NBlog February 9 - mapping awareness memes

NoticeBored - Thu, 02/08/2018 - 9:09pm
Yesterday I came up with the suggestion of using memes to spread security awareness messages from person to person, in a similar fashion to the way that computer viruses and worms spread from IT system to IT system. 
Today I'm trying to come up with something that people will spread among each other by word of mouth, through email and TXT etc., something funny, shocking or useful - such as tips to avoid falling prey to malware maybe, or rumors about a serious malware infection within or close to the organization.
'Too close for comfort' has potential, perhaps a malware incident and business crisis narrowly averted by sheer good fortune. Or maybe we could fool workers into believing that the auditors will soon be coming to check up on the antivirus controls?
Such an approach could be unethical, risky even (e.g. if it prompted workers to meddle inappropriately with antivirus configurations or audit trails, rather than ensuring that the antivirus controls were operating correctly). It would need to be carefully considered and planned, which itself constitutes an awareness activity even if, in the end, the decision is taken not to go ahead.
The 'meme map' (derived from "Meme Maps: A Tool for Configuring Memes in Time and Space" by John Paull) represents the lifecycle and spatial or geographical spread of the meme. Reading from the bottom up, both the yellow area prior to the meme's release, and then the green area, are awareness opportunities.  
Mapping and demonstrating the gradual spread of a security awareness meme within the organization (e.g. mapping the source of clicks on a link to a fake internal memo about the fictitious antivirus audit, or tracking calls about the audit to the Help Desk) is yet another possible awareness activity, with similarities to the spread of malware ... at which point I recurse up my own backside, so that's enough idle musing for today's blog.
Categories: NoticeBored

NBlog February 8 - making security awareness infectious

NoticeBored - Wed, 02/07/2018 - 8:04pm
Just appearing into view along our virtual conveyor belt comes an updated module on malware, one of those perennial, almost universally-applicable security awareness topics.
Aside from generally checking over and fluffing-up the content delivered in prior years, we're on the lookout for new developments, specifically any changes in the risk profile or security controls associated with malware.
Something we've spotted is an alleged move away from ransomware (which was Big News this time last year, a real and present danger) towards using compromised systems for crypto currency mining. I'm not entirely convinced at this point whether that is a genuine change: maybe ransomware has indeed peaked out (I sure hope so!), maybe not, but either way mining malware could be an emerging trend, another short-lived fad, a mistaken interpretation of limited data or pure fiction invented by someone flogging antivirus software.
Over a much longer timescale, commercial exploitation of malware remains evident, along with the continuing battles between black and white hats. For decades we have seen innovative and increasingly complex technologies being deployed on both sides - clever stuff, but things have more or less stalled on the human front. Despite our best efforts through awareness, education, training, phishing simulators etc., the same old social engineering tricks remain somewhat effective today at spreading malware, and there's plenty of potential there for further innovation. 
Novelty is a challenge for both the tech and non-tech malware defenses. This is cutting-edge stuff where established approaches gradually lose their power. Purely responding to changes on the offensive side is bound to set us on the back foot, especially given that most of those changes are unrecognized as such, initially anyway. Who knows, maybe the Next Big Thing in social engineering might be quietly ramping up right now.
So, I'm sitting here thinking about how to encourage NoticeBored subscribers to up their game with more innovative malware defenses, including our creative efforts on security awareness of course but what else could they be doing? Hmmm, I wonder if security awareness messages could be delivered by malware-like infectious mechanisms? 
Probably not a good idea, that one, subject to the same risks and drawbacks as those supposedly benevolent worms designed to patch systems against security vulnerabilities. 
A meme, though, has possibilities. If we can't infect IT systems with technological controls, can we at least infect people with behavioral controls, in a way that spreads from person-to-person like a beneficial form of flu, without the sniffles?
Categories: NoticeBored

NBlog February 5 - protecting information awareness module

NoticeBored - Mon, 02/05/2018 - 2:55am
‘Protecting information’ is a non-specific title. Almost everything that we do is about protecting information so what does February's NoticeBored awareness module actually cover?

'Protecting information' begs questions such as:
  • What is the information that deserves or needs to be protected?
  • What are the risks the information is protected against - the threats, vulnerabilities and impacts?
  • How can or should the information be protected?
  • Who is responsible for protecting it?
For the answers, we drew inspiration from the fields of information risk management, intellectual property and knowledge management, as well as information security and governance. 

As usual, we chose to discuss all kinds or forms of information in the typical business context - not just computer data. 'Knowledge' for instance includes workers' experience and expertise, trade secrets and know-how in general. The corresponding information risks and controls are quite diverse.

Information classification is one of the key controls patiently explained. The process of classifying and protecting information is more involved than it may appear. Awareness is particularly important for organizations handling government and defense information: it’s all very well stamping SECRET on your manila folders, but what does that actually mean, in practice? What does it achieve? What's the point? How does it work?
The materials promote a balanced and considered approach towards protecting information. Excessively strong information security reduces legitimate access to, and utility of, the information. The very value we seek to protect can be degraded by too much security. Many information/cyber security professionals would do well to consider this paradox! Protecting the availability of information sometimes means compromising on the controls for confidentiality and integrity.

Get in touch if this brief outline has whetted your appetite: if 'protecting information' sounds like something your people should know about, we have the creative content to make it so.
Categories: NoticeBored

NBlog January 31 - protecting information

NoticeBored - Wed, 01/31/2018 - 1:09am
Today after the usual end-of-month rush, we completed and delivered February's security awareness module on protecting information.
We have updated the NoticeBored website with an outline of the new module.  I'll have a bit more to say about it here on the blog, maybe tomorrow.  
Right now I'm de-stressing with a glass of red wine and some time off in front of the TV.
Categories: NoticeBored

NBlog January 24 - distracted, again

NoticeBored - Tue, 01/23/2018 - 11:40pm
Today was a glorious summer day in Hawkes Bay - about 30C under clear blue skies, hot sun and plenty of greenery thanks to the odd thunderstorm lately.  Not exactly the ideal weather for slaving away in the office.
As I was hootling down the track on the 4x4 farmbike on my way to turn off our water pump this afternoon, I turned to look across our paddock ... and saw Maka ("maarka"), our tame/pet red deer hind, sniffing at a little brown wobbly thing, staggering drunkenly around as it struggled to stand on the slope.

The fawn was only an hour or so old. We didn't even know Maka was pregnant, let alone due today, so it was a very pleasant surprise. 
Mother and baby are doing well. We feel like proud grandparents.
Categories: NoticeBored

NBlog January 22 - turning the tables

NoticeBored - Mon, 01/22/2018 - 12:30am
Social engineers exploit their "knowledge" of psychology to manipulate and exploit their victims. So how about we turn the tables - use our knowledge of psychology to counter the social engineers?
That thought popped unexpectedly into my head over the weekend as I was grubbing weeds in the paddock. I've been mulling it over ever since, making hardly any progress to be honest. 
One thing that occurs to me is that social engineers are potentially just as vulnerable to manipulation as their victims, although they have the advantage of having consciously and deliberately performed their attacks ... which could in fact be a weak point: if they believe they are in the driving seat, they may not anticipate being driven. 
There is some evidence of this, for example 419ers (advance fee fraudsters)  have occasionally been led along the garden path by savvy targets. Scam-baiting became A Thing about a decade ago, relatively amateurish though and risky to boot: the authorities quite rightly warn against vigilantism in general, but there were some creative schemes and hilarious trophies.

A better planned, coordinated and generally more professional approach, applying proper psychology and science rather than just bitterness, retribution and belittling, has some merit as a strategy, particularly if the aim is to fire up workers' imaginations and so make them more aware of, and resistant to, the scammers. Whereas an individual organization or even a group may stand little chance of stamping out the 419ers and other social engineers, they can perhaps tilt the odds in their favor, becoming slightly harder, less attractive targets.

I'm still not sure where I'm going with this. It's one of those little germs of an idea that might sprout and flourish, but more likely will disappear without trace. Perhaps me writing about it here has set YOU thinking about it, and together we can take it forward as a discussion thread. It will at least remind me when I'm checking through the blog posts at some future point, having totally forgotten about it!
Categories: NoticeBored