NBlog May 20 - the value of visuals

NoticeBored - Sun, 05/19/2019 - 6:44pm
Whereas tangible information assets and physical security are different to the intangibles we normally address, the process of managing the information risks is essentially the same:
Variations on that diagram feature in many NoticeBored modules since the information risk management process is central to information security. 
In June, we'll elaborate on it in the particular context of physical information assets and risks thereto, using typical assets, incidents and situations to help people understand what we're concerned about. 
In subsequent modules, we'll pick out different aspects according to the monthly topic, and occasionally we'll zoom-in to explore certain parts of the process in more depth - risk identification, for instance, or incident management. 
We may tweak the layout here and there but, over time, our awareness audiences gradually become familiar with the process - one of a handful of core concepts underpinning the field. These are themes linking individual information security awareness and training messages together into a coherent story or picture that plays out over the years.
The formatting/style of the process flow diagram is another aspect that we aim to keep reasonably consistent from month to month. Once you've been shown and talked through any one of them, other processes are easier to understand since they are described in familiar terms. We consistently use visual cues to highlight specific parts of the diagrams (e.g. the deep red "Incidents and close shaves" box), while red-amber-green coloring features in every module (e.g. in our Probability Impact Graphics).
Diagrams are an invaluable tool for awareness and training purposes, flexible and expressive, supplementing and enhancing the written and spoken word. For instance, those six numbered blobs on the diagram will link to a process description laying out, explaining and elaborating on the six key activities in words.
The diagrammatic approach is quite straightforward, obvious and natural but, in our experience, many information security and technology professionals struggle to prepare and utilize decent diagrams: they can sketch things out on paper but (short of scanning the scraps!) converting rough drawings into more presentable and useful formats is challenging. It takes time, effort and skills. Despite our decades of practice, we invest a lot of time and creative energy in both figuring out and presenting concepts, processes, relationships etc. visually every month because it pays off. Better still, it's fun.
Categories: NoticeBored

NBlog May 17 - physical infosec

NoticeBored - Fri, 05/17/2019 - 1:44am

Sorry for the pause: among other things, I've been busy exploring a new subject for next month's NoticeBored security awareness and training materials.
June's topic is physical information security, something we've covered a number of times previously. Physically protecting computer systems and storage media against threats such as intruders and thieves, fires, floods and power problems is an essential part of information security for all sorts of reasons that we'll soon be elaborating on.
This time around, however, we'll also pick up on protection of another category of tangible information assets, specifically our people.
Workers are definitely assets (otherwise, why would we pay them?) but do they qualify as 'information assets'? I'd argue yes for the reason that we value their brains at least as much as their brawn. Whereas brawn can generally be replaced by machinery, it's much harder to replace a competent person's knowledge, experience, expertise and so forth, advances in robotics and artificial intelligence notwithstanding.
Protecting workers, then, takes us into the realm of health and safety, hence I'm busy researching at the moment. I'll have more to say on this, so tune back to this station soon for the next exciting episode.

NBlog May - Security awareness for off-site workers

NoticeBored - Tue, 04/30/2019 - 9:21pm

Hot off the NoticeBored production line comes May's security awareness and training module about working off-site.
The 69th topic in our portfolio was inspired by a subscriber asking for something on home working.
It ended up covering not just working at home but the information risk and security implications of working on the road, in hotels, on supplier or customer sites and so forth, touching on online collaboration and other related areas along the way.

Module #193 is 95% brand new, prepared from scratch during April and blended in with a little updated content recycled from previous modules on workplace security and portable ICT security, plugging the gap, as it were.

I'm proud of the guideline (item #04), part of the staff awareness stream. At 16 pages, it is lengthier than normal due to the sheer variety. With the odd touch of humor and stacks of pragmatic security tips for home and mobile workers, it would make a neat little awareness booklet or eDoc for people to leaf through as they wait for planes and buses, or “work” in front of the TV. It's a good read.
The module's management stream has quite a bit to say about achieving balance. There are clearly business and personal benefits to working off-site, provided the associated risks and costs are managed and kept in check. Compliance is particularly challenging as the workforce escapes the confines of the office, powerful ICT devices in hand, dispersing valuable yet vulnerable information assets across the globe. Resilience and flexibility are substantial plus-points.
Extending the working day or week can increase productivity to a point, beyond which over-stressed workers (staff and management!) plummet toward exhaustion and burn-out. In strategic terms, senior management has to make the right choices in order for the organization to reach the peak but not overdo it - and, for that matter, so do individual workers. Just because we can stay constantly in touch doesn't mean we have to. There are further strategic and governance implications of the evolving nature of work, hence quite a bit of sociology in May's module.
The professional/specialist awareness materials get further into the IT or cyber security aspects such as security administration of mobile devices. Recent news about the discovery of exploitable flaws in WPA3 has risk implications for mobile workers using Wi-Fi, particularly in potentially hostile environments such as busy shopping areas, stations and cafes. On the other hand, anyone who has followed the sorry tale of Wi-Fi security woes since the beginning should not be surprised. WEP, WPA and WPA2 have their vulnerabilities too, as do Bluetooth, cellular networks, Ethernet and the rest.
If off-site working is becoming or has become the norm for your organization, let's tease out and tackle the associated information risks through creative security awareness and training materials, helping you strike the balance between risk and opportunity, pain and gain. Over to you!

NBlog April 30 - tangents

NoticeBored - Mon, 04/29/2019 - 7:45pm
As the hours evaporate before our self-imposed start-of-month delivery deadline, I'm trying to stay focused on completing and proofreading the "Working off-site" security awareness module ... but it's hard when there's a fascinating discussion in full flow on the ISO27k Forum about quantitative vs qualitative methods of information risk analysis, plus all the usual stuff going on around me.
I find myself physically on-site in the IsecT office, supposedly working flat-out, but my mind is drifting off-site. I just caught myself day-dreaming about the possibility of racing driverless cars, their algorithms competing against each other and the laws of physics. What a bizarre tangent! I think it's something the behavioural biologists call 'displacement activity'.
Anyway, back to the grindstone. Catch you later.

NBlog April 26 - a productive day

NoticeBored - Fri, 04/26/2019 - 1:10am
Leafing through our information security policy templates this morning, I couldn't find anything specifically covering off-site working, so I knuckled down and prepared one.
It took longer than planned due to a false start: I soon realized that there are lots of potential policy matters in this area, so I refined the scope to cover just the information risk and security aspects. Following a general policy axiom, the more detailed policy statements describe 'typical examples' of the controls in three main categories (since they are likely to vary according to circumstances), plus a handful of others - about 2 sides of actual policy with the usual summary, applicability, introduction and references sections.
This afternoon, I prepared a case study for May's awareness and training module on working off-site based around an intriguing scenario. What normally happens when a home-worker (someone who always, often or occasionally 'works from home') leaves the organization? What should happen? Specifically, how should the organization deal with any work-related information/data the worker may have had at home, on portable equipment, on paper or whatever? 
And what if it turns out that the worker has not, in fact, fully complied with policy and employed all the anticipated and required security controls? Tut tut!
There are information risks in this scenario that aren't explicitly covered by the new security policy, but I would argue that they are HR and IT issues that ought to be covered by HR and IT policies - governance, oversight, supervision and compliance matters for instance. 
That situation is not at all unusual: in our experience, few 'incidents' or 'situations' are so simple and straightforward as to involve just one issue and one applicable policy. Usually, several rules and regs apply, hinting at the need for a comprehensive mesh of policies, contractual terms, procedures, guidelines, work instructions etc., and there's the rub. 
We are infosec specialists. Our products focus on infosec. Infosec is What We Do. We gather there may be one or two other, lesser matters potentially of concern to our lovely customers (!) but there's only so much we can achieve. 
Our solution to this conundrum is to refer to other types or categories of policies etc. in the reference section of the policy templates without being too specific. Other information security policies are cited more explicitly since we have the corresponding templates to hand and are familiar with what they say, having written and maintained them. In any event, customers are likely to review and customize the policy templates, adapting and merging them with other corporate policies, procedures etc. - well hopefully anyway, assuming they have the competencies and resources to do that. I suspect many don't, but at least we know the security policy templates form a reasonably coherent and consistent suite. Who knows, maybe the style and structure of our policy templates will inspire customers to review and revise their entire policy structure, bringing the whole edifice into a more professional, valid state, a valuable central element of their corporate governance arrangements. 
Dream on!

NBlog April 25 - Teflon-coated security

NoticeBored - Wed, 04/24/2019 - 6:59pm
An article about hackers compromising IoT things mentions that IoT manufacturers choose not to make their devices more secure because the additional security controls would create 'friction' for users - in other words, they are making explicit commercial decisions about their products that take into account usability as well as various other factors, such as security, privacy and I guess cost.
Well, who'd a thunk it? Information risk and security management is all about making compromises and trade-offs. There are numerous options and decisions to be made, plus situations that are forced upon us.
Re 'friction', it occurs to me that effective security awareness smooths the way for additional/better security. Once people such as the concerned mother in the article, and hopefully some of its readers, appreciate the need for and value of security, they are more likely to accept the cost of security - not just the slight increase in the price of things for additional security features but the effort it takes to configure, use, monitor, manage and maintain security, a bunch of additional costs that inevitably follow (inevitable for adequate security, not inevitable for manufacturers and consumers!).
The same thing applies in a corporate setting. The reasoning goes: workers who know about and grasp the reasoning behind security are more likely to accept it. That's why our security policies include an introduction/background section with a brief explanation/justification, setting the scene for the controls documented in the main body. And it's why we continue to push security awareness and training as a valuable part of the treatment of information risks.
'Features' raises an interesting point. In a free market, consumers elect whether or not to buy certain products according to whatever criteria they set. Likewise, producers choose what products to offer, with whatever characteristics they feel will sell. It could be argued that security is not an optional feature but 'essential' or even 'mandatory' in the same way as 'safety' - but at present it generally isn't. Sensible consumers include security among their selection criteria and rank or prioritize it appropriately ... so first they need to understand what security is and why they might want it, which implies awareness. IoT vendors aren't exactly pushing product security in their advertisements: it barely merits a mention in the small print, overshadowed by the gee-whizz stuff top and centre. "Hey, look, you can adjust your aircon settings from your smartphone and come home to a comfortable temperature! Wow!" Even security things such as smart locks are sold on the strength of convenience and tech-whizz rather than security per se, thanks in part to the curious distinction between physical security and cybersecurity (as if cyber doesn't need physical: it does. They are complementary, not alternatives).
Bruce Schneier famously stated that, given the choice, people will choose 'dancing pigs' over 'security' every time. Security simply isn't sexy. We notice if it fails, not when it succeeds. We resent the cost without appreciating the value. We expect security to come for free, and to work perfectly every time. Right or wrong, those are tricky criteria for manufacturers (and security awareness gurus!) to satisfy.
Aside from learning from the safety field, including aspects such as transparency and openness over disclosing and investigating incidents (e.g. the ongoing 737 MAX scandal), I'm interested in the way cloud security is coming along. Thanks largely to the sterling efforts of the Cloud Security Alliance, security is being promoted industry-wide as an integral, essential part of cloud services - not a bolt-on optional extra 'feature' but core, not a product differentiator but a unifier. I hope the IoT Cybersecurity Alliance and Software Security Alliance are equally successful. An Operating System Security Alliance would be cool too (hint hint Microsoft, Apple, Google, IBM ...).
Meanwhile, we'll soldier on, promoting security awareness among our subscribers' workforces and blog readership, improving security month-by-month, topic-by-topic, organization-by-organization, person-by-person. 
Must dash: May's NoticeBored security awareness module on working off-site is fast approaching the end of the production line. We're preparing to add a glossy topcoat of non-stick Teflon.
[Non-stick == 100% carrot!]