Welcome to the SecAware blog

I spy with my beady eye ...

30 Aug 2014

New awareness module on change and security

The intersection between information security and change management is our awareness topic for September, covering issues such as: 
  • Many corporate changes deliver new or modified IT systems and business processes, and most of those have information security requirements - therefore information security risk analysis and security design should be a routine part of project management;
  • New and updated laws, regulations and compliance obligations (some of which are relevant to information security, risk, privacy and business continuity) push the organization into changing, as do changes in the information security threats, vulnerabilities and impacts affecting the corporation - in other words, apart from changes driven by the business, it needs to respond to changes in the external environment, including some that affect information security;
  • Change control and system security in general are all bar impossible without adequate IT security controls preventing unauthorized changes - so IT or cyber security is an essential element of change control;
  • Software patches often address security vulnerabilities, while the need to implement them quickly on vulnerable systems puts pressure on conventional test and release mechanisms - security patch management puts ordinary change management processes under stress [we provided a new template policy on patching and other awareness content about that];
  • Significant changes may create unacceptable risks to the organization unless those risks are recognized and treated - it is strongly linked to risk management;
  • Changes are often unsettling to employees, and if mismanaged may lead to resentment, resistance and perhaps even retribution against the organization that is perceived to be imposing them - which is a cue to pick up on the human aspects of corporate change.
This is an unusual information security awareness topic but it certainly has relevance, interest and value, making it a legitimate part of the program (at least that’s how we feel about it!).  It has been five years since we last covered it, and we probably won’t do so again for a few more years yet, so subscribers lap it up while you can.  Get in touch to subscribe to NoticeBored if you agree that this would be an interesting and worthwhile addition to your security awareness and training program ... or by all means invest your time and effort to research and write the awareness materials yourself from scratch.  You'll soon discover why a NoticeBored subscription is such great value!

Gary (Gary@isect.com)

22 Aug 2014

Online auction scam

A seller offering a top-of-the-line radio at a knock-down price through an online auction/swap-meet site seems too good to be true ... as indeed it was. He'd already scammed others, so the website's admin was prepared to string him along when he published another ad, playing the part of his next willing victim.

The story line is all too familiar although it is unusual to see anyone brazenly trying to pass off such cheesy fake documents.  The naivete of people who are being scammed in this manner, as well as the scammer's cynical attempts at coercion and fakery, sing out from the write-up and, I must say. some of the comments that follow. 

A number of warning signs about this scam are noted in the piece, along with generic advice about reducing your risk of being scammed in this manner.  I should mention, though, that this particular website is not a dedicated auction site. Auction sites such as eBay and (here in NZ) Trademe have full-time anti-fraud teams and close links with the authorities.  They have specialist knowledge, tools and competence, reducing the risks still further ... but at the end of the day, there's only so much even they can do to prevent social engineering attacks on their customers.  Recognizing the harm that fraud causes to their reputations and brands, some offer consumer guarantees provided certain conditions are met.

It will be interesting to see if the authorities make any headway in locating and prosecuting the perpetrators behind this scam. I'd be surprised if they even trace them, and doubly impressed if they managed to recover any of the proceeds of crime.

In short, it's a neat, public example of security awareness, not dissimilar to our scam alert on online auction frauds (download) from the May 2013 NoticeBored security awareness module on fraud.


9 Aug 2014

Hot crazy matrix

The universal hot crazy matrix is an amusing demonstration of the power of presenting numeric data in graphical form, extracting meaningful information from the data in order to lift the discussion off the page. We shall have to include it in our security metrics course.

Non-PC sexist humour aside, the presenter's knowledge and passion for the subject are undeniable.  Contrast that enthusiastic, lively presentation with the dull, ponderous, matter-of-fact way we normally present information security and other business metrics. 'Nuff said. For more, come on the course!

5 Aug 2014

Information security roadshow

For something a bit different, have you thought about running a roadshow, tradeshow or conference-style display/event as part of your security awareness program?  "All it takes" is:
  • The creative ideas and enthusiasm to intrigue and garner management support. Don't underestimate this element! The 'man cave' is but one random example of a style/design theme you might adopt. For a significant event, it's worth drafting a proposal and project plan detailing the resources, timing, location/s and most of all the purpose of the roadshow e.g. which information security awareness topic/s will be covered and why? What are the learning objectives and/or key messages you want to put across?;
  • A few mobile display panels (perhaps borrowed from Sales and Marketing) for your posters and other materials ...;
  • Some posters and other display materials. We find that mind maps and metrics, for example, tend to intrigue and draw people in to the stand; the NoticeBored briefings, case studies, puzzles etc. coupled with your corporate security policies, standards etc. make decent handouts;
  • A table and/or magazine rack/s to distribute awareness materials and trinkets;
  • One or more prizes for security quizzes/competitions to run concurrently with the roadshow, maybe locked in a display case or photographed for the stand along with the challenge (for inspiration, think about the promotions you often see on trade stands ranging from the basic “Give us your business card to enter a free prize draw …” to “Pick this padlock faster than anyone else to win the prize …”;
  • Optionally, set up a PC and screen to show rolling slideshows and perhaps a demo of Information Security’s intranet Security Zone (whether offline or online) – but don’t neglect physical security if the stand is ever unattended!;
  • Ideally, organize seminars, workshops or training sessions as part of the event (perhaps one per lunchtime over the course of a week so everyone has the chance to participate);
  • Notepaper or cards to record queries from punters that can't be satisfied at the time: keep these safe and actually follow-up promptly after the event, since inviting inquiries suggests you will respond;
  • Someone to set up and take down the stand, and hopefully someone with an information security background to man the stand and field questions, at least during busy periods (if they cannot be there full-time, it helps to put up a note saying when the stand will next be manned);
  • Permission to set up the display in, say, the reception area, executive suite, staff restaurant or similar;
  • Some pre-show promotional emails, flyers or tickets inviting them to visit the stand.

Don’t forget to take photographs of the stand in use, with people taking an interest, to demonstrate its effectiveness to management and/or to use in your publicity materials the next time you run the roadshow. Consider an informative write-up for your company magazine and the Security Zone, perhaps quoting feedback comments from those who attended this time.

To extract even more value from the investment, you might turn this into a permanent unattended display in a glass case in, say, Reception or the staff restaurant. The trick to keeping permanent displays engaging is to focus on specific issues and items (such as your monthly security awareness topics), changing the content before it becomes stale and boring. For further clues about making it eye-catching, look at the end-of-aisle or sale counter displays in shops, browse any trade show and speak to your esteemed colleagues in Marketing. For bonus marks, make the static display animated and interactive with a touch screen. If you think creatively, it's really not hard to drag your security awareness program kicking and screaming out of the Dark Ages.

More ideas along these lines to follow when inspiration coincides with a free moment ... Meanwhile, what ideas along these lines have you tried?


1 Aug 2014

Cloud security awareness update

We have just updated the NoticeBored security awareness module on cloud computing - well, I say "updated" but it was practically rewritten from scratch - new PowerPoint slide decks, new briefings, new posters, new cloud security metrics and so on.  

Things have moved on some way in cloud computing since we first wrote the module in 2011.  Cloud security is still evolving.  It wasn't hard to find a handful of novel cloud security challenges that have literally come to light within the past month or so to illustrate the module, making it highly topical.

The relationship management aspects of cloud computing caught our attention this time.  One of the items in the module is a due diligence checklist for management to assess the information security aspects of potential cloud service providers before jumping into bed with them.  

Read more about the cloud security awareness module here and get in touch if your awareness program would benefit from a new perspective.