Welcome to the SecAware blog

I spy with my beady eye ...

11 Mar 2017

NBlog March 10

Well here we are on the tenth of the month already with April's awareness module looking disappointingly sparse at this point:

Nothing is actually finished as yet (no black ticks) but there are several items on the go and the thinking is in full swing.

The 'train the trainer' piece is the furthest advanced, thanks to two things. The scope and purpose of the awareness module is taking shape (it looks like the name of the module might be "Security innovation"), and we've come up with some creative and innovative ideas for security awareness - quite a few, in fact. After furiously writing a page of bullet points I had to take a break in order to get on with other things.

Those 'other things' included discussing some potential ISO27k consulting work with a new client and trying to find out what happened to a previous metrics consulting/training proposal that plummeted into the deep dark depths of the NZ government official tendering process. [Conveniently, the NZ government is currently running a supplier survey about their tendering process, giving me the chance to get a few things off my chest - albeit anonymously because I'm a coward still hoping to get more business from them!]

I've also been thinking, blogging about and discussing the latest revelations on Wikileaks about the CIA's hacking tools. Big Brother's cloak of secrecy is looking distinctly menacing at this time. This is an interesting and vital societal concern that's clearly in the news headlines right now, making it a strong candidate for a future security awareness module ... except that we've done a fair bit on and around this topic already, not least as a result of the Snowden debacle. There's a veritable swarm of possible awareness topics floating around the headlines, including governance, accountability, oversight, Big Brother, hacking, privacy, compliance, risk, cybersecurity and more, so it shouldn't be hard to find something relevant that we haven't covered for a while, if ever. Responsible disclosure springs to mind, along with whistleblowing, so I'll pencil those into the NoticeBored topic diary (actually a whiteboard in the office).

Meanwhile, our research on security innovation continues apace. We've come across a fascinating insight into the systematic process of hackers finding zero-day technical vulnerabilities in a particular model of webcam. It turns out the cheap Chinese thing is bristling with design flaws and/or bugs that affect a huge number of webcams built around the same OEM core. Who'd have thought it, eh? Worse still, there are little hints that the webcam might perhaps have been pre-infected with botware at the factory, perhaps deliberately. Anyway, it is a handy situation to discuss in all three streams of the security innovation module, including a case study. The story is too technical, complex and obscure to use as-is but we ought to be able to simplify and generalize the case to stimulate a lively discussion around privacy, security and new technology, making it a winner for security awareness purposes.
