NBlog - the NoticeBored blog

BYOD security awareness - follow up

noreply@blogger.com (NoticeBored) — Thu, 09 Feb 2012 02:45:00 +0000

Having just released a brand new security awareness module on BYOD (Bring Your Own Device), we have been surprised (in a nice way!) with the level of interest this topic has generated for us, more so than, say, the cloud computing security awareness module we put out last April.

I've been pondering what's going on here. What's so special about BYOD? What makes BYOD security awareness sexier than cloud computing security awareness?

First off, BYOD is quite new. The concept has been around for a while but as soon as it picked up the BYOD tag and started appearing in the computer press about a year ago, it has started to buzz. In other words, it's a hot topic. Well OK, but so is (and was, last April) cloud computing, so hotness alone is not enough to account for the differing levels of interest in these topics. Strike one.

Second, "BYOD" is a distinctive, easily-searched term, so our awareness materials got some instant Web exposure purely by dint of using the term. Great! Cloud computing, in contrast, is not so distinctive. Search for "cloud" and you'll find a lot of weather sites. Search for "cloud computing" and there are plenty of commercial offerings out there, desperate to relieve your corporation of the contents of its IT budgets. Search for "cloud security" and the field thins noticeably, putting it on a par with "BYOD" alone or "BYOD security". So that's not quite it either. Strike two.

Exploring "BYOD security" on the Web is a frustrating pastime. Most of the stuff that Google knows about is facile ("Like this blog item!" I hear you say), and nothing much is new or different. The same few concepts are trotted out time and again. And just like cloud computing, most of the 'security advice' pushed by the journalists, vendors and other pundits is to implement technical controls, or "solutions" as some insist on calling them. Take for instance this short article in SC Magazine which talks about tiered mobile management functionality, broad platform support (which evidently means Android and iOS), and "mobile management solutions" (bzzzzzzzt, there we go, buzzzword bingo), or this piece concerning IBM's move into Mobile Device Management having consumed a minnow. Apparently Big Blue's MDM stuff helps achieve "policy compliance", by which I think they mean technical conformance with some sort of technical standard, not what I would call a policy. But that's just me, being picky with the marketing droids as always.

So maybe, just maybe there is a merest hint that people might be looking for information on ways to tackle their BYOD security issues. For some reasons, they either don't look or are satisfied with what they find from the big cloud vendors, but BYOD is a different ball-game.

Compared to technical controls, security awareness is conspicuously absent from most of the stuff Out There in Security Land, but that's a near universal finding, a truism if you like. The main reason, I suspect, is that the firewall and antivirus vendors who have dominated the IT security industry for more than a decade have engineered the market, their oh-so-valued customers, to expect "technical solutions" to all their security issues, often implying that installing whizz-bang-software X or appliance Y will magically solve everything because, of course, they make $lots from selling X and Y to organizations that swallow their bait. To be fair, WE run firewalls and antivirus software too - but to us, they and various other IT/technical controls are just part of a far more comprehensive suite of information security controls ... and mere commodities at that. Can you honestly tell the differences between AV products from different AV vendors? I bet in a blind tasting, you would be hard pressed to pick out your normal security solution from any other instant-security-in-a-box.

So perhaps that's the difference. In cloud computing, the dominant vendors such as Amazon and Google already have a stranglehold on the market (both supply and demand sides) and can gloss-over the information security issues, selling their "solutions" to a receptive market on the strengths of their respective brands, and their sheer size. Ask awkward questions about data ownership or confidentiality (including privacy) and no doubt the sales people start to fidget but then push back with scaleability, access from anywhere, and all that hand-waving that led to the term "cloud" in the first place. I suspect some cloud customers may not even appreciate the information security issues they are taking on: how many information security professionals have made the time to research the issues and timidly raise their hand from the back before the CIO confidently announces they are being 'outplaced to the cloud to save the company $loads!'? How many have thought through the security implications of even the simplest of cloud services such as webmail and online backups? We have, and they are scary.

But with BYOD, not only is information security a major concern but (as yet) there are no dominant vendors pushing their technical solutions down our throats, in other words there are no full-on sales pitches to displace those nagging questions from the back of the class about data ownership and confidentiality (including privacy). Oh and compliance. And copyright. And all the other security issues that are associated with BYOD. The issues are of no greater concern than with cloud, really (less in the sense that employers have the upper hand with their employees over what they do with their personal devices, while their relationships with the major cloud service providers are in a different league), but the technical solutions in BYOD, and particularly the vendors pushing them, are comparatively weak.

At least it gives those of us who believe in the value of human factors as much as technology a chink of light, an opportunity to remind organizations that there is more to security than just buying the shiniest technology from the pushiest sales creatures. That BYOD security policies are not technical security standards. That helping their staff, managers and IT pros understand, rehearse and polish their respective roles in the security show will actually make a difference to the performance.

Oh and by the way, even those shiny IT security gizmos have to be specified, designed, developed, tested, implemented, maintained, managed and, oh yes, used by PEOPLE. Fallible humans, just like me. People who create bugs in software, and misconfigure technologies, and disable or bypass controls that get in our way. People who fail to appreciate that we are as much part of both the problem and the solution as the technology.

Regards,
Gary (Gary@isect.com)

BYOD security awareness

noreply@blogger.com (NoticeBored) — Tue, 31 Jan 2012 02:39:00 +0000

[Click the diagram to enlarge it]

“Bring Your Own Device” (BYOD) - corporations allowing employees to use their personally-owned ICT gadgets for work - is a hot topic. BYOD started appearing in the computer press about a year ago. Now it seems to be on everybody’s watch list for 2012, the benefits for both employers and employees making this a trend that’s hard to ignore.

While researching BYOD security for February's security awareness module, I have read a lot of glib statements in the security press, a fair number of scare-stories and lots of marketing drivel from vendors desperate to steer the PR bandwagon in their general direction. Several journalists recommend “a BYOD policy”, for instance, but actually finding BYOD policy examples on the Web proved virtually impossible.

Along with the usual mind maps, developing the risk-control spectrum diagram above helped me get my thoughts in order, and provides a useful structure for one of the three seminar presententations in February's awareness module. Given that one might be forgiven for thinking of BYOD as a purely technical subject, I find it interesting that the bulk of the awareness materials focus not on IT pros but on general employees and management. The governance aspects of BYOD are particularly fascinating: without management-level understanding and support through strategies and policies on BYOD security, the IT security controls noted on the spectrum diagram are moot.

Regards,
Gary (Gary@isect.com)

Oxfam report on disasters

noreply@blogger.com (NoticeBored) — Tue, 24 Jan 2012 09:13:00 +0000

A little gem this - a report from Oxfam examines trends in natural disasters over the past few decades. A substantial increase in the number of disasters largely reflects a significant increase in the number of floods. The trend is marked and easy to see since the 1990s.

The report's conclusion brings up the issue of country governance:

"Countries with better governance are less vulnerable to natural hazards, which implies that securing increased standards of governance could help to mitigate future increases in exposure and hazards."

Though the report stops there, I would be utterly amazed if the same was not equally valid at the level of corporations and corporate governance - in other words:

Corporations with better governance are less vulnerable to natural hazards, which implies that securing increased standards of governance could help to mitigate future increases in exposure and hazards.

So ... just how good are your business continuity and disaster response arrangements at coping with, say, floods? Have you ever simulated a flooding disaster?

Regards,
Gary (Gary@isect.com)

Keep calm and carry on

noreply@blogger.com (NoticeBored) — Mon, 02 Jan 2012 00:12:00 +0000

Happy new year everyone.

The monthly NoticeBored security awareness deliveries continue with the relase of a thoroughly updated and refreshed module on business continuity management.

Do you like the new graphic? It's even more impressive as a poster-sized image!

We started researching and planning this module around ISO/IEC 27002’s coverage of business continuity management, and ended up going well beyond what the standard advises. In our opinion, the standard focuses rather myopically on disaster recovery, largely neglecting other equally significant business continuity controls such as disaster avoidance, resilience and contingency. It talks about business continuity planning and testing the plans, but hardly mentions business continuity preparations and exercises.

Resilience, being the ability to keep critical business processes running right through a disaster, is an important organizational capability that management can proactively develop and enhance, provided they are aware of the possibilities and benefits of resilience. We’re talking here about the use of hot sites and cloud computing, for instance, for the IT systems and services supporting core business processes. Furthermore, the concept of resilience extends to supply chains (e.g. having alternative suppliers for vital supplies) and individuals (e.g. the make-do-and-mend so-called “number 8 wire” mentality recently demonstrated by those amazing Kiwis in Christchurch who get on with things and have a go at fixing stuff up rather than passively waiting around for help from the authorities).

All the best for 2012,
Gary (Gary@isect.com)

419s still dribbling in

noreply@blogger.com (NoticeBored) — Sat, 17 Dec 2011 03:18:00 +0000

Fresh from my inbox:

"Dear Sir/Madam

We regret to inform that your Visa/Mastercard secure has been set off because to many attendings, and we beleive that others were ussing your details.

Please download the attach to reactivate the account."

Yeah, right.

To many attendings, eh? Others ussing my details? Unbeleivable.

I'm still troubled by the memory of a printed sign I saw in the lobby of a hotel in Sierra Leone, along the lines of "419ers are not permitted here". Actually I wish I had photographed it for posterity. Ho hum.

Regards,
Gary (Gary@isect.com)

Outsourcing POS IT

noreply@blogger.com (NoticeBored) — Fri, 09 Dec 2011 22:35:00 +0000

From Wired:

"Four Romanian nationals have been charged with hacking card-processing systems at more than 150 Subway restaurants and 50 other unnamed retailers, according to an indictment unsealed Thursday ... The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs."

Which begs the obious question: why would anyone put their Point Of Sale systems on the Internet, with remote desktop software to boot? The answer presumably involves the millions of retail outlets that don't have an in-house IT function but rely on external 'point of sale IT specialists' to install, manage and maintain their card readers and often the electronic tills, accounting and stock management systems.

I wonder if the mom-n-pop retailers are sufficiently aware of information security to even be concerned about the implications of outsourcing their IT in this way?

I wonder if the Subway group offers IT support to its franchisees, or recommends/uses local POS IT people?

The POS IT specialists, meanwhile, presumably have the expertise either to do their jobs well and protect their customers (and their customers) or to pull the wool over their customers' eyes. I wonder how many manage to slip right under the PCI-DSS radar?

Regards,
Gary (Gary@isect.com)

Sign of the times: M$ hard-up

noreply@blogger.com (NoticeBored) — Thu, 01 Dec 2011 01:49:00 +0000

Wow! Lucky me! I've won a prize from the MSN Foundation!

I guess Microsoft must have fallen on hard times.

[Endless junk like this leaches bandwidth from the network, wastes processing cycles, consumes bytes on disk and exercises my grey matter (admittedly, not a lot). I guess the cretins sending it have nothing better to do except annoy the rest of us.]

Regards,
Gary (Gary@isect.com)

Network security awareness

noreply@blogger.com (NoticeBored) — Wed, 30 Nov 2011 05:21:00 +0000

December's awareness module on network security has just been released to our subscribers. Here's a thumbnail of one of six new security awareness poster designs in the module:

Computer networks, particularly the Internet, enable employees, business partners, suppliers and customers to share information and collaborate more or less instantaneously. The advantages of networking are enormous and have revolutionized modern business life – we are in the midst of an “information revolution”. However, the World Wide Web is not unlike the Wild Wild West. Hackers and organized criminals (the Internet’s outlaws) are plundering vulnerable online businesses to steal the gold (information assets). There are precious few sheriffs in cyberspace and the outlaws pack powerful weapons. Consequently there are significant risks associated with networking and strong security controls are necessary to protect the organization’s information assets.

The NoticeBored awareness materials cover a wide variety of information security risks associated with networks and networking, and recommend a corresponding variety of security controls to address them. The ‘risk-control spectrum’ (one of several diagrams and mind maps provided as an MS Visio file) summarizes many of them in an easily digested format.

It was not hard to find topical examples and recent news cuttings for the awareness newsletter this month, unforutnately, since networking is almost universal and network security incidents often hit the headlines.

Read more about the module here and, if NoticeBored looks like something that would pep-up your flagging or non-existent security awareness program, do get in touch. I'd love to hear back from you.

Regards,
Gary (Gary@isect.com)

Heir Hunters - not

noreply@blogger.com (NoticeBored) — Mon, 21 Nov 2011 21:08:00 +0000

Interesting new slant on an old 419 scam now circulating:

Hello Dear,

I am writing you from Heir Hunters Company in the United kingdom .

Heir Hunters probate detectives looking for distant relatives of people who have died without making a will,

the United Kingdom government last year made over ?18m from uncliamed assets.

When people die intestate ( without a will ) and with no known relatives, their names are released by the Treasury.

Every Thursday, a list of these unclaimed estates, the Bona Vacantia ( Latin for "ownerless goods" ) is published on the Treasury Solicitor's website.

The race is then on for heir locators to track down the often distant relatives in line for a windfall. Often heir hunters pick more unusual names first, as they are easier to trace.

We came across your profile and email while searching through genealogy database,we will be glad if you can get back to us with your full name, date of birth,

address and your direct number if it corresponds to the information

we have in our data base in order to enable us carry out necessary verification processes and to get your claim across to you without any delay.

Heir Hunters have handed over thousands and millions of funds to heirs who have no idea of their fortune,some of them ,Holocaust victims' estates,

whom some of their heirs tried to flee war-torn Europe,but did any of them survive to claim these fortune ?

We will gladly answer this question for you.

Very Truly Yours
Mrs.Sarah Bernstein OR Mr.James Horgan

Tell your family and friends if you think they might fall for it.

Regards,
Gary (Gary@isect.com)

Singalongapassword

noreply@blogger.com (NoticeBored) — Wed, 16 Nov 2011 21:24:00 +0000

Brian Krebs is an excellent journalist and blogger on information security matters. He often seems to pick up infosec stories that nobody else covers and his advice is generally sound.

In respect of password choices, however, I think Brian's missing a trick. He offers the stock advice on avoiding common words, using miXed case and punctuation ... etc. all fair enough but neglects to mention the coolest tip of all, which is to use long pass phrases.

Long passwords used to be counterproductive on old Windows systems that broke them all into weak 7-character chunks. Windows hasn't done this for years. The only other issue I'm aware of is that some dinosaurs of the mainframe era still restrict password length to about 8 characters. But hey, it's only the mainframe, so nothing much to protect there, eh?

My favorite passphrases are the complete lines of songs, complete with punctuation, spaces, capiTaliZation and tricks such as duplicating, omitting or substituting certain characters. Best of all, I only need to remember one long passphrase - the one that opens my password vault - and I practice it often enough that it stick in my mind. When it's time to change it, I simply pick another line or another song, poem or famous quotation, something memorable. Occasionally I find myself quietly humming along as I type it in, and yes I'm paranoid enough to worry about anyone overhearing me!

Regards,
Gary (Gary@isect.com)

Colombian credentials

noreply@blogger.com (NoticeBored) — Mon, 07 Nov 2011 07:39:00 +0000

Presumably as a result of international pressure on the Colombian authorities, a colleague sending me a letter had to attach a photocopy of his REPUBLICA DE COLOMBIA - IDENTIFICACION PERSONAL - CEDULA DE CIUDADANIA (what appears to be his Colombian government-issued ID card), front-and-back including his mugshot and fingerprint, to the "CARTA DE RESPONSABILIDAD" form PR-OP-AD-001-FR-001 endorsed by somebody working for the POLICIA ANTINARCOTICOS at Aeropuerto El Dorado - Bogota.

The bottom of the form reads "Nota: Recuerde que es obligatorio anexar fotocopia del documento de identidad". With my rather primitive understanding of Spanish, I take that to mean that it was compulsory for the sender to attach the photocopy of his ID card, presumably to be able to send me the letter.

I was absolutely amazed to receive all that personal information 'in plaintext', attached by sticky tape to the rear of the airmail letter that arrived in my NZ postbox today.

I guess the Colombian authorities appreciate that the attached information is personal to the sender and could probably be used as credentials for identity theft. I presume that nevertheless they insist on it due to the significant risk of drugs being exported via email. I am astounded that, having checked it, they actually sent the personal information out of the country.

Needless to say, I have destroyed the form and the photocopied ID card.

Regards,
Gary (Gary@isect.com)

Credentials module released

noreply@blogger.com (NoticeBored) — Wed, 02 Nov 2011 00:14:00 +0000

One of this month's awareness poster images

'Credentials' is the rather formal title of November's NoticeBored security awareness module, but in fact the materials cover a wider brief relating to identification and authentication.

Authentication associates a person unambiguously to an identity, excluding others. It reduces the possibility of fraud and hacking, helps maintain the integrity of the systems and data, and is a prerequisite for personal accountability. Authenticated individuals can safely be given access to sensitive and valuable information resources which they are authorized to access. Without authentication, unauthorized access would be a much bigger problem and the information security risks would be even greater.

That said, from the ordinary employee's perspective, the key issues are choosing good passwords and keeping his staff ID card safe.

Regards,
Gary (Gary@isect.com)

SSL security checker

noreply@blogger.com (NoticeBored) — Fri, 30 Sep 2011 21:10:00 +0000

A nicely presented online tool from Qualys lets us check the security of SSL configurations used by public websites.

SSL is not exactly the security panacea that is usually implied by online businesses. It can be configured on the servers to negotiate and establish connections using older, weaker algorithms, instead of the more recent, stronger, recommended ones - or not. The Qualys tool presumably connects and tries to persuade the tested site to fall back to one of the deprecated SSL algorithms, marking down the site's score if it succeeds.

This is a simple illustration of the complexity of IT security management today, and the value of routine independent pen testing of corporate websites.

Regards, Gary (Gary@isect.com)

[Thanks to Jim for the heads-up on this.]

Another 4,900,000 privacy breach statistics

noreply@blogger.com (NoticeBored) — Fri, 30 Sep 2011 20:53:00 +0000

A backup tape containing medical records and other personal information on nearly 5 million US military personnel in the TRICARE scheme have been stolen from an SAIC employee's car.

TRICARE is a US "health care program serving Uniformed Service members, retirees and their families worldwide".

SAIC (Science Applications International Corporation) is a "scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding". It is best known as an IT oursourcer/service provider.

TRICARE's statement "retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure" does not stand up well to scrutiny. If the data had been strongly encrypted - which is generally accepted as good practice for such confidential information, or "reasonable controls" - then knowledge of hardware, software and data structures wouldn't have been a factor. Without encryption, yes it might require a professional tape drive to get at the data, and then some time (perhaps months) analyzing the data to establish the data structure. But if the prize is worth the investment, someone may feel lucky. Given that the people whose personal information has been stolen include serving US military personnel, the stakes are high.

Did they really have to wait two weeks after discovery before disclosing this 'to avoid raising undue alarm'? It sounds like their incident management, HIPAA compliance, and relationship management processes could do with a squirt of WD-40.

TRICARE says "both SAIC and TRICARE Management Activity (TMA) are reviewing current data protection security policies and procedures to prevent similar breaches in the future". Shame it took an incident of this magnitude to spur them into action. If I was one of the 4.9 million, or a US taxpayer, I would be calling TRICARE and SAIC management to account for their handling of governace, compliance, policy, privacy and information security.

Regards,
Gary (Gary@isect.com)

Privacy awareness module

noreply@blogger.com (NoticeBored) — Fri, 30 Sep 2011 00:11:00 +0000

Today we released the October NoticeBored awareness module on privacy ...

The awareness materials introduce basic privacy concepts using the OECD privacy principles, emphasizing compliance with privacy laws and regulations, as well as corporate privacy policies and procedures. Information security controls underpin privacy for personal information and data. Ethical considerations take privacy beyond mere compliance into the realm of appropriate and inappropriate use and disclosure of private matters, while the business impacts of privacy breaches, and the costs of privacy controls, are also discussed.

The awareness quiz is a new idea. I hope customers will have fun with that. The quiz format will no doubt continue to evolve over future months, and as always improvement suggestions are very welcome.

Regards,
Gary (Gary@isect.com)

Social media policies

noreply@blogger.com (NoticeBored) — Wed, 28 Sep 2011 01:03:00 +0000

Seems free speech is alive and well in the US ...

"Most of the social media policies that we've been presented are very, very overbroad," Solomon said in an interview. "They say you can't disparage or criticize the company in any way on social media, and that is not true under the law." ... Doreen Davis, a management-side labor lawyer based in Philadelphia, said many of her corporate clients are often "surprised and upset" when they learn they can't simply terminate employees for talking about work online.

Employers should develop sound, legally-sanctioned policies concerning what employees can and can't say about them on Facebook or whatever, but more importantly they need to provide mechanisms for employees to voice genuine grievances and have them addressed properly by management, without fear of persecution or recrimination. That's the real issue here, isn't it? And it's a governance matter in my book.

So why is it that whistleblowers' hotlines are still as rare as rocking horse poo?

Regards,
Gary (Gary@isect.com)

40 hard-won business continuity lessons from the NZ and Japan quakes

noreply@blogger.com (NoticeBored) — Tue, 20 Sep 2011 20:42:00 +0000

Rob Slade and I wrote an article capturing forty business continuity lessons arising from the massive earthquakes in New Zealand and Japan. It has just been published in EDPACS and, thanks to the generosity of the publishers Taylor and Francis, it is available as a free PDF download.
Aside from the specific lessons concerning resilience, crisis management, disaster recovery, and contingency management, our article illustrates a broader point, namely that it is not necessary to experience disasters first-hand in order to learn from them. If you are fortunate enough not to live and work in an earthquake-prone area, there are still valid lessons here to help you survive other natural and unnatural disasters.

Regards,
Gary (Gary@isect.com)

What use is a BCP that won't work?

noreply@blogger.com (NoticeBored) — Wed, 07 Sep 2011 05:16:00 +0000

While contemplating the latest PwC security survey report, I was intrigued to read:

"At first glance, the nearly six out of every 10 (58%) respondents who report their organization has a contingency plan in place for security incidents is a healthy number. (Figure 15) But when you factor this number by the percentage who report that their plan is effective (63%), the results are disheartening. In effect, most organizations (63%) have no plan or the plan they have doesn’t work."

I'm curious about the implication that about a third of organizations have nonfunctional contingency plans for information security incidents. Presumably they know their plans don't work because:

They have used the plans but they failed in operation. It's possible some such organizations are too busy trying to recover from the incidents, or conceivably they are too badly damaged, to work on their contingency plans right now. What are the others doing?;
They have tested the plans but the tests failed. Surely these organizations are in the process of re-working their plans? The alternative - failing to respond to the test failure - sounds to me like more than just a matter of incompetence or not knowing how to fix their broken plans. Isn't this a governance issue, verging on negligence?; or
For some reason they assume their plans would not work, perhaps because they are clearly incomplete, unworkable or missing vital components. They believe they have an issue but are they doing anything about it? This looks like an assurance issue and poor governance again.

I could understand a small proportion (5 to 10%?) of organizations finding themselves caught in the act of checking and updating their plans at the time of the survey, but I would not have predicted the proportion would reach as high as one third, on top of the 42% without any plans at all (doh!). Such is the value of surveys, I guess.

IMNSHO it's high time that contingency, or rather business continuity, planning came into the mainstream of business management, under professional leadership, as an expectation of every soundly-governed organization. Having no workable plans is simply an untenable position for management, especially knowing that there is no such thing as perfect or complete information security, and given that serious incidents will certainly be costly and could easily destroy the business. Standards such as BS 25999 and NFPA 1600 are already available with ISO/IEC 27031 and ISO 22301 on their way, while professional organizations such as the BCI support their members with information and guidance on good practices.

An article for EDPACS that I wrote in conjunction with Rob Slade, currently 'in press', uses the earthquakes and tsunami in Christchurch and Sendai to highlight 40 valuable lessons for business continuity planning. I'll let you know as soon as it's released :-)

Regards,
Gary (Gary@isect.com)

Securing people: the human side of information security

noreply@blogger.com (NoticeBored) — Wed, 31 Aug 2011 09:30:00 +0000

Information security involves far more than just computer security. It's about protecting information in all its forms against all sorts of risks using whatever security controls are cost-effective. Technology-based controls such as logins, firewalls and antivirus programs, plus physical controls such as padlocks, are merely parts of the information security space - important parts, maybe, but not sufficient in themselves to secure our information assets.

This is where the modern approach to information security departs from traditional IT security in particular. We need to secure not just the computer systems and networks but also the human beings - the people who design, develop, test, implement, use, manage and maintain the systems and networks, plus those who seem to get by perfectly well without IT ...

Information security is very much a human endeavor, which of course makes it an ideal security awareness topic, not least as security cannot be addressed through technology alone. So we have ... a new awareness module on people security ...

Read all about the module

To be honest, it's actually the 102nd module since we released an additional module following the London Underground bombings in 2005, and module #101 is our security orientation module. But please join with us in celebrating our centenary anyway!

Regards,
Gary (Gary@isect.com)

Oh no! Several stormy rainfall!

noreply@blogger.com (NoticeBored) — Mon, 29 Aug 2011 02:07:00 +0000

Phishers are already using the US hurricanes as the pretext:

"... After several stormy rainfall occurred recently, We regret to inform you that a computer failure has affected some of the modules of our systems notament sending wire transfers and credit card payments online. But our teams have set up a verification process and reactivate your account. To complete verification, you will be taken through the following stages:
1. Input your Personal Information
2. Input your Account Information
3. Input your Online Banking Information
4. Click on Continue ..."

Anyone gullible enough to believe that 'several stormy rainfall' is enough to knock out a bank's computer systems and require them to 'verify' themselves probably shouldn't have a bank account. :-)

Regards,
Gary (Gary@isect.com)

Spoon-fed security

noreply@blogger.com (NoticeBored) — Wed, 10 Aug 2011 02:01:00 +0000

I've been reading the recently-issued revised FFIEC guidance to US financial institutions on user authentication and related 'layered' controls, and puzzling as to why such guidance is required Is it really necessary for the FFIEC to tell banks, for example, to use "enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk"? Is that not stating the bleedin' obvious? Isn't it clearly in the banks' interest to make their valued customers aware of keylogging Trojans, phishing, 419s, money-mules and a zillion other scams?

The financial institutions in which I have worked have all been hot on risk management, and have usually worked at or close to the cutting-edge of brand new security technologies. My risk, security and fraud colleagues definitely appreciated the issues relating to failing to identify and authenticate customers, not least for Internet banking systems, while on the whole, management "gets" security. After all, it is of course their core business. Security is 'what banks do'.

Aside from generally-accepted good security practices and standards, plus industry norms shared informally through industry forums and employee migration, they experience and learn from information security and fraud incidents, in much the same way as they learnt the need for strong bank vaults from traditional stocking-masked bank heists. For example, banks know that cheap low-resolution CCTV systems give woefully inadequate images, whereas good quality stills, or even better clear color video shots from multiple angles, substantially improves the probability of someone recognizing bank robbers caught in the act. So too do they appreciate that strong forensic evidence concerning network hacks makes it much more likely to pin the attacks on the perpetrators. I won't go into details about the controls but suffice to say that practice is good.

In Europe and Australasia, in my experience, the banking regulations are primarily concerned with corporate governance, accounting practices and systemic risk - areas in which banks' commercial interests might conceivably conflict with the wider interest of customers, tax authorities, shareholders and society. There are of course laws and regulations about privacy, but compliance is relatively insignificant for banks given the pervasive security culture. The laws and regulations mandate privacy 101 for the witless and clueless, while on the whole banks are in a completely different class*.

So is there something materially different about financial services in the States that for some reason requires rather minimal security standards to be imposed on the industry by a government regulator? Without the regulations, would US banks not be concerned about protecting their customers' assets? Unless spoon-fed the appropriate security advice, I wonder whether they would casually leave the vault doors open?

That the FFIEC guidance even exists perhaps implies that (some) US financial institutions are incompetent, negligent and/or irresponsible regarding information security. Following hot on the heels of the 'sub prime' fiasco, there does seem to be something of a mental block there concerning risk and control. Please tell me I'm wrong ...

Regards,
Gary (Gary@isect.com)

* That's not to say that banks always get it right - like for instance the local branch that insisted on repeatedly FAXing confidential customer paperwork to my office phone, until I was annoyed enough to forward the call to our office FAX and discovered the culprit. It was a simple case of digital dyslexia - a wrong number stored in the FAX machine's memory. The branch was of course embarrassed to discover the breach and the annoying calls stopped immediately. Lesson over. Move along. No need for an industry regulation.

Hard lessons

noreply@blogger.com (NoticeBored) — Fri, 05 Aug 2011 08:41:00 +0000

Distribute.IT, an ISP that suffered a devastating hacker attack on June 11th was attempting disaster recovery by June 13th but in serious trouble by June 17th and finally admitted defeat with the complete loss of several important customer-facing servers by June 21st, just ten days after the hack. Some 4,800 domains and customer accounts were lost, with (it appears) no offsite data backups from which they might have been restored.

With 20/20 hindsight, someone in Distribute.IT's management presumably made some extremely unwise decisions regarding the risk that materialized. Whether they simply didn't consider or appreciate the risk, considered it too remote to address, or failed to treat the risk adequately, is now a moot point: whatever they did do was patently not good enough, and it looks like the business has failed. Controls that are meant to prevent hacks fail quite often in practice, so it would have been sensible to make suitable disaster recovery and business continuity arrangements on that basis. We know that now, and so do they and their customers - too late for this incident but hopefully not too late for the rest of us to learn the hard lessons.

Regards,
Gary (Gary@isect.com)

Hacking the Sun

noreply@blogger.com (NoticeBored) — Wed, 03 Aug 2011 06:21:00 +0000

The website for the Sun newspaper, formerly a competitor to the now defunct News of the World, has been hacked, compromising personal details of entrants to an online competition. Whether this is linked to Lulzsec and Anonymous hacks remains to be seen, but I'm glad I'm not an information security manager for the British tabloid press, or in fact any British news media.

Regards,
Gary (Gary@isect.com)

RSA hack cost >$66m

noreply@blogger.com (NoticeBored) — Wed, 03 Aug 2011 02:30:00 +0000

EMC, which owns RSA, spent US$66m 'between April and June' as a result of the Trojan/hack incident in March that compromised their SecureID product.

$66m may be Information Week's headline figure and that's a staggering amount of money for starters, but that's just it - it's for starters. We're told "It doesn't include post-breach expenses from the first quarter, when EMC began investigating the attack, hardening its systems, and working with customers to prevent their being exploited as a result of the attacks." so we know for sure it is an underestimate of the full breach costs. The wording of the disclosure also implies that it only covers the direct costs that are readily-attributed to the breach. Indirect costs such as the brand/reputation damage, customer defections, lost sales prospects, damaged employee morale and more are hard to even estimate, let alone with sufficient accuracy to satisfy the bean-counters and marketing people who typically drive these "earnings calls". Furthermore, the costs of the incident to RSA/s customers are totally out of the picture.

The ultimate grand total tally may be orders of magnitude greater than $66m, all thanks to an employee retrieving an email from the spam folder and unwisely opening the attachment. [Was that a Freudian slip? I originally typed "attackment" which is not far from the mark.]

Regards,
Gary (Gary@isect.com)

Disclosing our sources

noreply@blogger.com (NoticeBored) — Fri, 29 Jul 2011 20:35:00 +0000

These are some of the key resources we use routinely to find out about and learn from information security incidents:

Google, of course. We search often using the Google toolbar in our browser. We have learnt to craft more effective queries by exploiting Google’s search syntax including the advanced search functions.
Google Alerts are a helpful way to trawl the Web daily for specific news and tidbits relevant to the monthly topics, especially since we discovered how to integrate alerts into our RSS/blog reader …
Google Reader is, currently, our RSS/blog reading weapon of choice. Have you spotted the not-too -subtle pattern here? Google rocks!
Hyperlinks embedded within other sources.
Blogs, particularly information security blogs from information security gurus and respected tech journalists, but sometimes we enjoy naïve or counter-cultural blogs, even those from the Dark Side, the hacker underground (as in ‘know your enemy’!). Check our blogroll (lower right) of this page to see who we’re currently following.
Information security newsgroups, discussion forums or email reflectors.
Academic and trade journals, such as EDPACS, ISSA Journal and (ISC)² Journal.
Industry associations, meetings and peers.
Magazines such as Hackin9 and ClubHACK.
General news media – yes, even TVNZ, the BBC, CNN and others occasionally highlight information security incidents or issues that haven’t already come to our attention elsewhere, albeit rather superficially.
Information security surveys such as those from Secunia, CSI and PwC (including the biannual breaches survey). While these sometimes describe interesting incidents, they tend not to be very recent. Surveys are of more use for their information about information security threats.

What do you use?

Regards,
Gary (Gary@isect.com)

PS We'll cite further sources as they occur to us, on the NoticeBored links page.