Welcome to the SecAware blog

I spy with my beady eye ...

31 Mar 2016

Network security awareness

Suppose you decide, or are required, to raise awareness among your employees of the security aspects of networking. What do you want to cover? What are the main things you want to get across? 

Think about that for a moment.

Something that naturally springs to mind is IT network security, Internet security in particular. I guess you were mostly thinking about hackers, malware, firewalls, VPNs, that sort of thing, and fair enough those are certainly significant issues ... but wait, just as there’s more to information security than IT or cyber-security, there's more to network security than IT networks! 

April’s NoticeBored awareness module takes on a wider brief, including classical IT network security (TCP/IP, the Internet, portable/mobile IT devices, VOIP, VPNs and all that jazz), current IT network security challenges (particularly cloud and IoT, plus home-office/private networking), and information security aspects of other forms of networking (social networks, business networks, collaborative working and so on). 

Having said that, it is neither realistic nor necessary for the awareness program to attempt to cover the entire scope of network security in-depth this month. Several of those topics are covered individually through separate awareness modules anyway, so April’s module glosses over certain areas to delve deeper into others, all the while hinting at the full breadth of this topic and finding (we hope) unusual angles to spark employees’ imaginations.

For instance, one of the senior management briefings says (in part):
"Network security is both a technology and a business issue. More than mere information conduits, networks bind ICT (information and communications technology) systems, people, teams, departments, business units, organizations and communities together. They transport telephone conversations, emails, orders and commands around the world at the speed of light … along with viruses, hacks and online frauds. Networks have to a large extent supplanted books for the transmission of knowledge, for entertainment and social contact.  They are part of our lives."
Speaking as a former academic, long-time bookworm and library-lover, I have personally experienced the shift towards online/electronic information sources over the past 15 years or so. I vividly recall snipping/ripping articles out of industry magazines, survey reports, marketing blurb and so on at the turn of the new millennium, systematically filing them away on a wall-mounted filing system for later reference according to the information security topics. I think I still have the the now empty filing racks, their dog-eared contents having long since been recycled. During the interim/transition period, I found myself systematically filing electronic articles, clips and scans in basically the same way, on disk in directories ... but I don't even do that much today.  Instead I Google stuff, usually selecting "Posted within the past month" under the advanced search options. I still read the occasional book, but more for entertainment and contemplation than for information transfer.

Printed materials are so 20th Century. 

The network is it.  

And Google rocks.

Gary (Gary@isect.com)

PS  Am I the only one who gets intensely frustrated at those tedious PDF flip-the-page online magazines and journals?  Zooming in and out and tugging the page around on the screen just to see the bits I want to read is nuts, and goes against the grain. I guess traditional print publishers are (on the whole) still locked into the typesetting mindset, laying out the page as they want it to be, rather than what suits the reader - or rather the readers, because we're all different, as well as our screen sizes and visual acuity. Fixed typesetting is a broken and outdated paradigm, as far as I'm concerned. 

Mind you, thinking that through, I wonder whether our security awareness documents should still be designed and laid out in Word for the printed page rather than the screen? And should our seminar slide decks be sequential one-screen-at-a-time 'slides' after all, even with animated transitions and illustrations?  Hmmm, food for thought.

30 Mar 2016

Creative approaches to information security induction/orientation

This morning, my beady eye has been caught by an excellent Harvard Business Review article from 2007 about creative approaches to new employee orientation/induction. In particular, I was struck by this:
"New employees go through an exhausting three-month immersion process, a sort of organizational boot camp, in which top management, including the CEO, oversees their every step. In the first month, new recruits participate in fast-paced creative projects, in teams of about 20, under the mentorship of more-experienced colleagues called section leaders. In the second month, the project teams are shuffled and split into smaller “breakthrough teams” charged with inventing product or service ideas, creating business models, building prototypes, and developing marketing plans—all in hyperaccelerated fashion. In the third month, the recruits have to demonstrate their capacity for personal initiative. Some continue working on their breakthrough teams; others find sponsors elsewhere in the company and work on their projects. Upon completion of the program, candidates undergo rigorous evaluation and receive detailed feedback on their performance from colleagues, section leaders, and senior management. The new hires are sent to different parts of the organization, but the bonds they develop during this extreme orientation period remain strong throughout their careers."
Regretfully I've never worked in or with an organization that invested anything like as much in new starters: such approaches are rare in my experience. Mostly, joiners are subjected to a rather tedious series of lectures about policies and procedures, often presented by bored employees who would plainly rather be somewhere else. It's a rite of passage, a compliance formality with all that implies. Such a shame.

Nevertheless, security orientation/induction presents opportunities along similar lines, albeit within the narrower confines of information security. For example, we encourage our clients' information security and physical/site security people to get actively engaged in employee security orientation sessions, as opposed to expecting someone from HR, IT or Training to deliver them on their behalf. The key reason is that this is the first proper opportunity to build personal relationships with the new arrivals - to impress on them the value of information security and the importance of their role as integral components of the Information Security Management System.  From the other perspective, it's also a chance to 'put a face to the name' so that when an employee comes across a security issue or query, they are more inclined to call it in.

Personally, I don't think it unreasonable to expect the Information Security Manager and other members of the department (such as the Security Admin or Help Desk people) to deliver general employee security induction sessions in person. I appreciate that they are busy people so it comes down to a matter of priorities and making efficient use of their valuable time. Making sure the security induction session is focused and slick using professionally-crafted security awareness/training materials will help maximize the impact for minimum effort, time and outlay.

When it comes to security induction for new managers, it makes even more sense for the ISM or CISO to get directly involved. Rather than the usual group induction sessions, we recommend organizing one-on-one briefings with managers, either in the office or (discreetly) in a cafe or restaurant - a chance for a bit of a chat if not a full and frank exchange of views. It's an excellent opportunity to establish mutual understanding and respect with a huge payoff in terms of management support for information security and information security support for the business (both invaluable!). Bring managers quickly up to speed on the information risk and security objectives, strategies policies and metrics, and discover how information security can facilitate the business. It's a win-win.

Gary (Gary@isect.com)

23 Mar 2016

Another vendor survey critique

I've just been perusing another vendor-sponsored survey report - specifically the 2016 Cybersecurity Confidence Report from Barkly, a security software company.

As is typical of marketing collateral, the 12 page report is strong on graphics but short on hard data. In particular, there is no equivalent of the 'materials and methods' section of a scientific paper, hence we don't know how the survey was conducted. They claim to have surveyed 350 IT pro's, for instance, but don't say how they were selected. Were they customers and sales prospects, I wonder? Visitors to the Barkly stand at a trade show perhaps? Random respondents keen to pick up a freebie of some sort for answering a few inane questions? An online poll maybe?

The survey questions are equally vague. Under the heading "What did we ask them", the report lists:
  • Biggest concerns [presumably in relation to cybersecurity, whatever that means];
  • Confidence in current solutions, metrics, and employees [which appears to mean confidence in current cybersecurity products, in the return on investment for those products, and in (other?) employees. 'Confidence' is a highly subjective measure. Confidence in comparison to what? What is the scale?];
  • Number of breaches suffered in 2015 [was breach defined? A third of respondents declined to answer this, and it's unclear why they were even asked this]
  • Time spent on security [presumably sheer guesswork here]
  • Top priorities [in relation to cybersecurity, I guess]
  • Biggest downsides to security solutions [aside from the name! The report notes 4 options here: slows down the system, too expensive, too many updates, or requires too much headcount to manage. There are many more possibilities, but we don't know whether respondents were given free rein, offered a "something else" option, or required to select from or rank (at least?) the 4 options provided by Barkly - conceivably selected on the basis of being strengths for their products, judging by their strapline at the end: "At Barkly, we believe security shouldn’t be difficult to use or understand. That’s why we’re building strong endpoint protection that’s fast, affordable, and easy to use"].
Regarding confidence, the report states:
"The majority of the respondents we surveyed struggle to determine the direct effect solutions have on their organization’s security posture, and how that effect translates into measurable return on investment (ROI). The fact that a third of respondents did not have the ability to tell whether their company had been breached in the past year suggests the lack of visibility isn’t confined to ROI. Many companies still don’t have proper insight into what’s happening in their organization from a security perspective. Therefore, they can’t be sure whether the solutions they’re paying for are working or not."
While I'm unsure how they reached that conclusion from the survey, it is an interesting perspective and, of course, a significant challenge for any company trying to sell 'security solutions'. I suspect they might have got better answers from execs and managers than from lower-level IT pro's, since the former typically need to justify budgets, investments and other expenditure, while the latter have little say in the matter. The report doesn't say so, however.

Elsewhere the report does attempt to contrast responses from IT pro's (two-thirds of respondents, about 230 people) against responses from IT executives and managers (the remaining one-third, about 120) using the awkwardly-arranged graphic above. The associated text states:
"When our survey results came in, we quickly noticed a striking difference in attitudes among IT professionals in non-management positions and their counterparts in executive roles. These two groups responded differently to nearly every question we asked, from time spent on security to the most problematic effect of a data breach. Stepping back and looking at the survey as a whole, one particular theme emerged: When it comes to security, executives are much more confident than their IT teams."
Really? Execs are "much more confident"? There is maybe a little difference between the two sets of bars, but would you call it 'much' or 'striking'? Is it statistically significant, and to what confidence level? Again we're left guessing.


What do you make of the report? Personally, I'm too cynical to take much from it, aside from these inane comments. It leaves far too much unsaid, and what it does say is questionable. Nevertheless, I would not be surprised to see the information being quoted or used out of context - and so the misinformation game continues.

On a more positive note, the survey has provided us with another case study and further examples of what-not-to-do.

19 Mar 2016

How effective are our security policies?

On the ISO27k Forum today, someone asked us (in not so many words) how to determine or prove that the organization's information security policies are effective. Good question!

As a consultant working with lots organizations over many years, I've noticed that the quality of their information security policies is generally indicative of the maturity and quality of their approach to information security as a whole. In metrics terms, it is a security indicator.

At one extreme, an organization with rotten policies is very unlikely to be much good at other aspects of information security - but what exactly do I mean by 'rotten policies'? I was thinking of policies that are badly-written, stuffed with acronyms, gobbledegook and often pompous or overbearing pseudo-legal language, with gaping holes regarding current information risks and security controls, internal inconsistencies, out-of-date etc. ... but there's even more to it than their inherent quality since policies per se aren't self-contained controls: they need to be used which in practice involves a bunch of other activities.

At the other extreme, what would constitute excellent security policies? Again, it's not just a matter of how glossy they are. Here are some the key criteria that I would say are indicative of effective policies:
  • The policies truly reflect management’s intent: management understands, supports and endorses/mandates them, and (for bonus points!) managers overtly comply with and use them personally (they walk-the-talk);
  • They also reflect current information risks and security requirements, compliance obligations, current and emerging issues etc. (e.g. cloud, BYOD, IoT and ransomware for four very topical issues);
  • They cover all relevant aspects/topics without significant gaps or overlaps (especially no stark conflicts);
  • They are widely available and read … implying also that they are well-written, professional in appearance, readable and user-friendly;
  • People refer to them frequently (including cross-references from other policies, procedures etc., ideally not just in the information risk and security realm);
  • They are an integral part of security management, operational procedures etc.;
  • They are used in and supported by a wide spectrum of information security-related training and awareness activities;
  • Policy compliance is appropriately enforced and reinforced, and is generally strong;
  • They are proactively maintained as a suite, adapting responsively as things inevitably change;
  • Users (managers, staff, specialists, auditors and other stakeholders) value and appreciate them, speak highly of them etc.
As I'm about to conduct an ISO27k gap analysis for a client, I'll shortly be turning those criteria into a maturity metric of the type shown in appendix H of PRAGMATIC Security Metrics.  The approach involves documenting a range of scoring norms for a number of relevant criteria, developing a table to use as a combined checklist and measurement tool. Taking just the first bullet point above, for instance, I would turn that into 4 scoring norms roughly as follows:
  • 100% point: "The policies truly reflect management’s intent: management full understands, supports and endorses/mandates them, managers overtly comply with and use them personally, and insist on full compliance";
  • 67% point: "Managers formally mandate the policies but there are precious few signs of their genuine support for them: they occasionally bend or flaunt the rules and are sometimes reluctant to enforce them";
  • 33% point: "Managers pay lip-service to the policies, sometimes perceiving them to be irrelevant and inapplicable to them personally and occasionally also their business units/departments, with compliance being essentially optional";
  • 0% point: "Managers openly disrespect and ignore the policies. They tolerate and perhaps actively encourage noncompliance with comments along the lines of 'We have a business to run!'"
During the  gap analysis, I'll systematically gather and review relevant evidence, assessing the client against the predefined norms row-by-row to come up with scores based partly on my subjective assessment, partly on the objective facts before me. The row and aggregate scores will be part of my closing presentation and report to management, along with recommendations where the scores are patently inadequate (meaning well below 50%) or where there are obvious cost-effective opportunities for security improvements (low-hanging fruit). What's more, I'll probably leave the client with the scoring table, enabling them to repeat the exercise at some future point e.g. shortly before their certification audit is due and perhaps annually thereafter, demonstrating hopefully their steady progress towards maturity.


16 Mar 2016

Password articles

Love em or loathe em, passwords remain the primary means of authenticating people when logging-on to IT systems.

Publishers Taylor & Francis have just released a collection of security journal articles concerning passwords, a mixed bag published in T&F journals over the past decade or so, the whole being a reasonable reflection of the evolving state of the art.

I haven't read all ~40 articles but so far I have enjoyed:

Gary (Gary@isect.com)