Welcome to the SecAware blog

I spy with my beady eye ...

30 Sept 2014

Cybertage - our 50th security awareness topic

We have just achieved a significant milestone with the release of a NoticeBored module covering the fiftieth topic in our ever-growing information security awareness portfolio.

Our topic for October is “cybertage”, meaning sabotage in cyberspace. As you might surmise from the stark red awareness poster in the style of 1940s public safety warnings, cybertage is an age-old subject. It even pre-dates IT: propaganda, for instance, involves deliberately using information to manipulate, undermine and - yes - cybertage an enemy. It is of little consequence how propaganda is delivered: leaflets, emails, stone tablets, CNN, wax cylinders, Blogger, Morse code, hilltop beacons, whatever. Message trumps medium. As with security awareness, it’s the content that matters most.

Today’s cyberteurs are truly spoilt for choice. They have the potential to attack their targets through the Internet and a variety of media, and as we learned from Stuxnet, even air-gaps are an imperfect defense against sophisticated malware. Our IT systems and networks make juicy cybertage targets in their own right. Add to that the possibility of smear campaigns spreading vicious rumours and half-truths through social media and ‘customer review and feedback’ sites, and the power of cybertage in the 21st Century becomes alarmingly obvious.

But wait, there’s more! Cyberteurs walk among us. They lurk in our midst, waiting to strike from within. All it takes is a careless, cutting remark, a snub from management or some other incident to turn our once-loyal colleague into a raving virtual-ax-wielding cyberteur, intent on getting his own back by inflicting maximum grief on the corporation.

Cybertage is a novel topic for the security awareness program, something deliberately out-of-the-ordinary that we hope will catch you and your colleagues’ imaginations as it did ours. However, we appreciate that this is a delicate issue, and that raising awareness could conceivably induce people who are so inclined to commit cybertage. 

On balance, as with several other modules in the NoticeBored portfolio, we take the position that in the unlikely event that any disgruntled, unethical employees do become cyberteurs solely as a result of these awareness materials, the far greater number of security-aware and motivated colleagues who will notice and discourage, warn or report them represents an effective information security control. It seems to us that the alternative – blind faith and ignorance, ignoring the issue in the hope that it will go away – is worse than useless.

However, if customers feel that we are biased, and that we might even be undermining (cybertaging!) their information security arrangements, they can choose to avoid the awareness topic completely or be more circumspect or focused in how they approach it.

Our job as authors is to provide high quality ammunition for your security awareness program: it’s up to you to load, aim and fire!

So what does your security awareness program have to say about cybertage and 49 other information security matters? Feel free to contact me directly if NoticeBored sounds like something you could use. Mention this blog for Mates Rates!

Gary (Gary@isect.com)

27 Sept 2014

More unsociable engineering

An unsolicited email from someone I have never heard of that reads "Hello, I am seeking representation for a wrongful dismissal. Please advice if this is your area of practice and how much it will cost me to retain your firm" may be brief but it smells distinctly like yet another social engineering scam - presumably an attempt at identity theft, advance fee fraud or some such dastardly deed. The possibility of a lucrative business deal is a classic social engineering lure, while the sense of urgency is sure to follow.

We are not a legal firm and we don't represent others in employment disputes, but if we were, and if we weren't quite as security-aware and alert for scams of this nature, one of us might have fallen for it or something similar. Given the scammers' negligible costs and income from past hits, carving suitable hooks to ensnare vulnerable people in all manner of professions, industries, organizations, cultures, hobbies etc. only requires a little knowledge/research and creativity - and there's a powerful lesson from history: fraudsters are cunning. Remember those slap-the-forehead moments when you either figure out what they are up to, or some kind soul explains it to you? Like good magic tricks, they are only 'obvious' once you discover how they work. Prior to that point they are, of course, pure magic.

Projecting forward, it is surely just a matter of time before the scammers figure out how to catch us out too ... in fact I can't be 100% certain that we aren't victims already (can anyone?), which reminds me to review our business continuity and contingency arrangements. Forewarned is forearmed.