Welcome to NBlog, the NoticeBored blog

Bored of the same old same old? Here's something a bit different.

May 22, 2019

NBlog May 22 - cyber-blinkers and cyber-bling

Security Tip ST19-001 Best Practices for Securing Election Systems - an advisory from the US government - is fascinating for the things it leaves out, more than those few it includes.

At least five substantial omissions occurred to me literally as I was skim-reading the piece for the very first time:

  1. Physical security for voting systems and associated paraphernalia;
  2. Application design of voting software;
  3. Social media and voter coercion (the elephant in the room);
  4. Information risk management - a systematic approach to identify, evaluate and address the information risks as a whole (not just a few items seemingly plucked out of thin air);
  5. Assurance - clearly a crucial concern for elections, underpinning the entire democratic process (a raging herd of angry elephants here!).

Items 3, 4 and 5 on my little list concern the bigger picture. It's pointless securing the computer systems alone, even if that could be achieved, which would take a lot more than is implied by this astonishingly basic advisory ("best practices" - yeah right!). Thanks in large measure to the US government, "cybersecurity" is a solid gold buzzword, despite decades of experience with information security. This advisory is a classic illustration of what happens when the cyber-blinkers are firmly applied.

So what's really going on here? Are the US government, DHS and CISA unbelievably naive? Do they really need to offer such basic advice in such an important area? Do they truly believe that 'notice and consent banners' are priority matters worth bringing to attention?

Or is this just more cyber-bling, another cynical attempt to divert attention from those bigger issues I mentioned? Does this advisory itself qualify as fake news, part of a political agenda to manipulate public opinion by placing the blame superficially on IT for issues that run much deeper?

Either way, I find this quite remarkable, astonishing even. I'm incredulous.

May 21, 2019

NBlog May 21 - real-world physical impacts

As currently scoped, June's NoticeBored awareness module primarily concerns physical security measures protecting information, data and IT systems, including health and safety protection for workers ... but there's another aspect that potentially falls in scope: IT incidents with physical, real-world impacts.

Thus far, fortunately, such incidents have been very rare, mostly proof-of-concept demonstrations that hacking, say, the IT systems controlling an electricity generator could indeed cause it to liberate the smoke. The potential is very real and scary however once you appreciate just how much of modern life is controlled by vulnerable computers, often Internetworked, with design flaws and bugs mostly tucked out of sight, lurking in the extreme technical complexities under the hood. There be dragons, as the Iranians discovered.

The proliferation and interconnectedness of IT systems has reached epic proportions lately with Internet-connected lightbulbs, air conditioners, bicycles and nuclear fuel reprocessors. Wirelessly-configurable smart pacemakers may only directly and mortally concern a tiny, vulnerable proportion of the population, but those and a million other IoT and IIoT crazies are the canaries in the coal mine. Humankind is building itself a house of cards at an alarming rate, recklessly in fact. It'll end in tears.

I'm far from the only person genuinely concerned at the prospect of driverless vehicles for instance, even taking into account the extraordinary efforts being made to develop, improve and prove the technology with the overt aim of making driverless vehicles safer than those driven by competent, careful drivers.  

Not 'secure from hackers and malware', notice, but 'safer than competent, careful drivers'. 

Spot the difference.

Even competent, careful drivers can be hacked in the sense of being duped by fake road signs then pulled over by fake cops, or led astray by optical illusions and cognitive issues, some brought on by alcohol and other drugs, or stress or tiredness. Bottom line: the bar is not even remotely high enough for my liking. I won't even mention pilotless planes and autonomous weapons (oh look, I just did).

Well, OK, I'm scaring myself now, plummeting into uncharted territory. It's a fascinating if dark area well worth exploring again, but not in June. I'll continue pondering and researching this for a future awareness topic, though. For now, it's perched delicately on the edge of a shelf in the IsecT office labeled "Dragons".

PS: After drafting this blog piece, I enjoyed watching Robocop again: no shortage of very physical impacts there!

May 20, 2019

NBlog May 20 - the value of visuals

Whereas tangible information assets and physical security are different to the intangibles we normally address, the process of managing the information risks is essentially the same:

Variations on that diagram feature in many NoticeBored modules since the information risk management process is central to information security. 

In June, we'll elaborate on it in the particular context of physical information assets and risks thereto, using typical assets, incidents and situations to help people understand what we're concerned about. 

In subsequent modules, we'll pick out different aspects according to the monthly topic, and occasionally we'll zoom-in to explore certain parts of the process in more depth - risk identification, for instance, or incident management. 

We may tweak the layout here and there but, over time, our awareness audiences gradually become familiar with the process - one of a handful of core concepts underpinning the field. These are themes linking individual information security awareness and training messages together into a coherent story or picture that plays out during the years.

The formatting/style of the process flow diagram is another aspect that we aim to keep reasonably consistent from month-to-month. Once you've been shown and talked through any one of them, other processes are easier to understand since they are described in familiar terms. We consistently use visual cues to highlight specific parts of the diagrams (e.g. the deep red "Incidents and close shaves" box) while red-amber-green coloring features in every module (e.g. in our Probability Impact Graphics).

Diagrams are an invaluable tool for awareness and training purposes, flexible and expressive, supplementing and enhancing the written and spoken word. For instance, those six numbered blobs on the diagram will link to a process description laying out, explaining and elaborating on the six key activities in words.

The diagrammatic approach is quite straightforward, obvious and natural but, in our experience, many information security and technology professionals struggle to prepare and utilize decent diagrams: they can sketch things out on paper but (short of scanning the scraps!) converting rough drawings into more presentable and useful formats is challenging. It takes time, effort and skills. Despite our decades of practice, we invest a lot of time and creative energy in both figuring out and presenting concepts, processes, relationships etc. visually every month because it pays off. Better still, it's fun.

May 17, 2019

NBlog May 17 - physical infosec

Sorry for the pause: among other things, I've been busy exploring a new subject for next month's NoticeBored security awareness and training materials.

June's topic is physical information security, something we've covered a number of times previously. Physically protecting computer systems and storage media against threats such as intruders and thieves, fires, floods and power problems is an essential part of information security for all sorts of reasons that we'll soon be elaborating on.

This time around, however, we'll also pick up on protection of another category of tangible information assets, specifically our people.

Workers are definitely assets (otherwise, why would we pay them?) but do they qualify as 'information assets'? I'd argue yes for the reason that we value their brains at least as much as their brawn. Whereas brawn can generally be replaced by machinery, it's much harder to replace a competent person's knowledge, experience, expertise and so forth, advances in robotics and artificial intelligence notwithstanding.

Protecting workers, then, takes us into the realm of health and safety, which is why I'm busy researching at the moment. I'll have more to say on this, so tune back to this station soon for the next exciting episode.

May 1, 2019

NBlog May - Security awareness for off-site workers

Hot off the NoticeBored production line comes May's security awareness and training module about working off-site.

The 69th topic in our portfolio was inspired by a subscriber asking for something on home working.

It ended up covering not just working at home but the information risk and security implications of working on the road (digital nomads), in hotels, on supplier or customer sites and so forth, touching on online collaboration and other related areas along the way.

Module #193 is 95% brand new, prepared from scratch during April and blended-in with a little updated content recycled from previous modules on workplace security and portable ICT security, plugging the gap, as it were.

I'm proud of the guideline (item #04), part of the staff awareness stream. At 16 pages, it is lengthier than normal due to the sheer variety. With the odd touch of humor and stacks of pragmatic security tips for home and mobile workers, it would make a neat little awareness booklet or eDoc for people to leaf through as they wait for planes and buses, or “work” in front of the TV. It's a good read.

The module's management stream has quite a bit to say about achieving balance. There are clearly business and personal benefits to working off-site, provided the associated risks and costs are managed and kept in check. Compliance is particularly challenging as the workforce escapes the confines of the office, powerful ICT devices in hand, dispersing valuable yet vulnerable information assets across the globe. Resilience and flexibility are substantial plus-points.

Extending the working day or week can increase productivity to a point, beyond which over-stressed workers (staff and management!) plummet toward exhaustion and burn-out. In strategic terms, senior management has to make the right choices in order for the organization to reach the peak but not overdo it - and, for that matter, so do individual workers. Just because we can stay constantly in-touch doesn't mean we have to. There are further strategic and governance implications of the evolving nature of work, hence quite a bit of sociology in May's module.

The professional/specialist awareness materials get further into the IT or cyber security aspects such as security administration of mobile devices. Recent news about the discovery of exploitable flaws in WPA3 (the 'Dragonblood' downgrade and side-channel attacks on its SAE handshake) has risk implications for mobile workers using Wi-Fi, particularly in potentially hostile environments such as busy shopping areas, stations and cafes. On the other hand, anyone who has followed the sorry tale of Wi-Fi security woes since the beginning should not be surprised. WEP, WPA and WPA2 have their vulnerabilities too, as do Bluetooth, cellular networks, Ethernet and the rest.

If off-site working is becoming or has become the norm for your organization, let's tease out and tackle the associated information risks through creative security awareness and training materials, helping you strike the balance between risk and opportunity, pain and gain. Over to you!

Apr 30, 2019

NBlog April 30 - tangents

As the hours evaporate before our self-imposed start-of-month delivery deadline, I'm trying to stay focused on completing and proofreading the "Working off-site" security awareness module ... but it's hard when there's a fascinating discussion in full flow on the ISO27k Forum about quantitative vs qualitative methods of information risk analysis, plus all the usual stuff going on around me.

I find myself physically on-site in the IsecT office, supposedly working flat-out, but my mind is drifting off-site. I just caught myself day-dreaming about the possibility of racing driverless cars, their algorithms competing against each other and the laws of physics. What a bizarre tangent! I think it's something the behavioural biologists call 'displacement activity'.

Anyway, back to the grindstone. Catch you later.

Apr 26, 2019

NBlog April 26 - a productive day

Leafing through our information security policy templates this morning, I couldn't find anything specifically covering off-site working, so I knuckled down and prepared one.  

It took longer than planned due to a false start: I soon realized that there are lots of potential policy matters in this area, so I refined the scope to cover just the information risk and security aspects. Following a general policy axiom, the more detailed policy statements describe 'typical examples' of the controls in three main categories (since they are likely to vary according to circumstances), plus a handful of others - about 2 sides of actual policy with the usual summary, applicability, introduction and references sections.

This afternoon, I prepared a case study for May's awareness and training module on working off-site based around an intriguing scenario. What normally happens when a home-worker (someone who always, often or occasionally 'works from home') leaves the organization? What should happen? Specifically, how should the organization deal with any work-related information/data the worker may have had at home, on portable equipment, on paper or whatever? 

And what if it turns out that the worker has not, in fact, fully complied with policy and employed all the anticipated and required security controls? Tut tut!

There are information risks in this scenario that aren't explicitly covered by the new security policy, but I would argue that they are HR and IT issues that ought to be covered by HR and IT policies - governance, oversight, supervision and compliance matters for instance. 

That situation is not at all unusual: in our experience, few 'incidents' or 'situations' are so simple and straightforward as to involve just one issue and one applicable policy. Usually, several rules and regs apply, hinting at the need for a comprehensive mesh of policies, contractual terms, procedures, guidelines, work instructions etc., and there's the rub. 

We are infosec specialists. Our products focus on infosec. Infosec is What We Do. We gather there may be one or two other, lesser matters potentially of concern to our lovely customers (!) but there's only so much we can achieve. 

Our solution to this conundrum is to refer to other types or categories of policies etc. in the reference section of our policy templates without being too specific. Other information security policies are cited more explicitly since we have the corresponding templates to hand and are familiar with what they say, having written and maintained them. In any event, customers are likely to review and customize the policy templates, adapting and merging them with other corporate policies, procedures etc. - well hopefully anyway, assuming they have the competencies and resources to do that. I suspect many don't, but at least we know the security policy templates form a reasonably coherent and consistent suite. Who knows, maybe the style and structure of our policy templates will inspire customers to review and revise their entire policy structure, bringing the whole edifice into a more professional, valid state, a valuable central element of their corporate governance arrangements. 

Dream on!

Apr 25, 2019

NBlog April 25 - Teflon-coated security

An article about hackers compromising IoT things mentions that IoT manufacturers choose not to make their devices more secure because the additional security controls would create 'friction' for users - in other words, they are making explicit commercial decisions about their products that take into account usability as well as various other factors, such as security, privacy and I guess cost.

Well, who'd a thunk it? Information risk and security management is all about making compromises and trade-offs. There are numerous options and decisions to be made, plus situations that are forced upon us.

Re 'friction', it occurs to me that effective security awareness smooths the way for additional/better security. Once people such as the concerned mother in the article, and hopefully some of its readers, appreciate the need for and value of security, they are more likely to accept the cost of security - not just the slight increase in the price of things for additional security features but the effort it takes to configure, use, monitor, manage and maintain security, a bunch of additional costs that inevitably follow (inevitable for adequate security, not inevitable for manufacturers and consumers!). 

The same thing applies in a corporate setting. The reasoning goes: workers who know about and grasp the reasoning behind security are more likely to accept it. That's why our security policies include an introduction/background section with a brief explanation/justification, setting the scene for the controls documented in the main body. And it's why we continue to push security awareness and training as a valuable part of the treatment of information risks.

'Features' raises an interesting point. In a free market, consumers elect whether or not to buy certain products according to whatever criteria they set. Likewise, producers choose what products to offer, with whatever characteristics they feel will sell. It could be argued that security is not an optional feature but 'essential' or even 'mandatory' in the same way as 'safety' - but at present it generally isn't. Sensible consumers include security among their selection criteria and rank or prioritize it appropriately ... so first they need to understand what security is and why they might want it, which implies awareness. IoT vendors aren't exactly pushing product security in their advertisements: it barely merits a mention in the small print, overshadowed by the gee-whizz stuff top and centre. "Hey, look, you can adjust your aircon settings from your smartphone and come home to a comfortable temperature! Wow!" Even security things such as smart locks are sold on the strength of convenience and tech-whizz rather than security per se, thanks in part to the curious distinction between physical security and cybersecurity (as if cyber doesn't need physical: it does. They are complementary, not alternatives).

Bruce Schneier famously stated that, given the choice, people will choose 'dancing pigs' over 'security' every time. Security simply isn't sexy. We notice if it fails, not when it succeeds. We resent the cost without appreciating the value. We expect security to come for free, and to work perfectly every time. Right or wrong, those are tricky criteria for manufacturers (and security awareness gurus!) to satisfy.

Aside from learning from the safety field, including aspects such as transparency and openness over disclosing and investigating incidents (e.g. the ongoing 737 MAX scandal), I'm interested in the way cloud security is coming along. Thanks largely to the sterling efforts of the Cloud Security Alliance, security is being promoted industry-wide as an integral, essential part of cloud services - not a bolt-on optional extra 'feature' but core, not a product differentiator but a unifier. I hope the IoT Cybersecurity Alliance and Software Security Alliance are equally successful. An Operating System Security Alliance would be cool too (hint hint Microsoft, Apple, Google, IBM ...).

Meanwhile, we'll soldier on, promoting security awareness among our subscribers' workforces and blog readership, improving security month-by-month, topic-by-topic, organization-by-organization, person-by-person. 

Must dash: May's NoticeBored security awareness module on working off-site is fast approaching the end of the production line. We're preparing to add a glossy topcoat of non-stick Teflon.

[Non-stick == 100% carrot!]

Apr 18, 2019

NBlog April 18 - another NSA contractor accused of schlurping

Catching up with recent infosec news, I stumbled across a piece about NSA contractor Harold T Martin III, accused of schlurping (pinching and hoarding) some 50 terabytes of secret data. 50 TB! Along with Julian Assange, Ed Snowden and Chelsea Manning, the US government appears to be hemorrhaging secrets by the shed-load, despite all the extraordinary security controls designed to prevent and detect it.

I say 'shed-load' advisedly: a typical page of a typical document has about 500 typical words per side, i.e. 1,000 words per double-sided sheet, needing about 200 kB of rich text data (e.g. a Word document). That's 5 sheets per MB*. 50 TB is 50 million MB, or about 250 million sheets. A typical box of printer paper contains 10 reams of 500 sheets, i.e. 5,000 sheets per box, enough to print out about 1 GB of data*. So, printing 50 TB would take about 50,000 boxes of paper, a stack of about 37x37x37 boxes. That's a shed-load ... a big shed, a small warehouse or industrial unit*.

Modern PC disk drives hold about 1 TB. It is possible that someone might casually stroll out of work carrying 50 hard drives in a box marked "Spares"; more likely, a high-capacity USB thumb drive or laptop every working day for a month or three.

Alternatively, 50 TB would take approximately forever to download at 1 GB per hour on a typical home Internet connection (five or six years, in fact) ... but under a week on a lightning-fast fiber-optic line running flat-out at 1 gigabit per second: that's 125 MB per second, so roughly four and a half days*. Professionals working regularly from home, perhaps offering remote IT support, could conceivably claim the business expense of a fast fiber line ... or invest personally for geek status points.

This is relevant to next month's NoticeBored security awareness topic. IT-enabled workers are technically capable of accessing and storing vast quantities of data wherever they happen to be working, whether on- or off-site. About 20 years ago 'deperimeterization' became a nasty buzzword, referring to the dissolving boundaries around organizations, changing the information risks. Today, it seems as if those boundaries have completely evaporated: inside and outside are virtually indistinguishable.

If our organizations can't quite match the government spooks' budgets and appetites for information security (and even if they can!), where does that leave us? I'll tell you where - firmly in the Probability Impact Graph's high-risk bright red zone.

* All the figures in this piece are vague approximations. Treat them as rough ball-parks at best ... and please let me know if you spot any errors.

Apr 14, 2019

NBlog April 14 - SecAware eShop open for business

Acquiring top-quality creative security awareness and training materials is easier, quicker and cheaper than ever through our online shop at www.SecAware.com 

Browse a selection of awareness materials including policies, the InfoSec 101 orientation module and more.  

Pick, pay and download - "easy-as" as we Kiwis say.

Please let me know if there are other materials or topics you'd like us to offer through SecAware ... and please excuse the minimalist site design: it's just a starting point as we figure out how to build and maintain websites for mobiles and desktops.  

So much left to do, so much left to learn.

Apr 13, 2019

NBlog April 13 - working off-site

We're rapidly spiralling-in on a scope, purpose and hence title for the next NoticeBored security awareness and training module, currently trundling its way along the production conveyor belt at IsecT HQ.

Inspired by a customer request to cover the security aspects of 'home working', we set out to complement the BYOD and business continuity topics ... but in exploring the associated information risks and controls, we've realized that there are other ways and means of working with similar issues. 

Mobile or portable working, for example, is almost the rule for managers and professionals these days, at least to the extent of being constantly in touch by cellphone, keeping up with emails and TXT messages, and using work apps on smartphones, laptops and tablet PCs. Commuters on public transport often seem totally absorbed by their screens and ear-buds, whether that's personal or work emails, podcasts, news from the city desk, Harry Potter, Game of Thrones, Bach or BoyZone we don't know.

Just as 'the office' has evolved from classrooms laid out with rank-and-file desks sporting noisy typewriters and ashtrays, to separate rooms with closed doors, through Dilbert cubicles (with partitions but without doors), to open-plan spaces, stand-up meetings, table-football, basketball hoops and flame-grilled hot-desking, so too 'the home office' has changed over time. 

Back in the 80's all-in-one beige plastic monsters such as IBM PCs and DEC VAXmates were all over the business ads, while home computers of the time looked more like unfinished industrial machines with plenty of blinkenlights and mysterious switches to catch the hobbyist's beady eye. Adverts focused on the 'powerful machine' rather than 'the workstation', 'desk' or 'office'. We had duplicators, pagers, PDAs and luggables, facsimile machines, and those first generation mobile telephones that needed their own motorized carts for the battery packs.

Do you recall when 'workstation furniture' became a thing - weird multilevel desks on caster wheels with cutouts for keyboards and cables, and plenty of depth for big heavy CRT monitors, leaving precious little leg-room for the unfortunate user? For a while, executive home offices were advertised by suited, bossy gentlemen (almost always) in high-back puffy leather chairs at expansive and expensive mahogany veneer desks the size of tennis courts (well, table tennis tables anyway). Then came corner desks, filing cabinets on wheels and home stationery cupboards with roller-shutter fronts to stop the kids pinching daddy's crayons.

Today, given the price of property, the 'home office' is more often a corner of the kitchen workbench or someone's lap. I wouldn't be surprised to learn of people replying to work emails on vertical touchscreens on their fridges and microwaves, all while cooking tea. We don't all have the Oval Office at home.

It has become socially acceptable, almost the norm to hold business meetings in cafes and restaurants, and anyone without a smartphone in easy reach, yakking loudly and laughing into their wireless headset, stands out like a sore thumb-drive.

Entire generations of business travelers have been trained to leap to their feet as the plane lurches to a stop, grabbing their phones and wondering where the Uber will lurk.

Oh, and speaking as a motorcyclist, don't get me going on texting-while-driving. Have you noticed just how many displays are built into cars now, in addition to those clutched by the occupants?

So, that outlines the physical and cultural context we have in mind for the next awareness module. Some of the associated information risks are obvious, others less so, which means quite a variety of controls, plenty to explain and discuss.

Apr 12, 2019

NBlog April 12 - off-site security

Do your mobile sales reps look after the information relating to products, pricing, contracts, supplies, specifications, strategies and all that – not just the sales apps, spreadsheets and slide decks on their laptops, tablets and smartphones, but all the other sensitive and valuable corporate and personal data they carry or access? What about your roaming product/tech support and maintenance people? Your company doctor? The Board of Directors? Managers and business travelers generally? Workers catching up with email on their way home, or putting the final touches on a progress report while stretched out on the couch watching an episode of CSI?

Are they vigilant and alert? Do they have the faintest clue about the information risks around them, or what's expected of them in the way of information security and privacy? Do they care?

Portable ICT has revolutionized our lives to the point that we take it for granted these days. We've become blasé about it. No longer are we tied to the desk and landline. We can be reached almost anywhere at any time by friends, family and colleagues, including the boss, customers and associates. One-way pagers morphed into TXT messaging and SMS-RSI. Cellular telephones with power packs the size of Manhattan, the capacity of a flea and dreadful audio quality became multimedia smartphones small enough to wear on the wrist, while jogging. Embedded computing used to refer to dedicated Computer Numerical Controllers buried deep inside noisy industrial machines: now it includes subcutaneous things.

It's not just students doing homework. For some, working from home is a lifestyle choice, a way to mesh work and family lives seamlessly or at least to juggle dishwashing with helpdesking. For others, it's a necessity, squeezing a few more precious hours into the working week while being physically present and technically 'at home'. And 'home' tonight may be a bland concrete box in some anonymous city hotel, tomorrow a cab and departure lounge en route to the next bland concrete box.

Those are just some of the scenarios we have in mind for May's NoticeBored security awareness and training module. With a profusion of information risks and security controls to explore, preparing the materials involves drawing out the core themes and threading them into story lines that spark the imagination. Informing, engaging and persuading people is what we do. Must dash now: dishes to wash. 

Apr 11, 2019

NBlog April 11 - the KISS approach to ISO27k

From time to time on the ISO27k Forum, someone claims that certification auditors 'like to see', 'require' or even 'insist on' or 'demand' certain information security controls. Sometimes, it is further claimed or implied that certification auditors have actually raised or might yet raise nonconformances regarding the lack of certain controls, and consequently might refuse to certify their clients.

I'm not entirely convinced that such claims are true, for starters, but if so that hints at a problem with the certification and perhaps accreditation processes.

In accordance with ISO/IEC 27006, ISO/IEC 27007, ISO 19011 (revised last year) and their own internal certification audit procedures, accredited certification auditors should be certifying an ISO27k Information Security Management System against the requirements formally specified in the main body clauses of ISO/IEC 27001. They should definitely raise major nonconformances and refuse to certify if they have evidence that an organization has not fulfilled particular requirements in the main body of '27001. However, if there are issues regarding the organization’s interpretation and/or implementation of '27001 Annex A controls, that’s a different matter because Annex A itself is not mandatory.

A (re)current example on the Forum concerns asset inventories. The main body of '27001 does not formally require that organizations prepare and maintain inventories, databases or lists of their assets. Compliant organizations are required to consider the advice in Annex A regarding inventories and other matters, but they do not have to take the advice and they are free to interpret it in whatever way happens to suit their purposes.

Arguably, if an organization has identified and evaluated its information risks and decided to implement certain mitigating controls based on Annex A, but has not in fact done so yet (at least not satisfactorily) and has no real intention, then that suggests a failure of the ISMS processes which would likely constitute a reportable nonconformance. However, if the organization acknowledges that the controls are not fully implemented yet and is in the process of addressing that (ideally with some evidence of genuine intent, such as approved projects with allocated resources), then the ISMS processes appear to be working as planned … which would be a basis to challenge a nonconformance raised by the certification auditors. One of the objectives for an ISO27k ISMS is to drive and facilitate systematic improvement and maturity in this area: that’s nothing to be ashamed of - quite the reverse!

Unfortunately a number of myths and misunderstandings persist in the field, including allegedly common practices and widespread approaches that are not entirely aligned with the ISO standards. Even if many certified organizations happen to have asset inventories, that does not mean the standard formally requires everyone to do so. The same thing applies to information classification, antivirus controls, backups and so forth: in fact, the whole of Annex A ("Reference control objectives and controls") is advisory. Certified organizations are formally required to compare their selection of controls against Annex A "to ensure that no necessary controls have been overlooked" [27001 clause 6.1.3 c) note 1], but they are not formally required to adopt and implement the Annex A controls. They are encouraged to select whatever controls happen to best address their risk mitigation needs, from any sources they choose, including controls of their own invention.
"Organizations can design controls as required, or identify them from any source." 
[ISO/IEC 27001:2013 clause 6.1.3b (note)]
Oh and by the way, mitigation is just one of four perfectly acceptable forms of risk treatment, along with avoidance, sharing and acceptance. Again, the organization is fully within its rights to choose its approach and the auditors should not complain (with some provisos concerning how those choices were made).

This point drove our development of the ISMS mandatory documentation checklist for the ISO27k Toolkit (free!). If you analyze the wording of '27001 carefully and narrowly, almost like a lawyer analyzing a contract, you find that many common practices are optional, not mandatory after all. This has implications for the certification auditors: clients have a sound basis to challenge audit findings or nonconformances on options that, for whatever reason, they have chosen not to take up. Provided the process through which they evaluated and chose their options is compliant with '27001, and provided they duly complied with their own policies and procedures, the auditors should not insist that those options are in fact required.

Having said all that, there is more to this than certified compliance with '27001. It could equally be argued that Annex A constitutes good practice, and '27001 clause 6.1.3 d) does in fact require the Statement of Applicability to record which Annex A controls have been excluded and why: organizations that choose not to adopt Annex A controls must therefore at least be able to justify those decisions. Right or wrong, discretion is appropriate and necessary under various circumstances, in practice. 

Furthermore, while certification auditors might be going beyond their brief if they refuse to certify organizations that choose not to adopt all the controls in Annex A, they might appear negligent if they didn’t at least point out substantial information security concerns which crop up in the course of their audits … which is where minor nonconformances, ‘other findings’, ‘potential points of concern’, informal reporting and the negotiations towards the end of an audit generally come into play. 'We will certify your ISMS, but we advise you of the following issues: ...'.

ISMS management reviews, ISMS internal audits etc. probably should dig out and report concerns of this nature too: they generally have a wider brief than certification and are not necessarily constrained to compliance auditing solely against the formal requirements. Almost anything is potentially reportable internally if a competent person believes, and has evidence, that it is in the organization's best interests. That includes audits and reviews of the ISMS against other requirements such as quality assurance, health and safety, environmental protection, corporate strategies or whatever. Organizations have many obligations and expectations in addition to those in '27001, not least meeting their own business objectives and duties towards various stakeholders.

So what does this all mean? Personally, despite being a fan of good security practices, I understand the value of a minimalist KISS approach (as in Keep your ISMS Simple, Stupid) with benefits such as:
  • Ease of understanding, use, management, maintenance and auditing;
  • Focus on the essentials, and do those well, make them slick;
  • Lack of red tape and bloat - often itself a rat's nest of security issues as well as the obvious costs and delays;
  • Maximize bang for buck - the core processes and an ISO/IEC 27001 compliance certificate are valuable, even if the certified ISMS is minimalist;
  • Release the organization from the constraints of overbearing security, encouraging investment and effort in other more valuable business opportunities;
  • A solid foundation on which to build appropriate extensions at some future point - meaning both maturity and the flexibility to respond to novel situations as they arise.

Apr 8, 2019

NBlog April 8 - The Power of Resilience

One of my all-time top-N books, this one. Love it!

The author, Yossi Sheffi, is an expert in systems optimization, risk analysis and supply chain management. He’s a professor at MIT, the Director of the Center for Transportation & Logistics, a faculty member of the Civil and Environmental Engineering Department and Institute for Data, Systems, and Society. As well as his academic credentials, he’s a level-headed clear thinker.

Yossi’s thesis is valuable and convincing. There is no organization that would not benefit from being even more resilient, and for the vast majority even modest improvements along these lines could make a huge difference to their capabilities and capacities, both in disastrous conditions and in normality.

I particularly like the emphasis on resilience as a strategic matter, for example making organizations fit and ready to seize the business opportunities that open up when their less-resilient peers are struggling to cope with nightmare scenarios. Resilience is far more than a defensive mechanism: this book explains how to create competitive advantage by a more proactive approach.

The writing style is excellent. The book is clear, easy to read and understand, and interesting too - I really enjoyed reading and contemplating it. It is peppered with details and anecdotes from the author's research with numerous companies, not just the usual rather restricted and superficial set of case studies but a wealth of relevant info from a wide range of industries, albeit mostly large companies hence SMEs are a little underrepresented.

It's a stimulating read. Every few pages I found an angle that hadn't occurred to me before, an approach that instantly registered as something well worth considering. It's overflowing with good advice - and not just hand-waving generalities: there are plenty of clues here for bright managers to adapt and adopt.

All in all, fantastic! A cracker! A keeper!

Apr 7, 2019

NBlog April 7 - time resilience

It's official - summer's over in the Southern hemisphere.  

Not only did we need to light a fire to keep warm yesterday but at 3 am last night our clocks went back an hour at the end of NZ Daylight Saving Time. We're now 12 hours ahead of UTC.

My Windows PC clock reset itself automagically, dropping an information entry into the system logs 12 seconds later.

Consequently the normally sequential Windows system log appears out of sequence. According to the time stamps, log entries at 02:55 and 02:56 were followed by the informational entry at 02:00. 

That's just a reporting/display artifact though. Under the covers, the operating system uses UTC: the event log records each entry's time in UTC and the viewer converts it to local time for display. UTC didn't change by an hour at 02:00 but just kept ticking away like normal. Log entries always join the top of the heap in a strictly sequential log.

UTC does occasionally change by a second, though, to keep it in step with the Earth's rotation which is how we animals measure time - by reference to the cycle of days and nights, sunrises and sunsets.

We all know days and nights change gradually in length throughout the year. Thanks to their atomic clocks, the scientists know that the 'gradual change' is not, in fact, entirely consistent. For reasons that escape me, atomic clocks are more consistent than the Earth's rotation, hence UTC (which is tied to the atomic clocks) slowly drifts out of step with the day-night cycle unless it is corrected.

UTC is only ever adjusted in whole 1 second increments ... which presents a problem for computer systems and processes that depend on UTC. Loggable events occurring within the period of a step adjustment could be logged with the wrong times, or even out of order, so a better approach is to speed up or slow down the clock tick rate ever so slightly until the one second change is achieved (so-called 'leap smearing'). Now, log entries will be ever so slightly wrong for the period of the change, but provided 'ever so slightly' is less than the resolution of the date-time-stamps, it shouldn't matter, hopefully.
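To make both of the effects above concrete (the DST display artifact in the Windows log, and a leap second applied as a step versus smeared over a day), here is a small added example of my own, not from any system the post describes. The NZ changeover instant (03:00 NZDT on 7 April 2019, i.e. 2019-04-06T14:00Z) is hard-coded rather than looked up in a tz database, and the event times and the 24 hour smear window are constructed for illustration:

```python
"""Clock adjustments versus log ordering (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

# --- Part 1: DST end in New Zealand, 2019 -----------------------------------
# NZDT (UTC+13) ended at 03:00 local on 7 April 2019 = 2019-04-06T14:00Z, when
# clocks went back to 02:00 NZST (UTC+12). Hard-coded so the example does not
# depend on a system tz database.
NZ_DST_END_UTC = datetime(2019, 4, 6, 14, 0, tzinfo=timezone.utc)
NZDT = timezone(timedelta(hours=13), "NZDT")
NZST = timezone(timedelta(hours=12), "NZST")


def nz_local(instant: datetime) -> datetime:
    """Render a UTC instant as NZ wall-clock time across the 2019 changeover."""
    tz = NZDT if instant < NZ_DST_END_UTC else NZST
    return instant.astimezone(tz)


def is_monotonic(values) -> bool:
    """True if every element is >= its predecessor."""
    return all(b >= a for a, b in zip(values, values[1:]))


# Constructed events: two just before the change, one 12 s after it (the
# "information entry" in the post), then a later one.
EVENTS_UTC = [
    datetime(2019, 4, 6, 13, 55, 0, tzinfo=timezone.utc),
    datetime(2019, 4, 6, 13, 56, 0, tzinfo=timezone.utc),
    datetime(2019, 4, 6, 14, 0, 12, tzinfo=timezone.utc),
    datetime(2019, 4, 6, 14, 30, 0, tzinfo=timezone.utc),
]


def local_wall_clock_strings(events=EVENTS_UTC):
    """Local HH:MM:SS strings, as a log viewer would display them."""
    return [nz_local(e).strftime("%H:%M:%S") for e in events]


def local_ordering_is_monotonic(events=EVENTS_UTC) -> bool:
    # Naive wall-clock values: what sorting on the displayed column does.
    return is_monotonic([nz_local(e).replace(tzinfo=None) for e in events])


def utc_ordering_is_monotonic(events=EVENTS_UTC) -> bool:
    return is_monotonic(events)


# --- Part 2: leap second, step versus smear ---------------------------------
# Model "true" elapsed time t as seconds on a uniform (atomic) scale. A
# positive leap second at LEAP means a POSIX clock, which cannot show
# 23:59:60, repeats a second: from LEAP onwards it reads t - 1.
LEAP = 86400.0            # position of the leap on the uniform scale
SMEAR_WINDOW = 86400.0    # spread the second over the 24 h before the leap


def posix_step(t: float) -> float:
    return t if t < LEAP else t - 1.0


def posix_smear(t: float, window: float = SMEAR_WINDOW) -> float:
    """Run the clock slow by 1/window over [LEAP - window, LEAP) instead of stepping."""
    if t < LEAP - window:
        return t
    if t >= LEAP:
        return t - 1.0
    return t - (t - (LEAP - window)) / window


def stamp(clock, start: float, count: int, interval: float):
    """Timestamps `clock` assigns to `count` events `interval` s apart."""
    return [clock(start + i * interval) for i in range(count)]


def step_stamps_are_monotonic() -> bool:
    # Events every 0.25 s straddling the leap: the stepped clock goes backwards.
    return is_monotonic(stamp(posix_step, LEAP - 1.0, 9, 0.25))


def smear_stamps_are_monotonic() -> bool:
    return is_monotonic(stamp(posix_smear, LEAP - 1.0, 9, 0.25))


def smear_worst_interval_error(interval: float = 1.0) -> float:
    """Largest error in the measured gap between consecutive events during the
    smear: how far a one-second gap deviates from one second."""
    n = int(SMEAR_WINDOW / interval) + 1
    ts = stamp(posix_smear, LEAP - SMEAR_WINDOW, n, interval)
    return max(abs((b - a) - interval) for a, b in zip(ts, ts[1:]))


if __name__ == "__main__":
    print("local display:", local_wall_clock_strings())
    print("local monotonic:", local_ordering_is_monotonic(),
          "UTC monotonic:", utc_ordering_is_monotonic())
    print("step monotonic:", step_stamps_are_monotonic(),
          "smear monotonic:", smear_stamps_are_monotonic())
    print("worst smear error per 1 s gap: %.1f us"
          % (smear_worst_interval_error() * 1e6))
```

Run it and the local display comes out as 02:55:00, 02:56:00, 02:00:12, 02:30:00 while the UTC instants stay in order, which is exactly the screenshot effect. For the leap second, the stepped clock hands out non-monotonic stamps to events a quarter of a second apart, whereas the 24 hour smear stays monotonic and mis-measures a one-second gap by about 11.6 microseconds, comfortably below millisecond log resolution.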

Some systems and clocks don't adjust themselves, such as Sun.exe, a neat little Windows utility that displays a yellow or blue sun icon on the task bar depending on whether it is day or night. The times shown on its pop-up message about sunrise and sunset are wrong by an hour:

After terminating and restarting Sun.exe, the times are correct:

So it looks as if Sun.exe takes its time reference as it launches, not as it calculates and displays the pop-up message and colours the task bar icon.

Along with assorted battery-powered clocks around the place, the 1 hour error in Sun.exe is a trivial issue. For forensics purposes, accuracy of date-time-stamps to the second may be important when establishing the precise sequence of events, perhaps down to millisecond levels in some business situations (such as recording the precise moment that a bargain is struck in a volatile trading market). There might be safety or other implications as a result of strictly sequential activities getting out of sequence, unless the systems involved are coordinated to change at the same rate, which I guess is the reason for 'coordinated' in Coordinated Universal Time (i.e. UTC; the abbreviation was a compromise between the English 'CUT' and the French 'TUC', as if this wasn't confusing enough already). What matters there is relative time ... and no, I'm not going into relativity at this point.

Overall, though, we manage. As with the much-feared Y2K, we scrape through. We're quite resilient, you could say. It takes me maybe a couple of days to adjust my body-clock to the 1 hour changes between winter and summer time, or other stepwise changes that occur when I fly East or West through one or more time zones. Of course I could cross just one time zone at the very point the clocks change between summer and winter time to cancel out the changes but the stress of figuring out whether I should change my watch, by how much and which way, would be worse than just coping with it. I'm glad I don't schedule flights though. 

So here I sit at 07:30, roughly an hour after sunrise this Sunday morning, in daylight outside. Yesterday at this clock time, I needed the desk lamp on because it was still quite dark. This evening, it will be drink o'clock an hour earlier than yesterday. Drink o'clock is more daylight- than clock-related ... so I'd better push on. Things to do while it's light.

PS  As I tagged this blog piece, I realised that the issue has numerous implications for information security. There's more to it than it seems.

Mar 30, 2019

NBlog April - spotting incidents

'Spotting incidents’ is the brand new NoticeBored security awareness and training module for April.

It concerns vigilance, early detection and (where appropriate) prompt reporting of a deliberately diverse and open-ended set of information-related incidents, concerns and risks ... 

Whether you consider them to be incidents or not, suspicious activities and near-misses are also worth reporting if ‘early warning’ is something you and your management would appreciate. Nasty surprises are, well, nasty.  The sooner you know about trouble on the horizon, the more options you have, not least the possibility of deftly avoiding the minefields ahead.


The NoticeBored module concerns two critical early steps that kick-start the incident management cycle:

We have covered the remainder of the incident management process before and will do so again - in fact every single NoticeBored module concerns incidents since they are the very reason that information risks are of concern, and information security is necessary. 

Learning objectives

‘Spotting incidents’ is about identifying and reporting a wide range of information security-related incidents:
  • For the general staff audience, the awareness and training materials emphasize vigilance and diligence.  Simply put, we’re encouraging people to watch out for and report more stuff, as well as responding directly to threats (e.g. by not clicking suspicious links). 
  • For the management audience, the materials also cover reporting (e.g. enabling and actively encouraging staff to let management know about issues, incidents, risks, near-misses etc.) and edge forward into the analysis and response to reported incidents, including the need to disclose some incidents externally (e.g. privacy breaches).
  • For the professional audience, the materials touch on the ‘instrumentation’ of information systems and processes.  Automated flagging/alerting and logging of security-relevant events naturally complements the manual reporting by IT users, but is a neglected area of systems architecture and design.
Those three streams support each other, setting workers thinking and talking about this topic, fostering the security culture in a general way. It’s a good topic for socializing security among the organization because it is relevant to, involves and affects everyone.
Think about your learning objectives in this area. What are your organization’s challenges around spotting incidents? If you are struggling to deal with the volume of incident-related reports already flowing and reluctant to invite yet more, you’d better get more efficient at assessing, handling and using those reports! The preferred way to cut the volume of incident reports is to improve your information security, which includes improving the quality and relevance as well as timeliness of incident reporting.

Don’t just complain: raise your game!

As well as customizing the NoticeBored materials to suit your awareness branding and objectives, feel free to blend-in additional content.  Use the materials in the company newsletters and magazines, your intranet Security Zone, in awareness events and training courses, and for new employee induction or orientation purposes.

Get this module

Subscribe to NoticeBored for access to 'spotting incidents' and other creative security awareness and training materials, delivered fresh every month.