Welcome to the SecAware blog

I spy with my beady eye ...

16 Jan 2015

Management awareness paper on security compliance metrics

Compliance with information security related obligations, privacy laws in particular, was already a major issue for management when this paper was written back in 2007. Over the succeeding years, it has grown even bigger and yet we still often hear people discussing compliance in simplistic, black-and-white or binary terms in the sense of "You either comply or you don't". In reality, compliance is usually a matter of interpreting and weighing-up the evidence concerning the extent to which the obligations have or have not been fulfilled, and their relative importance. Compliance may not be glorious Technicolor but there are definitely shades of grey!

This metrics briefing proposed a few simple measures of the extent and speed of compliance, as well as the costs relating to or arising from compliance.  

In addition to legislation, it mentioned compliance with and enforcement of corporate policies and other requirements (such as good security practices and contractual obligations - PCI-DSS being a classic example).  

We developed further and elaborated on the concept of a 'security compliance status' metric that was introduced in this paper in later briefings. Looking at the paper now, with the benefit of hindsight, it seems rather naive but it served a purpose as a security awareness item for managers.

7 Jan 2015

Time to drop 'regular' password changes?

A mediocre bit of journalism in Forbes notes a security breach at NVIDIA, the video card company, that was notified to employees by an email from their Privacy Office last month.

The email is light on details about the breach, apparently, but it appears employee usernames and passwords may have been compromised in some manner.  For some reason, the journalist latched on to particular parts of the security awareness advice included in the email concerning being alert to phishing and care over passwords: maybe he has additional information about the incident ... or perhaps he simply doesn't understand what he's reporting.

According to the Forbes piece, NVIDIA's email includes the recommendation "Regularly change your passwords on both company and personal accounts. Avoid using the same password for more than one account".

From the information security perspective, I agree with not re-using passwords (although that has significant implications given the number of accounts that most of us currently maintain) but regular password changes can be counterproductive: it is hard enough to generate and remember one good password or passphrase, let alone a new one every so often. If employees are to use unique passwords on each system, the additional requirement to change them 'regularly' is onerous, especially as the reasons for doing so are, at best, obscure and perhaps erroneous.

'Regular' password changes have been part of the folklore in IT for decades, but I don't really understand the origin of the approach, nor why it continues today. I'm all in favour of irregular/one-off password changes, by which I mean people ought to be able and urged to change their passwords promptly if there is any hint of a breach. I guess one could argue that 'regular' password changes get them used to the mechanism so they can change their passwords more efficiently when they actually need to do so, in other words 'regularly' changing passwords may have some value as an exercise, a way to practice ... but at what cost?

'Regular' password changes do reduce the period during which someone who has somehow obtained or guessed a pasword can use the account, but password lifetimes are typically between one and three months: an identity thief can do a lot of damage in minutes, let alone days, weeks or months. If that is the intended effect of the control, it is very weak.

A better security control in that case is to tell users at login time when they last logged in: if someone else has been using the account, the time since last login can be a dead giveaway. This used to be a bog-standard feature on networked IT systems two decades ago, but is vanishingly rare today. 

Automated activity monitoring on the systems could, potentially, make the control even more effective: if a given user normally only logs in on work days during normal working hours from the LAN, but suddenly logs in out of hours or from a remote system, that change can be identified by the system and yellow flagged. If subsequent activities by the user on the same session turn out to be suspicious (e.g. unusual transactions, security events etc.), it may be appropriate to raise the red flag, block the account, and have someone contact the user to find out exactly what's going on. This is real time risk management, much more effective than 'regular' password changes ... but of course it is a complex and potentially costly and disruptive approach. It may be appropriate for relatively high-risk systems (e.g. banking, safety or missile-launch systems) but probably not for most. It's down to the owners of the systems to determine which controls are necessary to address the risks of concern. 'Regular' password changes may conceivably be appropriate but I'd be interested to see the justification in terms of the risks and the cost-effectiveness of the control.

There's loads more to say about passwords and user authentication in this month's NoticeBored security awareness module.


6 Jan 2015

Management awareness paper on physical security metrics

In the context of information security, physical security is about protecting tangible assets holding, communicating or processing valuable information - primarily ICT systems and data storage media - from physical incidents such as theft, criminal or accidental damage, loss, sabotage, fire, flood, mechanical breakdown, electrical surges, dips and power cuts, static discharge, magnetic or electrical interference etc. that would damage the information content or the services provided.

Strictly speaking, it includes physical protection for people, workers particularly, since we also constitute physical information assets - well most of us anyway (some are liabilities!).  'Health and safety' is, in a sense, part of information security, along with substantial parts of HR.

This very brief metrics discussion paper, written seven years ago, does not explore the entire scope of physical security but mentions just a few considerations around physical security targets and measurements.  It was not one of our best efforts ... and yet it might just prompt you to think of something worth measuring in your situation.

I promise the quality of this series of papers improves as we head into 2015. Our understanding of metrics improved markedly as we did the thinking and research for the PRAGMATIC book, on top of which we revisited, updated and expanded on the older papers as we completed successive cycles of information security topics. Yes, I know it's "jam tomorrow" but stick with us and enjoy the journey.