31 Jan 2020
30 Jan 2020
"Simplicity is the default unless there's a good business reason to do something else. What is typically lacking are the business reasons ..."
One of the nice things about that approach is what happens in practice, at 'run-time', when our content is actually being used in, say, an awareness session, workshop, course or online discussion: the way the materials are used depends on the presenter, the audience, the topic and its relevance to the organization, and the context (e.g. is it a half-day session in a meeting room or a half-minute chat in the lobby?). Diagrams are much more flexible than text - although techniques such as headings, contents pages, side-bars, pullquotes and text boxes make it easier for people to skim through the text and pick out whatever catches their eye in, say, a briefing paper or report. Generally speaking, bright, colourful, 'interesting' pictures make the best eye-catchers.
Individuals vary in their preferred modes of learning too. Some of us like to read stuff (words and/or pictures) while others prefer to listen, be shown or experience things first-hand. Some simply accept new information at face value (especially if provided by an 'expert' or 'senior') whereas others challenge it, or are inspired to contemplate and explore the topic as their way of internalising it. A few reject stuff by default, only ever accepting things on their own terms. And yes, some simply can't be bothered, don't understand and/or don't care. We all have our off-days and Other Stuff Going On Right Now.
PS Although I'd love to supplement or even replace this blog piece with a neat little diagram, I don't have the time to simplify things right now. That's the downside of graphics: visual creativity takes time to express. Must dash, module to finish ...
29 Jan 2020
28 Jan 2020
27 Jan 2020
25 Jan 2020
In 2006, the Council of Europe launched Data Privacy Day as an annual event on January 28th.
Data privacy day was later taken up by some American organizations. According to the Wikipedia page, participants in the 2016 "event" included the Anti-Phishing Working Group, Carnegie Mellon University, Cyber Data-Risk Managers, EDUCAUSE, Georgetown University, Federal Trade Commission (FTC), Federal Communications Commission (FCC), Federal Bureau of Investigation (FBI), Identity Theft Council, the Privacy Commissioner of Canada, New York State Attorney General Office, the UK Information Commissioner and Data Security Council of India. I have no idea if they are still involved this year, and frankly I can't be bothered to find out just as none of them, it appears, could be bothered to update the Wikipedia page in 4 years.
The fact that I had no idea data privacy day was coming up on Tuesday suggests that all those years of publicity haven't been entirely successful.
Protect Your Personal Information
- Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.
- Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
- Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
- Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. You can alternatively use a service like a password manager to keep track of your passwords.
24 Jan 2020
The discussion concerns the disarmingly simple phrase "information asset", used in some of the ISO27k standards but no longer defined in any of them. Among other things, we've discussed whether people/workers can be classed as information assets, and hence whether information risks associated with people potentially fall within the scope of an ISO27k ISMS.
"Knowledge is generally broken down into three different types - explicit, implicit, and tacit. When we are talking about classing employees as an asset or simply treating the information that they know as an asset, I think maybe this can be broken down further using these different knowledge types.
Explicit knowledge is knowledge that is easily transferable, can be recorded and stored. Things like standard work instructions, guides, procedures, policies. Due to the nature of this information, it seems obvious to class the information itself as the asset here - you can mitigate the risk of information loss simply by recording the information.
Implicit knowledge is the practical application of explicit knowledge. This can include knowing your way around a particular security product, or a particular piece of equipment. This type of knowledge is difficult to record; however, things like best practices are the best attempt, although it's difficult to include the entire background knowledge of the best practice. Due to this, loss of this information is difficult to completely mitigate, and hence, I think the employee here could be classed as the information asset. The best mitigation is to keep the employee.
Tacit knowledge is the practical application of implicit knowledge. Examples of this are knowing not only a particular security product but how and why this product fits into your infrastructure. The small details which make the infrastructure whole - having the history of decisions and incidents which led to this point directly on hand. This type of knowledge is inherently most difficult to record and I think due to this, the employee would again be classed as the information asset. The best mitigation is to keep the employee."
- Communicated/passed on to others ... or withheld from them
- Valued, sufficient for accounting, sales or other purposes
- Disputed or challenged
- Expanded upon
- Protected by intellectual property laws ... or pirated, plagiarized and disclosed inappropriately
- Submerged, hidden, stolen, damaged/modified, garbled, deliberately mis-stated or destroyed in that physical form. It can certainly still be misunderstood or misinterpreted (ask any lawyer about the 'precision' of even formally-worded statutes and contracts!).
“If I send my people on training courses to get better qualified, they’ll leave!” the reluctant manager explained. “Ah but”, said the wise advisor, “what if you don’t train them … and they stay?”
- Their explicit knowledge is already captured, making it available to exploit even without the person ... provided the knowledge capture is sound (accurate and complete - integrity properties) and available when needed;
- Their implicit knowledge may be captured and then exploited so long as the person is there and is cooperating, and so long as someone (possibly the same person) has the inclination, resources and capacity to 'capture' it with integrity - which is far from certain;
- Their tacit knowledge can be exploited but would be difficult or impossible to capture, or at least it would take an extraordinary effort to do so, and the worker must be available, willing to cooperate and able to disclose the knowledge or unable to prevent its disclosure.
23 Jan 2020
Aside from malware (malicious software), what other kinds of “wares” are there?
- Abandonware – software long since given up on by its author/support krew and left to rot
- Adware – software that pops up unwelcome advertisements at the least appropriate and most annoying possible moment
- Anyware - web-based apps that can be used while in the office, on the road, in the bath, wherever ... provided the Internet is accessible
- Beggarware – smelly, homeless software that periodically rattles its virtual cup, begging loose change "for a cup of tea"
- Bloatware – software that has grown fatter than a week-old beached whale with ‘features'
- Botware - software to stop the bots becoming bored and naughty
- Brochureware – over-hyped marketing, promotional or advertising copy about alleged new software (also known as vaporware, neverneverware and noware)
- Courseware – software for courses
- Coarseware – software for curses
- Crapware – software so badly designed and written as to be worth flushing away
- Crimeware – software used by criminals for various nefarious purposes
- Crippleware – cheap or free software with deliberately restricted functionality to coerce users into buying the full version
- Firmware – low level software burnt into microchips and embedded in hardware, or possibly Viagra spam
- Floppyware – software delivered on floppy disk, or maybe yet more spam about Viagra
- Freeware – software generously given away by its owners, some of it worth every penny
- Glassware – highly fragile software, likely to smash to smithereens with the slightest knock
- Groupware - software supporting group activities (work-related, not sex, oh no)
- Hardware – computer equipment, IT stuff, equipment, kit
- Houseware – IT stuff at home, including all those IoT things that have quietly snuck in while our backs were turned
- Malware – malicious software: viruses, worms, Trojans, ransomware, APTs and so forth
- Middleware – a layer of software linking applications to other applications, operating systems and hardware, not as sweet but just as messy as the jam in a sandwich
- Ransomware – malware that coerces victims into paying a handsome ransom for the safe return of their loved ones - their invaluable IT systems and data; may involve 'proof of life' in the form of decrypted content
- Scareware – scary malware that terrifies victims into needlessly paying a trumped-up “fine”
- Shareware – software shared among evaluators, cheapskates, skinflints and pirates
- Shelfware – policies and procedures that languish unread and unloved on the shelf, collecting dust
- Sneakerware – software delivered on foot e.g. on a potentially infectious USB stick
- Software – computer programs, apps and other fluffy stuff
- Spyware – sneaky, spooky, voyeuristic software that secretly spies on the user
- Tupperware – branded plastic containers carrying blank CD-RWs or lunch
- Underwear – undies, frillies, lingerie, pants, togs, daks, knickers, cheese-cutters, unmentionables ... offering a very personal form of privacy
- Warez – ripped-off software stolen and traded by pirates who evidentally cant spel
- Wetware – human beings, being mostly water and sometimes full of steam
- Ware's Wally? Malware is usually well hidden, although it doesn't wear stripy tops, attempting to blend in with massive crowds on stripe-day
- Workware – uniforms and clothes used by workers … plus intrepid social engineers
Which of those “wares” could be used to exploit our organization? Think of realistic incidents or scenarios in which this has happened or might occur.
PS Leaving aside the very silly ones, there are at least 50 legitimate 'wares'.
22 Jan 2020
- Scammers seizing control of DNS records to redirect traffic from corporate websites to their own;
- Scammers using fraudulently obtained or fake digital certificates, or exploiting browser vulnerabilities, to undermine HTTPS controls;
- Phishing where victims are socially-engineered into believing they are interacting with the lure organization's website;
- Fake apps, spyware and bank Trojans designed to steal login credentials and other confidential information while maintaining the facade of normality;
- Cybersquatters registering domains similar to legitimate corporate domains with different extensions, typos or lookalike characters, intending to mislead visitors;
- Counterfeiting, where branding, logos, packaging etc. are used to dupe victims (consumers and sometimes also retailers and corporate customers) into buying fake and usually substandard products;
- Various telephone, email and social media scams involving misrepresentation and other social engineering methods to mislead and defraud victims who mistakenly believe they are dealing with legitimate companies, authorities or other trusted bodies.
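The cybersquatting point above lends itself to a simple defensive check. As an added example (not part of the original post), the code below takes domains observed in, say, certificate transparency or DNS logs and flags those that differ from the corporate domain only by extension, by a typo, or by lookalike characters. The corporate domain, the observed domains and the short confusables table are all constructed for illustration, and the domain splitting assumes single-label suffixes such as .com.

```python
import unicodedata

# Constructed, deliberately short confusables table (a real check would use a fuller list).
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CHAR = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y"}

def normalize(label):
    """Lower-case and fold confusable characters so lookalikes compare equal."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, rep in MULTI_CHAR.items():
        s = s.replace(seq, rep)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in s)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-slip typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain):
    """(registrable label, extension); assumes single-label suffixes like .com, not .co.uk."""
    labels = domain.lower().strip(".").split(".")
    if labels[0] == "www":
        labels = labels[1:]
    return labels[-2], labels[-1]

def classify(candidate, legit):
    """Why `candidate` resembles `legit`: extension, lookalike or typo; None if legit/unrelated."""
    cand_core, cand_ext = split_domain(candidate)
    legit_core, legit_ext = split_domain(legit)
    if (cand_core, cand_ext) == (legit_core, legit_ext):
        return None  # the genuine corporate domain itself
    if cand_core == legit_core:
        return "different extension"
    if normalize(cand_core) == normalize(legit_core):
        return "lookalike characters"
    threshold = 2 if len(legit_core) >= 8 else 1
    if edit_distance(normalize(cand_core), normalize(legit_core)) <= threshold:
        return "typo"
    return None

def scan(seen, legit):
    """Flag every observed domain that resembles the corporate domain, with the reason."""
    hits = [(d, classify(d, legit)) for d in seen]
    return [(d, why) for d, why in hits if why]
```

Run `scan(["example-bank.co", "examp1e-bank.com", "ex\u0430mple-bank.com"], "example-bank.com")` (constructed values) to see the three categories reported side by side.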
21 Jan 2020
“Exceptions” are unauthorized non-conformance or non-compliance situations. For example, if the organization has a policy to use multi-factor authentication for all privileged system accounts, a privileged account that only has single-factor auth for some reason (maybe an oversight or a practical issue) would constitute an exception: something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management.
- The situation at hand varies substantially from that authorized e.g. if the compensating controls are not actually in operation, or if the authorized exemption period has expired (yes, even exemptions have to be complied with ... perhaps implying the need for compliance checks and other control measures if the information risks are significant);
- The information risks are materially different from those accepted e.g. if they were misunderstood or misstated/misrepresented when someone applied for the exemption. If incidents have occurred on the test system that would have been prevented by multi-factor auth, that suggests the need for management to revisit the authorization of the exemption and perhaps hold the Test Manager to account for the incidents, demanding appropriate corrective action.
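To make the exception/exemption distinction concrete, here is an added example (not from the original post) that reviews a constructed register of privileged accounts against the multi-factor authentication policy: an account without MFA is an exception unless it has a current, management-authorized exemption whose compensating controls are actually in operation. Account names, dates and control names are all constructed; the "risks materially different" case is a judgement call and is not something this mechanical check can decide.

```python
# Constructed inventory of privileged accounts and whether MFA is actually enforced.
ACCOUNTS = {"dba-prod": True, "svc-backup": False, "admin-test": False,
            "admin-legacy": False, "root-build": False}

# Constructed exemption register: authorized departures from the MFA policy, each with an
# expiry (ISO date string, so plain string comparison orders correctly) and the
# compensating controls that must be in place while the exemption runs.
EXEMPTIONS = {
    "admin-test":   {"expires": "2020-06-30", "requires": {"ip-allowlist", "session-logging"}},
    "admin-legacy": {"expires": "2019-12-31", "requires": {"ip-allowlist"}},
    "root-build":   {"expires": "2020-06-30", "requires": {"ip-allowlist", "session-logging"}},
}

# Constructed record of which compensating controls are observed to be operating.
CONTROLS_IN_PLACE = {
    "admin-test": {"ip-allowlist", "session-logging"},
    "admin-legacy": {"ip-allowlist"},
    "root-build": {"ip-allowlist"},  # session logging was quietly switched off
}

def review(accounts, exemptions, controls, today):
    """Classify every privileged account lacking MFA as an exception or a valid exemption."""
    findings = {}
    for name, has_mfa in accounts.items():
        if has_mfa:
            continue  # conforms to policy; nothing to report
        ex = exemptions.get(name)
        if ex is None:
            findings[name] = "exception: no MFA and no authorized exemption"
        elif ex["expires"] < today:
            findings[name] = "exception: exemption expired on " + ex["expires"]
        else:
            missing = sorted(ex["requires"] - controls.get(name, set()))
            if missing:
                findings[name] = ("exception: compensating controls not in operation: "
                                  + ", ".join(missing))
            else:
                findings[name] = "exemption: authorized until " + ex["expires"]
    return findings

if __name__ == "__main__":
    for account, status in review(ACCOUNTS, EXEMPTIONS, CONTROLS_IN_PLACE, "2020-01-21").items():
        print(account, "->", status)
```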