NBlog Jan 24 - information, data, knowledge And All That

NoticeBored - Thu, 01/23/2020 - 2:37pm
On the ISO27k Forum lately we've been discussing something that comes up repeatedly, a zombie topic you could say since the discussion is never really settled to everyone's complete satisfaction. There's always more to say.
The discussion concerns the disarmingly simple phrase "information asset", used in some but no longer defined in any of the ISO27k standards. Among other things, we've discussed whether people/workers can be classed as information assets, hence information risks associated with people potentially fall within scope of an ISO27k ISMS.
Yesterday, Mat said:

"Knowledge is generally broken down into three different types - explicit, implicit, and tacit. When we are talking about classing employees as an asset or simply treating the information that they know as an asset, I think maybe this can be broken down further using these different knowledge types. Explicit knowledge is knowledge that is easily transferable, can be recorded and stored. Things like standard work instructions, guides, procedures, policies. Due to the nature of this information, it seems obvious to class the information itself as the asset here - you can mitigate the risk of information loss simply by recording the information. Implicit knowledge is the practical application of explicit knowledge. This can include knowing your way around a particular security product, or a particular piece of equipment. This type of knowledge is difficult to record, however, things like best practices are the best attempt although it's difficult to include the entire background knowledge of the best practice. Due to this, loss of this information is difficult to completely mitigate, and hence, I think the employee here could be classed as the information asset. The best mitigation is to keep the employee. Tacit knowledge is the practical application of implicit knowledge. Examples of this are knowing not only a particular security product but how and why this product fits into your infrastructure. The small details which make the infrastructure whole - having the history of decisions and incidents which led to this point directly on hand. This type of knowledge is inherently most difficult to record and I think due to this, the employee would again be classed as the information asset. The best mitigation is to keep the employee."

That breakdown, described back in 1991 in the Harvard Business Review, makes sense in theory but things are rarely so neat and simple in practice. Information, data, knowledge And All That defies simplification.
Information that is ‘captured’ in some lasting physical form (Mat's ‘explicit knowledge’, captured in documentation, written words, diagrams, doodles, audio or video recordings, computer data, program code, emails, bloggings etc.) is never truly comprehensive or complete. Even War and Peace must surely have had parts where the author or editors trimmed it back, or decided not to go into details! However, once captured, information is more easily:
  • Stored
  • Communicated/passed on to others ... or withheld from them
  • Copied
  • Accumulated
  • Valued, sufficient for accounting, sales or other purposes
  • Disputed or challenged
  • Analysed
  • Expanded upon
  • Protected by intellectual property laws ... or pirated, plagiarized and disclosed inappropriately
  • Submerged, hidden, stolen, damaged/modified, garbled, deliberately mis-stated or destroyed in that physical form. It can certainly still be misunderstood or misinterpreted (ask any lawyer about the 'precision' of even formally-worded statutes and contracts!).
While physical storage media are not free, the real value of, say, a book or a computer disk comes from the information stored on it - the information content. I believe the same is true of people, particularly knowledge workers whose brains are more highly valued than their brawn.
Information that is presently ‘uncaptured’ (Mat's implicit and tacit knowledge) can still be withheld or communicated in an ephemeral form – such as someone shaking their head or nodding gently, or groaning, or clapping, or failing to step in and stop proceedings, when someone else is pondering some choice or decision. Those actions may never be permanently recorded or captured as such, just ephemerally observed (or missed!) by someone else.
Furthermore, the way or manner in which things are expressed is itself a form of information, meta-information you could call it. Shouting “STOP!!!” means something different to a muttered or whispered “stop”! The plain written instruction "Stop" leaves a lot unsaid ("Should I simply take my foot off the accelerator, or change quickly down through the gears, gently or forcibly apply the brakes or slam them on hard, deploy the parachute/anchor and brace for impact?").
Implicit and tacit knowledge includes 'thoughts', 'concepts' and 'ideas', ‘experience’, ‘expertise’, ’understanding’, ‘comprehension’, ‘wisdom’, 'creative works' such as art and inventions … and more, much more. It includes the frameworks and patterns that organise and interrelate, link or distinguish things as part of 'the bigger picture', including both the narrow and the broader context. Generally, this all accumulates during a person’s life, for some more than others. Some bits can be taught and learnt, others have to be internalized, or drawn out and refined through practice, or appear to be inherent capabilities or innate skills. Try as I might, I will never be an Olympic gymnast, chess grand master or concert violinist … but I believe I have a reasonable grasp of information risk and security, picked up over the decades – and I enjoy passing it on and debating things here and elsewhere (e.g. in conversations, presentations, courses, books, websites, articles, reports, emails …), partly because I enjoy thinking about and expressing things, contemplating the topic and learning new stuff from other people, expanding my own knowledge-bank at the same time. It's give and take.
Specifically, Mat twice said “The best mitigation is to keep the employee.” There are several issues with that. For a start, not all knowledge workers or sources are employees. Some are paid advisors or contractors, teachers etc., some are colleagues, peers, gurus or ‘thought leaders’ in a much more general way. Where would we be without Google, eh? Secondly, and more importantly, simply ‘keeping’ employees is seldom sufficient. They (we!) are neither possession nor pets. They need to be looked after, nurtured, rewarded, encouraged, challenged, given opportunities, pushed a little, cut some slack, guided, motivated, brought back in line, told to "stop waffling and get to the bloody point, Gary" and so on, in order to get the best of them. This is far from easy for those managing 'knowledge workers' and those whose knowledge seems to be locked inside them, out of reach, including people suffering stress and mental illness or ... whatever. The point is that we're all different, individuals, so a generic/simplistic approach is, at best, sub-optimal.
Circling back to the topic, in business and virtually all other contexts, information even in the form of intangible, ephemeral, implicit or tacit knowledge can obviously be an asset - something of value. If it's missing or damaged, we are poorer. Most of us make substantial efforts to gain it, even consciously investing in it. And, just like other investments, its value can vary: riskier investments generally offer higher returns but you may get back less than you invest.

“If I send my people on training courses to get better qualified, they’ll leave!” the reluctant manager explained. “Ah but”, said the wise advisor, “what if you don’t train them … and they stay?”

Is a worker the information asset, or is it their knowledge that is the information asset? Interesting question! Using Mat's breakdown:
  • Their explicit knowledge is already captured, making it available to exploit even without the person ... provided the knowledge capture is sound (accurate and complete - integrity properties) and available when needed;
  • Their implicit knowledge may be captured and then exploited so long as the person is there and is cooperating, and so long as someone (possibly the same person) has the inclination, resources and capacity to 'capture' it with integrity - which is far from certain;
  • Their tacit knowledge can be exploited but would be difficult or impossible to capture, or at least it would take an extraordinary effort to do so, and the worker must be available, willing to cooperate and able to disclose the knowledge or unable to prevent its disclosure.

The process of 'capturing' a worker's knowledge, then, turns out to have information security implications. There's much more to it than simply requiring the worker to "document what you do" or "write stuff down", especially as some of the most valuable knowledge is conceptual, complex, difficult to express in any form, particularly in writing (and here I am, struggling to express my thoughts and complete this little inconsequential blog piece!). Furthermore, knowledge that is valuable to the organization may well be of value to others, hence there are confidentiality aspects to it as well. Captured knowledge can be locked away in a vault but, oddly enough, workers generally resent being treated that way, their implicit and tacit knowledge becoming both harder to capture and less valuable during incarceration.
OK, that's more than enough rambling from me for now. I've got Things To Do, knowledge to capture and secure, animals to feed, a crust to earn. ... but somehow I suspect I'll return to this topic more than once. Perhaps on my business card, I should call myself a "Zombie wrangler".
Categories: NoticeBored

NBlog Jan 23 - awareness quiz on malware

NoticeBored - Wed, 01/22/2020 - 3:00pm
Trawling through our back catalogue for content worth recycling into next month's awareness module, I came across a quiz we set in 2017. The challenge we set the group was this:

Aside from malware (malicious software), what other kinds of “wares” are there?

The idea was to prompt the group to come up with a few obvious ones (such as software), then start digging deeper for more obscure ones. Eventually they would inevitably start to improvise, making up 'ware' terms but, if not, here are our tongue-in-cheek suggested answers, provided for the quiz master in case the group needed prompting towards more creative, lateral thinking:
  • Abandonware – software long since given up on by its author/support krew and left to rot 
  • Adware – software that pops up unwelcome advertisements at the least appropriate and most annoying possible moment
  • Anyware - web-based apps that can be used while in the office, on the road, in the bath, wherever ... provided the Internet is accessible
  • Beggarware – smelly, homeless software that periodically rattles its virtual cup, begging loose change "for a cup of tea"
  • Bloatware – software that has grown fatter than a week-old beached whale with ‘features'
  • Botware - software to stop the bots becoming bored and naughty
  • Brochureware – over-hyped marketing, promotional or advertising copy about alleged new software (also known as vaporware, neverneverware and noware)
  • Courseware – software for courses
  • Coarseware – software for curses
  • Crapware – software so badly designed and written as to be worth flushing away
  • Crimeware – software used by criminals for various nefarious purposes
  • Crippleware – cheap or free software with deliberately restricted functionality to coerce users into buying the full version
  • Firmware – low level software burnt into microchips and embedded in hardware, or possibly Viagra spam
  • Floppyware – software delivered on floppy disk, or maybe yet more spam about Viagra
  • Freeware – software generously given away by its owners, some of it worth every penny
  • Glassware – highly fragile software, likely to smash to smithereens with the slightest knock
  • Groupware - software supporting group activities (work-related, not sex, oh no)
  • Hardware – computer equipment, IT stuff, equipment, kit
  • Houseware – IT stuff at home, including all those IoT things that have quietly snuck in while our backs were turned
  • Malware – malicious software: viruses, worms, Trojans, ransomware, APTs and so forth
  • Middleware – a layer of software linking applications to other applications, operating systems and hardware, not as sweet but just as messy as the jam in a sandwich
  • Ransomware – malware that coerces victims into paying a handsome ransom for the safe return of their loved ones - their invaluable IT systems and data; may involve 'proof of life' in the form of decrypted content
  • Scareware – scary malware that terrifies victims into needlessly paying a trumped-up “fine” 
  • Shareware – software shared among evaluators, cheapskates, skinflints and pirates
  • Shelfware – policies and procedures that languish unread and unloved on the shelf, collecting dust
  • Sneakerware – software delivered on foot e.g. on a potentially infectious USB stick
  • Software – computer programs, apps and other fluffy stuff
  • Spyware – sneaky, spooky, voyeuristic software that secretly spies on the user
  • Tupperware – branded plastic containers carrying blank CD-RWs or lunch 
  • Underwear – undies, frillies, lingerie, pants, togs, daks, knickers, cheese-cutters, unmentionables ... offering a very personal form of privacy
  • Warez – ripped-off software stolen and traded by pirates who evidentally cant spel
  • Wetware – human beings, being mostly water and sometimes full of steam
  • Ware's Wally?  Malware is usually well hidden, although it doesn't wear stripy tops, attempting to blend in with massive crowds on stripe-day
  • Workware – uniforms and clothes used by workers … plus intrepid social engineers
There was a genuine learning objective behind all that (familiarity with the terms of art) but to be honest the main purpose was for the group to loosen-up and have a laugh ... before pressing ahead with a second, more serious challenge:

Which of those “wares” could be used to exploit our organization? Think of realistic incidents or scenarios in which this has happened or might occur.

We provided no 'suggested answers' for the second part, hoping that the now relaxed group and quiz master would take it wherever they wanted to go, chatting on until they ran out of time or inspiration. The broad learning objective here was for the group to gain a deeper understanding of the terms and risks in this area, particularly around malware incidents that the organization had experienced: we have no idea what they might be, but hopefully those present would recount some interesting stories, real or imagined.
This informal, open-ended style of quiz or challenge is something we've developed into a routine part of the NoticeBored awareness service. Most months there are similar opportunities for the group to draw up lists of terms, incidents, risks, controls or whatever relating to the particular month's information security topic. Sometimes we've asked them to draw mind-maps, sketch out ideas or fill in the gaps on process flows: again, these are really just excuses to get the group chatting and having fun in the general area of information security, while hopefully learning things along the way. As I'm sure you appreciate, this can be a tediously dry, dull and boring topic area otherwise, so we'll grab any opportunity to lighten-up and get people smiling. Aside from anything else, it makes teaching the subject just a bit more enjoyable.

PS  Leaving aside the very silly ones, there are at least 50 legitimate 'wares'.
Categories: NoticeBored

NBlog Jan 22 - further lessons from Travelex

NoticeBored - Tue, 01/21/2020 - 3:00pm
At the bottom of a Travelex update on their incident, I spotted this yesterday:
Customer Precautions

Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone scams. Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone claiming to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on 0345 872 7627. If you have any questions or believe you have received a suspicious e-mail or telephone call, please do not hesitate to contact us.

Although I am not personally aware of any such 'e-mail or telephone scams', Travelex would know better than me - and anyway even if there have been no scams as yet, the warning makes sense: there is indeed a known risk of scammers exploiting major, well-publicised incidents such as this. We've seen it before, such as fake charity scams taking advantage of the public reaction to natural disasters such as the New Orleans floods, and - who knows - maybe the Australian bushfires.
At the same time, this infosec geek is idly wondering whether the Travelex warning message and web page are legitimate. It is conceivable that the cyber-criminals and hackers behind the ransomware incident may still have control of the Travelex domains, webservers and/or websites, perhaps all their corporate comms including the Travelex Twitter feeds and maybe even the switchboard behind that 0345 number. 
I'm waffling on about corporate identity theft, flowing on from the original incident.
I appreciate the scenario I'm postulating seems unlikely but bear with me and my professional paranoia for a moment. Let's explore the hypothetical information risks and see where it leads.
Firstly, corporate identity theft may not be as well publicised as personal identity theft but it is a genuine risk, as demonstrated through incidents such as: 
  • Scammers seizing control of DNS records to redirect traffic from corporate websites to their own;
  • Scammers using fraudulently obtained or fake digital certificates, or exploiting browser vulnerabilities, to undermine HTTPS controls;
  • Phishing where victims are socially-engineered into believing they are interacting with the lure organization's website;
  • Fake apps, spyware and bank Trojans designed to steal login credentials and other confidential information while maintaining the facade of normality;
  • Cybersquatters registering domains similar to legitimate corporate domains with different extensions, typos or lookalike characters, intending to mislead visitors;
  • Counterfeiting, where branding, logos, packaging etc. are used to dupe victims (consumers and sometimes also retailers and corporate customers) into buying fake and usually substandard products;
  • Various telephone, email and social media scams involving misrepresentation and other social engineering methods to mislead and defraud victims who mistakenly believe they are dealing with legitimate companies, authorities or other trusted bodies.
Secondly, the breadth and depth of network security compromise involved in major ransomware and other malware incidents suggests an even more sinister threat: the ransom demand is merely a dramatic, shocking point in the course of the incident, an incident that started at some prior point when the first corporate system was hacked or infected. Since then, possibly for days, weeks or months, the perpetrators would presumably have been surreptitiously roaming around the network 'behind enemy lines', exploring the topography and mapping out controls, installing and preparing to trigger the ransomware (perhaps also disabling the backups), stealing and exfiltrating corporate information to reinforce the ransom demands (perhaps selling or disclosing it for kicks, or stashing it away for a rainy day) and who knows what else. 
It is feasible, then, for the cybercriminals to have taken command of Travelex's external relations, including the website, the current holding pages and Tweets. They could all be fakes, the hackers pressing home management's powerlessness. How would we tell? Even the Travelex CEO's talking-heads videoblog concerning the incident could be part of the scam. Like many of their retail customers, I have no idea whether the person we've seen in the video is really their CEO or an actor, an imposter, perhaps a deepfake video animation.
Even if you find that lurid scenario untenable, there are less extreme possibilities worth considering. The fact is it's no simple matter to lock down a complex global corporate network following such a compromise, shutting out the hackers while also releasing official information, patching and securing systems, recovering compromised data and services, resuming internal corporate comms and keeping various external stakeholders in touch with developments. Maybe the hackers still have partial access (e.g. through covert backdoors) and limited control, enough to observe and meddle with the recovery activities, discredit and disrupt comms and so restrict management's freedom of action.
As with the Sony incident 5 years ago, there's a lot we can learn from Travelex's misfortune, through a blend of observation, analysis and supposition. All it takes is some appreciation of the information risk and security aspects, a vivid imagination, and the ability to draw out general lessons from the specific case. For example, under crisis conditions, normal internal and external corporate communications may be disrupted and untrustworthy ... so what can be done now to prepare for that eventuality? Recovering from a major cyber incident takes rather more than just 'invoking the IT disaster recovery plan'! February's NoticeBored security awareness module will have a gripping story to tell, for sure!
Categories: NoticeBored

NBlog Jan 21 - exceptions vs exemptions

NoticeBored - Mon, 01/20/2020 - 1:39pm

In the context of information risk and security management, I define and use the terms "exemption" and "exception" quite deliberately.

“Exceptions” are unauthorized non-conformance or non-compliance situations. For example if the organization has a policy to use multi-factor authentication for all privileged system accounts, a privileged account that only has single-factor auth for some reason (maybe an oversight or a practical issue) would constitute an exception, something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management.
Depending on the circumstances and the nature of the information risks, identified exceptions may be classed as issues or events, perhaps even incidents worth reporting and managing as such.
“Exemptions” are where management has formally considered and risk-assessed non-conformance or non-compliance situations and explicitly authorized or agreed that they should continue – perhaps with compensating controls, for a defined limited period, and with clear accountability for the associated risks. So, for instance, the information risks associated with only having single-factor auth on a test system may be acceptable to management if the control costs are deemed excessive in that situation … but the exemption might be only for the duration of the testing, and on the condition that the test system only has access to test data not live/production data, with the Test Manager accepting personal accountability for the associated information risks.

Exemptions do not constitute issues, events or incidents unless
  • The situation at hand varies substantially from that authorized e.g. if the compensating controls are not actually in operation, or if the authorized exemption period has expired (yes, even exemptions have to be complied with ... perhaps implying the need for compliance checks and other control measures if the information risks are significant);
  • The information risks are materially different from those accepted e.g. if they were misunderstood or misstated/misrepresented when someone applied for the exemption. If incidents have occurred on the test system that would have been prevented by multifactor auth, that suggests the need for management to revisit the authorization of the exemption and perhaps hold the Test Manager to account for the incidents, demanding appropriate corrective action.

The distinction implies processes or activities for identifying, evaluating and treating the information risks - conventional risk management, in fact, applied rationally according to the differing circumstances. 
The critical distinction between exemptions and exceptions is not the amount of risk, or management's knowledge of the situation, or even the authorization: the distinction ultimately comes down to accountability. There are information risks associated with both exemptions and exceptions, but with exemptions an individual explicitly accepts the risks, whereas with exceptions the risks are left floating in mid-air ... which means 'management' as a whole accepts them implicitly and severally, since they fall within management's governance obligations.
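One way to make that distinction operational is a compliance check that evaluates the MFA policy against an exemption register, as in this added example (not code from the blog post): each privileged single-factor account comes out as an exception (nobody accepted the risk), an exemption (a named individual accepted it, with conditions and an expiry) or an issue (an exemption exists but its conditions or period no longer hold). The account names, owner, dates and register fields are all constructed.

```python
"""Apply the exception/exemption distinction to an MFA policy check.

Added example, not code from the blog post. Policy: every privileged
account must use multi-factor authentication. Non-conformant accounts are
classed as an EXCEPTION (nobody has accepted the risk), an EXEMPTION (a named
individual accepted it, with conditions and an expiry), or an ISSUE when an
exemption exists but no longer holds. All names, dates and register
fields are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Account:
    name: str
    privileged: bool
    mfa_enabled: bool
    environment: str   # "prod" or "test"
    data_access: str   # "live" or "test"


@dataclass
class Exemption:
    accountable_owner: str            # a named individual, never "management"
    expires: date
    conditions: Dict[str, str]        # Account attributes that must hold
    compensating_controls: List[str]
    controls_verified: bool           # latest check found the controls operating
    incidents_mfa_would_have_prevented: int = 0


def classify(acct: Account, register: Dict[str, Exemption], today: date) -> Tuple[str, str]:
    """Return (status, reason) for one account under the MFA policy."""
    if not acct.privileged or acct.mfa_enabled:
        return "conformant", ""
    ex = register.get(acct.name)
    if ex is None:
        # Unauthorised non-conformance: the risk is left floating, so it
        # falls implicitly on management as a whole.
        return "exception", "no exemption on file; risk not accepted by anyone"

    problems = []
    # First condition from the post: the situation varies from what was authorised.
    if today > ex.expires:
        problems.append(f"exemption expired {ex.expires.isoformat()}")
    if not ex.controls_verified:
        problems.append("compensating controls not in operation")
    for attr, required in ex.conditions.items():
        actual = getattr(acct, attr)
        if actual != required:
            problems.append(f"{attr} is {actual!r}, exemption requires {required!r}")
    # Second condition: the risks are materially different from those accepted.
    if ex.incidents_mfa_would_have_prevented:
        problems.append(f"{ex.incidents_mfa_would_have_prevented} incident(s) MFA "
                        "would have prevented; revisit the authorisation")

    if problems:
        return "issue", (f"exemption held by {ex.accountable_owner} no longer valid: "
                         + "; ".join(problems))
    return "exemption", f"risk accepted by {ex.accountable_owner} until {ex.expires.isoformat()}"


def review(accounts: List[Account], register: Dict[str, Exemption], today: date):
    """Classify every account; returns {name: (status, reason)}."""
    return {a.name: classify(a, register, today) for a in accounts}


# Constructed sample data: one account per outcome the post describes.
AS_OF = date(2020, 1, 20)

SAMPLE_ACCOUNTS = [
    Account("root-prod", True, True, "prod", "live"),         # conformant
    Account("svc-backup-prod", True, False, "prod", "live"),  # nobody signed this off
    Account("dba-test-01", True, False, "test", "test"),      # properly exempted
    Account("dba-test-02", True, False, "test", "test"),      # exemption has lapsed
    Account("dba-test-03", True, False, "test", "live"),      # breaches its own condition
    Account("analyst-01", False, False, "prod", "live"),      # policy does not apply
]

_TEST_ONLY = {"environment": "test", "data_access": "test"}
_CONTROLS = ["isolated test network segment", "test data only"]
SAMPLE_REGISTER = {
    "dba-test-01": Exemption("Test Manager (A. Example)", date(2020, 3, 31), _TEST_ONLY, _CONTROLS, True),
    "dba-test-02": Exemption("Test Manager (A. Example)", date(2019, 12, 31), _TEST_ONLY, _CONTROLS, True),
    "dba-test-03": Exemption("Test Manager (A. Example)", date(2020, 3, 31), _TEST_ONLY, _CONTROLS, True),
}

if __name__ == "__main__":
    for name, (status, reason) in review(SAMPLE_ACCOUNTS, SAMPLE_REGISTER, AS_OF).items():
        print(f"{name:16} {status:10} {reason}")
```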
Categories: NoticeBored

NBlog Jan 20 - Travelex vs Sony shootout

NoticeBored - Sun, 01/19/2020 - 3:00pm
The Travelex ransomware case study is coming along nicely. Over the dull grey NZ weekend, I prepared a timeline of the ongoing incident to compare and contrast against the Sony Pictures Entertainment ransomware incident at the end of 2014. 
Already, Travelex is well ahead on points, restoring UK customer services within 3 weeks of the attack with more on the way. The incident timeline is substantially compressed relative to Sony's: they are getting through whatever needs to be done more quickly.
Travelex has done well to keep its retail customers updated throughout, from the initial rapid disclosure on Twitter through to brief informational pages on the web, an FAQ, plus a statement and talking-head videoblog by its CEO on Friday just gone. Full marks from me!
As far as I'm concerned, Travelex has managed the disclosures and public comms well, releasing professionally-crafted, informative briefings about the evolving situation, reassuring customers and not trying to cover things up or hide away. The CEO fronting-up is notable, confirming beyond doubt that senior management is on top of things, facing up rather than shying away. As with the city's most senior policeman fielding a press briefing very shortly after the London bombings of July 2005, impeccably dressed, confident and impressive, the reassurance is very valuable, damping down rather than fanning the flames.
Although admittedly I have not hunted for them specifically, I haven't yet come across any informal/unauthorized disclosures by Travelex workers, such as those mobile phone photos of the scary skeleton threats plastered over Sony's screens. Despite what must surely be a tense atmosphere in the offices, the Travelex workforce is evidently pressing on with the job, all hands to the pumps. Good on them too!
In parallel, Travelex management must have been busy liaising with and reassuring its commercial customers/partners, industry regulators and the global news media too, while the fairly rapid restoration of services hints at a huge amount of work under way down in the IT engine room (presumably a disaster recovery approach, rebuilding servers from backups?).
Most likely there are incident investigation and information security activities going on as well, and possibly communications with the cyber-crims behind the attack and the authorities. We know virtually nothing about that aspect at present, which is to be expected since it is commercially sensitive and might be forensically relevant. Further information may or may not emerge over the forthcoming months and years ...
... which reminds me: this incident is some way short of being 'resolved' at this point. Even when all Travelex's customer services are fully operational, there will still be loose ends to tie off, business relationships to rebuild and lessons to be learned. Meanwhile, thank you Travelex (and Sony and the Metropolitan Police and others) for teaching us a thing or two about handling serious incidents.
Categories: NoticeBored

NBlog Jan 19 - exercising in private

NoticeBored - Sat, 01/18/2020 - 3:00pm
Continuing this mini-series of bloggings inspired by business continuity exercises, today I'm talking about other sources of creative inspiration for security awareness purposes - specifically, information from within and around the organization concerning incidents, near-misses, information risks and other issues that are known internally but haven't (yet!) been picked up by the news media. There's a wealth of information there, behind closed doors.
Most organizations care enough about various kinds of risks to manage them explicitly. All organizations seeking certification against ISO/IEC 27001 are required to manage information risks (by which I mean "risks pertaining to information"), a process that starts by identifying the risks to be managed.
How do they do that?
One approach involves considering the organization's risks in general: what threatens achievement of corporate/business objectives? And which of those risks has an information element? Large, mature organizations typically have some sort of 'corporate risk register', perhaps even a dedicated team or department of risk experts primarily responsible for risk management, especially (if not exclusively) for the "significant", "substantial", "strategic" or "bet-the-farm" risks. Other organizations have more diffuse arrangements for managing risks, perhaps just an implicit, integral or informal part of 'governing', 'managing' or 'doing business'. Either way, the risks typically identified at that high level may not be labelled or even considered to be "information risks" but many are, or have an information aspect. Fluctuating exchange and interest rates, for instance, can have significant implications for corporate financial management, and so need to be managed carefully: the rates, plus the factors influencing them, plus the details around how the rates affect corporate finances, plus the financial management systems and processes themselves, all revolve around information ... hence there are information risks. Pick any other significant corporate risk and you can almost certainly find significant information risks.
Another approach explores business processes, systems etc. For business continuity purposes, a classical Business Impact Assessment is all about mapping out the organization's main activities and highlighting the things that absolutely must continue operating come-what-may in order for the organization to survive. Extend that map just a little to include the activities required for the organization to thrive and prosper, and there you go: a nice set of business activities (plus systems, resources, relationships etc.) that are critical or extremely important to the organization. Once again, there are bound to be associated information risks, since information is critical to all of them.
A third way focuses on information systems and flows, especially computer data, looking for IT-related threats and vulnerabilities. They may be labelled "IT risks", "technology risks", "cyber risks", "data risks" or whatever, but to me these are simply a subset, members of the broader set of corporate information risks. [And if you are wearing massive dark cyber-blinkers, you should expect to be blind-sided by serious incidents involving information that were outside your field of view. Don't say you weren't warned!] 
A fourth way looks at issues, events and incidents, and perhaps near-misses that the organization has experienced directly when risks have actually materialised or come close. These are learning opportunities with an obvious significance for those directly involved and (usually) interest and value for others. 'Once bitten, twice shy' concerns the long-term personal and social reaction to adverse events. Post-incident investigations can be an excellent source of information about risks, including threats, vulnerabilities, impacts, controls, governance, management, processes, people, situations, capabilities and more (e.g. "We were fortunate on this occasion that ..."). However, investigations are tough because of the damage caused and the natural reactions and sensitivities of those involved. 
Those four approaches to identifying and dealing with risks, plus others (such as the insurance and strategic/corporate governance perspectives), all contribute to the organization's general understanding and appreciation of risks, including information risks ... hence they are all sources of content for security awareness and training purposes. It makes a lot of sense for the awareness program itself to be risk-driven, risks being an obvious means of both identifying relevant topics and prioritizing the coverage. 
It doesn't particularly matter whether the impetus relates specifically to information risks or corporate risks in general since information is an integral part of all of them. So, for instance, if for some reason management happens to be particularly concerned about the organization's compliance-related risks right now, there is plenty of latitude to raise awareness of information risk and security within the context of compliance e.g. compliance with privacy and other information-related laws, contractual terms relating to information protection, security policies, intellectual property rights and so on. 
That's what we've been doing every month since 2003, in a generic way, building and maintaining a unique library of awareness and training content covering 70 information risk and security topics. Within your organization, you can do the same thing with a narrower perspective, focusing on aspects that are pertinent to your business, or to your culture, your people, your locale, your industry, your challenges, your incidents, your critical activities, your resources ... and, yes, your risks. Rummage through the corporation's attic (its risk registers, incident reports and BIAs) looking for pain points, concerns and interesting stuff worth dusting off and exploiting for your purposes. Talk to your colleagues about the Stuff That Really Matters and dig a little deeper to discover plenty more sources of inspiration. Explore situations where the organization (or those in which employees previously worked) narrowly escaped disaster, and the same for your business partners, industry peers and office neighbours. If you ever run short of interesting and relevant security awareness topics, you're just not thinking broadly, deeply or creatively enough - so let's talk. We'd love to help. It's what we do. 
Categories: NoticeBored

NBlog Jan 18 - business discontinuity

NoticeBored - Fri, 01/17/2020 - 3:00pm

As if following a cunning plan (by sheer coincidence, in fact) and leading directly on from my last two bloggings about business continuity exercises, Belgian manufacturing company Picanol suffered a ransomware infection this week, disabling its IT and halting production of high-tech weaving machines at its facilities in Ypres, Romania and China.

Fortunately, Picanol's corporate website is still up and running thanks to, hence management was able to publish this matter-of-fact press release about the incident:

Unsurprisingly, just a few short days after it struck, technical details about the "massive ransomware attack" are sparse at this point. The commercial effects, though, are deemed serious enough for trading in its shares to have been suspended on the Brussels bourse. 
There's already plenty of information here for a case study in February's awareness module. Through a brief scenario and a few rhetorical questions, we'll prompt workers to consider the implications both for Picanol and for their own organizations. If a similar malware incident occurred here, knocking out IT and production for at least a week, what would be the effects on workers, the company, its customers and other stakeholders? How should management respond, after such an incident ... and what can be done now to reduce the risks?
Normally our case studies are designed for the general staff awareness audience. This one, however, appeals to the management and tech/specialist audiences too, with only minor changes of emphasis in the questions to prompt discussion and learning.

I'm sad to say that Picanol and Travelex are not the only recent newsworthy incidents involving malware: ransomware in particular is a 'real and present danger' right now. For security awareness purposes in general, regardless of the specific topics, we rarely struggle to find relevant incidents to discuss ... largely because we choose awareness topics that are topical. It's not always quite so easy for topics such as APT malware (Advanced Persistent Threats), insider threats, industrial and commercial espionage, or other incidents that are normally kept quiet by victims, but somehow we've always managed.

NBlog Jan 17 - live-fire continuity exercises

NoticeBored - Thu, 01/16/2020 - 6:57pm
Yesterday I blogged about the advantages and disadvantages of business continuity exercises. Today's topic concerns the alternative approaches, in particular the idea of 'live-fire' exercises in the business continuity context.
Vast tracts of prime agricultural land are set aside as military training grounds, allowing the armed forces to practice their maneuvers and, sometimes, fire actual bullets, mortars, missiles and bombs. Real ones, not dummies. 
There are, of course, certain health and safety risks associated with weapons (!), so why take the risks? What are the benefits of not using blanks and simulations?
Two obvious reasons are:
  1. To test, prove and improve the weapons, for example confirming the accuracy, range and effectiveness of a field gun firing live rounds towards a tank, building or bunker, with gusting cross winds, challenging terrain, engineering and operational variables.
  2. To practice, test, prove and improve the soldiers' capabilities, including dealing with the very real safety concerns when their weapons are locked and loaded.
These are still exercises, though, somewhat removed from genuine action on the battle grounds of, say, the Middle East ... and it could be argued that even those are merely limited-scope live-fire exercises in preparation for all-out global warfare.
So do we have the equivalent of live-fire exercises in the business continuity context? Yes, there are at least two types: 
  1. Actual incidents that occur routinely within the organization, ranging from frequent minor events up to the occasional more serious incidents, if somewhat removed from genuine disasters thanks, in part, to the incident management and disaster mitigation activities. Hopefully all that preparation and exercising pays off! It's straightforward for a responsible manager to "declare an emergency", initiating the disaster management activities even though that may not be strictly justified by the exact circumstances. From that point, turning the incident into an exercise may simply be a matter of going through the motions, perhaps simulating various facets that haven't been tested and proven lately. 
  2. Actual incidents that afflict other organizations. These can be valuable gifts in that we get to find out something about what actually happened under fire, without finding ourselves in the cross-hairs. 
A nice benefit of both approaches is that, unlike typical continuity exercises and just like real disasters, they are opportunistic, not pre-planned. They are unlikely to occur, conveniently enough, at the end of the working week before a long holiday weekend. Coping with the adrenaline rush of truly believing that a severe incident or disaster has actually occurred is an integral part of the event/exercise. The chaos and confusion are a step up from the usual cool, calm and collected exercises. True, there are risks too, but they are still less than the risks of being unprepared for incidents and disasters. Risk is relative, not absolute, remember, and can seldom if ever be totally eliminated.
I'll have more to say about using third party incidents for awareness purposes tomorrow. Maybe later. Let's live on the edge.

NBlog Jan 16 - pros and cons of continuity exercises

NoticeBored - Wed, 01/15/2020 - 7:45pm
Usually, business continuity-related exercises are very carefully planned in advance. Those directly involved are generally well aware of the impending events, often having a good idea if not explicit information about the timescale as well as the situation to be simulated. The more involved the exercise, and the longer the planning, the greater the leakage of information about it. The rumour mill grinds it out.
There are several good reasons for all that exercise pre-planning:
  • Preparing for exercises is also [at least partly] preparing for genuine incidents - a convenient [partial] alignment of objectives 
  • Planning improves the chances of 'success' - an important factor for those personally charged with overseeing, managing and conducting the exercises 
  • People and organizations confronted with an exercise scenario are less likely to panic, thinking and reacting as if it is a genuine incident, if they know about it in advance
On the other hand, the pre-planning has its drawbacks too:
  • People and organizations naturally focus on and prepare for the specific scenario/s planned, perhaps diverting resources from other aspects of preparedness that might be even more important/urgent
  • A pre-planned and anticipated exercise removes a substantial element of uncertainty that occurs in real incidents, begging questions such as "Is this an incident?", "What's going on?", "How serious is this?" and "Am I the only person who knows about this?"
  • "Success" in an exercise is not quite the same as "success" in a genuine incident - generally speaking, the stakes and hence the stresses are much higher, pushing systems, processes, individuals, organizations and communities to and in some cases beyond their breaking points, something that most exercises studiously avoid. It is conceivable for organizations to become highly accomplished at exercises, yet hopeless in actual incidents.
  • There may be adverse effects on operations if exercises go wrong, despite all the efforts to minimise the risks, whereas there certainly will be adverse effects in the case of actual incidents, especially those severe enough to warrant all this preparation, planning, exercising and so on. One consequence of this is that exercises tend to last a few hours or days at most, maybe a further few weeks for the wash-up meetings, reporting and note-taking for the next run. Genuine incidents typically last for weeks or months, with business and personal impacts that can easily last a year or more.
So, with that in mind, it is worth considering whether business continuity exercises are sufficient, in fact, in terms of both preventing or ameliorating incidents and gaining assurance that the arrangements will work properly when required for real.
I'll have more to say about this tomorrow, providing nothing disastrous happens in the meantime.

NBlog Jan 14 - a live case study

NoticeBored - Tue, 01/14/2020 - 1:36am
As we slave away on next month's security awareness module on malware, the Travelex ransomware incident rumbles on - a gift of a case study for us, our customers and for other security awareness pros out there.
A quick glance at Travelex dotcom tells us that (as of this blogging) the incident is ongoing, unresolved, still a public embarrassment to Travelex that is presumably harming their business and their brand ... although having said that I've already mentioned their name three times in this piece. If you believe 'there's no such thing as bad publicity', then headline stories about the incident are all good, right?
Hmmm, leave that thought with me. Meanwhile, for the remainder of this piece, I'll call them "Tx" for short.
Technically speaking, the Tx dotcom website is up and running, serving a simple information page 'apologising for any inconvenience' [such as retail customers being unable to use the site to access Tx financial services in the normal fashion] and blaming 'a software virus': 

It refers to another Tx website which appears to be a legitimate Tx customer authentication page ... but, if it were me, given the incident I would be very dubious about submitting my credentials without first ascertaining that the site is legitimate, not simply part of the scam.
Anyway, the point is that they are at least on the Web, albeit a basic holding page, including their logo I notice. Without further information, we can only guess as to whether this page plus the associated webserver was hurriedly knocked together from scratch during the course of the incident, or was prepared in advance as part of a pre-planned incident response, perhaps customised a little and published when the evil ransomware struck. Likewise the separate login page.
Tx dotcom is currently being served from an Amazon cloud, on an IP address shared by an eclectic collection of ~200 domains including:

Fair enough, there's no particular information security issue with cloud services and shared IPs, but it suggests that Tx's dedicated webservers and IP addresses are currently offline. In other words, the informational We've got a problem, Houston page is presumably being served from an alternative webserver ...
... so what I'm doing now is building the case study, systematically piecing together whatever information I can glean or surmise about the incident, more importantly trying to figure out or plain guess what Tx may have done already and might now be doing in response to the incident. There are things to be pointed out, lessons to be learned here, lessons that hopefully don't involve the rest of us suffering an actual malware incident. For that, we should all be very grateful to Tx, and at the same time sad that they evidently didn't have the advantage of learning the hard lessons from the many unfortunate organizations that have suffered similar incidents before them. [Yes, there are lessons here for Tx too, plus their customers ... and I suspect they know that only too well right now, without our unsolicited input.]
That's still only a small part of preparing February's awareness content, an illustration based on one specific incident. Generalising from the Tx incident is the bulk of our work this month. We'll be elaborating on the things that typically occur during and follow after a major malware incident, highlighting the things that can and should probably have been done ahead of time.

NBlog Jan 6 - post-malware-incident notification & other stuff

NoticeBored - Mon, 01/06/2020 - 1:24am
A couple of days ago here on NBlog I wrote

"One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents." 
That's not all.

Anticipating that, despite all we do to prevent them, malware infections are still likely to occur implies the need for several post-event controls.  These are the kinds of controls I have in mind:
  • Reliable, efficient, effective, top-quality incident response and management processes - in particular, speed is almost always of the essence in malware incidents, and the responses need to be well-practiced - not just the run-of-the-mill routine infections but the more extreme/serious "outbreaks";
  • Decisive action is required, with strong leadership, clear roles and responsibilities, and of course strong awareness and training both for the response team and for the wider organization;
  • Clarity around priorities for action e.g. halt the spread, assess the damage, find the source/cause, recover;
  • Technological controls, of course, such as network segmentation (part of network architectural design), traffic filtering and (reliable!) isolation of segments pending their being given the all-clear;
  • Clarity around priorities for reporting including rapid escalation and ongoing progress updates, in parallel with the other activities;
  • Forensics, where appropriate, feasible and helpful (e.g. which preventive controls failed, why, and what if anything can be done to strengthen them);
  • Restoration and testing of backups, prioritizing key business processes and other cleanup efforts as part of ...;
  • ... Business continuity management;
  • Additional/heightened preventive and detective controls with alerts/alarms and rapid responses to further/reinfection - that jumpy phase when we think but aren't entirely certain that everything is resolved;
  • Stakeholder notification, with implications for exactly what can and should be said, to whom, when, how and by whom (taking account of the impacts on them, including compliance failures and business service interruptions);
  • Post-incident reviews to identify and learn the lessons once the dust has settled, making the best of a bad job by improving whatever can and should be improved for the future - part of systematic improvement.
Stakeholder notification is something one of our awareness customers raised, and something we intend to cover specifically in February's awareness materials ... and while we're at it, I figure there's plenty more mileage in the remainder of those bullet points above. Given that, sadly, this will be our final update to the malware awareness and training content, it seems fitting to end with something new on what needs to be done when (not if) malware incidents occur, our legacy if you will.

NBlog Jan 5 - plus ça change, plus c'est la même chose

NoticeBored - Sat, 01/04/2020 - 11:29pm
Malware has clearly been an issue for a long time. It was prevalent enough to be the topic of our second NoticeBored security awareness module way back in July 2003. I've just dug the old NB newsletter out of the archive to see what's changed.  
In 2003, I wrote about viruses (macro, boot sector and parasitic types), Trojans, worms and logic bombs. Although other forms of malware were around back then, we elected to stick with the basics for awareness purposes. 
Getting on for 18 years later, we're taking a broader perspective. Today's workers need to know about spyware, BEC & VEC (Business/Vendor Email Compromise), phishing, infectious mobile apps and more. Actual computer viruses are practically unheard of now, although the term remains.
We're still concerned about preventive, detective and corrective controls, and malware risks that include data corruption - only now it's mostly deliberate in the form of ransomware rather than cybertage or bugs in the malware code.
The 2020 and 2003 newsletters have a very similar style with minor differences that only catch my eye because I wrote them, and I've been responsible for using and updating the format throughout. We've changed from Arial to Calibri font. Shouty "EMAIL" became calmer "email" at some point. The Hinson Tips on awareness migrated from the newsletter to the train-the-trainer guide, and the NoticeBored banner logo was smartened up. The two-column newsletter format remains, though, despite the layout problems that has caused me over the years, particularly when I wanted to include full-page-width diagrams. I've learnt to overcome most of the limitations of MS Word but not always without grief! 
We have more actual news now, too, finding short but relevant news items on the web to push the point home that the information risks are not merely theoretical: actual incidents are occurring all the time. Finding quotable news clips is becoming harder, however, due to the spread of paywalls: it's simply not economic for us to subscribe to all the commercial sources we'd need to maintain a broad-based newsletter, so we're increasingly using soundbytes from blogs and social media rather than the traditional news media. 
Are you scouring this blog for quotable content for your security awareness newsletters, I wonder? If so, go ahead, be my guest!

NBlog Jan 4 - malware awareness update 2020

NoticeBored - Fri, 01/03/2020 - 3:16pm
Our security awareness topic for February will be malware, malicious software - viruses, Trojans, worms, cryptominers, APTs, ransomware, spyware and Tupperware.
Well OK, maybe not all of them: viruses are vanishingly rare these days.
An increasingly important part of the malware problem is the wetware: we humans evidently find it hard to sense and react appropriately to the dangers presented by infected messages, web pages and apps. Addressing that is a key objective of the awareness module, and quite a challenge it is given that the bad guys are forever coming up with new ways to conceal their intentions or trick us into doing something inappropriate. 
Digging a little deeper, I feel we also need to explain why we can't rely on antivirus software etc. to save the day because the baddies are also finding novel ways to evade the technological controls, despite the best efforts of the good guys in IT.
One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents. Another less-obvious lesson from incidents such as cryptominers, spyware, Vendor Email Compromises and Advanced Persistent Threats is that detecting infections in progress is harder than it appears ... and, again, it makes sense not to over-depend on detection. 
Taking that to its logical conclusion, what could/should we do if we presume the organization is currently infected by some sneaky malware? I'm talking about the malware element of counter-espionage, for example deliberately seeding false information, or creating situations designed to reveal 'moles in the camp'.
There we are then: malware issues to discuss with general employees, tech/specialists and management, respectively. Now all I need to do is prepare the content for those three streams and Bob's yer uncle!

NBlog Jan 3 - ISO27k business case published

NoticeBored - Thu, 01/02/2020 - 7:55pm

I've just published the ISO27k business paper I wrote for the latest security awareness module. It elaborates on the typical business benefits and drawbacks of the ISO/IEC 27000 "ISO27k" information security management standards.
It is the fourth revision, a complete re-write in fact of a generic business case paper I started roughly two decades ago. Since then, I've gained experience working with clients, chatting with participants in the ISO27k Forum, plus colleagues on the ISO/IEC committee writing and maintaining the ISO27k standards.
The new version deliberately takes a very broad perspective: ISO27k is not just about securing IT systems, networks and data ('cybersecurity') nor even 'information security'. It's really a governance structure for managing an organization's information risks systematically, in support of its business objectives. It's as much about exploiting as protecting information. ISO27k is a business-enabler.
Use it to construct your business case, budget request or project proposal to adopt ISO27k or, if you already have an Information Security Management System in operation, find ways to squeeze even more business value from it. 
Download the paper here.
Comments welcome.

NBlog January - ISO27k awareness & training materials

NoticeBored - Mon, 12/30/2019 - 4:36pm

January's security awareness and training materials concern a topic I've been itching to cover for years, literally (the years part, not the itching ... thanks to the magic ointment).

I've been a user and fan of the ISO/IEC 27000 series standards since forever, before they were even conceived, even before BS 7799 was published.

From the original corporate security policy and 'code of practice' on information security (essentially a catalogue of information security controls), ISO27k has grown into a family of related standards, along the way assimilating a couple of other standards and, lately, expanding into privacy, eDiscovery, IoT, smart cities, big data and more.
Making sense of the bewildering scope of today's ISO27k was a particular challenge for this awareness module ...

... and of course ISO27k is not the only source of guidance out there ...

The module came together and turned out nicely ...

I'm especially pleased with how the ISO27k business case and metric (the 'universal KPI') turned out. They and the other awareness materials will serve double-duty in connection with our ongoing ISO27k consulting gigs.
The shiny new batch of ISO27k awareness content is available to download now at It's our 70th information security awareness and training topic. Top that!