Welcome to the SecAware blog

I spy with my beady eye ...

29 Dec 2018

NBlog Dec 29 - awareness case study

The drone incident at Gatwick airport makes a good backdrop for a security awareness case study discussion around resilience.  

It's a big story globally, all over the news, hence most participants will have heard something about it. Even if a few haven't, the situation is simple enough for them to pick up on and engage in the conversation.

The awareness objective is for participants to draw out, consider, discuss and learn about the information risk, information or cybersecurity aspects, in particular the resilience angle ... but actually, that's just part of it. It would be better if participants were able to generalize from the Gatwick drone incident, seeing parallels in their own lives (at work and at home) and ultimately respond appropriately. The response we're after involves workers changing their attitudes, decisions and behaviors e.g.:
  • Considering society's dependence on various activities, services, facilities, technologies etc., as well as the organization and their own dependencies, and ideally reducing dependence on vulnerable aspects;
  • Becoming more resilient i.e. stronger, more willing and able to cope with incidents and challenges of all kinds;
  • Identifying and reacting appropriately to various circumstances that are short on resilience e.g. avoiding placing undue reliance on relatively fragile or unreliable systems, comms, processes and relationships;
  • Perhaps even actively exploiting situations, gaining business advantage by persuading competitors or adversaries to rely unduly on their resilience arrangements (!).
Assorted journalists, authorities and bloggers are keen to point out that the Gatwick drone incident is 'a wake-up call' and that 'something must be done'. Most imply that they are concerned about other airports and, fair enough, the lessons are crystal clear in that context ... but we have deliberately expanded across other areas where resilience is just as important, along with risk, security, safety, reliability, technology and more.

That's a lot of awareness mileage from a public news story but, as with the awareness challenge, putting the concept into practice is where we earn our trivial fees!

Visit the website or contact me to find out more about the NoticeBored service, and to quote you a trivial price - so low in fact that avoiding a single relatively minor incident should more than justify the annual running costs of your entire security awareness and training program. 

By the way, we set our sights much higher than that!

28 Dec 2018

NBlog Dec 28 - US Dept of Commerce shutdown

Earlier this year I heard about the threatened shutdown of WWV and WWVH, NIST's standard time and frequency services, due to the withdrawal of government funding - an outrageous proposal for those of us around the world who use NIST's scientific services routinely to calibrate our clocks and radios.

Today while hunting for a NIST security standard that appears to no longer be online, I was shocked to learn that it's not just WWV that is closing down: it turns out all of NIST is under threat, in fact the entire US Department of Commerce.

Naturally, being a large bureaucratic government organization, there is a detailed plan for the shutdown with details of certain 'exempt' government services that must be maintained according to US law although how those services and people are to be paid is unclear to me. After the funding ceases, DoC employees are required (or is that requested?) to turn up for work for a few more hours to set their out-of-office notifications (on the IT systems that are presumably about to be turned off?), then piss off basically.  

To me, that's an almost unbelievably callous way to treat public servants. 

So is this fake news? Is it "just politics", brinkmanship by Mr Trump's administration I wonder? 

The root cause, I presume, is the usual disparity between the government's income and expenses, fueled by battles between the political parties plus their 'lobbyists' and the extraordinarily xenophobic pressure to spend spend spend on 'defense'. I gather US-Mexico border wall is, after all (surprise surprise) to be funded by the US, so that's yet another splash of red ink across the government's books.

27 Dec 2018

NBlog Dec 27 - gamifying awareness

We've come up with an idea for our next awareness challenge

January's topic is 'resilience', a concept that means different things to different people. So what does it mean to workers? What is 'resilience' about? What does it imply? What are the key aspects, the things that everyone ought to know about?

The concept we have in mind for the awareness challenge is simple enough: under guidance from the NoticeBored awareness materials, groups of workers discussing and exploring their understanding of the term 'resilience' will occupy the bulk of the challenge. Turning that into a practical and engaging awareness activity takes a bit more work though.

Our approach involves prompting and supporting someone - ideally an information security awareness and awareness professional - to deliver an effective session. Short of actually leading the session in person, we provide the materials and the inspiration to make the event fly, awareness by proxy you could say.

Despite our experience of being out there, doing it, the particular awareness audience and leader/presenter forms a unique combination. That's the tricky bit! It would be straightforward to prepare narrowly-scoped materials for a specific event but we have customers at different stages of maturity in their awareness and training programs, in a variety of organizations and industries or contexts ... hence we deliberately keep the NoticeBored challenges reasonably flexible and open-ended. They may be run as one or more discrete events specifically for this purpose, or as sessions incorporated within some other event such as a briefing, training course or seminar. Online sessions are possible too, ideally in a manner that retains some social interaction. Participants should learn stuff from each other and have fun doing it.

'Having fun doing it' is not just about having a good time: do you recall those deadly dull awareness and training sessions of old where fun was not part of the equation? We remember the aggravation and tedium more than the content. Some of us even actively avoided or evaded the sessions while attendees generally resented being lectured-at. Overall, a very negative experience, counterproductive and ineffective. How not to do it.

The nasty neologism 'gamification' has been coined for a different approach, although exactly what it means is uncertain. To some it means literally turning awareness and training into a game, for example snakes and ladders or monopoly with playing boards and rules adapted to the subject. Climb up the security controls or slide down the risks and incidents, perhaps, or rather than buying properties, seize control of them by hacking, social engineering or malware. 

To software-based awareness companies, it evidently means crude, low-budget computer games with cartoon characters and pixellated graphics reminiscent of Pong

Either way, there is more than just a hint of treating workers as children. Picture it: "Warning! This awareness game contains scenes that may upset some people. Seek the guidance of a parent or guardian."

To us, 'gamification' is more to do with socializing information security. We provide factual and conceptual information to groups of people, encouraging them to interact with both the awareness materials and with each other in an upbeat, positive, engaging setting - such as an awareness challenge. Having fun is a valuable part of the approach, the means to an end rather than an end in itself.  If fun was THE objective, it would be easier just to send everyone to the bar to liquefy what remains of the awareness and training budget.

26 Dec 2018

NBlog Dec 26 - making the workforce resilient

A resilient workforce is well-prepared to cope with whatever stuff is thrown at it, all manner of challenges and incidents ... like this for instance:

Security-aware workers are an important defensive control: we really ought to recognize this email for what it is - an obvious social engineering attack, a crude attempt to dupe us into opening the attachment ... but awareness is not the only control, a good thing too since we are only human. A truly resilient organization has a comprehensive suite of information security controls that come into effect both before, during and after the email gets delivered, even if a hapless worker receives and falls for the con, opening that attachment.

In information security, resilience is largely achieved through layered, overlapping and complementary controls. Individually none of them can totally eliminate the risks, but collectively the risks are reduced to the point that we can handle the remaining issues - at least that's the theory! Incident management is part of it, along with risk and business continuity management including resilience engineering, disaster recovery and contingency, for those unanticipated situations that we weren't expecting. 

Awareness and training support all those aspects as well. The NoticeBored materials directly address management and professionals, as well as the general workforce, because they have distinct roles in making the organization resilient. Managers set key objectives, define priorities and control corporate assets, particularly funding. Professionals advise, guide and assist management in those activities, and are further responsible for implementing management edicts. A security awareness and training program that ignores either or both of those audiences is like a car with neither steering nor engine: fine as long as everything is heading downhill in the right direction. 

14 Dec 2018

NBlog Dec 14 - choosing ISO27k products

On ISO27k Forum today, a new member asked for advice on whether a 'complete package' would help the organization achieve ISO/IEC 27001 certification.

It's hard to answer without knowing more about the organization and its people (especially the management and specialists), their experience and maturity in respect of information risk and security, and ISO management systems, and the business context.  For example:
  • A small engineering company is in a different position to, say, a large charity, a government department or a multinational: its complexity, information risks, information security controls and other factors vary;
  • A company in a heavily-regulated industry such as healthcare, finance or defense is probably more compliance-driven, its management and workforce more comfortable with structured and systematic ways of working than, say, a retailer or farmers' cooperative;
  • An organization that is 'surrounded' or owned by ISO27k-certified organizations may be under more pressure to implement than a pioneer, especially if there are commercial pressures or contractual/regulatory obligations in this area (e.g. for privacy reasons);
  • A patently insecure organization that has suffered one or more serious infosec incidents, breaches, compliance failures etc. is likely to be under more intense pressure to reform and 'get secure' than one which is (or believes itself to be) relatively secure, doing OK at the moment but maybe looking into ISO27k as a strategic opportunity, supporting other initiatives and complementing other management systems maybe;
  • A mature, specialized, narrowly-focused, relatively simple and stable organization (such as a steel mill) probably needs far less flexibility in its ISMS than one which is highly dynamic, growing fast, chasing different markets and proactively innovating (such as manufacturer of IoT things).
Also, despite the additional wording in the original query, I'm not at all sure what a 'complete package' is. That might mean any of the following, alone or in combination:
  • Documentation e.g.:
    • Sets of ISO27k and possibly other standards (the core set of ISO/IEC 27000, 27001, 27002, 27003 and 27005 are almost universally recommended);
    • Generic template/skeleton ISMS documentation such as scope, SoA, RTP etc.;
    • Generic infosec policies and procedures etc.;
    • Generic project/program plans, frameworks etc.;
    • Generic, structured methods/approaches etc.;
    • Tailored documentation to suit the general type/size of business, industry etc.;
    • Bespoke or heavily customized documentation, competently tailored to suit a particular organization;
  • ISMS-related consultancy-type services of various kinds e.g.:
    • Training and awareness services for individuals, teams or the entire organization;
    • Help with the program and project governance and management aspects e.g. planning, resourcing, metrics, targets, project risk management;
    • Mentoring, guidance and advice for the CISO/ISM, ISMS implementation project manager/team and perhaps others e.g. senior management, risk management, IT audit, IT, Facilities, HR, Operations, Privacy ...;
    • All manner of gap analyses, reviews, audits, benchmarks etc. to assess and report on the current situation and help determine future directions, priorities etc.;
    • Full-time hands-on ISMS project and program management leading to permanent ISM and CISO roles;
    • Part-time local and/or remote support, advice, mentoring etc. for the permanent on-site team - including perhaps assistance with the recruitment and training of such a team;
    • Business development consultancy e.g. help to re-position and market the organization as an ISO27k-certified secure, trustworthy, reliable supplier or whatever;
  • Systems e.g.:
    • IT systems specifically supporting an ISO27k ISMS, or any kind of ISMS, or more generally information risk and security-related;
    • Document Management Systems, possibly pre-loaded with [generic but hopefully customizable, relevant and suitable] ISO27k ISMS documentation;
    • Learning Management Systems, possibly pre-loaded with ISO27k-related training materials, courses, tests etc.;
    • Private, hybrid or public cloud-based apps;
    • Structured methods, frameworks and approaches in this area, with or without IT components; 
  • Something else!
Some of those options above are much more valuable than others (note: 'valuable' is not the same as 'expensive': some are free!). Comprehensive materials and support services might suit your organization (if you can afford them, and if they cover all your requirements!), but you might be better off with an appropriate selection and combination of point-solutions addressing more specific weak-points and needs, complementing and reinforcing the organization's existing resources and capabilities.

Lastly, I'll throw-in another important factor to consider: the nature, quality and value of the products (both goods and services) depends heavily on the suppliers or sources - their competence, experience, expertise (both depth and breadth), quality assurance, creativity and so forth. Are they new to the market, full of brash enthusiasm and bright ideas but short on history and perhaps credibility? Are they old, established, set-in-their-ways maybe? Are they ISO27k specialists (e.g. they ONLY offer ISO27k training courses), broader ISO27k and infosec suppliers (e.g. they provide training plus consulting plus systems) or generalists (e.g. the auditing/accounting/business consultancies)? Are they well-known and highly respected in the field with glowing customer references, or relatively unknown with dubious credentials? Oh and are you certain the products on offer are what will actually be delivered (avoiding the old bait-n-switch scam)?  

I hope this general advice helps. I appreciate that it raises far more issues than it answers ... but hopefully those questions and considerations are a lot more useful than the alternative "Well, it all depends!"

8 Dec 2018

NBlog Dec 8 - bashing tick-n-bash

Auditing compliance with rules defined in policies, standards, laws and regulations is just one audit approach, commonly and disparagingly known as tick-n-bash auditing.

The rule says X
but you do Y
……. BASH!

It is like being rapped over the knuckles as a kid or zapping a trainee sheep dog through its radio-controlled shock collar. It's a technique that may work in the short term but it is crude and simplistic. The trainee/auditee is hurt and ends up resentful. Strong negative emotions persist long after the tears have dried and the bruising has gone down, making it counterproductive. It’s best reserved as a last resort, in my considered opinion.*

Certification audits are ultimately compliance audits but even they can be performed in a more sympathetic manner. The trick is to combine bashing (where justified) with explaining the requirements and encouraging compliance. It means motivating not just dragging people, and a lot more listening and observing to understand why things are the way they are.

Sometimes there are genuine, legitimate reasons for noncompliance, like for example finding better ways to do things or competing priorities. Sometimes noncompliance achieves a better outcome for the organization and other stakeholders. Actively looking for and exploring such situations turns the audit into a more positive exercise, even if it turns out that noncompliance was indeed unjustified and problematic: the investigation will often turn up root causes that deserve to be addressed, enabling us to treat the disease, not just ameliorate the symptoms. 

Competent, experienced auditors appreciate the value of downgrading relatively minor findings to ‘minor non-conformance’ status, or even on occasions ‘letting things ride’ with informal comments and motivational words of encouragement to the auditees. That then makes any remaining major issues stand out, focusing everyone’s attention on the Stuff That Really Matters – matters to the organization and other stakeholders, for legitimate business reasons. It’s no longer just a matter of “The rule says X”: there are reasons why rule X exists, reasons that deserve attention. Rule X is simply a means to an end, not an end in itself.

From there, it’s but a small step towards effectiveness and efficiency-based auditing, a more sophisticated and intelligent approach than crude compliance auditing. The idea is to identify sub-optimal activities that might usefully be adjusted to improve the outcomes, ultimately achieving business objectives and success. The approach focuses on the positives, on finding creative solutions that most benefit the organization (and, by the way, the individual auditees: more carrot = less stick!). The very premise that some activities might be ‘sub-optimal’ implies a deeper level of understanding about what ‘optimal’ actually means in that context, and a wider appreciation of good practises and alternatives. Being able to recite the rules verbatim, and carry a big stick, is no longer the mark of a good auditor!

In the ISO27k context, the information security controls recommended by ISO/IEC 27002 are intended to address specified control objectives. However, they aren't guaranteed always to achieve those objectives in any given situation, nor are those objectives necessarily relevant and sufficient. Both the control objectives and the controls are generic - general advice intended to suit most organizations. Both need to be interpreted in the specific context of a particular organization. Both may need to be supplemented, extended modified or ignored in various circumstances. That complexity makes it too tough for straightforward compliance auditors, apparently, demonstrating a fundamental limitation of the tick-n-bash approach. That's why an ISO/IEC 27001 compliance certificate confirms the presence of a 'management system' for information risk and security, rather than a secure organization with all the appropriate information security controls in place.

ISO/IEC 27001 specifies that internal audits must be performed on the Information Security Management System but does a poor job of explaining them, in particular it uses the word 'conforms', a synonym for 'complies' with the unfortunate implication that auditing is compliance auditing:

Taking my own medicine, I ask myself "Why? Why does the standard equate auditing with compliance auditing?" The answer lies with the experts responsible for the ISO27k standards, in their biases and prejudices about auditing ... which in turn reflects their experience of auditing ... which I presume is largely compliance auditing ... and so the loop continues. 

Breaking the committee out of that vicious cycle is an objective I have thus far failed to achieve but the current round of standards revision presents another opportunity, a chance to explain, persuade and hopefully convince. Not bash, oh no. 

Longer term, I'd like to push ISO27k further into the realms of assurance and accountability, and beef-up its advice on governance, information risk management, business continuity, and business for that matter. The business context and objectives for information security would be fascinating to explore and elaborate further on. One day maybe. I've learnt to pick my battles though: it takes a winning strategy to succeed in war.

* PS  I have the same philosophy in security awareness and training. To me, security awareness and training works best as a positive, motivational and inspirational technique. Dire warnings and penalties may be necessary to curb inappropriate behaviors and instill discipline but that's a last resort, best reserved for when other techniques have failed. Clearly, I'm no sadist.

7 Dec 2018

NBlog Dec 7 - who owns the silos?

Michael Rasmussen has published an interesting, thought-provoking piece about the common ground linking specialist areas such as risk, security and compliance, breaking down the silos.

“Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy.”

While Michael’s perspective makes sense, connecting, integrating or simply seeking alignment between diverse specialist functions is, let's say, challenging. Nevertheless, I personally would much rather collaborate with colleagues across the organization to find and jointly achieve shared goals that benefit the business than perpetuate today's blinkered silos and turf wars. At the very least, I'd like to understand what drives and constrains, inspires and concerns the rest of the organization, outside my little silo.

Once you start looking, there are lots of overlaps, common ground, points of mutual interest and concern. Here are a few illustrative examples:
  • Information risk, information security, information technology: the link is glaringly obvious, and yet usually the second words are emphasized leaving the first woefully neglected;
  • Risk and reward, challenge and opportunity: these are flip sides of the same coin that all parts of the business should appreciate. Management is all about both minimizing the former and maximizing the latter. Business is not a zero-sum game: it is meant to achieve objectives, typically profit and other forms of successful outcomes. And yes, that includes information security!
  • Business continuity involves achieving resilience for critical business functions, activities, systems, information flows, supplies, services etc., often by mitigating risks through suitable controls. The overlap between BCM, [information] risk management and [information] security is substantial, starting with the underlying issue of what 'critical' actually means to the organization;
  • Human Resources, Training, Health and Safety and Information Risk and Security are all concerned with people, as indeed is Management. People are tricky to direct and control. People have their own internal drivers and constraints, their biases and prejudices, aims and objectives. Taming the people without destroying the sparks of creativity and innovation that set us apart from the robots is a common challenge ... and, before long, taming those robots will be the next common challenge.

Dig deeper still and you'll also find points of mutual disinterest and conflicts within the organization. Marketing, for instance, yearns to obtain and exploit all the information it can possibly obtain on prospective customers, causing sleepless nights for the Privacy Officer. Operations find it convenient or necessary to use shared accounts on shop-floor IT systems in the interest of speed, efficiency, safety etc. whereas Information Risk and Security point out that they are prohibited under corporate-wide security policies for accountability and control reasons.

You could view the organization as a multi-dimensional framework of interconnections and tensions between its constituent parts, all heading towards roughly the same goal/s (hopefully!) but on occasions pulling any which way at different speeds to get there. To make matters still more complex, the web of influence extends beyond the organization through its proximal contacts to The World At Large. That takes us into the realm of chaos theory, global politics and sociology. 'Nuff said.

All the organization's activities fall under the umbrella of corporate governance, senior managers clarifying the organization's grand objectives and optimizing the organization's overall performance by  establishing and monitoring the corporate structures, hierarchies, strategies, policies and other directives, information flows, relationships, systems, management arrangements etc. necessary to achieve them. Driving alignment and reducing conflicts is part of the governance art. Silos are governance failures.

2 Dec 2018

NBlog Dec 2 - Acceptable Use Policies

A question came up on the ISO27k Forum about an Acceptable Use Policy. I'll take this opportunity to dispense a few Hinson Tips (free, worth every penny!). 

AUP isn’t a generally-defined and globally-agreed term. Even “policy” has a spectrum of meanings. So, regardless of what any of us might think or claim it means, what matters is the organization that’s using it – the organizational context. What does your management expect an AUP to be? To achieve? To look like? You should get some useful clues from other similar materials in other areas such as IT, HR and Finance, other functions that to some extent formally express directives. They may or may not be called AUPs, so take a look around the policy-related guidance materials, and preferably talk to the original authors about their work. You will probably pick up some useful tips, maybe even some help to knock your materials into shape. 

Some organizations use AUPs formally, stating employees' obligations for legal purposes. Personally, I prefer conventional policies and employment-related contracts, terms and conditions, rulebooks etc. for that purpose.  I treat AUPs more as guidelines than policies ... but even so that’s on the premise that a ‘guideline’ CAN and generally SHOULD incorporate obligations defined in various policies, laws and regulations – in other words, despite the name, a guideline includes and revolves around mandatory elements. Its purpose, for me, is to explain those obligations in plain language and thereby encourage people to comply. 

Employees shouldn't need to consult a lawyer to figure out what is expected of them. Management should ensure not only that employees are instructed, but they are also helped to understand and fulfill their obligations.

There are various ways to ‘explain and encourage’ employees. A useful approach is to lay out examples covering both acceptable AND unacceptable activities, hence the AUPs in our awareness and training materials look something like this little extract:

The language is reasonably simple and straightforward (avoiding the technobabble and pseudo-legalese that afflicts some of our esteemed colleagues!) and we’re using the obvious green and red color cues plus the ticks and crosses to emphasize do’s and don’ts. We try to have roughly the same number of each, countering the tendency for the whole thing to preach “Thou shalt not …” And separating the reds from the greens gives an otherwise jumbled list a little structure. We’re trying hard to encourage and make it easy for even reluctant, busy, distracted and disinterested readers to read. 

For the same reason, we also take the position that ‘less is more’, meaning that our AUPs have less than 500 words each. They are all one-pagers with a two-column layout. That’s quite a challenge for the AUP author [me!] since words are at a premium which means condensing the AUP down to essentials. Aside from careful wordsmithing, it’s worth asking “If someone barely has the time or interest to glance at this, what are the key messages we’d must put across?”. That approach in turn begs questions about what happens to the other stuff that we’re forced to leave out. For us, it’s easy enough because we also provide briefings and seminar slide decks and conventional policy templates etc., a coherent and comprehensive package of goodies and awareness activities supporting the AUP, all covering the same infosec topic ...

... Which brings up another part of our approach: we don’t try to cover everything all at once. We deliberately break things down into a series of distinct topic areas, allowing us to focus and go into a bit more depth on each topic, moving ahead month-by-month to cover the entire field

Consuming the elephant one bite at a time

If you think one or more AUPs would be useful in your organization but are unsure about the format, you might like to prepare or compile a variety of AUPs in different styles, giving management the chance to consider the options and choose the best ones or the best bits. As well as AUPs from within the organization, look for examples from other organizations (including ours!) to see the range of styles and formats in use. Once you get management's agreement and generate something that is acceptable to all parties, that becomes the template for others ...

... And that's how we work too. All our security awareness and training materials are prepared from templates, making it easier to adopt and stick to a consistent look-and-feel. The templates pre-set things such as:
  • Page/paper size and orientation;
  • Language for spell-checking;
  • The font, font sizes and colors, both for plain content plus the titles, headings, hyperlinks etc. using 'styles';
  • Headers and footers with titles, page numbering and our copyright notice;
  • Page layouts e.g. columns, tables;
  • Document structure e.g. cover page, main headings;
  • Boilerplate text such as sources of further information and contacts at the bottom of almost everything (sometimes customized according to the topic);
  • Miscellaneous formatting e.g. line thicknesses and colors, arrowheads;
  • Diagrammatic styles e.g. the risk-control spectrum and PIG diagrams you'll see pop up occasionally on this very blog;
  • Metadata such as tags to make it easier to search for specific kinds or items of material. 

Our full suite of templates has evolved in the course of a decade and is still being tweaked from time to time. In particular we review and where necessary modify the whole lot annually at the start of the calendar year: updating the copyright notices triggers that process. We try to keep a lid on minor changes during the year in order not to introduce noticeable inconsistencies, so the annual template re-vamp is our opportunity to address any little issues and if appropriate adopt more significant changes, sometimes retiring templates that are no longer proving useful.

Another source of change is the creation of new formats or styles of awareness materials, such as the AUP seen above. New items normally take a couple of iterations and adjustments before stabilizing and being templated, becoming part of the set. 

Finally, there are other tricks of the trade in researching, writing and polishing awareness and training materials that both are and appear professional. A suite of templates is an excellent start but just as important is the way the templates are used, and of course the quality of the information content. We take pride in our work. We care about spelling and grammar. We consider our audiences, and we learn and improve systematically. We're perfectionists by nature. That's the secret weapon that gives us an edge over the usual rather amateurish and slapdash awareness and training content that is so common out there, the stuff that gives our profession a bad reputation. We must do better, raising our game. We're doing our bit. What about you?

30 Nov 2018

NBlog Dec 1 - security awareness on 'oversight'

We bring the year to a close with an awareness and training module on a universal control that is applicable and valuable in virtually all situations in some form or other.  Oversight blends monitoring and watching-over with directing, supervising and guiding, a uniquely powerful combination.
The diversity and flexibility of the risk and control principles behind oversight are applied naturally by default, and can be substantially strengthened where appropriate. Understanding the fundamentals is the first step towards making oversight more effective, hence this is a cracker of an awareness topic with broad relevance to information risk and security, compliance, governance, safety and all that jazz.
It’s hard to conceive of a security awareness and training program that would not cover oversight, but for most it is implicit, lurking quietly in the background.  NoticeBored draws it out, putting it front and center.  
In the most general sense, very few activities would benefit from not being overseen in some fashion, either by the people and machines performing them or by third parties.
To a large extent, management is the practical application of oversight.  It’s also fundamental to governance, compliance and many controls, including most of those in information risk and security. 
Imagine if you can a world without any form of oversight where:
  • People and organizations were free to do exactly as they wish without fear of anyone spotting and reacting to their activities;
  • Machines operated totally autonomously, with nobody monitoring or controlling them;
  • Organizations, groups and individuals acted with impunity, doing whatever they felt like without any guidance, direction or limits, nobody checking up on them or telling them what to do or not to do;
  • Compliance was optional at best, and governance was conspicuously absent. 
Such a world may be utopia for anarchists, egocentrics and despots but a nightmare scenario for information risk and security professionals, and for any civilized society!

Read more about December's NoticeBored security awareness and training module then get in touch to subscribe.

NBlog Nov 30 - P-day

The lack of blogging lately is due to working flat-out to complete December's NoticeBored security awareness module on oversight. 

Today, Friday the 30th of November, it's P-day here in the IsecT office:

  • Posters - two more poster designs are due in from the art department today. This close to the deadline I'd be worried except that, over the years, we have developed a close relationship and understanding with the supplier. I'm confident we'll get the stuff on time, and that it will be good.  Generally, it's right-first-time, which is nice. Our contingency plan involves crayons and a scanner - not pretty but, um, distinctive!
  • Proofreading - checking through the materials for errors and omissions, opportunities for improvement, loose ends to be tied-off and so on. This is oversight, in action. 
  • Polishing - tying-off those loose ends and finalizing the materials. Often I find that having prepared the content for the first stream, working on the second stream reminds me about stuff we should mention or incorporate into the first stream - and the same again with the third stream. There is some iteration, followed by a further round of checks to ensure that all three streams end up consistent, yet reflect the distinct perspectives of the three target audiences.
  • Packaging - we currently use WinZip to package and deliver the materials, an awkward, slow, costly and poorly-supported utility. We really ought to look for a better alternative. Suggestions welcome.
  • Publishing - uploading the materials to the server for customers, updating the NoticeBored website to describe the new module, and notifying subscribers is almost the last step, except for a quick update to this blog if I have time ... because it is ...
  • POETS day - once the month's work is done, it's play time, where 'play' partly involves catching up with all the other stuff that has been piling up on our to-do lists lately - ISO27k drafts to comment on, customers to contact, prospects to persuade, payments to chase. Plus a little R&R. Maybe a small dry sherry and an hour in front of the goggle-box if I'm lucky.
All too soon the cycle turns and it'll be time to start next month's juggling act, the final one of the year. I'll be blogging about our next awareness topic soon. Watch this space

24 Nov 2018

NBlog Nov 24 - elaborating on information risk

High-level corporate, project and personal objectives are often very vague - “A trusted partner”, “A safe pair of hands” or “The best!”. Same thing with corporate mission statements (“Don’t be evil”), marketing/branding (“Just do it”), politics (“Vive la revolution!”) and more. To act on and hopefully achieve them in a rational, directed or controlled manner involves understanding what they really mean, peeling back the layers, exploring the meanings and interpretations in more detail – a process that is inherently uncertain i.e. risky. The upside risk (opportunity) arises from the understanding, insight, specificity and consensus generated as they are discussed, amplified and clarified, while the downside risk includes the opposites e.g. misunderstandings, hand-waving generalities and fragmentation of objectives. 

ISO/IEC 27001 tries to persuade organizations to think through their corporate or business objectives, elaborating on the information risk and security implications which form the main drivers for the Information Security Management System. I’m not entirely sure it succeeds though! Section 4 on the context for the ISMS is extremely important to the ultimate success of the ISMS but the standard's wording is succinct and complex, open to a wide variety of interpretations. It’s a topic we often discuss on the ISO27k Forum. 

It’s a tricky thing to do at the outset of an ISMS design and implementation … and, by the way, something that ought to be actively reviewed and updated as time goes on, not least because if it ISMS itself materially changes the organization. A sound ISMS affects not just achievement of the corporate objectives in this area, but opens up further possibilities for the business. A secure organization has more options.

Aside from personal or individual objectives, all the others involve groups of people working towards shared/common objectives (hopefully), and of course that creates room for differences of interpretation, approach, priorities etc. Hence communication is another risky aspect to this – not datacoms but expressing, discussing, understanding and agreeing on complex issues. It includes persuasion, possibly even social-engineering-type manipulation. This very email is an example: I think I know what I’m trying to say, but I’m certain not all of you will read it, get it and agree with every word! I’m taking a small risk by even expressing it. 

In the information security context, we have numerous objectives, some of which are hard to express and pulling us in different directions (e.g. strong authentication and access controls reduce the availability of information to legitimate/authorized users as well as to the illegitimate/unauthorized ones; strong compliance can be costly and counterproductive). I maintain that exploring and elaborating on them, emphasizing in particular the infosec objectives that most obviously and directly align with and support the organization’s business/strategic objectives is a powerful approach. It certainly makes it harder for anyone to block or interfere with the achievement of security objectives. It can be career-limiting to be seen to be acting against the organization’s interests. Resisting without being obvious about it remains a possibility however!

22 Nov 2018

NBlog Nov 22 - SEC begets better BEC sec

According to an article on CFO.com by Howard Scheck, a former chief accountant of the US Securities and Exchange Commission’s Division of Enforcement: 
"Public companies must assess and calibrate internal accounting controls for the risk of cyber frauds. Companies are now on notice that they must consider cyber threats when devising and maintaining a system of internal accounting controls."

A series of Business Email Compromise frauds (successful social engineering attacks) against US companies evidently prompted the SEC to act. Specifically, according to Howard:
"The commission made it clear that public companies subject to Section 13(b)(2)(B) of the Securities Exchange Act — the federal securities law provision covering internal controls — have an obligation to assess and calibrate internal accounting controls for the risk of cyber frauds and adjust policies and procedures accordingly."
I wonder how the lawyers will interpret that obligation to 'assess and calibrate' the internal accounting controls? I am not a lawyer but 'assessing' typically involves checking or comparing something against specified requirements or specifications (compliance assessments), while 'calibration' may simply mean measuring the amount of discrepancy. 'Adjusting' accounting-related policies and procedures may help reduce the BEC risk, but what about other policies and procedures? What about the technical and physical controls such as user authentication and access controls on the computer systems? What about awareness and training on the 'adjusted' policies and procedures? Aside from 'adjusting', how about instituting entirely new policies and procedures to plug various gaps in the internal controls framework? Taking that part of the CFO article at face value, the SEC appears (to this non-lawyer) very narrowly focused, perhaps even a little misguided. 

Turns out there's more to this:
"As the report warns, companies should be proactive and take steps to consider cyber scams. Specific measures should include:
  • Identify enterprise-wide cybersecurity policies and how they intersect with federal securities laws compliance
  • Update risk assessments for cyber-breach scenarios
  • Identify key controls designed to prevent illegitimate disbursements, or accounting errors from cyber frauds, and understand how they could be circumvented or overridden. Attention should be given to controls for payment requests, payment authorizations, and disbursements approvals — especially those for purported “time-sensitive” and foreign transactions — and to controls involving changes to vendor disbursement data.
  • Evaluate the design and test the operating effectiveness of these key controls
  • Implement necessary control enhancements, including training of personnel
  • Monitor activities, potentially with data analytic tools, for potential illegitimate disbursements
While it’s not addressed in the report, companies could be at risk for disclosure failures after a cyber incident, and CEOs and CFOs are in the SEC’s cross-hairs due to representations in Section 302 Certifications. Therefore, companies should also consider disclosure controls for cyber-breaches."
The Securities Exchange Act became law way back in 1934, well before the Internet or email were invented ... although fraud has been around for millennia. In just 31 pages, the Act led to the formation of the SEC itself and remains a foundation for the oversight and control of US stock exchanges, albeit supported and extended by a raft of related laws and regulations. Todays system of controls has come a long way already and is still evolving.

21 Nov 2018

NBlog Nov 21 - getting the Board on-board

Engaging with the board: Five ways for Chief Information Security Officers to stand out is an excellent advisory from PwC. It stimulated me to think of supplementary advice, a set of corrollaries for PwC's advice.

PwC tip #1: "Invest in your relationships." 
Hinson tip #1: "Don't focus and rely entirely on individual Board meeting/s". Board members may usefully be contacted and briefed or lobbied outside of the meetings, ideally in person over an extended period. You might be introduced through a well-connected senior manager who understands and is sympathetic to the information risk and security objectives (implying they need to be on-board first). Failing that, friendly email, text messages and phone calls work. Better still is to establish a long-term business-like social relationship with the Directors and executives based on mutual respect and trust ... which means finding out about their concerns as much as expressing yours. And, by the way, it's worth asking for feedback and improvement suggestions. Are you pitching stuff appropriately? How could your interactions become more effective?

PwC tip #2: "Be thoughtful when preparing pre-read materials.
Hinson tip #2: "Include the Board and executive/senior management in your security awareness program."  The PwC advisory mentions that  too few Board members are tech-savvy but I'd go further than that. IT/tech and cybersecurity awareness could be higher, yes, but even more important is senior management's broad understanding of information risk and security in general, especially in relation to its value and relevance to the organization's business objectives and to their governance and compliance responsibilities. 

PwC suggests providing executive summaries. A good exec summary doesn't just give a succinct precis of a piece: it catches the reader's eye and intrigues, leading them to want to learn more about the topic at hand. There's an art to writing exec summaries, picking out the key points and expressing them appropriately in as few words as possible, in such a way that readers are willing to read the full version. Despite having been practicing since the 1980s, I still find this as challenging as writing advertisements and marketing copy.

PwC tip #3: "Know your audience."  
Hinson tip #3: "Research the Board." Do your homework. Find out who sits on the Board, for starters, and what roles they play. Use Google and Linkedin to profile them, discovering their experience and interests. Experienced Board members often sit on several Boards, for instance: what else do they do? Ask senior colleagues about Board members and Board business, such as who might be sympathetic or resistant to information security, and what else might be on their plates at the moment. Although Board agendas and minutes tend to be confidential, you have a legitimate interest, potentially a need to know. Discreet inquiry of the right people is not unreasonable.

PwC tip #4: "Be strategic with your time."
Hinson tip #4: "Respect the Board's high level business perspective."
For best effect, all awareness and training materials and activities need to suit their intended audiences. The rather basic fare pitched at employees in general, or the more technical content aimed at specialists, is unlikely to resonate with management. Board members, in particular, have lots of significant issues on their plates already so the security awareness materials need to get straight to the point. Furthermore, their perspective is strategic - high level and broadly concerned about the organization as a whole. So 'the points' (the topics covered and points made) need to be relevant, to resonate with them.

NoticeBored delivers a stream of awareness content aimed specifically at the management audience, including succinct, high-level, business-like items specifically written with senior/executive management and directors in mind. 

NoticeBored's portfolio of 60+ topics includes but goes well beyond cybersecurity, covering the organizational context and compliance aspects for instance. Governance, risk, control, effectiveness, efficiency, innovation and maturity are brought up frequently as threads or points of interest and concern in the materials.

PwC tip #5: "Focus on your message."
Hinson tip #5: "Focus on effective comms."
PwC's advice revolves around putting on a good show, a professional, polished performance in front of the Board. That wide-eyed bunny-in-the-headlights look is a classic  symptom of someone who is new to the game. Fair enough PwC but there's more to it than appearance or first night nerves.

Don't forget that Board members are politically-savvy, senior, experienced business people - and human beings with all that entails. Don't be too intense, too pushy or disrespectful. You want/need them on your side. Inform, persuade and motivate them. Actively sense their reactions and responses. Exploit their hot buttons. Treat this as a social engineering challenge if you like. Don't forget that the way you communicate stuff is just as important as the content - not just the message but how and when you express it including the context or situation.  

And the best way to get that right is to practice as often as you can, which takes us neatly back to the start. If attending Board meetings is just a fairly routine part of your ongoing productive dialog and trusted relationship with senior managers, you on to a winner. 

20 Nov 2018

NBlog Nov 20 - go ahead, make my day

What can be done about the semi-literate reprobates spewing forth this sort of technobabble nonsense via email? 
"hello, my prey.
I write you since I attached a trojan on the web site with porn which you have visited. My malware captured all your private data and switched on your camera which recorded the act of your wank. Just after that the malware saved your contact list. I will erase the compromising video records and data if you pay me 350 EURO in bitcoin. This is wallet address for payment : [string redacted]
I give you 30h after you view my message for making the transaction. As soon as you read the message I'll know it immediately. It is not necessary to tell me that you have paid to me. This wallet address is connected to you, my system will delete everything automatically after transfer confirmation. If you need 48h just Open the calculator on your desktop and press +++If you don't pay, I'll send dirt to all your contacts.      Let me remind you-I see what you're doing!You can visit the police office but anyone can't help you.
If you try to cheat me , I'll see it immediately!
I don't live in your country. So anyone can not track my location even for 9 months. Goodbye for now. Don't forget about the disgrace and to ignore, Your life can be destroyed."

It's straightforward blackmail - a crime in New Zealand and elsewhere - but the perpetrators are of course lurking in the shadows, hoping to fleece their more naive and vulnerable victims then cash-out anonymously via Bitcoin. Identifying them is hard enough in the first place without the added burden of having to gather sufficient forensic evidence to build a case, then persuade the authorities to prosecute.

So instead I'm fighting back through awareness. If you receive vacuous threats of this nature, simply laugh at their ineptitude and bin them. Go ahead, bin them all. Train your spam filters to bin them automatically. Bin them without hesitation or concern. 

Then, please help me pass the word about these ridiculous scams. Let your friends and family (especially the most vulnerable) know. Share this blog with your classmates and work colleagues. Send journalists and reporters the URL. Hold a bin-the-blackmail party. 

By all means call your national CERT or the authorities if that makes you feel better. Just don't expect much in the way of a response beyond "We're inundated! Sorry, this is not a priority. We simply don't have the resources."

If enough of us call their bluff, these pathetic social engineering attacks will not earn enough to offset the scammers' risks of being caught ... and who knows, we might just draw some of them into the open in the process. Let's find out just how confident their are of their security, their untraceability and invincibility. 

Recite after me: "Go ahead, make my day ..."