISO/IEC TR 13335, ISO/IEC 15408:2005/Common Criteria/ITSEC PRINCE2, PMBOK, TickIT, CMMI, TOGAF, IT Baseline Protection Manual and NIST 800-14.

[UPDATE: May 20th: COBIT v4.1 has now been released. I'll probably add another blog entry if/when I find time to review it.

ISM3: Making ISMS (ISO 27001) Measurable, Manageable and Improvable

A 3-day training course " ISM3: Making ISMS (ISO 27001) Measurable, Manageable and Improvable" in Dubai next month has been announced by the ISM3 Consortium. The course emphasizes how ISM3's approach helps ISMS implementations through a strong focus on security processes and metrics, supplementing the best practice guidance in standards such as ISO 27001 and ISO 20000 (ITIL). Course leader Anup Narayanan has just over 7 years experience in the field but has contributed to the development of ISM3 and so has reasonable credentials.

Although I don't personally agree with everything in ISM3, the Consortium is to be congratulated for making a determined and consistent effort to improve information security practices and advance the profession. I believe this initiative would benefit from wider involvement by the international infosec community and encourage you to visit their website or sign-up to their discussion forum (email ism3-subscribe@yahoogroups.com).

By the way, the ISO27001security forum which we initiated last July has just welcomed its 500th member and is turning into an excellent source of well-informed pragmatic advice and support for ISO 27000-series ISMS implementers.

My compeciation have been ganted! [Updated]

This one, fresh from my inbox, needs no comment.

From: FROM THE FEDERAL HIGH COURT OF NIGERIA [mailto:info_lawoffice03@yahoo.com]
Sent: Tuesday, 8 May 2007 1:12 a.m.
To: [me]
Subject: YOUR COMPECIATION HAVE BEEN GANTED BY MR PRESIDENT


FEDERAL HIGH COURT OF NIGERIA.

Attn: beneficiary
This to acknowledge you that your e-mail id is found among those that have been scammed, and the competiation have been approved from the supreme high court here in Nigeria and we are asked to contact you by the Nigeria president on how to send you the ($3.5million) united state dollars by the diplomatic courier and the fund as been cash in dollars here in Nigeria bank.
So you are advice to contact the lawyer in charges of this fund and his name is Mr. Tunde Martins and make sure you contact him with your full
Contact information such as.

Your home address.......

Telephone number..........

Your occupation...........

Country........................

Zip code.......................

With your international passport, or drivers lances or state I.D
Card........

For more information on how to make the money send to you because many
People complain about scamming every day from Nigeria and we are trying to stop this fraudulent from Nigeria and am sure you that it will stop because we are now working with the internet operation such as YAHOOMAIL, HOTMAIL and also the united state FBI and Nigeria police with Nigeria EFCC so the scam can be eradicated in this country and I want you to follow your fund code which follow bellow, and whish is given to you by the high court of Nigeria and the code is (NG74678FGN)

And I want you to keep this code, because this code will ensure you and
Alert you in any day you receive a scam e-mail from this country. And as soon as you contact Mr. Tunde martins with your full contact information requested, he will be forward everything to the Nigeria presidency office to issue out your award certificate as the rightful beneficiary of the ($3.5million) united state dollars from the president of Nigeria.

And here is the contact information from the lawyer in charges of this
Fund
So contact him and he we forward the picture of the concernment to you
For you to see your fund in cash before the diplomatic courier can deliver it to your Doorstep.

And here is the contact address of the lawyer in charge which follows
Below.

Name: Tunde Martins
E-mail Address: info_lawoffice03@yahoo.com
Direct Telephone: +234-802-410-4101

Contact him in regarding of the fund to be deliver to you by the
Diplomatic courier service and also any beneficiary we be responsible for shipping fees so as to avoid any scam and the fees is just only $480.00 and you will receive your fund from the high court because as soon as you contact the lawyer in charges of your fund he will alert the united state bureau and also the your state police for the fund to be deliver to you without any restriction and problem when the fund get to you in your location area.

Thanks.

Best Regard.


Dr. kelvin donald Director.

:-)

UPDATE 9th May: SANS ISC warns about an altogether more sinister variant - 419 death threats. The normal advice not to respond in any way to the scammers is extended to include notification of the authorities.

Coin bugs tell a story

Having just issued a security awareness module on 'insider threats', I'm currently researching for a future topic on 'competitive intelligence' so this story caught my imagination. The mystery about US defense contractors working in Canada being bugged by coins containing miniature transmitters has been solved: the coins were a commemorative 'poppy' issue with a special protective coating that looked suspicious to alert defense people.

Regardless of the eventual outcome in this case, the way that the suspicious coins were identified and reported up the line demonstrates good security awareness. The contractors were evidently well aware of the possibility of being bugged, enough to spot and report the susicious coins. Their managers and clients, in turn, quickly raised the alarm and so the story spread. The authorities now admit that they did not fully validate the reports but it appears they chose to err on the side of caution. We call that 'fail-safe'.

If a similar situation occurred in a regular commercial setting, how many of you and your colleagues would have identified the possible threat, or reported it? Would any of your managers have given such a report even a second thought, let alone circulated a warning? Would someone have investigated and resolved the issue? That's called 'fail-open'. Or 'fail' for short.

Life in the fast lane

Two former Ferrari engineers have been convicted by an Italian court for stealing and passing confidential proprietary engineering data to their new employer, Toyota.

“This prosecution highlights the seriousness of the ‘insider threat’. Disgruntled employees still find it all too easy to take company secrets off the network and onto portable storage devices such as CDs and USB sticks,” said Matt Fisher, VP of Centennial Software. “You don’t have to work in Formula One for your secrets to be valuable to the competition. With corporate IP the fuel that keeps business running, all companies are vulnerable to damage from data leaks,” he added.

As we said in our latest newsletter on insider threats, there is no shortage of case study materials on this topic.

More insider threat links here

Insider threats awareness module released

Insiders (employees and pseudo-employees such as contractors and consultants) have ready access to valuable information assets. Information security incidents caused by insiders are therefore a substantial threat to every organization. The news media frequently record incidents such as terminated employees who wreak revenge by hacking their former employer’s networks. Less often in the headlines but much more common in practice are those ‘little accidents’ by employees that damage information systems and data - everything from occasional typos to (ahem) reformatting the wrong disk (been there, done that!). Read all about May’s band new NoticeBored security awareness module here and check out our new links collection on insider threats.

Poetic justice

CFO dotcom has a short news piece about a former Enron HR director prosecuted for submitting fraudulent consulting invoices to Enron post-bancruptcy and sentenced to 63 months in prison. He has been ordered to repay $2.9m in restitution - $2.3m and a house have already been seized by the authorities.

So here we have a greedy employee (an insider) of a greedy employer caught with his hand in the corporate cookie jar.