Welcome to the SecAware blog

I spy with my beady eye ...

21 Aug 2009

Cradle-to-grave security awareness

Today's release of Information Security 101 adds another valuable tool to the Information Security Manager's security awareness toolkit from IsecT Ltd.

Information Security 101 was formerly known as the Induction Module and that remains its primary purpose: facilitating security induction courses for new employee orientation. It provides a coherent and comprehensive set of foundation level awareness materials covering the basics of information security, the kinds of things that all new employees (and indeed contractors, consultants and even temps) should soon become familiar with when they turn up for work.

All the awareness materials from the original Induction Module have been thoroughly revised, updated and refreshed, with several brand new items being added. Information Security 101 still provides three parallel 'streams' of materials addressing three audience groups with subtly different information needs and perspectives:
  1. General employees or staff have broad responsibilities for information security and need to know the simple things such as choosing good passwords, running antivirus and backing up their data. For them, security is an incidental aspect of their work and home life that most don't really consider without some conscious effort being made to make them aware;
  2. Managers and Directors have specific governance and compliance obligations in respect of information security although they may not at first appreciate this. They are invariably busy people, yet take an interest in high level security strategies, policies and so forth. Getting managers on board with information security significantly improves the chances of the awareness program resonating with staff and ultimately being successful;
  3. IT professionals have an obvious interest in the more technical IT security controls. They are broadly expected to design, implement and operate most of the IT security controls on behalf of general IT users throughout the organization, yet it is not uncommon to find that IT pros have had limited exposure to even fundamental information security principles during their formal education, let alone leading security practices such as federated identity management and multifactor authentication.
As well as its use for induction/orientation purposes, Information Security 101 gives extra value by helping organizations launch (or relaunch!) best-practice security awareness programs. Bringing the whole employee base quickly up to speed on information security ensures that everyone has a firm grasp of the basics, preempting the regular security awareness activities that follow. [For this reason, Information Security 101 is supplied free of charge to customers of our flagship product, NoticeBored - a US$695 value.]

NoticeBored is a security awareness subscription service providing a fresh package of creative awareness materials on a different information security topic each month. This innovative approach is designed to drive "rolling" or continuous-delivery awareness programs giving year-round coverage to a broad range of information security topics. The NoticeBored materials also have three parallel streams covering the same three target audiences on relevant issues in familiar terms. The materials themselves are delivered as ordinary Microsoft Office files, making it easy for customers to customize or adapt the materials to suit their purposes. Customers can reference their own information security policies and procedures, provide contact details for their Information Security, Physical Security, Legal, HR and Compliance people, and incorporate the NoticeBored materials into intranet websites and Learning Management Systems supporting information security throughout the organization.

Other security awareness materials in the NoticeBored product family include:
  • The Back Catalog, a comprehensive library of awareness materials covering more than 30 information security topics - ideal to get your awareness program off to a flying start without having to wait for the monthly NoticeBored deliveries.
  • A generic information security policy manual based on the good security practices and controls recommended by ISO/IEC 27002. Organizations that are implementing Information Security Management Systems use our manual to develop their own custom set of policy principles, axioms and detailed policy statements reflecting the ISO27k standards.
  • A range of over 200 high-quality security awareness posters, supplied as JPG images for customers to customize and brand, then print as many hardcopies as they actually need at no extra charge.
  • A set of Internal Controls Questionnaires covering some 31 information security topics. These are useful prompts or guides for risk assessments, gap analysis, internal audits or management reviews, helping customers assess the extent to which their security controls actually mitigate the organization's information security risks. The questions posed are deliberately open-ended to encourage intelligent and flexible application, as opposed to the usual brain-dead compliance tick-lists that achieve so little in practice.
Thanks to our low overheads, we are able to offer unbeatable prices across the whole NoticeBored product range. Given that awareness leverages existing investments in technical and other forms of security controls, as well as being the only rational way to address the human elements of social engineering, fraud, phishing and similar security risks, NoticeBored provides outstanding value for money.

Last but not least, NoticeBored embodies our passion for the subject. Few if any information security managers would dispute the importance of security awareness, training and education, yet they seldom have the time or indeed the skills to really do it justice. By providing "camera ready" security awareness materials on topical subjects, we release our customers from the tedious burden of researching, writing and polishing the awareness content, leaving them free to concentrate on the fun part - interacting with employees, promoting good security practices and enthusiastically spreading a little of that passion we mentioned. In some ways, it's a shame we can't walk the last mile with you ... good luck.

7 Aug 2009

Twitter admin email password reset incident

Last month a story broke about employees of the company behind Twitter being hacked. TechCrunch has published details of the incident, and the comments on their story identify some of the possible controls. In short:
- A Twitter employee uses Gmail
- Gmail has a password reset function that sends the user's password to a pre-registered email account
- The Twitter employee had originally configured Gmail to use a Hotmail email account for this
- The Hotmail account was unused for months and lapsed
- The hacker requested and obtained the same Hotmail email address [it looks like the hacker was able to guess the address, presumably it was a similar address to the Gmail account]
- The hacker told Gmail to reset and send him the Gmail account password via the Hotmail address that he now owns, which it did
- The hacker then logged on to the Twitter employee's Gmail account
- One of the emails he could now access was the original "Welcome to Gmail" type notice with the original password, so the hacker was able to reset the Gmail password back to the one the real user knew, before the real user noticed it had been changed
- Through information disclosed between Twitter employees by email, and by guessing his passwords to other Web systems, the hacker obtained a further bunch of confidential information including access to the email accounts of senior Twitter execs
- The hacker eventually disclosed the hack to the news media for some reason, causing public embarrassment to Twitter and fears about their evident insecurity
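As an added illustration (not code from the original post or from either company), the following contrasts the reset design the chain above depends on, which mails the real password to a recovery address that is never re-checked, with a hardened form that refuses stale recovery addresses and sends a short-lived single-use token instead. The account data, the 180-day re-verification policy and the 30-minute token lifetime are constructed assumptions.

```python
import hmac
import secrets
import hashlib
from datetime import datetime, timedelta

# Constructed sample account modelled on the incident: the recovery address
# was registered long ago and has not been re-verified since.
NOW = datetime(2009, 7, 1)
RECOVERY_MAX_AGE = timedelta(days=180)   # assumed policy value
ACCOUNT = {
    "user": "employee@gmail.example",           # constructed
    "password": "Summer2009",                   # stored recoverably in the weak design
    "recovery_email": "employee@hotmail.example",
    "recovery_verified_at": NOW - timedelta(days=300),
}

def fresh_account():
    """Constructed variant whose recovery address was re-verified recently."""
    acct = dict(ACCOUNT)
    acct["recovery_verified_at"] = NOW - timedelta(days=30)
    return acct

def weak_reset(account, sent):
    """The design described in the post: mail the real password to the
    recovery address with no check that the address is still the user's."""
    sent.append((account["recovery_email"], "Your password is " + account["password"]))
    return True

def hardened_reset(account, sent, now=NOW):
    """Hardened form: refuse when the recovery address is stale, and mail a
    short-lived single-use token rather than the password itself."""
    if now - account["recovery_verified_at"] > RECOVERY_MAX_AGE:
        return None   # force re-verification through another channel first
    token = secrets.token_urlsafe(24)
    account["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    account["reset_expires"] = now + timedelta(minutes=30)
    sent.append((account["recovery_email"], "Reset token: " + token))
    return token

def complete_reset(account, token, new_password, now=NOW):
    """Consume the token once; constant-time compare against the stored hash."""
    expected = account.get("reset_token_hash")
    if not expected or now > account["reset_expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), expected):
        return False
    del account["reset_token_hash"], account["reset_expires"]
    account["password"] = new_password   # a real system stores a password hash
    return True
```

Because the hardened flow never mails the password, the "Welcome" email trick used later in the chain (restoring the original password from an old message) has nothing to work with.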

Digital Forensics Mag

A new magazine for fans of digital forensics will debut later this year, covering:

• Cyber terrorism
• Law
• Management issues
• Investigation technologies and procedures
• Tools and techniques
• Hardware, software and network forensics
• Mobile devices
• Training
• eDiscovery
• Book/product reviews

Meanwhile they are seeking input - perhaps we should recycle one of our recent security awareness deliverables ...

Office comms risks and controls

An article about responsible Twittering hints at a broader concern for all social media, and in fact all forms of communication between the office and the outside world. Examples in the article include people falsely claiming to represent their employers and disclosing sensitive information via Twitter, plus Twitter being used to direct potential victims to infectious sites hosting malware. People have done the same kinds of things for years using email, telephone, blogs, bulletin boards, IM, VoIP and so on - even letters in the post: the incidents are pretty similar though the communications media vary.

This obviously raises questions about how to reduce the risks without unduly interfering with legitimate business communications. Technical controls offer limited assistance e.g. blocking IM will block legitimate IM activities, and determined users can sometimes find ways around such blocks anyway. Automatically appended email disclaimers have dubious legal validity, particularly those that are written or modified by amateurs. Policies and procedures can help but only if employees are made aware of, accept and comply with them, which requires awareness activities (such as this month's NoticeBored module) and compliance activities (such as management oversight - basically taking an interest in what staff are doing at their desks).

Risk avoidance is arguably the most effective control, in other words discouraging or preventing unnecessary office communications outside the organization. However this is likely to have an adverse impact on legitimate business activities, and hence costs.

Since the controls are evidently not perfect, wise organizations make contingency arrangements in preparation for situations when the controls fail and incidents occur. Examples:
  • Incident notification and specific response procedures covering these kinds of incident;
  • Response procedures include 'damage limitation' using legal actions (e.g. those disclaimers and Non Disclosure Agreements) and Public Relations (e.g. stock press releases ready to issue);
  • "Learning the lessons" which means using incidents (particularly those suffered by the organization but also its peers and others in the public domain) as case studies and training materials;
  • Disciplinary procedures taking account of incidents of this nature, typically using examples.

[Scary postscript: the Pentagon thinks there is value in 'instant comms', if only soldiers can be persuaded not to disclose little things such as battle plans ...] [Or is this just a crude attempt by the US to encourage foreign militia to permit their soldiers to use Twitter?]

6 Aug 2009

Tax passwords are valuable!

The BBC reports that fraudsters are exploiting taxpayers' passwords to access an online Inland Revenue system in attempts to make fraudulent claims for tax refunds. They presumably obtain the passwords by stealing the notification letters from the post or carelessly discarded in rubbish bins, by tricking people out of them (perhaps by social engineering or phishing), or perhaps most worryingly for the tax authorities, hacking their lovely online and/or back-end IT systems.

It's hard to imagine that taxpayers would deliberately discard letters with login credentials that might let them reclaim overpaid tax, but it's possible some do not even realise that they are able to do so. I doubt the tax man says this in big bold print! We know from studies by the Police and other dumpster divers that many people routinely discard all sorts of juicy documents without a care.

Stealing mail from the postal system is certainly a possibility, although of course there are controls in place to prevent this kind of thing. Rogue postal workers sometimes get the blame. Fraudulent redirection of post and theft from mailboxes also occur from time to time.

It's interesting that the possibility that someone might have been hacking the tax systems is not even mentioned by the BBC or the Revenue's spokesperson. Perhaps it's just too horrific to countenance?

Office and email security awareness

We've released a thoroughly refreshed and updated awareness module on office security, covering physical and IT security in the workplace. It includes email security and security for other forms of office messaging and inter-personal communications such as IM and VoIP.