Welcome to NBlog, the NoticeBored blog

I spy with my beady eye ...

Feb 17, 2020

NBlog Feb 18 - neat and tidy

My perfectionist streak flared up with a vengeance today.

First I spent a productive couple of hours checking and revising the content of our generic/model Acceptable Use Policies, intending to include them in the updated InfoSec 101 module for March. 

Aside from reviewing and tinkering with the information content, this also involved standardising the formatting of the AUPs by using the same MS Word template with specific styles for all of them. The AUPs have been updated at various times in various NoticeBored modules and I noticed that, somewhere along the way, I must have changed the bullets and colouring for the 'acceptable use' and 'unacceptable use' points. Evidently I have also meddled with the boilerplate text that tops and tails each AUP, making them slightly inconsistent. To my beady eye, this will not do! 

Unsure how to name the model AUP files, I toyed with the idea of making a single multi-page document containing them all but customers may not want them all.  Instead I settled on a numeric naming scheme.    

As I was doing that, I noticed the document properties also needed standardising. The properties are stored with each document and affect the directory listings. To get to this picture of neatness ...

... I had to fiddle with the Tags and Authors for each of the 8 AUPs. 

The Tags are easy enough to update but changing the Author property is a little awkward: originally, the Author for all the files was "Gary" which, although technically correct, is not helpful for those who don't know it was actually little ol' me. I decided to use my unique email address instead, and soon discovered that updating the Author of both existing and new Word documents involves numerous clicks and typing. It always defaulted to Gary.

"There must be a better way!" I muttered to myself, and started by exploring the properties saved on the info tab of my Word templates - a bit of a mission since the templates are stored under my profile, and updates can't be saved while the templates are open. Instead, I had to follow this 8-step process:
  1. Create a new document using an existing template
  2. Update the template content
  3. Save the updated file as a template (in my default templates directory - I've been here before) with a new name
  4. Close the open file
  5. Navigate to the templates directory in Windows Explorer (made easier using a previously-saved shortcut) 
  6. Delete the original template
  7. Rename the revised template the same as the now deleted original
  8. Open a new document using the updated template to check it out.

Unfortunately, I soon discovered that the Author property on a Word template does not automatically carry forward to new documents created using that template, even though I am the only user of this PC. Instead, MS Office insists on using the "User name" stored in the General tab of my Word Options ...

Nothing as obvious as "Default author" though, oh no. That would be far too easy. Silly me.

So here I am, some two hours after noticing and deciding to fix those little discrepancies, still not entirely sure I've permanently fixed the problems but at least I've vented some of my angst and hopefully helped some of you avoid the same pitfalls.  If in due course I find the updated default Author does not also apply to PowerPoint, Excel and other Office files, I'll gnaw my knuckles rather bore you with another rant.

NBlog Feb 17 - tips on security induction sessions

The InfoSec 101 management presentation is coming along ... but I'll need to rein in my enthusiasm for all things yellow to refocus on the information security essentials: one of the challenges with induction training is keeping it within a tight timescale. 'Speak fast!' is not the answer because the audience probably won't take it all in, given that information security is just one of several important induction topics. It's trial by fire for them.

Some of our customers will have more time for induction training than others, so my cunning plan is to make the 101 presentations flexible. Customers who have the luxury of more time can elaborate on pertinent details and interact more extensively with the inductees. Those short of time may want to skim through or skip some of the slides ... but I hope to encourage them all to make the time to introduce inductees to the information security team. Making that personal link starts the long process of getting to know each other, with benefits on both sides as time goes on. For example, it's easier for workers to email, pick up the phone or drop in on someone they have already met, whether to ask a question, raise an issue or simply say "Hi!". 'Putting faces to names' is, to me, part of 'socialising information security', making it an integral part of the corporate culture. 

On that point, I will be encouraging NB customers to allocate suitable information risk and security pro's to conduct the induction courses, in person. Information Security's 'customer services' or 'help desk' people and experienced trainers are the obvious choices for this job. Furthermore, if the Information Security Manager or CISO or CEO turns up, in person, to say hello and reinforce some point or other (implying a little preparation), that sends a more subtle message about the importance of information security for new workers. It's a powerful technique to cut through the avalanche of information assaulting inductees.

If it is simply not practicable for the relevant InfoSec people to make the time to attend induction courses, other approaches include:

  • Playing a brief 'talking heads' video statement by the ISM, CISO or CEO;
  • A quick live phone call or videoconference appearance by the ISM, CISO or CEO during the session;
  • Showing 'meet the team' biographies - mugshots and a few choice words about the pro's in the InfoSec team (which, in fact, means everyone in the organization, including those currently in the induction session!). 
Another cool idea is to invite inductees to come along to Information Security events and meetings after the induction session - ideally specific, planned events within the next month or two, otherwise any regular or general-access events and meetings ... and in fact that's not a bad idea anyway: these are potentially complementary approaches, not necessarily alternatives.

I have other ideas up my sleeve for making the induction content stickier, more memorable, but that's enough for now. Over to you: what would you suggest?  Comments open! 

Feb 14, 2020

NBlog Feb 14 - this year's InfoSec 101 theme

I've come up with a new theme for the InfoSec 101 presentations this year, driven by a visual metaphor.  As I was picking out general-purpose security-related graphics from our stock for the slide decks, I noticed a preponderance of yellow ... which led me to think about warnings in nature (such as the yellow and black stripes of this wasp) and on the roads (driving hazards), plus the classic Red-Amber-Green traffic lights.

RAG colours are a simple visual cue, well suited to a basic induction or awareness refresher module. The concept gradually forming in my head is that we would like to get to green (as in "Go ahead, get on with the business ... safely") and, wherever possible, avoid the reds ("STOP!  Dangerous!"), so amber ("Caution: hazards") is the path trodden by the security awareness and training program. I have in mind using a few reds and greens to illustrate the range but mostly I think we'll focus on those ambers in the middle ground.  

The core message concerns vigilance, caution and situational awareness. We can't be there all the time, pointing out dangers to our colleagues, so they need to take responsibility for their own well-being - for example, hesitating and thinking twice about clicking those too-good-to-be-true offers sitting in their email inboxes and social media messaging.

We can even have a bit of fun with the roadsigns while we're at it, raise the odd laugh or wry smile maybe. Who says warning notices and awareness sessions should be dull and boring?

Feb 12, 2020

NBlog Feb 12 - terms of art

Yesterday I wrote about the laborious process of condensing our comprehensive 300+ page information risk and security glossary to something much more succinct and appropriate for inductees, new to the organization and the topic. So far, the InfoSec 101 glossary is down to just 15 pages but it's not finished yet. I am systematically reconsidering the relevance of each term and, for those destined to remain in the glossary, composing a straightforward explanation that encapsulates the concept in just a few simple words. 

Well that's the aim anyway! I balked at describing cryptography, even though I'd quite like everyone to have at least a rough idea of what it is about. Maybe today the inspiration will come. 

There's a nice bonus to all this: the terms that made it into the 101 glossary will go into a word-grid and possibly also a crossword if there's time. If people find unfamiliar words in the puzzles, they can look them up in the glossary to find out what they mean ... and it doesn't stop there: the glossary is designed to intrigue as well as inform. Any specialist terms in the explanations are hyperlinked to the corresponding entries, encouraging readers to click and read-on, hopefully browsing the whole thing. We want it to be as sticky as a tar-pit for newbies. In millennia to come, paleontologists will be digging out the bones of Novi operatur, a long-forgotten but remarkably vigilant humanoid species from the 21st Century. 

But wait, there's more! We also use word lists to generate word clouds, visual depictions of the topic that again intrigue and inform - this sort of thing:

That's one I created for the 'surveillance' awareness module, an unusual topic that led us through corporate oversight and security monitoring into the realm of spooks and spies. The words on the graphic remind me of our coverage when the module was prepared three years ago - things such as Ed Snowden's revelations about the NSA. For me, at least, visual depictions work amazingly well as memory prompts. I like mind maps for the same reason, using them to analyse, explain and recall the more technical areas, even relatively complex, challenging topics ... hence they often feature in our awareness materials.

Yes yes, I know, it's not all about me! I appreciate that words and pictures, technical content and challenging concepts are not to everyone's taste, so the approach we've taken with NoticeBored was explicitly designed to appeal to 'everyone'. For some people, even InfoSec 101 may be a struggle to understand. At the other end of the scale, some may be bored of the awareness notices or alarmed at our simplifications of deep and meaningful areas they know well. Some may not pay attention unless they are 'shown' stuff or given the chance to experience things for themselves. Some may prefer to figure it out under their own steam. Many will be busy and distracted by other shiny things, especially workers new to the job, being assaulted by induction materials on a host of topics apart from InfoSec 101 ... and I hope our valued customers have seized the opportunity to demonstrate to their colleagues in HR, Health & Safety, IT and other areas that being lectured at by an earnest, well-meaning but essentially overbearing and humourless presenter is perhaps not the best way to greet newcomers. A 3 minute video cartoon, or a 10 minute sermon, or some coercive game may work for some, but not all: diversity is the key, plus the stickiness of a tar-pit (you remember!).

Bottom line: there may be no silver bullet for security awareness but we've been delivering golden shotgun cartridges every month since 2003. 

Feb 11, 2020

NBlog Feb 11 - InfoSec 101 terms

Our  information risk and security glossary has grown steadily over the years to a document of 100,000 words over 346 pages defining about 3,000 terms. That's easily a book's worth (maybe we should publish it!), and way too much information for the InfoSec 101 module, so I spent yesterday paring it down to a more sensible size. 

The easiest approach was to chop out obscure/specialist terms and their definitions, then go through again to catch the ones I missed. 

Next I set to work trimming down the definitions for the remaining terms, simplifying the wording and removing the quoted extracts from the ISO27k and other standards and references. 

Some terms are context-dependent - they normally mean one thing but can mean something else. For the purposes of the 101 module, I've chopped off the 'something else' explanations.

So now we're down to 11,000 words and 40 pages, defining about 400 terms. Still more than I'd like. The most recent 2017 revision of the 101 module included a glossary of 2,000 words and 10 pages defining about 100 terms. Hmmm, it will be a struggle to get it down that far, but I'll give it a go. 

Time for another few cycles of chopping and trimming ...

Feb 8, 2020

NBlog Feb 8 - InfoSec 101

For March, we're working on our final NoticeBored security awareness module, an update to "InfoSec 101". Unlike the other NoticeBored modules, this covers several information risk and security topics at a basic level. Its main purpose is to provide a gentle introduction, for example in new employee induction or orientation training, or as a launch module for organizations just starting or re-starting their awareness and training programs, bringing everybody quickly up to speed.

So what should it cover? For the general staff audience, I'm thinking:
  • Information risk and security fundamentals, including common terms
  • Policies and procedures, with a touch of compliance
  • User IDs and passwords ... and why they matter
  • Backups
  • Patching
  • Phishing and other social engineering scams
  • Apps and mobile security
  • Ransomware and antivirus
  • Physical security in the office
  • Physical security when on the road or working from home
  • Cloud, Internet, network and system security basics
  • Vigilance: spotting, reacting to and reporting concerns
  • Who's who - putting faces to the names behind information security
For the management audience:
  • Information risk and security management basics e.g. net value of incidents avoided/reduced less the costs of control
  • A little more on compliance e.g. privacy
  • Roles, responsibilities and accountability, with a little on governance
  • Strategies, architecture, plans and big-picture-stuff
  • Insider/outsider threats including fraud
  • Awareness and training, plus motivation and culture, plus 'executive security'
  • Information security in business relationships e.g. with vendors, partners and customers
  • Security metrics, reporting and systematic improvement
  • Business continuity
For the professional audience:
  • Identification and authentication
  • Access controls
  • Logging, alerting and alarms
  • Cryptography fundamentals
  • Cybersecurity vs information security
  • Intellectual property? Copyright at least
That's already quite a lot. It would be easy to overwhelm people with too much all at once, or conversely to bore them stiff with trivial, superficial, condescending material. We need to find ways to help people navigate the content, touching on all the main points and, if they wish, dipping deeper where appropriate. Most importantly, the content needs to be interesting, engaging and relevant - which is another challenge since that depends, in part, on the business context: key awareness messages are bound to differ in emphasis if not content between, say, a tech company, a bank or a charity. That suggests an initial activity for the person or team receiving and thinking about how to use the awareness module ... figuring out what are the essentials, the things that everyone needs to know?

Feb 5, 2020

NBlog Feb 5 - YMMV

Once more today I find myself drawn into an interminable discussion over on the ISO27k Forum.

This time around, it's with a member who (as I see it) steadfastly refuses to remove his IT blinkers and acknowledge that - perhaps - there's more to information risk and security management than IT security, that he can't simply ignore the rest or claim/pretend that it's someone else's problem.

His little IT world defines his horizon, and everything beyond the edge is (to him) at once both unseen and scary.

And to be fair to him, I'm just the same. OK, so my blinkers don't say "IT" all over them but it's true I perceive the world in terms of information risks. I can't help it. It's how my brain works. I have something of an idea of what lies beyond that horizon, but nevertheless it's scary because that's not my domain of knowledge, experience and expertise. It's not my home turf. It makes me uncomfortable.

Take 'financial risk' for example. I know a tiny bit about return on investment, exchange rates, stock markets, money markets and so on ... but I'm well out of my depth when it comes to, say, futures and options. I thoroughly enjoyed reading Nick Leeson's book about his shenanigans that brought down the veritable British financial institution of Barings Bank but I freely admit that, despite his patient and eloquent description in the book, I didn't entirely understand the ins-and-outs of his fraud (nor indeed did the bank's managers and auditors, until it was too late!). Although the story sort of made sense at the time, I was struggling to understand and, now, I'd fall in a heap if I tried to recall and explain it.

Arguably there's a difference, though, between me and my rather naive, blinkered colleague on the ISO27k Forum. Specifically, I'm sufficiently self-aware to know my limits. If I wanted/needed to get into, say, financial risk, I'd seek out and rely on someone who's good at that stuff, someone with experience and reputation, probably qualifications too. To be crystal clear, even in outlining 'financial risk' above, I'm taking a punt. The terms are unfamiliar and awkward to me, the concepts vague and ill-defined in my little head, but I recognise and acknowledge that. That's the nub of it ...

... and in so describing the situation, I've yet again demonstrated my own myopic obsession with information risk, plus risk in general. 

I appreciate the information risk associated with the limits of my knowledge and expertise, and I'm willing to address them. That's a product of my world-view.  That I'm even blabbering on about it here is a further clue as to the narrowness of my perspective.

Your Myopia May Vary.

Jan 31, 2020

NBlog February - just-in-time security awareness

This afternoon, we completed, proofread and published February's security awareness module on malware, a few short hours before our (self imposed!) end-of-month deadline. 

The atmosphere in the office has grown increasingly tense this week as the deadline loomed. Early in January we took the decision to use the Travelex ransomware incident as a very topical (live!) case study for the module, and as such we were hostage to their timeline. By sheer chance, the main Travelex websites were up and running again this very morning, neatly tying off the month's events.

Comparing and contrasting the Sony and Travelex ransomware incidents has been fascinating: they each handled the situations in their own way, and yet there are common themes - for instance they were both forced to fend off an inquisitive (hostile!) pack of journalists. Travelex also made effective use of social media, and completed the main part of their recovery roughly twice as fast as Sony, so things have moved on in the five years since Sony Pictures Entertainment were all over the headlines with salacious gossip about film stars and wild speculation about North Korean cybertage.

Meanwhile, down here in rural NZ, our 4G wireless broadband Internet connection has been playing up something rotten. It's not good at the best of times but has been notably unreliable this week until, with perfect timing, the connection dropped out entirely as I was uploading the completed awareness module to our server. You probably know that we're a micro-company. I am the network technician, the IT Department in fact. Also the Procurement, Finance, Production, Marketing and Customer Services Departments, and yes I even make the tea. I'm not doing this totally alone, quite, but we rely on third party suppliers for various essential services, such as our comms. This week I could really have done with some technical help to get the broadband connection fixed while finishing the awareness materials, but as it was I found myself lashing-up a temporary Internet connection just to deliver the module at the most stressful time of the month.
On top of that, strong winds brought down trees across the track ... and guess who is the Chainsaw Operative part of the Grounds Maintenance Department!

Such is life. Business continuity is a challenge even for a microbusiness in sleepy NZ. But, like Travelex, we made it through and live to fight another day.

Over the next few days I'll catch my breath and crack on with a long to-do list, including (I hope!) a more durable fix for the broadband, plus preparations for the next and final NoticeBored monthly module. Although I know I'll miss the challenge, I'm really looking forward to leaping off this monthly treadmill, like an exhausted mouse. Hey, pass the cheese ...

Jan 30, 2020

NBlog Jan 30 - simplicity itself

"Simplicity is the default unless there's a good business reason to do something else. What is typically lacking are the business reasons ..."
That comment on CISSPforum set me pondering during this morning's caffeine fix. We've been chatting about some training webinar sessions recently promoted by (ISC)2. Some say they over-simplify information security to the point of trivialising and perhaps misleading people.

If you follow NBlog, you'll know that this month I have been slaving away on an awareness module covering malware, a topic we've covered many times before - particularly the avoidance or prevention of infections but this year a customer asked us for something on publicly disclosing incidents in progress, a disarmingly simple request that turned into a fascinating foray into the post-malware-infection incident management and resolution phase for a change. I've been exploring and writing about what does, could or should happen after malware 'hits' - from that dramatic moment the ransomware demands appear on everyone's screens, for example. 

What follows is quite an intricate and frantic dance, in fact, involving management, IT and other staff, customers, suppliers and partners, regulators/authorities, journalists and the news + social media etc. plus the Incident Management Team, infosec and business continuity pros trying to keep everything on track, the legal team figuring out who to sue, the compliance pros wondering how not to get sued, and various hired-hands helping with forensics, disinfection and finding then retrospectively plugging whatever holes were initially exploited by the malware. All the while, the menacing hackers and cybercrims are wielding big coshes in the shape of threats to make the disruption permanent and terminal, and/or to disclose whatever juicy tidbits of corporate and personal info they've previously stolen (the CEO’s emails, or browser history perhaps?). And all the while the systems, data, business processes/activities, websites and apps are being maintained, recovered or restored. Brands and relationships are under pressure, along with all the dancers. It's an intensely stressful time for them, I'm sure. 

The approach we've taken is to explore the timeline of an actual incident, in real time as it happens (as it happens), building a case study around the ongoing Travelex ransomware incident: the sequence forms a convenient thread to lead people through the story, thinking about what's going on at each stage and imagining how it would be if a similar incident happened 'here'. I’ve drawn up a simplified Travelex incident timeline in the same style as the one I drew for the Sony Pictures Entertainment fiasco 5 years back, pointing out some of the key events plus the phases of the overall process. The new Travelex version (‘in press’!) is simpler but remarkably similar since the sequence is much the same at this fairly high level. 

My point is that pictures help. They really do ‘speak a thousand words’. We use mind maps, diagrams, screenshots, flowcharts, Ishikawa-style risk-control spectra, animated PIGs and other eye-catching visuals extensively, making frequent use of Red-Amber-Green traffic-light colours and other visual cues. Most people still need to have stuff explained to them in written or spoken words, too, but the TL;DR; version is usually graphic. The graphics act as foils or prompts as well as summaries for the written or spoken words - in fact I seem to be naturally a ‘visual thinker’: it’s easier for me to write simply about complex stuff with a picture in mind, on the screen or scribbled on a scrap. 

In other words, we reduce ‘understanding a complex topic’ down to ‘explaining and expanding upon a few simple images’.

One of the nice things about that is our approach in practice, at 'run-time' when our content is actually being used in, say, an awareness session, workshop, course or online discussion, the way the materials are used depends on the presenter, the audience, the topic and its relevance to the organization, and the context (e.g. is it a half day session in a meeting room or half minute chat in the lobby?). Diagrams are much more flexible than text - although techniques such as headings, contents pages, side-bars, pullquotes and text boxes make it easier for people to skim through the text to pick out whatever catches their eye in, say, a briefing paper or report. Generally speaking, bright, colourful, 'interesting' pictures make the best eye-catchers.

If you’ve done much teaching and coaching, or you are some other sort of social engineer (!), you probably get it, although you probably have your own style and preferences too. There are ways and means of simplifying and explaining even complex stuff, step-by-step, top-down, bottom-up, middle-out, end-to-end or whatever. The visual approach works well for me. The real trick, though, is to explore and understand the topic well enough firstly to prepare said simple versions, and secondly to be able to explain them reasonably eloquently, preferably with enough enthusiasm and presence to engage with and motivate the audience. It’s all very well me writing a tidy stack of awareness and training content, but I can’t personally present and discuss this with our customers’ employees: that’s down to their awareness and training people … who first of all have to explore and understand the awareness content themselves! That’s why our PowerPoint slide decks have extensive speaker notes, supplementing and explaining the relatively simple and largely graphical slides. 

As if that’s not enough already, we also have to bear in mind the awareness audiences. Whereas most security awareness programs only address “staff” (sometimes known as “users” or “general employees”), we’re also keen to engage “management” and “specialists” too since they are key pieces in the infosec puzzle, with their own information needs and preferences. Management, for instance, has an obvious interest in the governance, strategy, policy, compliance, continuity and assurance aspects, plus of course risks, specifically information risk management, oh and let’s not forget “the business” – all of which are relevant in the post-malware-infection module. Likewise the IT, risk, continuity and compliance professionals have their own interests and concerns. The differences extend all the way down to the individuals: Freda in Accounts might be fascinated by the numbers – the headline figures and the graphs, whereas Alice in Engineering is far too busy and distracted right now and can barely even spare a sideways glance at the screen. John from IT might be colour blind, or plain blind, so all our hard work on those diagrams is wasted unless someone can conjour up the pictures for John.

Individuals vary in our preferred modes of learning too. Some of us like to read stuff (words and/or pictures) while others prefer to listen, be shown or experience things first-hand. Some simply accept new information at face value (especially if provided by an 'expert' or 'senior') whereas some challenge or are inspired to contemplate and explore the topic as their way of internalising it. A few reject stuff by default, only ever accepting things on their own terms. And yes, some simply can't be bothered, don't understand and/or don't care. We all have our off-days and Other Stuff Going On Right Now.

I guess either those (ISC)2 webinars are not aimed at the CISSPforum-type greybeard audience, or whoever prepared them comes from a different place - a high level outline thinker rather than a details-oriented geek, maybe, or a professional educator working to a budget from a prepared brief rather than an infosec pro working from knowledge, experience and a passion for the subject.

Simplification is good but even awareness, training and teaching are more complex than they appear, once you scratch the surface.

PS  Although I'd love to supplement or even replace this blog piece with a neat little diagram, I don't have the time to simplify things right now. That's the downside of graphics: visual creativity takes time to express. Must dash, module to finish ...

Jan 29, 2020

NBlog Jan 29 - taking it to the wire

Today since before 5am I've been slaving away over a hot keyboard in a steamy hot office on a flaming hot topic: malware awareness. 

As you may have noticed here on the blog, all month long I've been systematically tracking the ongoing Travelex incident, observing from a safe distance the unsightly aftermath of another ugly malware - and business continuity - incident unfolding before our very eyes.

With our end-of-month delivery deadline looming large, it's time to draw out the lessons from the case study and weave the whole episode into a compelling tale for February's awareness module - well, three closely-related tales in fact since as always we're catering for the differing perspectives, concerns and information needs of our customers' staff, management and professional audiences. 

What have we learnt this month? 

What has happened, and why? 

What do we think might/should have been going on behind the scenes, out of the glare of the media spotlight? What were the dilemmas facing Travelex's management and IT people?

How might things have played out if the incident had been handled differently?

And, most importantly of all, what are our carry-outs, our take-home learning points and the Things We Ought to be Doing? Taking the whole sorry episode into account, what does it mean for us, our organization, right now?

You'll find a few clues to the answers in the blog ... but for the full nine yards you'll need to hang on just a few short days until the awareness module is completed and published. 

Or of course you can invest something like 250 hours of your own time researching, writing and weaving your own set of security awareness and training content on this highly topical topic. Provided you can match or exceed the quality of our content, you'll be "quids in" if your salary and costs are below two measly dollars per hour!

Mutter mutter moan moan slave labour.

"Oh we need security awareness and training" they say. "Our people are the weakest links!" they exclaim. "Woe is me!  What am I to do?"  

I'm almost too modest to answer ... but not quite that daft.

Jan 28, 2020

NBlog Jan 28 - woe betide ...

.... any organization unfortunate enough to suffer a privacy breach today, of all days, being "Data Privacy Day". 

In the unlikely event that there are no new ones today, recent newsworthy breaches are liable to be trawled up and paraded across the media, again. 

I've been writing about preparing to deal with malware incidents all this month. Managing or controlling the publicity aspects is trickier than it may appear. Sony pulled a master stroke in getting its legal team to threaten action against journalists who continued to exploit the tittle-tattle disclosed in the Sony Pictures Entertainment breach five years ago - but that's not a universally applicable approach. Travelex did well to get basic, static web pages published quickly, plus a talking-heads video explanation/apology by the CEO ... but ask their retail customers whether they feel 'informed', while the promised restoration of services is patently taking longer than anyone (except perhaps the cybercrims behind the attack) wants.

Blend in the compliance aspects as well for good measure. I suspect British Airways and Marriott International, for instance, would have much preferred to take their corporal punishment under GDPR in private, rather than baring their bottoms on News At Ten.

There's a fine line between their being directly blamed for causing the incidents, and being blamed for failing to prevent them - a line which Public Relations teams might do well to consider. The real culprits here are the cunning VXers, hackers and cybercrims, rather than their targets. Defending all points at once is undoubtedly much tougher than exploiting one or more vulnerabilities. It's not a fair fight! Too bad: that's how it is ... but maybe it wouldn't hurt to explain that.

By the way, the issues multiply when you take into account the wide range of people and organizations who want to know and/or should be kept informed. Take employees, for instance: when the screens go dark in any IT-enabled organization, workers are left wandering and wondering. What can management say to explain the situation and reassure people? How can they even get their calming messages out if the comms are down? Same thing with suppliers, customers, partners, owners and authorities. This is where preparing for serious malware incidents makes good business sense. It sure beats leaving them all wandering and wondering!

(Some) IT, comms and information services are bound to degrade in and following an incident, but it takes deliberate effort to ensure they degrade gracefully, with dignity, rather than collapsing into a blubbering, smouldering heap.

Meanwhile, deep down in the engine room, are the IT pros frantically running in circles tearing their remaining hair out, or systematically following a tried and tested process for halting the incident, maintaining resilient services, restoring others and gathering the forensic evidence that might one day be necessary to prosecute the offenders? Again, preparation is key, especially when "time is of the essence" (which is always!).

If the lights go out before anyone has thought to get a torch, good luck with your fumbling.

Jan 27, 2020

NBlog Jan 27 - MD/CISO's question time

Seems I'm not the only ravenous shark circling the Travelex ransomware incident.

Over at the Institute of Chartered Accountants in England and Wales website, Kirstin Gillon points out there are learning opportunities for senior management in this "horror story".

Specifically, Kirstin suggests posing six awkward questions of those responsible for managing incidents and risks of this nature ...

Rhetorical questions of this nature are not a bad way to get management thinking and talking about the important issues arising - a valuable activity in its own right although it falls some way short of taking decisions leading to appropriate action. Admittedly, there's an art to framing and posing such questions. Kirstin's questions are along the right lines, a good starting point at least.

Faced with such questions, some Boards and management teams will immediately 'get it', initiating further work to explore the issues, evaluate the risks and controls more deeply, and if appropriate propose corrective actions to address any unacceptable risks. Others may need to be prompted, gently prodded or goaded to address these issues, particularly given the broader context of the organization's other risks, concerns and business initiatives. They all have other things on their plates.

Another possible approach, then, is for the CISO, Information Security Manager, Cybersecurity Manager, Business Continuity Manager, Compliance Officer, Privacy Office, IT Audit Manager etc. (ideally working as a team) to seize the initiative themselves by launching an internal investigation/project, or at least preparing a briefing for senior management on the current situation, preempting those awkward questions from above. Most likely the organization is already ahead of the game in some areas, behind in others so hopefully it's not all bad news. This strategy has the advantage that the professionals set the agenda and guide the discussion in ways that will probably enable them to Do What Must Be Done, while senior management can influence the outcome according to the business context, a handy combination.

[Hinson tip: most if not all six of those question can probably be answered using relevant security metrics. If your organization isn't already measuring patch latency and proactively monitoring the effectiveness of critical controls such as network and system security monitoring, backups, business continuity and supplier security management, then your problems run deeper still. You're bleeding out while the great whites are closing fast.]

A third possibility, of course, is to do nothing at all. Nil. Zip. Nowt. Look the other way, completely ignoring the entire Travelex/ransomware episode, perhaps pretending or claiming that it 'is irrelevant' and 'doesn't apply here'. Flat denial may work for some, for example if an autocratic Big Boss doesn't understand the issues, is too busy with other matters ... or is terrified he/she already knows the answers to those awkward questions and would rather not poke that particular beasty in the eye right now (especially in a way that would then make it tricky to deny accountability if a similar incident occurred). That suggests a different concern again, a governance issue.

A fourth approach involves focusing obsessively and interminably on the tiniest of wee tiny details. This is a favourite of Yes Minister's civil servants and the military administration in MASH. Avoid actually facing up to anything significant by swamping it with trivia and burying it in red tape. Get real busy paddling fast while going nowhere. This too is a governance issue, another troublesome one if it is endemic to the entire management structure ... which perhaps explains why so many municipalities have been hit hard by ransomware. Maybe they are soft targets, more willing to pay the ransom (the "cybersecurity tax"!) and hope for the best than make a genuine effort to find and fix their vulnerabilities. Or maybe they are literally incompetent, under-resourced and over-stretched, facing an impossible task.

I could continue but that's enough of this conjecture for today. I find it interesting to be heading into the area of governance, business, security and risk management, and accountability from what was initially a straightforward malware infection. Thank you Travelex (and Sony, and Norsk Hydro, and ...)

Jan 25, 2020

NBlog Jan 25 - data privacy day

On Tuesday, data privacy day, privacy will be top of the agenda.

Well, OK, not top exactly, not even very high if I'm honest.

And apart from mine, I'm not sure whose agenda I'm talking about.

Evidently it's about "data privacy", not other kinds of privacy, oh no.

If I'm coming across just a little cynically, then evidently I need to try harder.

I bumped into data privacy day while searching for something privacy related - I forget exactly what, now. Otherwise, it would surely have passed me by, and maybe you too, dear blog reader.

Anyway, data privacy day appears to date back to Jan 28th 1981 when Convention 108 was signed in conventional Europe. "The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" was among the first, if not the very first, data protection regulation, predating today's privacy laws and regs.

In 2006, the Council of Europe launched Data Privacy Day as an annual event on January 28th.

Data privacy day was later taken up by some American organizations. According to the Wikipedia page, participants in the 2016 "event" included the Anti-Phishing Working Group, Carnegie Mellon University, Cyber Data-Risk Managers, EDUCAUSE, Georgetown University, Federal Trade Commission (FTC), Federal Communications Commission (FCC), Federal Bureau of Investigation (FBI), Identity Theft Council, the Privacy Commissioner of Canada, New York State Attorney General Office, the UK Information Commissioner and Data Security Council of India. I have no idea if they are still involved this year, and frankly I can't be bothered to find out just as none of them, it appears, could be bothered to update the Wikipedia page in 4 years.

The fact that I had no idea data privacy day was coming up on Tuesday suggests that all those years of publicity haven't been entirely successful.

This year, StaySafeOnline from the National Cyber Security Alliance appears to be valiantly leading the publicity effort, although their website is playing hard to get: 

StaySafeOffline would be a more apposite domain. Well I guess that's one way to ensure data privacy: simply don't publish the data on the Interwebs. Bish bash bosh, job's a good'un.

I was hoping to take a look at the information they allegedly offer in support of data privacy day, but no such luck. However, I did find some info at a related site - StopThinkConnect"the global awareness campaign to help all digital citizens stay safer and more secure online" - including these tips:
Protect Your Personal Information
  • Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.
  • Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
  • Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. You can alternatively use a service like a password manager to keep track of your passwords.
An interesting selection of tips that, with no mention of browser security, or patching, or antivirus, or not sending personal info by email, or only disclosing personal info to trustworthy organizations, or checking privacy policies first, or totally avoiding social media and apps (!), or ... well clearly there are lots of things that they could have said but I get it: these are supposed to be a few succinct tips, which means someone had to select the very best. Hmmm. If it were me, I don't think I'd recommend writing down passwords as a way to protect personal information, even if it does avoid the need to navigate the hazards of the forgotten password/reset process. Odd, then, that they would casually mention password managers while also recommending 'positive' and memorable pass phrases (of at least 12 characters - a number plucked out of thin air I presume, and they missed the chance to mention punctuation and deliferate mispelings), rather than suggesting people use the password generators built-in to said password managers.

Summing up, data security day is a badly publicised, ill-conceived, poorly supported and not very effective effort to ... to ... well I'm not at all sure what it is intended to achieve, on just one day a year. Although admittedly I haven't put much effort into searching, I haven't found any stated objectives, which makes it hard to guage its success or otherwise. "Maybe that's a deliberate ploy to avoid accountability" said the cynical voice in my head.

I wish them well in their endeavour. I sincerely hope the day far exceeds my very low expectations. 


Jan 24, 2020

NBlog Jan 24 - information, data, knowledge And All That

On the ISO27k Forum lately we've been discussing something that comes up repeatedly, a zombie topic you could say since the discussion is never really settled to everyone's complete satisfaction. There's always more to say.

The discussion concerns the disarmingly simple phrase "information asset", used in some but no longer defined in any of the ISO27k standards. Among other things, we've discussed whether people/workers can be classed as information assets, hence information risks associated with people potentially fall within scope of an ISO27k ISMS.

Yesterday, Mat said:
"Knowledge is generally broken down into three different types - explicit, implicit, and tacit. When we are talking about classing employees as an asset or simply treating the information that they know as an asset, I think maybe this can be broken down further using these different knowledge types.
Explicit knowledge is knowledge that is easily transferable, can be recorded and stored. Things like standard work instructions, guides, procedures, policies. Due to the nature of this information, it seems obvious to class the information itself as the asset here - you can mitigate the risk of information loss simply by recording the information.
Implicit knowledge is the practical application of explicit knowledge. This can include knowing your way around a particular security product, or a particular piece of equipment. This type of knowledge is difficult to record, however, things like best practices are the best attempt although it's difficult to include the entire background knowledge of the best practice. Due to this, loss of this information is difficult to completely mitigate, and hence, I think the employee here could be classed as the information asset. The best mitigation is to keep the employee.
Tacit knowledge is the practical application of implicit knowledge. Examples of this are knowing not only a particular security product but how and why this product fits into your infrastructure. The small details which make the infrastructure whole - having the history of decisions and incidents which led to this point directly on hand. This type of knowledge is inherently most difficult to record and I think due to this, the employee would again be classed as the information asset. The best mitigation is to keep the employee."
That breakdown, described back in 1991 in the Harvard Business Review, makes sense in theory but things are rarely so neat and simple in practice. Information, data, knowledge And All That defies simplification.

Information that is ‘captured’ in some lasting physical form (Mat's ‘explicit knowledge’, captured in documentation, written words, diagrams, doodles, audio or video recordings, computer data, program code, emails, bloggings etc.) is never truly comprehensive or complete. Even War and Peace must surely have had parts where the author or editors trimmed it back, or decided not to go into details! However, once captured, information is more easily:
  • Stored
  • Communicated/passed on to others ... or withheld from them
  • Copied
  • Accumulated
  • Valued, sufficient for accounting, sales or other purposes
  • Disputed or challenged
  • Analysed
  • Expanded upon
  • Protected by intellectual property laws ... or pirated, plagiarized and disclosed inappropriately
  • Submerged, hidden, stolen, damaged/modified, garbled, deliberately mis-stated or destroyed in that physical form. It can certainly still be misunderstood or misinterpreted (ask any lawyer about the 'precision' of even formally-worded statutes and contracts!).
While physical storage media are not free, the real value of, say, a book or a computer disk comes from the information stored on it - the information content. I believe the same is true of people, particularly knowledge workers whose brains are more highly valued than their brawn.

Information that is presently ‘uncaptured’ (Mat's implicit and tacit knowledge) can still be withheld or communicated in an ephemeral form – such as someone shaking their head or nodding gently, or groaning, or clapping, or failing to step in and stop proceedings, when someone else is pondering some choice or decision. Those actions may never be permanently recorded or captured as such, just ephemerally observed (or missed!) by someone else.

Furthermore, the way or manner in which things are expressed is itself a form of information, meta-information you could call it. Shouting “STOP!!!” means something different to a muttered or whispered “stop”! The plain written instruction "Stop" leaves a lot unsaid ("Should I simply take my foot off the accelerator, or change quickly down through the gears, gently or forcibly apply the brakes or slam them on hard, deploy the parachute/anchor and brace for impact?").

Implicit and tacit knowledge includes 'thoughts', 'concepts' and 'ideas', ‘experience’, ‘expertise’, ’understanding’, ‘comprehension’, ‘wisdom’, 'creative works' such as art and inventions … and more, much more. It includes the frameworks and patterns that organise and interrelate, link or distinguish things as part of 'the bigger picture', including both the narrow and the broader context. Generally, this all accumulates during a person’s life, for some more than others. Some bits can be taught and learnt, others have to be internalized, or drawn out and refined through practice, or appear to be inherent capabilities or innate skills. Try as I might, I will never be an Olympic gymnast, chess grand master or concert violinist … but I believe I have a reasonable grasp of information risk and security, picked up over the decades – and I enjoy passing it on and debating things here and elsewhere (e.g. in conversations, presentations, courses, books, websites, articles, reports, emails …), partly because I enjoy thinking about and expressing things, contemplating the topic and learning new stuff from other people, expanding my own knowledge-bank at the same time. It's give and take.

Specifically, Mat twice said “The best mitigation is to keep the employee.” There are several issues with that. For a start, not all knowledge workers or sources are employees. Some are paid advisors or contractors, teachers etc., some are colleagues, peers, gurus or ‘thought leaders’ in a much more general way. Where would we be without Google, eh? Secondly, and more importantly, simply ‘keeping’ employees is seldom sufficient. They (we!) are neither possession nor pets. They need to be looked after, nurtured, rewarded, encouraged, challenged, given opportunities, pushed a little, cut some slack, guided, motivated, brought back in line, told to "stop waffling and get to the bloody point, Gary" and so on, in order to get the best of them. This is far from easy for those managing 'knowledge workers' and those whose knowledge seems to be locked inside them, out of reach, including people suffering stress and mental illness or ... whatever. The point is that we're all different, individuals, so a generic/simplistic approach is, at best, sub-optimal.

Circling back to the topic, in business and virtually all other contexts, information even in the form of intangible, ephemeral, implicit or tacit knowledge can obviously be an asset - something of value. If it's missing or damaged, we are poorer. Most of us make substantial efforts to gain it, even consciously investing in it. And, just like other investments, its value can vary: riskier investments generally offer higher returns but you may get back less than you invest.
“If I send my people on training courses to get better qualified, they’ll leave!” the reluctant manager explained. “Ah but”, said the wise advisor, “what if you don’t train them … and they stay?”
Is a worker the information asset, or is it their knowledge that is the information asset? Interesting question! Using Mat's breakdown:
  • Their explicit knowledge is already captured, making it available to exploit even without the person ... provided the knowledge capture is sound (accurate and complete - integrity properties) and available when needed;
  • Their implicit knowledge may be captured and then exploited so long as the person is there and is cooperating, and so long as someone (possibly the same person) has the inclination, resources and capacity to 'capture' it with integrity - which is far from certain;
  • Their tacit knowledge can be exploited but would be difficult or impossible to capture, or at least it would take an extraordinary effort to do so, and the worker must be available, willing to cooperate and able to disclose the knowledge or unable to prevent its disclosure.

The process of 'capturing' a worker's knowledge, then, turns out to have information security implications. There's much more to it than simply requiring the worker to "document what you do" or "write stuff down", especially as some of the most valuable knowledge is conceptual, complex, difficult to express in any form, particularly in writing (and here I am, struggling to express my thoughts and complete this little inconsequential blog piece!). Furthermore, knowledge that is valuable to the organization may well be of value to others, hence there are confidentiality aspects to it as well. Captured knowledge can be locked away in a vault but, oddly enough, workers generally resent being treated that way, their implicit and tacit knowledge becoming both harder to capture and less valuable during incarceration.

OK, that's more than enough rambling from me for now. I've got Things To Do, knowledge to capture and secure, animals to feed, a crust to earn. ... but somehow I suspect I'll return to this topic more than once. Perhaps on my business card, I should call myself a "Zombie wrangler".