NBlog Sept 18 - attendance stats

NoticeBored - Mon, 09/17/2018 - 10:56pm
Someone's attendance at, or absence from, a security awareness and training session or event is, at best, a rough indication of their involvement and engagement with the awareness and training program and yet it is often used as a measure, a metric. Why is that?
Clearly, if someone fails to show up at all, they are hardly going to benefit from the sessions ... but a well-rounded awareness and training program will not rely solely on in-person classes, seminars and similar events: it will typically have an intranet site, maybe newsletters, emails, discussion forums, posters and more. Hence it is certainly possible for someone to be engaged with the program and highly security-aware even if they do not attend the events for some reason (e.g. they may be forgetful, too busy doing other stuff, disabled, working night shifts, low on energy, sick or on vacation, antisocial, not keen on that style of learning, perceiving a lack of value or purpose ...). Nevertheless, nonattendance generally signals a lack of engagement.
In contrast, someone who shows up at every session without fail appears to be highly supportive of the program - but are they really? Or are they just keen to escape the office drudgery, dozing quietly at the back of the class maybe? 
Most workers (including the session leaders or trainers!) lie somewhere between those extremes: they attend a proportion of events depending on various factors. It is not unreasonable to assume that most attendees are demonstrating some level of interest in or engagement with the awareness program, their attendance rate across multiple sessions presumably correlating with their interest and engagement levels.
From another perspective, attendance rates at various awareness and training events are indicative of the popularity and perceived value of the sessions ... but again there are several factors at play (e.g. the particular topics being covered, the quality of the venue and catering, the quality of the trainer/leader, the supportiveness of the social environment both in and out of class) in addition to all the reasons why a given worker may or may not attend. Provided the attendance data are sufficiently accurate and representative, trends may indicate the awareness program's success or failure, strengths and weaknesses among the training team, popular or unpopular topics, venues, timing and formats etc.
Another reason for recording and reporting attendance is to demonstrate activity and concern. For various reasons, although busy senior managers may be unable to attend many events themselves, they may be relieved to know the events are being held regularly and are being well attended. They are using attendance as an assurance measure, confirming that the organization's investment in information security awareness and training is achieving something beneficial. Hopefully.
One more reason for using attendance as a metric is that it is cost-effective to collect, relative to other possible metrics in this area: attendees at awareness and training events are simply recorded in some fashion, perhaps signing an attendance register or being counted by someone (perhaps even estimated). The raw data are readily accumulated, analyzed (e.g. to identify trends or proportions) and reported ... which brings up another issue: to whom would the information be reported or presented? Who would want to know attendance levels? When and with what purpose? 
Potential audiences include:
  • Management: need assurance that the organization's investment in security awareness and training is worthwhile, and is achieving its objectives;
  • Information risk and security awareness and training professionals: need data to help invest the organization's resources wisely, develop and deliver the activities most effectively, evaluate and compare various options such as different modes of delivery, trainers, topics and venues, and demonstrate their professionalism;
  • Other stakeholders with an interest in the organization's information risk and security status, such as: owners; suppliers, customers and business partners; authorities (such as industry regulators); and compliance certification bodies;
  • Human Resources: most are responsible for administering training records, some take a more proactive interest in personal development plans, awareness and training strategies etc.;
  • Individual workers: some of us like to track our awareness and training activities along with other personal development, updating our resumes and plans accordingly.

Reporting intervals vary from weekly or monthly up to once every few years, or one-off, depending on audience needs. Reporting formats are equally diverse.
Bottom line: while they have their limitations, awareness and training attendance statistics potentially deserve being part of the organization's metrics mesh. 

Categories: NoticeBored

NBlog Sept 17 - fragility

NoticeBored - Mon, 09/17/2018 - 4:33am
In preparation for a forthcoming NoticeBored security awareness module, I'm researching business continuity.  Today, by sheer coincidence, I've stumbled into a business discontinuity: specifically, the website for a commercial company advertising/sponsoring a popular multi-week New Zealand radio show promotion is currently unavailable. It seems to have been so fragile that it broke.
This is how the web page looks right now:
Mostly white space. 502 is the standard HTTP status code for 'bad gateway': a server acting as a proxy or gateway received an invalid response, or none at all, from the upstream server it forwards requests to. In other words, something at the company's end answered me, but whatever sits behind it did not. It appears to be dead. Resting maybe.
The HTML code for the sparse error page is almost as sparse - just these 14 lines, half of which are comments. Getting an error page at all tells me it's not just my Internet connection playing up: my request reached their front end. The website behind it really is unreachable.
That's the NZ website. The company's Australian website is also unavailable, whereas its US site is up and running. 
nginx is a web server that is also widely deployed as a reverse proxy in front of application servers, caching content and/or balancing load across several back-end webservers, and the bare '502 Bad Gateway ... nginx' page is its default error page, served when it cannot get a valid response from the server behind it. Given the radio promotion, it is possible the company is using nginx as a cache to reduce an anticipated heavy load on the webserver, or to balance the load across several webservers, but either way evidently it isn't working out right now.
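An availability monitor that only records "up" or "down" throws away exactly the clue visible here: an nginx 502 page means the front end answered, so DNS, the network path and the edge host are fine and the fault is in the tier behind it. The following Python probe is an added example written for this page, not the company's monitoring nor anything shipped with nginx. The URL handling, User-Agent string, state names and sample responses are all assumptions; the 502 sample body is constructed to mimic nginx's default error page.

```python
"""Availability probe that reports which layer failed, not just up/down.

Added illustrative example; the sample responses below are constructed, not
captured from any real site.
"""
import http.client
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Response = Tuple[Optional[int], Dict[str, str], bytes]


@dataclass
class Verdict:
    state: str                 # healthy | redirect | origin_down | overloaded | client_error | unreachable | other
    status: Optional[int]
    front_end: Optional[str]   # what answered, if anything (Server header or page footer)
    note: str


def probe(url: str, timeout: float = 5.0) -> Response:
    """Fetch url once. Returns (status, lower-cased headers, first 4 KiB of body),
    or (None, {}, b"") when no HTTP response came back at all (DNS, TCP, TLS,
    timeout). Needs network access; the offline samples below do not call it."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"User-Agent": "availability-probe/0.1"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, resp.read(4096)
    except (OSError, http.client.HTTPException):  # socket timeouts are OSErrors
        return None, {}, b""
    finally:
        conn.close()


def identify_front_end(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Name the component that produced the response: the Server header if present,
    otherwise the '<center>nginx</center>' footer of nginx's default error pages."""
    if headers.get("server"):
        return headers["server"].split("/")[0].lower()
    if b"<center>nginx" in body.lower():
        return "nginx"
    return None


def classify(status: Optional[int], headers: Dict[str, str], body: bytes) -> Verdict:
    """Turn one probe result into a statement about which layer failed."""
    front_end = identify_front_end(headers, body)
    if status is None:
        return Verdict("unreachable", None, None,
                       "no HTTP response: DNS, network, TLS or the edge host itself")
    if status in (502, 504):
        # The proxy is alive and talking to us; its upstream returned garbage (502)
        # or nothing within the proxy's timeout (504). Look at the application tier.
        return Verdict("origin_down", status, front_end,
                       f"{front_end or 'the front end'} answered but its upstream did not")
    if status == 503:
        return Verdict("overloaded", status, front_end,
                       "service unavailable: capacity or maintenance, check load and scaling")
    if status >= 500:
        return Verdict("other", status, front_end, f"server error {status}")
    if status >= 400:
        return Verdict("client_error", status, front_end,
                       "the site is up; the probe URL or credentials are wrong")
    if status >= 300:
        return Verdict("redirect", status, front_end,
                       f"redirected to {headers.get('location', '?')}; probe that next")
    # 2xx: also insist on a non-trivial body so a blank page does not count as healthy.
    if len(body.strip()) < 64:
        return Verdict("other", status, front_end, "2xx status with an almost empty page")
    return Verdict("healthy", status, front_end, "front end and origin both responding")


# Constructed samples. The first mimics the sparse default error page nginx
# serves when it cannot reach its upstream.
NGINX_502_BODY = (
    b"<html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body>\r\n"
    b"<center><h1>502 Bad Gateway</h1></center>\r\n<hr><center>nginx</center>\r\n"
    b"</body>\r\n</html>\r\n"
)
NGINX_502: Response = (502, {"server": "nginx", "content-type": "text/html"}, NGINX_502_BODY)
HEALTHY: Response = (200, {"server": "nginx", "content-type": "text/html"},
                     b"<html><body>" + b"<p>Welcome to our promotion page.</p>" * 10 + b"</body></html>")
NO_ANSWER: Response = (None, {}, b"")


if __name__ == "__main__":
    for label, sample in (("nginx 502", NGINX_502), ("healthy", HEALTHY), ("no answer", NO_ANSWER)):
        v = classify(*sample)
        print(f"{label:10} -> {v.state:12} status={v.status} front_end={v.front_end}: {v.note}")
```

Run it periodically from outside the company's own network (the author's probe from home is what caught this) and alert on a change of state, not merely on non-200: "origin_down" pages the application team, "unreachable" pages whoever owns DNS and the edge, and a sudden switch from "healthy" to "overloaded" during a promotion is the capacity signal management evidently did not get here.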
Summing up the situation:
  • The company has planned and paid for a radio promotion including links to its website: management must have known this was coming;
  • Management appears (at some point) to have made technical arrangements to cope with a heavy load on the webserver: presumably, it anticipated the risk of the website being overloaded;
  • The technical arrangements appear to have failed: the website is currently unavailable;
  • Either management doesn't know the corporate website is down (due to the lack of effective monitoring) or it knows but hasn't reacted effectively (maybe nginx was the response: it hasn't worked for me, today);
  • The company has fallen off the web, making it hard for potential customers to make contact and do business;
  • That, in turn, has implications for its public image: its brand is becoming somewhat tarnished by this incident. It's not a good look.

This is a classic information security (availability and integrity) incident with business implications. The website evidently wasn't sufficiently resilient, and the incident does not appear to have been handled effectively. 
Of course, we can only guess at some of this in the absence of further information. Perhaps my assumptions are wrong. Maybe the fault lies elsewhere and/or the situation is more complex than it appears. Conceivably, the site might even have been taken down deliberately as a response to some other incident. We just don't know.
But we do have a little case study for the awareness module. I'll continue checking the site to see what happens next - how the situation resolves and perhaps gleaning further information about the incident.
[I haven't named the company because it isn't necessary to do so, and I don't want to make the incident any worse for them than it already is by prompting YOU to go check out their website as well!]
Categories: NoticeBored

NBlog Sept 15 - the business value of infosec

NoticeBored - Fri, 09/14/2018 - 3:28pm
Thanks to a heads-up from Walt Williams, I'm mulling over a report by CompariTech indicating that the announcement of serious "breaches" by commercial organizations leads to a depression in their stock prices relative to the stock market.
I'm using "breach" in quotes because the study focuses on public disclosures by large US commercial corporations of significant incidents involving the unauthorized release of large quantities of personal data, credit card numbers etc. That's just one type of information security incident, or breach of security, and just one type of organization. There are many others.

The situation is clearly complex with a number of factors, some of which act in opposition (e.g. the publicity around a "breach" is still publicity!). There are several constraints and assumptions in the study (e.g. small samples) so personally I'm quite dubious about the conclusions ... but it adds some weight to the not unreasonable claim that "breaches" are generally bad for business. At the very least, it disproves the null hypothesis that "breaches" have no effect on business.
Personally, I'm intrigued to find that "breaches" do not have a more marked effect on stock price. The correlation seems surprisingly weak to me, suggesting that I am biased, over-estimating the importance of infosec - another not unreasonable assumption given that I am an infosec pro! It's the centre of my little world after all!
Aside from the fairly weak "breach" effect, I'd be fascinated to learn more about the approaches towards information risk, security, privacy, governance, incident management, risk & security strategy, compliance etc. that differentiate relatively strong from relatively weak performers on the stock market, using that as an indicator of business performance ... and indeed various other indicators such as turnover, profitability, market share, brand value etc. I'm particularly interested in leading indicators - the things that tend to precede relatively strong or weak performance.
On the flip side, I'd be interested to know whether 'good news' security disclosures/announcements (such as gaining ISO27k or other security certifications, or winning court cases over intellectual property) can be demonstrated to be good for business. Given my inherent personal bias and focus on infosec, I rather suspect the effect (if any) will be weaker than I expect ... but I'm working on it!
Categories: NoticeBored

NBlog Sept 14 - black market credit card values

NoticeBored - Thu, 09/13/2018 - 7:05pm
An otherwise unremarkable marketing email from Armor caught my beady eye with this: "Armor has been tracking hackers, on both English-speaking and Russian-speaking markets, and found that current prices for stolen U.K. credit cards (Visa, Mastercard and American Express), with corresponding CVV data and expiration dates runs $35 each, $30 for a European Visa, Mastercard or American Express card, and $15 for a U.S. Visa or Mastercard and $18 for an American Express card." That's quite a range of values. I wonder why some stolen credit card details are twice as valuable as others on the black market. What makes them so attractive, relatively speaking?
Possible reasons for the discrepancy:
  • Market imperfections such as time lags between changes in supply or demand and price adjustments;
  • Some are rarer, in relatively short supply, with consistent demand driving prices up;
  • Vendors are simply taking advantage of 'market pricing': they charge whatever the market will bear, by reference to prices and sales for similar commodities;
  • Buyers are price-insensitive: the purchase price is insignificant compared to the anticipated income;
  • Demand is higher for some of them hence they are 'worth' more because: 
    • Identity fraud is somehow easier with them (e.g. the card providers' anti-fraud controls are weaker, perhaps detection and prosecution of fraudsters is less likely?);
    • Identity fraud is more lucrative with them (e.g. the accounts to which they link have larger balances and credit limits);
    • They are more likely to be and remain active, less likely to have been or be deactivated by the companies or card holders concerned (perhaps they are less aware of and/or responsive to identity fraud?);
    • The financial companies concerned and/or the authorities are actively buying up these cards in order to take them out of circulation, hoping perhaps to trace the sellers, in the process inadvertently driving up their market value (doh!);
    • Buyers value them for some other reason: they are deemed to be of higher quality, maybe 'needed' to complete collectors' sets?;
  • Statistical anomalies, truly random fluctuation, data errors and plain ol' mistakes e.g. we're not told how many of each type of card were on sale, nor is there any indication of the variance in prices;
  • Ulterior motives and bias behind the reported numbers: they were, after all, included in a mass marketing email, an unsolicited one at that i.e. spam.
As usual, I'm quoting and citing the source to illustrate an analytical approach, not to discredit or challenge the source so much as encourage you, dear blog reader, to think critically about such information rather than taking it at face value. I've seen similar numbers from other sources ... which may mean they are 'in the right ballpark' but could equally be an example of anchoring bias (if people have no idea of the correct value, they tend to estimate within or near whatever range is suggested to them, focusing on and implicitly assuming that the suggested range is valid).
Just sayin'
Categories: NoticeBored

NBlog Sept 10 - scary stats

NoticeBored - Mon, 09/10/2018 - 3:47am
In the course of researching phishing for our next awareness module, I Googled into a 2017 cybercrime report. It makes numerous dire predictions (such as "cybercrime will cost the world in excess of $6 trillion annually by 2021") and is stuffed to the gunnels with outrageously scary statistics (using "1,300 percent", for example, rather than a mere thirteen times).
While reading and evaluating the credibility of the report, I found myself strangely distracted by page 9 on "security awareness training":

"Cybersecurity Ventures expects 2018 to be the Year of Security Awareness Training — the breakthrough year when organizations globally take the (financial) plunge and either train their employees on security for the first time or doubledown on more robust and ongoing security awareness programs. Global spending on security awareness training for employees is predicted to reach $10 billion by 2027, up from around $1 billion in 2014. Training employees how to recognize and defend against cyber attacks is the most under spent sector of the cybersecurity industry. While the annals of hacking are studded with tales of clever coders finding flaws in systems to achieve malevolent ends, the fact is most cyber attacks begin with a simple email. More than 90 percent of successful hacks and data breaches stem from phishing, emails crafted to lure their recipients to click a link, open a document or forward information to someone they shouldn’t. Training employees on how to recognize and react to phishing emails and cyber threats may be the best security ROI. ... Employee training may prove to be the best ROI on cybersecurity investments for organizations globally over the next 5 years."

That's almost the entire written content of the security awareness section. Those strident assertions (e.g. about the 'breakthrough year', and training being 'the most under spent sector') might as well have been plucked out of thin air.
The report's author, Cybersecurity Ventures, immodestly describes itself as "the world’s leading researcher and publisher covering the global cyber economy". Gosh. The commercial sponsor, Herjavec Group, tells us "Information Security Is What We Do. Full Stop." ... then continues.
Ever the cynic, I wonder if the report was written in such extreme terms simply in order to be quoted incessantly - and, yes, blogged about. Much as I would love to believe their claims about the meteoric rise of security awareness this year, somehow I doubt it will be much different to every other year. Despite the best efforts of awareness and training providers, I see no evidence of a massive change of heart. Yet. Unfortunately.
What we need is a more effective awareness campaign ... about the value of security awareness. Ironic really.
Categories: NoticeBored

NBlog Sept 8 - chew before swallowing

NoticeBored - Fri, 09/07/2018 - 10:00pm
The Global State of Online Digital Trust is a typical vendor-sponsored piece, a white paper (= marketing promotion in the guise of a 'survey') prepared by Frost & Sullivan for CA Technologies.
I say 'typical' in that they have disclosed hardly any information about the survey method and sample. A press release instructs us to see the report for "Full survey methodology details" but unless I'm blind, it looks to me as if someone either 'forgot' to write the materials-and-methods section or casually neglected to incorporate it in the published report. Oh dear.
A CA marketing VP called it "a survey of 1,000 consumers, 350 cybersecurity professionals and 325 business executives from all over the world" whereas the press release referred to it as "The global online survey of 990 consumers, 336 security professionals and 324 business executives across 10 countries".
We can only guess at how they might have assigned respondents between the three categories e.g. who would not qualify as a 'consumer'? Wouldn't a CISO fall into all three groups? In the report, numbers next to the graphs appear to indicate the sample sizes, up to about 990.
Last time I checked, there were rather more than 10 countries in the world aside from USA BRA UK FRA GER ITA AUS IND JPN and CHN as listed in the report. If I'm interpreting those abbreviations correctly, that's well short of "all over the world".
If indeed the survey was online, that rather suggests the sample only consisted of people from the ten countries who were happy to answer an online survey - which itself implies a degree of trust in online security as well as a willingness to respond to a vendor-sponsored survey.
It is unclear whether or how the report's conclusions relate to the survey findings ... and they are somewhat predictable given the report sponsor's commercial interests:

"CULTIVATE A CULTURE OF SECURITY Implement data protection policies that are in accordance with the world’s strictest data privacy regulations. Ensure company-wide familiarity with security policies, including among non-technical staff to reduce the risk of data breaches.
START AT THE TOP Too many business executives see security initiatives as a negative return on investment. Alert the C-Suite to the tangible business impacts of a breach and a loss of consumer trust.
COVER YOUR BASES Consumers consider both social and technical factors when determining whether to trust an organization; be sure that your organization has the technical foundation in place to mitigate attacks and have a response team ready to minimize damage to consumer trust in the event of a breach.
KEEP IT SIMPLE Clear communication from organizations around policies and data handling practices is critical for building trust. Far too many organizations overestimate the degree to which consumers can easily manage their personal data online. Present your policies in simple language, and provide important details without overwhelming the consumer."

So they evidently equate "a culture of security" with data protection, data privacy and data breaches. Spot the common factor. A similar bias towards privacy law compliance and the protection of "customer data" is evident in all four paragraphs. That is an important issue, I agree, along with "cybersecurity" (an undefined term ... but I guess they mean IT security) but what about all the rest of information security: trade secrets, intellectual property, business continuity, physical and procedural security, information integrity, blah blah blah?
I freely admit to being heavily prejudiced in favour of both cultural development and management-level security awareness but their emphasis on breach impacts and consumer trust once again betrays a myopic focus on privacy breach incidents, while the conclusion about return on investment seems very suspect to me. I wonder if the survey question/s in that area were unambiguous enough to be interpreted in the same way by all the respondents? Or are the reported differences between the groups of respondents merely indicative of their distinct perspectives and assumptions? Did they even face the same questions? We can't tell since they choose not to disclose the survey questions.
The report introduces the term "Digital trust index". Sounds great, right? A metric concerning trust in, errr, digits? A percentage value relative to, um, what exactly? Oh let me guess, relative to the score conjured out of the air for this, the first report. And unfortunately for the sponsors, the term "Digital Trust Index" is already in use elsewhere.
Overall, a disappointing and essentially pointless read, like most other commercially-sponsored and heavily-promoted "surveys" I have read in my career, with few exceptions.
Clearly, I'm a slow learner, stubborn as an old boot. Venting my spleen through this blog is immensely helpful though, along with the vain hope that you might perhaps be persuaded to take a more critical look at the next "survey" that plops onto your screen. Chew it over rather than swallowing whole.
Categories: NoticeBored

NBlog Sept 7 - what have policies ever done for us?

NoticeBored - Thu, 09/06/2018 - 10:07pm
Why do we have policies, procedures and all that jazz? What are they and what are they for? What do they actually achieve? What would happen if we didn't bother at all? What else could we do instead - are there better ways?
Those rhetorical questions were prompted by a disarmingly simple and naive-sounding question on the ISO27k Forum this morning, viz "I am looking at implementing iso27001. How do I know if I need a policy or procedure in place?"
Good question!
In relation to ISO27k and to information risk and security in general, policies and/or procedures are needed in order to:
  • Address information risks that are of concern to the organization, or more specifically to management and other stakeholders;
  • State or express management's intentions formally in various areas;
  • Communicate and clarify things to the intended readers, giving them clear guidance (e.g. work instructions, awareness and training materials);
  • Satisfy requirements stated explicitly in ISO/IEC 27001 (assuming the organization intends to be certified compliant);
  • Satisfy other relevant and applicable requirements (e.g. under privacy laws and regulations, or for contractual reasons);
  • Promote good practices through a stable, mature, considered, structured and systematic approach, allowing continuous review, updates and improvement where needed;
  • Integrate various approaches in a coherent manner (e.g. information risk and security, plus privacy, plus business continuity, plus compliance, plus physical security, plus .... plus ...);
  • Demonstrate to all concerned (insiders and outsiders) that various issues have been considered and desired approaches have been determined, while generally implying that other possible approaches have been discounted and are not required, perhaps even not approved or authorized;
  • Use formally for compliance enforcement purposes, in which case they need to be unambiguous: clearly written, clearly applicable, clearly mandated ...;
  • Stop people guessing or making stuff up on a whim, or at least reduce this in certain areas while giving them more latitude in other areas;
  • Emphasize and focus attention on Stuff That Matters.

As to 'policy' and 'procedure', individuals and organizations quite often interpret those and related terms differently. Dictionary definitions are generally definitive.
ISO/IEC 27000 defines some terms explicitly in the context of the ISO27k standards including:
  • “Documented information” means information required to be controlled and maintained by an organization and the medium on which it is contained [i.e. ‘documentation’ in common parlance];
  • “Policy” means intentions and direction of an organization, as formally expressed by its top management [where organization and top management are also explicitly-defined terms];
  • “Process” means set of interrelated or interacting activities which transforms inputs into outputs [where none of those terms are explicitly defined!].
By the way, "insurance policy" neatly demonstrates a key difficulty in defining words individually, in isolation from the context. An insurance policy is not the "intentions and direction of an organization, as formally expressed by its top management" - it is a legally binding agreement, a contract between the parties concerning the insurance arrangement. "Foreign policy" is different again, and so on. Dictionaries tackle this situation by providing multiple, distinct or related definitions and examples, illustrating the defined terms being used in typical statements. ISO/IEC 27000 backs into a corner by giving just one definition and no context.
To make it worse, several key words and terms (including "key", for one!) are undefined. “Procedure” is not explicitly defined … but is used throughout ISO27k including 27000 itself, where “processes and procedures” suggests they are distinct, and “policies, procedures and practices” implies further [also undefined] distinctions.
“Procedure” to me means the description of a “process”, which is generally a sequence of “activities” which may be “tasks” or “decisions” or something else (e.g. “Wait patiently for authorization”). The manner of their description may be step-by-step instructions, flow diagrams, demonstrations, notes or some other format, usually captured in some form so that it can be more easily and consistently specified, stored, standardized, reviewed and authorized, communicated/used, and improved.
I have my own personal documentation preferences and styles. Given the choice, I prefer clear at-a-glance diagrams over tedious paragraphs of text for procedures, although both and more may be needed. For corporate policies, I much prefer readable plain English over the curious pseudo-legal mumbo-jumbo that is depressingly common in practice. But then IANAL: I'm a technical author writing information risk and security policies, procedures, training guides and awareness materials for ordinary people.
If a client uses different terms or interpretations, has particular requirements such as specific documentation formats and styles, needs their mumbo to be jumbo or whatever, that’s fine by me. He who pays the piper calls the tune!
So, apart from all that, what have security policies ever done for us?
Categories: NoticeBored

NBlog September 1 - outsider threat awareness module published

NoticeBored - Sat, 09/01/2018 - 12:09am
If “insiders” are defined as the organization’s employees, “outsiders” must be everyone else, right, all those who are not on the payroll? In reality from any single organization’s perspective, a huge variety and number of people qualify as outsiders. ‘We’ are completely outnumbered by ‘them’.
Leading on from August’s awareness coverage of insider threats, it’s time now to explore the information-related threats from outside the organization – both threatening outsiders and external threats that don’t involve malicious people, or indeed people, at all.
The scope of September's NoticeBored security awareness and training module includes external events, incidents, accidents and challenges that aren’t deliberate, targeted attacks by specific people or groups – supply chain interruptions, cloud service failures and Internet drop-outs for example are external threats to the business, as are more general, widespread or social issues such as climate change, infectious disease outbreaks and natural disasters. We call these “outside threats”.
For completeness, the threats and risks arising from “inbetweenies” – neither insiders nor outsiders - were mentioned last month and are brought up again this month. We’re talking about contractors, consultants, professional advisors, interns, temps and others. Perhaps at some future point we should explore the inbetweeny threats in more depth.
By the way, the A-to-Z guide to outsider threats turned out to be 12 pages as predicted. It was a bit of a rush to prepare such a detailed awareness paper at the end of the month but I'm glad we did; I'm still thinking about offering it as a threat catalog to guide anyone trying to identify and understand their outsider threats. Google finds a number of threat catalogs already but none I have found so far cover "outsider threats" as well as ours does. But then I wrote it, so I'm biased.
I should probably let it cool off for a while, and maybe I should add "insider threats" as well to complete the set.
Categories: NoticeBored

    NBlog August 30 - A-to-Z of outsider threats

    NoticeBored - Thu, 08/30/2018 - 5:50am
    I love it when a plan comes together!  
    We're close to completing the NoticeBored 'outsider threats' security awareness module for September, checking and finalizing the materials. Things are getting tense as the IsecT office clock ticks away the remaining hours.
    Normally, we develop awareness briefings for each of the three audience groups from the corresponding three awareness seminar slide decks, using the graphics and notes as donor/starter content and often following a similar structure. 
    Having finished the staff seminar this morning, I anticipated using that as the basis for a staff briefing as usual ... but, on reflection, I realized that we have more than enough content to prepare a lengthier A-to-Z guide to outsider threats instead. 
    The sheer number and variety of outsider threats and incidents is itself a strong awareness message. Listing and (briefly) describing them in an alphabetical sequence makes sense. 
    This will be an interesting read for awareness and training purposes and, I believe, a useful reference document - essentially a 'threat catalog' to help identify and assess the information risks relating to outsiders and other external threats. 
    If your current list of outsider threats and risks has only a handful of entries, you should expect to be caught out by any of the dozens you have failed to consider.
    Preparing it sounds great in theory but potentially it's too much work for the little time remaining ... except that I had the foresight to prepare a Word template for the A-to-Z guides from the last one we prepared. Now 'all I have to do' is paste in lists of threats and incidents already written in other awareness materials, click the magic button to sort them alphabetically, apply the Word styles to make the whole product look presentable then check it through for consistency. OK so there's a bit more to it than that but it's coming along rapidly and will be done in time. Having written about 9 pages so far, I'm taking a break after some 9 hours' intense concentration, resting and hoping not to wake up at 2 or 3 am with a head full of it!  It needs about 2 or 3 more hours' work in the morning to complete the remaining 2 or 3 pages (spot the formula!). At least, that's the plan.
    When it's all done, maybe we could offer it for sale as a combined awareness/training piece and outsider threat catalog through the SecAware website: what do you think? Is it something that would interest you, dear reader? Would you be prepared to invest a few dollars for immediate download? NoticeBored subscribers will receive it as part of their subscription, naturally, but I think it has some potential and value as a standalone product for wider readership. 
    Failing that, we might just release it as a freebie for marketing purposes, or seek to get it published in one of the trade journals. Or sit on it, updating it from time to time as inspiration strikes. We'll see how it goes.  
    For now, though, I'm all in and off to bed to recharge my flagging grey matter for the final slog.
    Categories: NoticeBored

    NBlog August 29 - outsider threats and incidents

    NoticeBored - Tue, 08/28/2018 - 7:20pm
    The wide variety of threatening people, organizations and situations Out There, and the even wider variety of outsider incidents, is quite overwhelming ... which means we need to simplify things for awareness purposes. If we try to cover too much at once, we'll confuse, overwhelm and maybe lose our audiences, if not ourselves.
    On the other hand, that variety is itself an important lesson from September's awareness module. It's not sufficient, for instance, for the cybersecurity team to lock down the corporate firewall in order to block hackers and malware while neglecting other outsider threats such as intellectual property theft and disinformation. Organizations are in a difficult position, trying to avoid, prevent or limit all manner of outsider incidents, some of which are particularly difficult to even identify let alone control. It's soot-juggling really.
    With our start-of-month delivery deadline imminent, we're currently finalizing September's NoticeBored slide decks and briefings, focusing on the key messages and making sure they have enough impact to resonate with the awareness audiences - our own version of soot-juggling. We have the advantage of being able to delve into things in more depth later, thanks to the rolling program of awareness topics. Next month, for example, we'll focus on phishing, specifically, so this month we'll take the opportunity to mention phishing as a form of outsider social engineering cyber-attack, briefly, without having to explain all of that just now.
    Things always become a bit frantic in the IsecT office as the deadline looms. On the bright side, we've done a stack of prep-work during the month plus research prior to that so we have no shortage of content. And we've been here many times before - every single month for the past 15 years in fact! So, that's it for now. Must dash. Speling to dubble-chek. Shiny things to polish.
    Categories: NoticeBored

    NBlog August 27 - dynamic authentication

    NoticeBored - Sun, 08/26/2018 - 8:14pm

    It is hard to authenticate someone's claimed identity:
    • Quickly;
    • Consistently and reliably to the same criteria at all times;
    • Strongly, or rather to a required level of confidence;
    • Cheaply, considering the entire lifecycle of the controls including their development, use and management;
    • Practically, pragmatically, feasibly, in reality;
    • On all appropriate platforms/systems/devices (current, legacy and future) and networks with differing levels of trustworthiness and processing capabilities;
    • Under all circumstances, including crises or emergencies;
    • For all relevant people (insiders, outsiders and inbetweenies), regardless of their mental and physical abilities/capacities, other priorities, concerns, state of health etc., while also failing to authenticate former employees, twins (evil or benign), fraudsters, haXXors, kids, competitors, crims, spooks, spies, pentesters and auditors on assignment;
    • Using currently viable technologies, methods, approaches and processes; and
    • Without relying on unproven, unverifiable or otherwise dubious technologies.

    In short, authenticating people is tough, one of those situations where we're squeezing a half-inflated balloon, hoping it won't bulge alarmingly or just pop.
    In practice, when designing and configuring authentication subsystems or functions, the key question is what to compromise on, how much slack can realistically and safely be cut (i.e. reducing various information risks to an acceptable level), and just how far things need to be pushed (an assurance issue). 
    In the ongoing hunt for solutions, quite a variety of authentication methods, tools and techniques has been invented and deployed so far:
    • Vouching ("Jim's OK, I trust Jim and you trust me, right?");
    • Credentials such as business cards, driving licenses, passports, photo IDs, badges, uniforms, sign-marked vehicles, logos ...;
    • Secret passwords;
    • Complex passwords, enforcing rules such as mixed case, punctuation etc.;
    • System-generated passwords;
    • System-generated passwords in forms or styles that are intended to be more mem-or-able;
    • Multiple passwords;
    • Multi-part passwords, the parts held by different people;
    • Long passwords or pass phrases;
    • Passwords that expire and need to be replaced periodically;
    • Passwords that are generated by cryptographic things and expire in a minute or so;
    • Pictorial passwords - picking out specific images from several presented;
    • Digital certificates with PKI on crypto things (digital keys, smart cards, desktops, laptops, smartphones ...);
    • Biometrics based on:
      • Fingerprint, palmprint;
      • Visage/facial recognition;
      • Iris or retinal pattern;
      • Voice recognition;
      • Typing characteristics;
      • Distinctive chemicals (smell) and other bodily or behavioural characteristics such as color, mannerisms, gait (very widely used by animals other than humans); 
      • DNA (quite reliable but hardly instantaneous!);
    • User and/or device location;
    • Network address, hardware address;
    • Mode/means/route/mechanism of access;
    • Time of access;
    • Multifactor authentication using more than one 'factor';
    • Probably other stuff I've forgotten about;
    • Some combination of the above.

    Depending on how you count them, there are easily more than 20 authentication methods in use today, and yet it is generally agreed that they barely suffice. 
    Rather than inventing yet another method, I wonder if we need a different paradigm, a better, smarter approach to authentication? Specifically, I'm thinking about the possibility of continuous, ongoing or dynamic authentication rather than episodic authentication. 
    Instead of forcing us to "log in" at the start of a session, how about simply letting us start doing stuff, rating us as we go and deciding what stuff to let us do according to how authentic we appear to be, and what it is that we want to do? So, returning to my earlier point about having to make compromises, the assurance needed before allowing someone to browse the Web is rather different to that needed to let them bank online - and within online banking, viewing account balances is not equivalent to making a funds transfer between accounts, or a payment to another account, in Switzerland, of the entire balance and credit/overdraft value, at 3:30am, from a smartphone somewhere in Lagos ...
    Biometric authentication methods have to allow for natural variation between measurements because living organisms vary, and measurement methods are to some extent imprecise. Taking additional measurements is an obvious way to improve accuracy and precision ... so instead of taking a single fingerprint reading, why not keep on re-reading and checking until there is sufficient data and sufficient statistical confidence? Instead of forcing me to use a password of N characters, why not check how I type the first few characters to see if the little timing and pressure differences indicate it is probably me, perhaps coupling that with facial recognition and additional checks depending on what it is that I'm doing during the session? If I'm doing something out of character, especially something risky, prevent or slow me down. Instead of timing out and locking me out of the system if I wander away to make a cup of tea, reduce my trustworthiness rating and hence the things I can do when I return. Let me boost my trustworthiness if I really need additional rights 'right now' by inviting me to use some of those slower and more costly authentication mechanisms, or correlating authentication/trustworthiness indicators and scores from several systems (e.g. make it harder for me to access the file server if I have not clocked in to the building with my staff pass card, bought a coffee without sugar from the vending machine, and polled the local cell tower from my cellphone).
    Maybe even turn the problem on its head. Rather than making me prove my claimed identity, disprove it by checking what I'm doing for anomalies and concerns. I'm sure there's huge potential in behavioral analysis - not just the basic biometrics such as typing speed but the specific activities I perform, the sequence, the context and so on - building up a more holistic picture of the person in the chair. 
    Oh and if the systems are not entirely sure it is me in the chair, why not let me think I am doing stuff while in reality caching my inputs and faking what I see while waiting for me to build up sufficient additional assurance ... or quietly summoning Security.
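The trust-score mechanics sketched above (passive signals raising a rating, anomalies and idle time lowering it, step-up factors buying it back, and each action needing its own level of assurance), as an added toy model in Python; this is not the author's code, and the signal weights, action thresholds and decay half-life are constructed, illustrative values.

```python
"""Toy continuous-authentication model: passive signals raise a session trust
score, anomalies and idle time lower it, and each action is checked against
the assurance it needs. Weights and thresholds are constructed, not measured."""
from dataclasses import dataclass

# Assurance each action demands, on a 0..1 scale (constructed values).
REQUIRED_ASSURANCE = {"browse_web": 0.2, "view_balance": 0.5,
                      "transfer_internal": 0.7, "transfer_external_large": 0.95}

# Weight of each passive signal when it matches the user's profile; a
# mismatch is treated as an anomaly and subtracts the same weight.
SIGNAL_WEIGHTS = {"keystroke_timing": 0.25, "face": 0.35, "known_device": 0.15,
                  "usual_location": 0.15, "usual_hours": 0.10}


@dataclass
class Session:
    trust: float = 0.0        # confidence that the claimed person is in the chair
    last_active: float = 0.0  # timestamp (seconds) of the last observation


def observe(session, signals, now):
    """Fold a batch of {signal: matched_profile?} observations into the score."""
    for name, matched in signals.items():
        session.trust += SIGNAL_WEIGHTS[name] if matched else -SIGNAL_WEIGHTS[name]
    session.trust = max(0.0, min(1.0, session.trust))
    session.last_active = now
    return session.trust


def decay(session, now, half_life=300.0):
    """Idle time halves trust every half_life seconds instead of locking out."""
    session.trust *= 0.5 ** ((now - session.last_active) / half_life)
    return session.trust


def authorize(session, action):
    """Return ('allow', 0) when trust covers the action, else ('step_up', gap)."""
    need = REQUIRED_ASSURANCE[action]
    if session.trust >= need:
        return ("allow", 0.0)
    return ("step_up", round(need - session.trust, 3))


def step_up(session, factor_strength):
    """An explicit, stronger factor (e.g. a hardware token) buys back trust."""
    session.trust = min(1.0, session.trust + factor_strength)
    return session.trust
```

A session that passes keystroke, face and device checks can view a balance straight away but is asked to step up before a large external transfer; after five idle minutes even the balance view needs a boost, and a later out-of-hours, out-of-place observation pulls the rating back below the transfer threshold.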
    Categories: NoticeBored