Welcome to the SecAware blog

I spy with my beady eye ...

17 Dec 2011

419s still dribbling in

Fresh from my inbox:
"Dear Sir/Madam

We regret to inform that your Visa/Mastercard secure has been set off because to many attendings, and we beleive that others were ussing your details.

Please download the attach  to reactivate the account."
Yeah, right.

To many attendings, eh?  Others ussing my details?  Unbeleivable.

I'm still troubled by the memory of a printed sign I saw in the lobby of a hotel in Sierra Leone, along the lines of "419ers are not permitted here".  Actually I wish I had photographed it for posterity.  Ho hum.

Gary (Gary@isect.com)

10 Dec 2011

Outsourcing POS IT

From Wired
"Four Romanian nationals have been charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers, according to an indictment unsealed Thursday ... The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs."
Which begs the obvious question: why would anyone put their Point Of Sale systems on the Internet, with remote desktop software to boot?  The answer presumably involves the millions of retail outlets that don't have an in-house IT function but rely on external 'point of sale IT specialists' to install, manage and maintain their card readers and often the electronic tills, accounting and stock management systems.

I wonder if the mom-n-pop retailers are sufficiently aware of information security to even be concerned about the implications of outsourcing their IT in this way?

I wonder if the Subway group offers IT support to its franchisees, or recommends/uses local POS IT people?

The POS IT specialists, meanwhile, presumably have the expertise either to do their jobs well and protect their customers (and their customers) or to pull the wool over their customers' eyes.  I wonder how many manage to slip right under the PCI-DSS radar?


1 Dec 2011

Sign of the times: M$ hard-up

Wow!  Lucky me!  I've won a prize from the MSN Foundation!

I guess Microsoft must have fallen on hard times.

[Endless junk like this leaches bandwidth from the network, wastes processing cycles, consumes bytes on disk and exercises my grey matter (admittedly, not a lot).  I guess the cretins sending it have nothing better to do except annoy the rest of us.]

Gary (Gary@isect.com)

30 Nov 2011

Network security awareness

December's awareness module on network security has just been released to our subscribers.   Here's a thumbnail of one of six new security awareness poster designs in the module:

Computer networks, particularly the Internet, enable employees, business partners, suppliers and customers to share information and collaborate more or less instantaneously.  The advantages of networking are enormous and have revolutionized modern business life – we are in the midst of an “information revolution”.  However, the World Wide Web is not unlike the Wild Wild West.  Hackers and organized criminals (the Internet’s outlaws) are plundering vulnerable online businesses to steal the gold (information assets).  There are precious few sheriffs in cyberspace and the outlaws pack powerful weapons.  Consequently there are significant risks associated with networking and strong security controls are necessary to protect the organization’s information assets.

The NoticeBored awareness materials cover a wide variety of information security risks associated with networks and networking, and recommend a corresponding variety of security controls to address them.  The ‘risk-control spectrum’ (one of several diagrams and mind maps provided as an MS Visio file) summarizes many of them in an easily digested format.

It was not hard to find topical examples and recent news cuttings for the awareness newsletter this month, unforutnately, since networking is almost universal and network security incidents often hit the headlines.

Read more about the module here and, if NoticeBored looks like something that would pep-up your flagging or non-existent security awareness program, do get in touch.  I'd love to hear back from you.

Gary (Gary@isect.com)

22 Nov 2011

Heir Hunters - not

Interesting new slant on an old 419 scam now circulating:

Hello Dear,

I am writing you from Heir Hunters Company in the United kingdom .

Heir Hunters probate detectives looking for distant relatives of people who have died without making a will,

the United Kingdom  government last year made over ?18m from uncliamed assets.

When people die intestate ( without a will ) and with no known relatives, their names are released by the Treasury.

Every Thursday, a list of these unclaimed estates, the Bona Vacantia ( Latin for "ownerless goods" ) is published on the Treasury Solicitor's website.

The race is then on for heir locators to track down the often distant relatives in line for a windfall. Often heir hunters pick more unusual names first, as they are easier to trace.

We came across your profile and email while searching  through genealogy database,we will be glad if you can get back to us with your full name, date of birth,

address and your direct number if it corresponds to the information

we have in our data base in order to enable us carry out necessary  verification processes and to get your claim across to you without any delay.

Heir Hunters have handed over thousands and millions of funds to heirs who have no idea of their fortune,some of them ,Holocaust  victims' estates,

whom some of their heirs tried to flee war-torn Europe,but did any of them survive to claim these fortune ?

We will gladly answer this question for you.

Very Truly Yours
Mrs.Sarah Bernstein OR Mr.James Horgan
Tell your family and friends if you think they might fall for it.

Gary (Gary@isect.com)

17 Nov 2011


Brian Krebs is an excellent journalist and blogger on information security matters.  He often seems to pick up infosec stories that nobody else covers and his advice is generally sound.

In respect of password choices, however, I think Brian's missing a trick. He offers the stock advice on avoiding common words, using miXed case and punctuation ... etc. all fair enough but neglects to mention the coolest tip of all, which is to use long pass phrases. 

Long passwords used to be counterproductive on old Windows systems that broke them all into weak 7-character chunks.  Windows hasn't done this for years.  The only other issue I'm aware of is that some dinosaurs of the mainframe era still restrict password length to about 8 characters.  But hey, it's only the mainframe, so nothing much to protect there, eh?

My favorite passphrases are the complete lines of songs, complete with punctuation, spaces, capiTaliZation and tricks such as duplicating, omitting or substituting certain characters.  Best of all, I only need to remember one long passphrase - the one that opens my password vault - and I practice it often enough that it stick in my mind.  When it's time to change it, I simply pick another line or another song, poem or famous quotation, something memorable.  Occasionally I find myself quietly humming along as I type it in, and yes I'm paranoid enough to worry about anyone overhearing me!

Gary (Gary@isect.com)

7 Nov 2011

Colombian credentials

Presumably as a result of international pressure on the Colombian authorities, a colleague sending me a letter had to attach a photocopy of his REPUBLICA DE COLOMBIA - IDENTIFICACION PERSONAL - CEDULA DE CIUDADANIA (what appears to be his Colombian government-issued ID card), front-and-back including his mugshot and fingerprint, to the "CARTA DE RESPONSABILIDAD" form PR-OP-AD-001-FR-001 endorsed by somebody working for the POLICIA ANTINARCOTICOS at Aeropuerto El Dorado - Bogota.

The bottom of the form reads "Nota: Recuerde que es obligatorio anexar fotocopia del documento de identidad".  With my rather primitive understanding of Spanish, I take that to mean that it was compulsory for the sender to attach the photocopy of his ID card, presumably to be able to send me the letter.

I was absolutely amazed to receive all that personal information 'in plaintext', attached by sticky tape to the rear of the airmail letter that arrived in my NZ postbox today.

I guess the Colombian authorities appreciate that the attached information is personal to the sender and could probably be used as credentials for identity theft.  I presume that nevertheless they insist on it due to the significant risk of drugs being exported via email.  I am astounded that, having checked it, they actually sent the personal information out of the country.

Needless to say, I have destroyed the form and the photocopied ID card.   

Gary (Gary@isect.com)

2 Nov 2011

Credentials module released

One of this month's awareness poster images

'Credentials' is the rather formal title of November's NoticeBored security awareness module, but in fact the materials cover a wider brief relating to identification and authentication.

Authentication associates a person unambiguously to an identity, excluding others. It reduces the possibility of fraud and hacking, helps maintain the integrity of the systems and data, and is a prerequisite for personal accountability. Authenticated individuals can safely be given access to sensitive and valuable information resources which they are authorized to access. Without authentication, unauthorized access would be a much bigger problem and the information security risks would be even greater.

That said, from the ordinary employee's perspective, the key issues are choosing good passwords and keeping his staff ID card safe.

Gary (Gary@isect.com)

1 Oct 2011

SSL security checker

A nicely presented online tool from Qualys lets us check the security of SSL configurations used by public websites

SSL is not exactly the security panacea that is usually implied by online businesses.  It can be configured on the servers to negotiate and establish connections using older, weaker algorithms, instead of the more recent, stronger, recommended ones - or not.  The Qualys tool presumably connects and tries to persuade the tested site to fall back to one of the deprecated SSL algorithms, marking down the site's score if it succeeds.

This is a simple illustration of the complexity of IT security management today, and the value of routine independent pen testing of corporate websites.

Regards, Gary (Gary@isect.com)

[Thanks to Jim for the heads-up on this.]

Another 4,900,000 privacy breach statistics

A backup tape containing medical records and other personal information on nearly 5 million US military personnel in the TRICARE scheme have been stolen from an SAIC employee's car. 

TRICARE is a US "health care program serving Uniformed Service members, retirees and their families worldwide".

SAIC (Science Applications International Corporation) is a "scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding".  It is best known as an IT oursourcer/service provider.

TRICARE's statement "retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure" does not stand up well to scrutiny.  If the data had been strongly encrypted - which is generally accepted as good practice for such confidential information, or "reasonable controls" - then knowledge of hardware, software and data structures wouldn't have been a factor.  Without encryption, yes it might require a professional tape drive to get at the data, and then some time (perhaps months) analyzing the data to establish the data structure.  But if the prize is worth the investment, someone may feel lucky.  Given that the people whose personal information has been stolen include serving US military personnel, the stakes are high.

Did they really have to wait two weeks after discovery before disclosing this 'to avoid raising undue alarm'?  It sounds like their incident management, HIPAA compliance, and relationship management processes could do with a squirt of WD-40

TRICARE says "both SAIC and TRICARE Management Activity (TMA) are reviewing current data protection security policies and procedures to prevent similar breaches in the future".  Shame it took an incident of this magnitude to spur them into action.  If I was one of the 4.9 million, or a US taxpayer, I would be calling TRICARE and SAIC management to account for their handling of governace, compliance, policy, privacy and information security.
Gary (Gary@isect.com)

30 Sept 2011

Privacy awareness module

Today we released the October NoticeBored awareness module on privacy ...

The awareness materials introduce basic privacy concepts using the OECD privacy principles, emphasizing compliance with privacy laws and regulations, as well as corporate privacy policies and procedures.  Information security controls underpin privacy for personal information and data.  Ethical considerations take privacy beyond mere compliance into the realm of appropriate and inappropriate use and disclosure of private matters, while the business impacts of privacy breaches, and the costs of privacy controls, are also discussed.

The awareness quiz is a new idea.  I hope customers will have fun with that.  The quiz format will no doubt continue to evolve over future months, and as always improvement suggestions are very welcome.
Gary (Gary@isect.com)

28 Sept 2011

Social media policies

Seems free speech is alive and well in the US ...
"Most of the social media policies that we've been presented are very, very overbroad," Solomon said in an interview. "They say you can't disparage or criticize the company in any way on social media, and that is not true under the law."  ... Doreen Davis, a management-side labor lawyer based in Philadelphia, said many of her corporate clients are often "surprised and upset" when they learn they can't simply terminate employees for talking about work online.
Employers should develop sound, legally-sanctioned policies concerning what employees can and can't say about them on Facebook or whatever, but more importantly they need to provide mechanisms for employees to voice genuine grievances and have them addressed properly by management, without fear of persecution or recrimination.  That's the real issue here, isn't it? And it's a governance matter in my book.

So why is it that whistleblowers' hotlines are still as rare as rocking horse poo?

Gary (Gary@isect.com)

21 Sept 2011

40 hard-won business continuity lessons from the NZ and Japan quakes

Rob Slade and I wrote an article capturing forty business continuity lessons arising from the massive earthquakes in New Zealand and Japan. It has just been published in EDPACS and, thanks to the generosity of the publishers Taylor and Francis, it is available as a free PDF download.
Aside from the specific lessons concerning resilience, crisis management, disaster recovery, and contingency management, our article illustrates a broader point, namely that it is not necessary to experience disasters first-hand in order to learn from them.  If you are fortunate enough not to live and work in an earthquake-prone area, there are still valid lessons here to help you survive other natural and unnatural disasters.

Gary (Gary@isect.com)

7 Sept 2011

What use is a BCP that won't work?

While contemplating the latest PwC security survey report, I was intrigued to read:
"At first glance, the nearly six out of every 10 (58%) respondents who report their organization has a contingency plan in place for security incidents is a healthy number. (Figure 15)  But when you factor this number by the percentage who report that their plan is effective (63%), the results are disheartening.  In effect, most organizations (63%) have no plan or the plan they have doesn’t work." 
I'm curious about the implication that about a third of organizations have nonfunctional contingency plans for information security incidents.  Presumably they know their plans don't work because:
  1. They have used the plans but they failed in operation.  It's possible some such organizations are too busy trying to recover from the incidents, or conceivably they are too badly damaged, to work on their contingency plans right now.  What are the others doing?;
  2. They have tested the plans but the tests failed.  Surely these organizations are in the process of re-working their plans?  The alternative - failing to respond to the test failure - sounds to me like more than just a matter of incompetence or not knowing how to fix their broken plans.  Isn't this a governance issue, verging on negligence?;  or
  3. For some reason they assume their plans would not work, perhaps because they are clearly incomplete, unworkable or missing vital components.  They believe they have an issue but are they doing anything about it?  This looks like an assurance issue and poor governance again.
I could understand a small proportion (5 to 10%?) of organizations finding themselves caught in the act of checking and updating their plans at the time of the survey, but I would not have predicted the proportion would reach as high as one third, on top of the 42% without any plans at all (doh!).  Such is the value of surveys, I guess.

IMNSHO it's high time that contingency, or rather business continuity, planning came into the mainstream of business management, under professional leadership, as an expectation of every soundly-governed organization.  Having no workable plans is simply an untenable position for management, especially knowing that there is no such thing as perfect or complete information security, and given that serious incidents will certainly be costly and could easily destroy the business.  Standards such as BS 25999 and NFPA 1600 are already available with ISO/IEC 27031 and ISO 22301 on their way, while professional organizations such as the BCI support their members with information and guidance on good practices.  

An article for EDPACS that I wrote in conjunction with Rob Slade, currently 'in press', uses the earthquakes and tsunami in Christchurch and Sendai to highlight 40 valuable lessons for business continuity planning.  I'll let you know as soon as it's released  :-)

Gary (Gary@isect.com)

31 Aug 2011

Securing people: the human side of information security

Information security involves far more than just computer security.  It's about protecting information in all its forms against all sorts of risks using whatever security controls are cost-effective.  Technology-based controls such as logins, firewalls and antivirus programs, plus physical controls such as padlocks, are merely parts of the information security space - important parts, maybe, but not sufficient in themselves to secure our information assets. 

This is where the modern approach to information security departs from traditional IT security in particular.  We need to secure not just the computer systems and networks but also the human beings - the people who design, develop, test, implement, use, manage and maintain the systems and networks, plus those who seem to get by perfectly well without IT ...

Information security is very much a human endeavor, which of course makes it an ideal security awareness topic, not least as security cannot be addressed through technology alone. So we have ... a new awareness module on people security ...

To be honest, it's actually the 102nd module since we released an additional module following the London Underground bombings in 2005, and module #101 is our security orientation module.  But please join with us in celebrating our centenary anyway!

Gary (Gary@isect.com)

29 Aug 2011

Oh no! Several stormy rainfall!

Phishers are already using the US hurricanes as the pretext:

"... After several stormy rainfall occurred recently, We regret to inform you that a computer failure has affected some of the modules of our systems notament sending wire transfers and credit card payments online.  But our teams have set up a verification process and reactivate your account.  To complete verification, you will be taken through the following stages:
 1. Input your Personal Information
 2. Input your Account Information
 3. Input your Online Banking Information
 4. Click on Continue ..."

Anyone gullible enough to believe that 'several stormy rainfall' is enough to knock out a bank's computer systems and require them to 'verify' themselves probably shouldn't have a bank account.   :-)

Gary (Gary@isect.com)

10 Aug 2011

Spoon-fed security

I've been reading the recently-issued revised FFIEC guidance to US financial institutions on user authentication and related 'layered' controls, and puzzling as to why such guidance is required  Is it really necessary for the FFIEC to tell banks, for example, to use "enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk"?  Is that not stating the bleedin' obvious?  Isn't it clearly in the banks' interest to make their valued customers aware of keylogging Trojans, phishing, 419s, money-mules and a zillion other scams?

The financial institutions in which I have worked have all been hot on risk management, and have usually worked at or close to the cutting-edge of brand new security technologies.  My risk, security and fraud colleagues definitely appreciated the issues relating to failing to identify and authenticate customers, not least for Internet banking systems, while on the whole, management "gets" security.  After all, it is of course their core business.  Security is 'what banks do'.

Aside from generally-accepted good security practices and standards, plus industry norms shared informally through industry forums and employee migration, they experience and learn from information security and fraud incidents, in much the same way as they learnt the need for strong bank vaults from traditional stocking-masked bank heists.  For example, banks know that cheap low-resolution CCTV systems give woefully inadequate images, whereas good quality stills, or even better clear color video shots from multiple angles, substantially improves the probability of someone recognizing bank robbers caught in the act.  So too do they appreciate that strong forensic evidence concerning network hacks makes it much more likely to pin the attacks on the perpetrators.  I won't go into details about the controls but suffice to say that practice is good.

In Europe and Australasia, in my experience, the banking regulations are primarily concerned with corporate governance, accounting practices and systemic risk - areas in which banks' commercial interests might conceivably conflict with the wider interest of customers, tax authorities, shareholders and society.  There are of course laws and regulations about privacy, but compliance is relatively insignificant for banks given the pervasive security culture.  The laws and regulations mandate privacy 101 for the witless and clueless, while on the whole banks are in a completely different class*.

So is there something materially different about financial services in the States that for some reason requires rather minimal security standards to be imposed on the industry by a government regulator?  Without the regulations, would US banks not be concerned about protecting their customers' assets?  Unless spoon-fed the appropriate security advice, I wonder whether they would casually leave the vault doors open?

That the FFIEC guidance even exists perhaps implies that (some) US financial institutions are incompetent, negligent and/or irresponsible regarding information security.  Following hot on the heels of the 'sub prime' fiasco, there does seem to be something of a mental block there concerning risk and control.   Please tell me I'm wrong ...

Gary (Gary@isect.com)

* That's not to say that banks always get it right - like for instance the local branch that insisted on repeatedly FAXing confidential customer paperwork to my office phone, until I was annoyed enough to forward the call to our office FAX and discovered the culprit.  It was a simple case of digital dyslexia - a wrong number stored in the FAX machine's memory.  The branch was of course embarrassed to discover the breach and the annoying calls stopped immediately.  Lesson over.  Move along.  No need for an industry regulation.

5 Aug 2011

Hard lessons

Distribute.IT, an ISP that suffered a devastating hacker attack on June 11th was attempting disaster recovery by June 13th but in serious trouble by June 17th and finally admitted defeat with the complete loss of several important customer-facing servers by June 21st, just ten days after the hack.  Some 4,800 domains and customer accounts were lost, with (it appears) no offsite data backups from which they might have been restored.

With 20/20 hindsight, someone in Distribute.IT's management presumably made some extremely unwise decisions regarding the risk that materialized.  Whether they simply didn't consider or appreciate the risk, considered it too remote to address, or failed to treat the risk adequately, is now a moot point: whatever they did do was patently not good enough, and it looks like the business has failed.  Controls that are meant to prevent hacks fail quite often in practice, so it would have been sensible to make suitable disaster recovery and business continuity arrangements on that basis.  We know that now, and so do they and their customers - too late for this incident but hopefully not too late for the rest of us to learn the hard lessons.

Gary (Gary@isect.com)

3 Aug 2011

Hacking the Sun

The website for the Sun newspaper, formerly a competitor to the now defunct News of the World, has been hacked, compromising personal details of entrants to an online competition.  Whether this is linked to Lulzsec and Anonymous hacks remains to be seen, but I'm glad I'm not an information security manager for the British tabloid press, or in fact any British news media.

Gary (Gary@isect.com)

RSA hack cost >$66m

EMC, which owns RSA, spent US$66m 'between April and June' as a result of the Trojan/hack incident in March that compromised their SecureID product.

$66m may be Information Week's headline figure and that's a staggering amount of money for starters, but that's just it - it's for starters.  We're told "It doesn't include post-breach expenses from the first quarter, when EMC began investigating the attack, hardening its systems, and working with customers to prevent their being exploited as a result of the attacks." so we know for sure it is an underestimate of the full breach costs.  The wording of the disclosure also implies that it only covers the direct costs that are readily-attributed to the breach.  Indirect costs such as the brand/reputation damage, customer defections, lost sales prospects, damaged employee morale and more are hard to even estimate, let alone with sufficient accuracy to satisfy the bean-counters and marketing people who typically drive these "earnings calls".  Furthermore, the costs of the incident to RSA/s customers are totally out of the picture. 

The ultimate grand total tally may be orders of magnitude greater than $66m, all thanks to an employee retrieving an email from the spam folder and unwisely opening the attachment.   [Was that a Freudian slip?  I originally typed "attackment" which is not far from the mark.]

Gary (Gary@isect.com)

30 Jul 2011

Disclosing our sources

These are some of the key resources we use routinely to find out about and learn from information security incidents:
  • Google, of course.  We search often using the Google toolbar in our browser.  We have learnt to craft more effective queries by exploiting Google’s search syntax including the advanced search functions
  • Google Alerts are a helpful way to trawl the Web daily for specific news and tidbits relevant to the monthly topics, especially since we discovered how to integrate alerts into our RSS/blog reader …
  • Google Reader is, currently, our RSS/blog reading weapon of choice.  Have you spotted the not-too -subtle pattern here?  Google rocks! 
  • Hyperlinks embedded within other sources.
  • Blogs, particularly information security blogs from information security gurus and respected tech journalists, but sometimes we enjoy na├»ve or counter-cultural blogs, even those from the Dark Side, the hacker underground (as in ‘know your enemy’!).  Check our blogroll (lower right) of this page to see who we’re currently following.
  • Academic and trade journals, such as EDPACS, ISSA Journal and (ISC)2 Journal.
  • Industry associations, meetings and peers.
  • Magazines such as Hackin9 and ClubHACK.
  • General news media – yes, even TVNZ, the BBC, CNN and others occasionally highlight information security incidents or issues that haven’t already come to our attention elsewhere, albeit rather superficially.
  • Information security surveys such as those from Secunia, CSI and PwC (including the biannual breaches survey).  While these sometimes describe interesting incidents, they tend not to be very recent.  Surveys are of more use for their information about information security threats.
What do you use?

Gary (Gary@isect.com)

PS  We'll cite further sources as they occur to us, on the NoticeBored links page.

28 Jul 2011

Learning from information security incidents

Information security incident management processes are meant to help the organization contain and recover more efficiently from incidents.  Well-designed processes also enable the organization to understand the risks that materialized, analyze and identify the root causes, and make improvements to the security controls in order to reduce the risk of further incidents.

The School of Hard Knocks is an effective but rather brutal institution.  We can certainly learn from the information security incidents we suffer directly, but they can be costly - devastating even.  The worst can literally threaten the organization’s survival.  Hard knocks indeed!  The awareness materials this month extend the idea of learning from our own information security incidents to take in lessons from incidents affecting third parties.  The idea is to gain the knowledge without actually suffering the adverse impacts of information security failures. 

It’s obvious when you think about it, but does your organization do this systematically?

If not, take a look at our latest batch of security awareness materials.

Gary (Gary@isect.com)

19 Jul 2011

On being 'secure enough'

Security Week invites readers to complete a checklist/questionnaire to figure out whether their security awareness programs are "good enough".  I was pleased to rate myself in the top-scoring category:
"If you scored 55 or more “yes” answers, you already know this stuff and have yourself under control. You could probably be teaching other organizations how to design and implement security awareness programs. You have a well-defined and executed program that pretty consistently exceeds standards of due care. Maintain your program and stay vigilant on quality updates."
Well yes, in a sense I am 'teaching other organizations how to design and implement security awareness programs' through our NoticeBored service so the high score is to be expected.  In fact, NoticeBored delivers rather more than the checklist requires*, but it got me thinking about whether it is realistic to expect our customers, or indeed less fortunate organizations :-) to adopt all the awareness practices and topics mentioned in the checklist, or in books such as Rebecca Herold's Managing an Information Security and Privacy Awareness and Training Program.

The reality is that the range and scope of awareness programs varies enormously, depending on factors such as:
  • The level of management support for information security and/or awareness;
  • The energy, enthusiasm and drive of the person or team driving the awareness program, plus their own preferences, expertise and experience;
  • The maturity of the awareness program, and its perceived value and effectiveness to date;
  • The breadth of information security issues facing the organization.
A few organizations are either not doing any security awareness, or are stuck in the groove of annual 'awareness training sessions' or begrudging, minimal compliance with their legal and regulatory requirements which is frankly not much better.  As the checklist author put it "To put it bluntly, you are probably an accident waiting to happen."

I struggle to understand how management expects the organization to be secure if it fails to inform and motivate its employees on security matters.  It's a curious form of myopia/blindness.  Perhaps these same managers put all their faith in antivirus and firewalls ... right up to the point that they are hit by one massive security incident (a la RSA) or a string of (slightly) smaller ones (Sony-style).  Meanwhile, they are slowly being bled dry by the background noise of information security incidents which nobody notices or cares about.  What a waste!

Gary (Gary@isect.com)

* NoticeBored covers a wider choice of information security topics, with a broader range of awareness materials, and last but not least we create awareness materials for IT professionals as well as for general employees and managers.  What do you do?

PS  Aside from the differences between organizations, different parts of an organization may be at different stages of maturity with respect to information security and/or security awareness.  And it's a dynamic, fluid situation - for example levels will be higher soon after a major incident or event than before.

18 Jul 2011

Unclassified but still worth protecting

An unusual news item in the Federal Times says that the US DoD is proposing to impose information security requirements on defense contractors regarding unclassified information, supplementing those for classified information.  The article goes on about blurring the distinctions between classified and unclassified information, and claims the compliance costs across the industry will be enormous, but if so I'm puzzled at the implication that such information is not already being adequately protected by contractors.  Surely any organization that handles classified military information is well aware of information security risks and controls, so I would be very surprised if unclassified information is as insecure as the journalist suggests.

Gary (Gary@isect.com)

14 Jul 2011

Cross site scripting made simple

A well-presented video tutorial from the OWASP team explains in simple terms how one form of XSS - cross site scripting - works.

XSS is a bit tricky to explain.  The video makes good use of graphics to put the message across, without getting too technical.

If you are a web developer, you should be well aware of XSS, in sufficient depth to know how to prevent this form of attack on visitors to your websites.  The tutorial barely hints at the technical controls needed but future editions will go into more depth.  Meanwhile, the excellent OWASP site includes lots more information and even some code snippets to give you a head start on securing your site.

Gary (Gary@isect.com)

12 Jul 2011

You have the right to remain silent ...

... while we force you to enter your passphrase into your computer to decrypt the data potentially comprising or incriminating evidence. According to the cNet article:
Prosecutors stressed that they don't actually require the passphrase itself, meaning Fricosu would be permitted to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding "the password to the drive, either orally or in written form."

The ramifications of governments 'allowing' 'ordinary' 'citizens' access to strong encryption are many and varied.  What if citizens have the nerve to protect information which they consider highly confidential but which the government desires to access?  Of course the government has the resources to try to defeat the cryptosystem, whether by brute-force attack or cryptanalysis.  It also has the resources and means to attempt to steal passphrases using Trojans or other surveillance techniques, or insert and access backdoors, or insist on escrow.   We know it has the rubber hose necessary for coercive cryptanalysis.  And if it had the means to read citizens' minds, you can bet it would apply them.  But for now, being forced to go through the courts to demand that citizens decrypt their own information for the benefit of the government (and, arguably at least, for society at large) is, for me, a step too far. 

Just like the so-called rule of law "innocent until proven guilty", I accept that some guilty parties will 'get away with it' if their crypto-secrets are in fact strong enough to remain secret, but on balance this is better than the alternative.  If the government has the legal right to demand that its citizens incriminate themselves, the government cannot also demand the support of its citizens - the very citizens who give it the authority and power to act on their behalf.  George Orwell saw it coming.

Gary (Gary@isect.com)

3 Jul 2011

Changing the culture of an entire industry

Engendering a culture of security is something we normally talk about in relation to organizations and parts thereof (for example, changing the culture within management or within the IT department).  I'm sure that most people who have actually tried to do this would agree that it's a tough challenge.  It's not even entirely obvious how to define, let alone influence or change corporate cultures. It's one of those things that is easier to say than to do.

OK, now imagine your task is to engender a culture of security across a massive public body - like for example the UK's National Health Service.  According to a piece in SC Magazine, the Information Commissioner is calling for changes in the NHS:
“The sector needs to bring about a culture change so that staff can give more consideration to how they store and disclose data. Complying with the law needn't be a day-to-day burden if effective measures are built in and then become second nature."
Actually, the quote is a bit ambiguous regarding the scope: is the Commissioner concerned with just the NHS or the sector - presumably the health sector in the UK?   Either way, changing the culture is a massive undertaking.

He continues:
“My office is working with Connecting for Health to identify how we can support the health service to tackle these issues.”
I looked through the Connecting for Health website to see what they have to say about information security or privacy, and initially found nothing obvious until I came across the Information Governance section (hint: governance is not normally a synonym for security, but the NHS seems to be developing its own parallel language, for example referring to Serious Untoward Incidents, or SUIs, where plain old 'incidents' would normally suffice).  There I discovered some red tape to request access to the NHS network, out-of-date and inaccurate information about the "ISO 27000 series of standards" (meaning the ISO/IEC 27000 standards), a "detailed 17-page document explaining the background and development of both patient and clinician 'sealed envelopes' functionality" plus, of course, a PowerPoint presentation to explain the 17 pages (!), a vague introduction to information security and various other bits.  Overall, the website leaves a poor impression regarding information security.  The information is disjointed, minimalist and full of jargon, so that's one area in which the Information Commissioner can usefully apply pressure supporting the cultural change he anticipates.  A coherent, accessible, useful and engaging website would be a worthwhile vehicle for a security awareness program.

Gary (Gary@isect.com)

30 Jun 2011

Background checking the background checkers

If your organization conducts background checks on candidates prior to employing them into roles involving access to highly classified information, or when promoting employees to more responsible and trusted positions (good on yer!), your security probably depends heavily on those checks and hence on the checkers.  Given the risks inherent in the process, you should definitely ensure that the process controls are adequate.

For example, if you outsource your background checks, is the outsourcer competent and diligent?  Do you need to check up on them?  If so, how, and how often, should you check?  Who, within your organization, is accountable for the quality of the checks and for any security incidents that result if the checks prove inadequate?

I'm asking these questions because it has been known for background checkers to falsify evidence of the checks they are supposed to have conducted.  Incidents of this nature are hard to uncover, expensive to investigate and resolve, and worse still can lead to extremely serious incidents downstream if improperly cleared people are handling classified information inappropriately.

Gary (Gary@isect.com)

29 Jun 2011

Information protection awareness module

NoticeBored's security awareness topic for July is "information protection", a deliberately vague title for a wide-ranging subject, including ownership and accountability for information assets, classification and baseline security.

Read all about it on the NoticeBored site and get in touch to subscribe to NoticeBored, the creative momthly security awareness service.

Gary (Gary@isect.com)

Queensland Government security audit

Writing in the Courier Mail, journalist Mike O'Connor takes a particularly cynical view of  the Auditor-General's latest official report into information systems governance and security at the Queensland Government:
IF YOU ran a business that spent $1.5 billon a year on information technology systems that contained highly sensitive, confidential data, then you would very likely take care that you were getting your money's worth.  You might also ensure the best-practice security systems were in place and that your staff knew what to do and how to do it.  The Queensland Government, however, takes a more relaxed approach to the value it gets for its $1.5 billion, one best characterised by those two delightful Australian synonyms for incompetence and ineptitude, "She'll be right'' and "No worries''.
 The audit report identified issues such as:
  • Weaknesses in the overall governance of IT;
  • No clear business owners for whole-of-government IT programmes;
  • Persistent weaknesses in network security (despite this having been raised in previous audits);
  • Out of date or untested IT DR plans, with some agencies having not even identified their critical business processes as yet and particular concerns around the shared IT infrastructure. 
The inter-departmental issues are disappointing given the strategy announced in 2009 "to achieve efficiencies by enabling the Queensland Government to perform successfully as a single enterprise".  At one point, the report says:
"The CEO Leadership Team Services Sub-committee was assigned the responsibility for being accountable for the delivery of benefits and outcomes of the Toward Q2 through ICT strategy and projects. This responsibility was communicated to Cabinet through a progress report on the portfolio. However, the terms of reference for the CEO Leadership Team Services Sub-committee did not reflect this role.  ... Between December 2009 and December 2010, 13 meetings of the Services Sub-committee were held but no material decisions relating to the Toward Q2 through ICT portfolio were made by the Sub-committee during that time. The Services Sub-committee did not have the necessary powers to exercise effective governance over the portfolio such as changing the progress or discontinuing initiatives in response to an assessment of their capacity to deliver benefits to the operations of the Queensland Government."
If you are familiar with the BBC satire "Yes, Minister", it's not hard to imagine the internal politics associated with driving, and particularly funding, cross-governmental security initiatives in this cost-cutting environment.

Gary (Gary@isect.com)

19 Jun 2011

Epsilon and ISO27k

A report by Jeanette Fitzgerald, Epsilon Data Management's General Counsel, to the U.S. House of Representatives' Committee on Commerce, Manufacturing, and Trade outlines the sequence of events involved in the Epsilon data breach on March 30th that compromised names and email addresses on the mailing lists of about 50 Epsilon clients

Epsilon's business is to provide the infrastructure enabling massive email marketing campaigns for its clients.  While that may sound to some rather like legitimized spamming, Epsilon refers to it as "permission-based marketing" since recipients supposedly opt-in to the campaigns (albeit perhaps by failing to deselect the relevant option hidden deep in some marketing materials or during an inquiry or sales transaction) and have the ability to opt-out later.  The hackers and scammers now in possession of the stolen personal information are unlikely to respect opt-in or opt-outs however.  There have been gloomy predictions of spear phishing attacks over the coming weeks and months, perhaps using the branding of the 50 client companies - or indeed of Epsilon itself - to ensnare potentially vulnerable customers on the client mailing lists.

I find it interesting that the ISO27k standards featured heavily in their report.  Epsilon's management, clearly under pressure to account for the security breach, must feel that their adoption of ISO27k demonstrates sound security or information governance.  According to the report, Epsilon's Information Security Management System been certified compliant with ISO/IEC 27001 for about 5 years, and they have implemented the generally-accepted good security practices recommended by ISO/IEC 27002, the code of practice standard.

This begs the obvious question "How come the good security practices promoted by the ISO27k standards didn't prevent the breach?" ... from which, in turn, some might infer that ISO27k is worthless.

A similar issue cropped up this week on CISSPForum, an email reflector for CISSPs and other information security professionals.  In the context of an ongoing discussion about security awareness, a colleague told us
At a conference the speaker made the statement "If awareness was going to work, it would have worked by now."
... the implication being clearly that awareness is so broken that it's just not worth doing. 

There's a logical fallacy in both cases.  The may not have been perfect controls, but without ISO27k and without security awareness (which happens to be one of the ISO27k-recommended controls), the Epsilon incident might have been far worse

After the fact, there is actually some evidence of the value of both the ISO27k security controls and the management system.  That Epsilon responded so rapidly to the incident, notifying their clients in short order and liaising with the authorities, forensics experts and others indicates that their security incident response and management activities, at least, worked smoothly and efficiently.  Senior management was engaged, and must have been sufficiently aware of the significance of the incident to react appropriately.  It was phrased thus in the report:
"In identifying the recent attack on Epsilon’s systems, the company’s security program detected unauthorized download activity and invoked Epsilon’s security incident response program. This led to an immediate move to investigate and remediate the unauthorized entry and to put in place additional safeguards based on the company’s findings."
Further details about the incident response were provided in the report, albeit in summary.  This does not read to me like the typical uncoordinated/panic reactions that we sometimes see elsewhere, although to be fair this is a formal, public report to a committee.  The internal incident investigation findings might have told a different picture!

The 'if it was going to work, it would have worked by now' statement [I refuse legitimize it by calling it an argument] could apply to many different things, such as information security as a whole, or anti-corruption laws, or CFC bans, or restrictions on whaling.  The fact is that, in each case, we can't tell for certain what would have happened if we had not acted.  However, before we did whatever it was, we presumably weighed-up our options and thought it appropriate to go ahead.  Afterwards, there may be some evidence to suggest that we did the right thing but it tends to be anecdotal or circumstantial, and so remains open to the challenge that it would probably have happened anyway.  Short of conducting scientific trials under controlled conditions, the factual evidence is bound to be limited and disputable. Such is the nature of risk management.

Gary (Gary@isect.com)