Welcome to the SecAware blog

I spy with my beady eye ...

28 Aug 2020

NZ Stock Exchange DDoS continues

The New Zealand Stock Exchange is having a rough week.  Under assault from a sustained DDoS attack, its web servers have crumpled and fallen in an untidy heap again today, the fourth day of embarrassing and costly disruption.

DDoS attacks are generally not sophisticated hacks but crude overloads caused by sending vast volumes of data to overwhelm the servers.  

The Host Error message above shows "RedShield" which appears to be a security service remarkably similar to a Web Application Firewall (although the company claims to be producing something far better) ...

If so, RedShield appears to be passing DDoS traffic to the stock exchange web servers, which can't cope. Presumably this particular DDoS attack does not fit the profile of the attacks that RedShield is designed to block; in other words, RedShield is patently not preventing the DDoS.

I don't know whether RedShield is supposed to block DDoS traffic and is failing to do so, or if DDoS protection is simply not part of the RedShield service. Either way, it appears a DDoS attack is causing business impacts.

Whether RedShield is still working as designed to block application-level attacks is a moot point if the web servers are down ... but it is possible that the DDoS attack may be an attempt to over-stress the security systems, allowing more sophisticated hacks to leak past the weakened defences.  Hopefully, RedShield is still faithfully blocking all of them.

More likely, I suspect, this is a classic DDoS extortion: the attackers are demonstrating their power to disrupt the Stock Exchange's business, repeatedly, despite the defensive measures in place, as a way to force the Exchange to pay a ransom (probably - they are understandably reluctant to reveal the details with the spooks at GCSB actively investigating the incident).

Defences against DDoS attacks start with the basics such as network and server security, plus the policies and procedures to make sure the controls are effective in practice. Routine security monitoring and incident responses should include characterising the attack in progress, leading to active responses ranging from 'simply' disconnecting the network feeds (perhaps literally pulling the cables out) to filtering, diverting or slowing down the network traffic, ideally blocking the malicious traffic while allowing legitimate traffic to flow as normal. I'm talking about fairly conventional network security controls (mostly firewalls), albeit with sufficient throughput to cope with the onslaught. 
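As an added illustration (not code from the original post, nor from the Exchange or RedShield), here is a small Python script for the 'characterise the attack in progress, then filter' step described above: it parses web-server access-log lines in Common Log Format, summarises the traffic, flags sources whose request rate exceeds a threshold within a sliding window, and emits drop rules for an upstream firewall. The log lines, IP addresses and thresholds are constructed for the example; real monitoring would feed the live logs and tune the window and threshold to the site's normal traffic.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: source, identity, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def characterise(lines, top=3):
    """Summarise the traffic: total volume, most-requested resources, busiest sources."""
    recs = [r for r in map(parse_line, lines) if r]
    return {"requests": len(recs),
            "top_requests": Counter(r["req"] for r in recs).most_common(top),
            "top_sources": Counter(r["src"] for r in recs).most_common(top)}


def flood_sources(lines, window_s=10, max_requests=100):
    """Return {src: peak} for every source that exceeds max_requests within any
    sliding window of window_s seconds. Lines are assumed to be in per-source
    time order, as a web server writes them; legitimate low-rate clients are
    never flagged, so their traffic keeps flowing."""
    recent = defaultdict(deque)
    peaks = {}
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests:
            peaks[rec["src"]] = max(peaks.get(rec["src"], 0), len(q))
    return peaks


def block_rules(peaks):
    """Turn flagged sources into iptables drop rules for the upstream filter."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(peaks)]


def make_sample_log():
    """Constructed sample log: two legitimate clients plus one flooding source."""
    base = datetime(2020, 8, 28, 9, 0, 0, tzinfo=timezone(timedelta(hours=12)))

    def fmt(src, ts, req):
        return f'{src} - - [{ts.strftime(TS_FMT)}] "{req}" 200 512'

    # legitimate clients: one request every 5 seconds for a minute
    lines = [fmt(src, base + timedelta(seconds=5 * i), "GET /market-data HTTP/1.1")
             for i in range(12) for src in ("198.51.100.10", "198.51.100.11")]
    # flooding source: 30 requests per second for 10 seconds
    lines += [fmt("203.0.113.5", base + timedelta(seconds=s), "GET / HTTP/1.1")
              for s in range(10) for _ in range(30)]
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print(characterise(log))
    flagged = flood_sources(log)
    print(flagged, block_rules(flagged))
```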

Almost certainly the responses would need to be coordinated with Internet service providers, internal IT service providers, and the authorities. Given the clearly disruptive impacts on the business, a crisis team would be liaising with all involved while keeping senior management and other stakeholders informed. From personal experience, this is an extremely stressful time for all involved, all the more so if there was inadequate preparation i.e. business continuity management, crisis planning, incident management exercises etc. with lashings of security awareness and training.  [If it turns out the Exchange was not, in fact, adequately prepared for this, there are governance and accountability implications for senior management. DDoS is just one of several 'real and present dangers' for any Internet connected business.] 

From there, the sky's the limit in terms of potential investment in increased server and network capacity, resilience, flexibility and redundancy, even cloud-based DDoS mitigation services such as Cloudflare and Akamai and other business continuity arrangements designed to guarantee at least a minimal level of service for essential business activities. Quite possibly these are in effect and working just fine right now, despite the apparent disruption to the Exchange's website: I have no inside track here but I'll be watching the news with interest as the incident unfolds. [Normally, I would be busy preparing a case study for security awareness purposes but since the NoticeBored service has ended, I'm spending my valuable time on Other Stuff, such as writing this very blog.]

27 Aug 2020

Creative teamwork post-lockdown

A couple of days ago I blogged about MURAL, just one of many creative tools supporting collaborative working. If you missed it, please catch up and contemplate how you might use tools such as that right now for teamworking during the COVID19 lockdowns.

Today I've been thinking about 'the new normal' as the world emerges from the pandemic, inspired by the intersection of two threads.

Firstly, thanks to a Zoom session with participants and presenters from Queensland, I've been reading up on "industry 4.0". I'm not totally au fait with it yet but as I see it the key distinguishing features are:
  • Ever-increasing automation of manufacturing, with smart devices and robotics supplementing the capabilities of both manual and knowledge workers;
  • Industrial IoT, coupling sensors and actuators on the production line with each other, allowing workers to interact with the machinery through screens and keyboards etc. and a growing layer of automation smarts and networking;
  • Ever-increasing reliance on IT, data, analytics, systems and artificial intelligence (with implications for risk, resilience, reliability and security);
  • New capabilities, particularly in the specification and design areas - such as virtual reality simulations and rapid prototyping of jigs, machines and products by "additive manufacturing" (industrial 3D printers);
  • An increasing focus on adding value through knowledge work in research and development plus product service/support, de-emphasising the manufacturing production core activities (which, I guess, started with the off-shoring of manufacturing to low-wage economies, and is now leading to both on- and off-shore automated manufacturing);  
  • Rapid innovation and change, leading to difficulties in strategic corporate planning (with credible planning horizons falling to just a couple of years!) and personal career planning (e.g. how can workers learn to use tools and techniques that either aren't refined enough to be taught, perhaps not even invented yet?);
  • Shortages of people with the requisite skills, knowledge and adaptability, able to thrive despite the challenges and seize opportunities as they arise.
Secondly, various governance experts have been grappling with changes brought about directly and suddenly by COVID19, and what remains to be done as we collectively recognise that, thanks to dependencies, incidents can spread ripples far and wide through the extended supply networks we've built. For example, through a YouTube session, David Koenig emphasised the governance need for resiliency, implying not just a greater appreciation of supply network risks, but better quality information and stronger control of those risks. David promotes a positive view of risk, in other words boards and senior exec management deliberately taking risks where that best serves the needs of the business and its stakeholders (implying a convergence of their clear rooftop view of the rapidly changing external environment with solid management information about the situation way down in the engine room, driving the corporation towards effective and efficient achievement of its business objectives). 'Taking risks smartly' is cool. 

[Aside: where do you stand on this if you are an infosec pro? Do you accept the duality of risk and opportunity, or that the "exploitation" of information can be both illegitimate and legitimate? Do you see information risk as a business and human issue, rather than purely a technology issue? If so, you may be CISO material!]

So, this evening I'm wondering about the governance and enterprise risk management aspects of Industry 4.0. Yes there are all manner of risks associated with automation, industrial IoT, rapid innovation and change ... but at the same time there is significant potential for strong organisations that understand what they are getting into, and are both willing and able to exploit opportunities opened up, in part, by COVID19.

I'm intrigued by the possibility of small, nimbler, innovative organisations collaborating to take down the industry goliaths - the lumbering supertankers. Those creative collaborative teamworking tools I mentioned earlier could be game-changers. Being frank about it, although some SMEs will fail valiantly, they are more expendable than those misguided supertankers heading inexorably for the rocks. 

Now is the time to be bold, SME friends! Watch your ankles, goliaths! 

26 Aug 2020

ISMS templates

Systematically checking through ISO/IEC 27001:2013 for all the documentation requirements is an interesting exercise. Some documents are identified explicitly in the standard and are clearly mandatory, while many others are only noted in passing, often in ambiguous terms or merely alluded-to ... which can make it tricky to both comply with the standard and persuade the certification auditors of that.

Here's an example, one of the document templates from SecAware ISMS Launchpad:

That succinct one-pager addresses two requirements from the standard:
  • Clause 9.2 (c) says (in part) "The organisation shall plan, establish, implement and maintain an audit programme(s)" - an explicit documentation requirement that the certification auditors will definitely check for compliance;

  • Clause 9.3 says (in part) "Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness." - an implicit documentation requirement that the certification auditors will probably check for compliance, and although the standard doesn't literally demand it, they may well insist on seeing written evidence that management reviews have been planned.
Those clauses lay out fairly succinctly what it means to internally audit and management-review the ISMS: I have interpreted the requirements in terms of activities that might be performed quarterly over two years as shown on the schedule, with brief descriptions of the approaches to be taken ... but, as with all the SecAware materials, they are merely generic suggestions that customers are encouraged to adapt.

Large, mature organisations with Internal Audit functions, for instance, may well engage them to plan and perform the ISMS internal audits using their conventional audit approach and whatever associated documentation they normally produce. They may prefer to audit the ISMS just once during the three year certification cycle, or conversely they may want to focus on a series of specific areas of risk and concern over successive audits, perhaps integrating the ISMS audit work with other IT, risk, cybersecurity or compliance audits.

Small organisations may feel that the absolute minimum of audits and reviews will suffice for them since they are short of resources and are already tackling all the significant issues anyway - but determining 'the absolute minimum' involves interpreting the wording of the standard very carefully, and then hoping the certification auditors accept whatever they do. 

Yesterday I completed a supplementary document template with the scopes and objectives of those audits and reviews. Today I'm developing a fill-in-the-blanks reporting template to be used for both audits and reviews: again, these are simple, generic documents, designed to be customised. Based on my experience in this area, we provide 'typical' generic templates in the hope of inspiring customers to develop whatever they need. 

Imagine yourself implementing clauses 9.2 and 9.3 of the standard in your organisation. Faced with those requirements, would you know what to do - how to go about the audits and reviews? Or would you be scratching your head, staring blankly at the screen wondering where on Earth to start? We can help with that! 

Find out more about the first two packs of SecAware ISMS templates, and keep an eye on this blog for news of the third one, currently in preparation.    

24 Aug 2020

ISMS comms plan

Yesterday I started preparing an ISMS communications plan to satisfy ISO/IEC 27001:2013 clause 7.4, with a little help from the Web.

Naturally I started out with the standard itself. Clause 7.4 doesn't literally demand that organisations must have a "communications plan" as such, otherwise it would have been one of the mandatory documents included in SecAware ISMS Launchpad. Oh no, it's more circumspect: the standard says "the organization shall determine the need for internal and external communications relevant to the information security management system" ... and proceeds to outline - yes, you guessed it - a "communications plan".

ISO/IEC 27003:2017 confirms our assessment by stating explicitly:
"Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system".
In other words, a documented comms plan is discretionary - advised as good practice but not strictly demanded of every organisation for '27001 compliance certification.

Well anyway, let's do it! To comply with the standard, what should typically be communicated in respect of the ISMS, when, to and by whom, and by what means?

ISO/IEC 27003 offers examples of the things that should be communicated:
  • Information security policies and procedures, plus changes thereto;
  • [The organisation's] Information [risk and] security objectives;
  • Knowledge on information security risks; 
  • Requirements [of information] suppliers; 
  • Feedback on the information security performance (not least the certificate of compliance with '27001 and asserted conformance with privacy laws);
  • [Information about relevant] incidents and crises. 
Hmmm, as you can guess from the [insertions] in the list, while reading the advice I'm already putting my own slant on this, thinking about how the organisations I've previously worked/consulted with interpreted the standard's concise/minimalist advice, and what I would do now.

Next I set to work drafting the template in the form of a summary followed by a table with three columns (when, internal comms and external comms), rows for each quarter of a year and bullet points outlining the nature of the comms in each case. A simple 3½-page two-year comms plan covering the period up to and beyond certification came together in no time. 

Here's a taster, a glimpse of the first ½-page as originally drafted:

The sequence of communications mirrors the ISMS implementation project from initial approval through building the ISMS to certification and then business as usual as the ISMS settles down and gradually matures - hence the comms plan is pretty close to being an ISMS implementation project plan, including management comms about the progress of the project.

Have I neglected anything important though? I turned to Google and found useful guidance in the first few search results:
  • Jean-Luc Allard, a respected member of ISO/IEC JTC 1/SC 27, takes the opportunity while writing for Advisera to elaborate on the standard's requirement. I appreciate his advice to consider comms as a two-way street: I will incorporate that into the template comms plan.

  • ISMS.online has quite a bit of advice albeit much of it concerns how their ISMS cloud service generates information in a form that could usefully be communicated. They point out the link to discretionary control A.7.2.2 on security awareness which is already in the plan anyway: maybe we should mention A.7.2.2 in the preamble though.

  • Ben Woelk, program manager for the Information Security Office at Rochester Institute of Technology, has published a detailed ISO comms plan - 16 pages laying out all the things they planned to communicate as part of their ISMS. I anticipate our customers using the templates to develop something along these lines, customised of course to suit their specific requirements ... but the SecAware ISMS templates are much shorter and generic.  We are deliberately offering a bare-bones starting point hoping to inspire customers to develop the templates as they need, rather than a comprehensive out-of-the-box 'solution' which is unlikely to suit every customer. Nevertheless, Ben's inclusion of the goals and strategies for his comms plan is a cool idea, something again we can mention in the preamble.
I could continue laboriously trawling the remaining 1.7 million Google results (!) for inspiration but life's too short. Already I have the impression that the template comms plan is fine with just a little adjustment to the preamble - that summary section up-front that explains what the plan is about and intends to achieve. For example, it should mention who will be involved in preparing, authorising and delivering the comms (several people from various functions). So that's one of today's tasks on the to-do list.

First, though, I need to feed our ravenous ewes, lambs, goats and kids, two tame deer, a small flock of chooks and a house cow called Ginger. The sky is blue, the sun shining brightly, another glorious Spring day in rural New Zealand. Feeding out is an opportunity to think.

PS  This blog piece has taken me at least as much time and effort to write as the comms plan itself, but I hope you find it useful to hear about the work that goes into the SecAware ISMS templates and other materials.

20 Aug 2020

Creative teamwork in lockdown

Inspired by a heads-up from a colleague on LinkedIn, I bumped into MURAL today.

MURAL is a 'digital workspace for visual collaboration' by virtual teams.   

The animated demonstration on their home page caught my beady eye. Here's a static snapshot as a small group of people are busy placing/moving blobs on a graphic, presumably while discussing what they are doing on a parallel channel (e.g. Zoom):

Replacing the static monochrome graph with one of our colourful red-amber-green Probability Impact Graphics, a Risk-Control Spectrum, Universal Awareness Device, mind map, word cloud, process flowchart, any form of metric, clustered Post-It Notes, architecture diagrams, conceptual designs, strategy maps ... or ... whatever ... 

MURAL looks like a creative, fun and productive way for groups or teams working from home to collaborate virtually as if they were physically present in one of those soulless corporate meeting rooms lined with whiteboards and dire warnings about not writing on the projector screen.

If it makes you feel better, start the session with an inspirational poster of your glorious leader quoting the corporate values, followed by a numbered list of the rules for running a good meeting.

Or simply wing it. Go on, take a chance. Live a little.

In-person collaborative sessions are excellent for discussing and reaching consensus among teams, provided the person or people leading/guiding the session have the relevant skills and aptitudes, and the participants play along. It's a balancing act to inject enough energy and enthusiasm into the proceedings without over-cooking it, and to keep things on-track, moving inexorably towards the intended objectives ... which implies being reasonably clear about those objectives when inviting people and introducing the session ... and inviting the right people ... which requires some preparatory work rather than diving straight in at the deep end, unless the session leaders and participants are sufficiently experienced to know the score. 

How about virtual team weekly progress meetings? Progress reports? Personal morale timelines? Project planning and reporting? Interactive audit reports? Budgeting? Security awareness and training sessions? Knowledge transfer and creative inspiration? To-do and shopping lists? Virtual draughts/checkers, or chess, or other board games given the appropriate board images, icons, players and spare time (a little something for the night shift, perhaps)?

Rather than everyone lamely watching some inept presenter reading out their bullet points with a tedious monologue, how about an interactive webinar where the presenter and audience, collectively, mind-map the proceedings, doodle around the topic at hand, all the while generating a memorable and inspirational visual record?  

The possibilities are endless. Pull up a mouse and engage brain.

If you're not already using it, check out MURAL.